NixOS / security

MIT License

Roundup: [oss-security] Multiple vulnerabilities affecting various WordPress Plugins #116

Closed grahamc closed 7 years ago

grahamc commented 7 years ago

Here is a report from the oss-security mailing list for Vulnerability Roundup 27.


Instructions:

Identification

Identify whether we have the software packaged in 16.09, 17.03, and unstable. Then determine whether we are vulnerable, and make a comment with your findings. It is also helpful to say whether you think a patch exists, or whether the issue can be fixed via a general update.

Example:

unstable: we are not vulnerable (link to the package)
17.03: we are vulnerable (link to the package)
16.09: we don't have it packaged

IMPORTANT: If you believe there are possibly related issues, bring them up on the parent issue!

Patching

Start by commenting on this issue saying you're working on a patch. This way, we don't duplicate work.

If you open a pull request, tag this issue and the master issue for the roundup.

If you commit the patch directly to a branch, please leave a comment on this issue with the branch and the commit hash, example:

fixed:

release-16.09: abc123


Upon Completion ...

Info

Triage Indicator:

-needs-triage +roundup27 thread:0000000000003efb

Should the search term be changed from wordpress? Suggest a new package search by commenting:

-suggested:wordpress +suggested:correctPackageName thread:0000000000003efb

Known CVEs:



Wed, 1 Mar 2017 07:17:51 +0100 Summer of Pwnage, 32f3823a-56ce-f384-03dc-7c813169cf38@securify.nl

Please see attached advisories for more information. These issues were found during Summer of Pwnage (https://sumofpwn.nl), a Dutch community project. Its goal is to contribute to the security of popular, widely used OSS projects in a fun and educational way.
analytics_stats_counter_statistics_wordpress_plugin_unauthenticated_php_object_injection_vulnerability.txt

------------------------------------------------------------------------
Analytics Stats Counter Statistics WordPress Plugin unauthenticated PHP Object injection vulnerability
------------------------------------------------------------------------
Yorick Koster, June 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A PHP Object injection vulnerability was found in the Analytics Stats Counter Statistics WordPress Plugin, which can be used by an unauthenticated user to instantiate arbitrary PHP Objects. Using this vulnerability it is possible to execute arbitrary PHP code.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160803-0005

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on the Analytics Stats Counter Statistics [2] WordPress Plugin version 1.2.2.5.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
There is currently no fix available.

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The Analytics Stats Counter Statistics [2] WordPress Plugin analyses visitor statistics on a WordPress site.

A PHP Object injection [3] vulnerability was found in the Analytics Stats Counter Statistics WordPress Plugin, which can be used by an unauthenticated user to instantiate arbitrary PHP Objects.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
This issue is possible due to an unsafe call to unserialize() in the wpadm_unpack() method. The input is taken directly from the POST request as can be seen in the following code fragment:

wpadm.php:

```php
if ( ! function_exists( 'wpadm_run' )) {
    function wpadm_run($pl, $dir) {
        @set_time_limit(0);
        require_once dirname(__FILE__) . '/class-wpadm-method-class.php';
        $request_name = 'wpadm_'.$pl.'_request';
        if( isset( $_POST[$request_name] ) && ! empty ( $_POST[$request_name] ) ) {
            require_once dirname(__FILE__) . '/class-wpadm-core.php';
            $wpadm = new WPAdm_Core(wpadm_unpack($_POST[$request_name]), $pl, $dir);
            echo ''.wpadm_pack($wpadm->getResult()->toArray()).'';
            exit;
        }
    }
}

if ( ! function_exists( 'wpadm_unpack' )) {
    /**
     * @param str $str
     * @return mixed
     */
    function wpadm_unpack( $str ) {
        return unserialize( base64_decode( $str ) );
    }
}
```

It has been confirmed that this issue can be used to execute arbitrary PHP code.

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://sumofpwn.nl/advisory/2016/analytics_stats_counter_statistics_wordpress_plugin_unauthenticated_php_object_injection_vulnerability.html
[2] https://wordpress.org/plugins/stats-counter/
[3] https://www.owasp.org/index.php/PHP_Object_Injection
simple_ads_manager_wordpress_plugin_unauthenticated_php_object_injection_vulnerability.txt

------------------------------------------------------------------------
Simple Ads Manager WordPress plugin unauthenticated PHP Object injection vulnerability
------------------------------------------------------------------------
Yorick Koster, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A PHP Object injection vulnerability was found in the Simple Ads Manager WordPress plugin. The unauthenticated PHP Object injection vulnerability can be used by an unauthenticated user to instantiate arbitrary PHP Objects. This issue can potentially result in arbitrary code execution, but this has not been confirmed.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160712-0041

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on the Simple Ads Manager [2] WordPress plugin version 2.9.8.125.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
There is currently no fix available.

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The Simple Ads Manager [2] WordPress Plugin is an easy to use plugin providing a flexible logic of displaying advertisements.

A PHP Object injection [3] vulnerability was found in the Simple Ads Manager WordPress plugin. The unauthenticated PHP Object injection vulnerability can be used by an unauthenticated user to instantiate arbitrary PHP Objects.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
This issue is possible due to two unsafe calls to unserialize() in the sam-ajax-loader.php file. The input is taken directly from the POST request as can be seen in the following code fragment:

sam-ajax-loader.php:

```php
if ( in_array( $action, $allowed_actions ) ) {
    switch ( $action ) {
        case 'sam_ajax_load_place':
            echo json_encode( array( 'success' => false, 'error' => 'Deprecated...' ) );
            break;

        case 'sam_ajax_load_ads':
            if ( ( isset( $_POST['ads'] ) && is_array( $_POST['ads'] ) ) && isset( $_POST['wc'] ) ) {
                $clauses = unserialize( base64_decode( $_POST['wc'] ) );
```

This issue can potentially result in arbitrary code execution, but this has not been confirmed.

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://sumofpwn.nl/advisory/2016/simple_ads_manager_wordpress_plugin_unauthenticated_php_object_injection_vulnerability.html
[2] https://wordpress.org/plugins/simple-ads-manager/
[3] https://www.owasp.org/index.php/PHP_Object_Injection
vaultpress___remote_code_execution_via_man_in_the_middle_attack.txt

------------------------------------------------------------------------
VaultPress - Remote Code Execution via Man in The Middle attack
------------------------------------------------------------------------
David Vaartjes, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A Man in The Middle (MiTM) vulnerability has been identified in the VaultPress plugin of WordPress. This issue allows an attacker to sniff clear-text communication and to run arbitrary PHP code on the affected WordPress host.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160728-0002

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on VaultPress [2] WordPress Plugin version 1.8.4.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
There is currently no fix available.

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The VaultPress plugin is a plugin that enables you to easily back up your WordPress installation to the VaultPress cloud. In addition it offers various security features, by scanning your WordPress system for potential security issues.

A Man in The Middle (MiTM) vulnerability was found in the VaultPress [2] plugin of WordPress. This issue allows an attacker to sniff clear-text communication and to run arbitrary PHP code on the affected WordPress host.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
Although SSL is used to communicate with the VaultPress backend (www.vaultpress.com [3]), the SSL certificate is not verified. Because of this it is possible for an attacker to sniff clear-text communication and to run arbitrary PHP code on the affected WordPress host.

The VaultPress plugin communicates with the https://www.vaultpress.com backend during registration, backups etcetera. Because the SSL connection is not verified, a Man in The Middle can intercept, read and modify traffic.

From a code perspective, when the query() method of the VaultPress_IXR_SSL_Client class is called and the WP_Http class has been defined, the sslverify attribute is set to false. The vulnerable code in the vaultpress/class.vaultpress-ixr-ssl-client.php file is listed below:

```php
[..]
if ( class_exists( 'WP_Http' ) ) {
    $args = array(
        'method'  => 'POST',
        'body'    => $xml,
        'headers' => $this->headers,
-->     'sslverify' => false,
    );
    if ( $this->timeout )
[..]
```

There are a number of ways a Man in The Middle can exploit this issue to execute arbitrary code on a vulnerable WordPress host running VaultPress.

------------------------------------------------------------------------
Attack vector targeting vulnerable instance during registration using PHP's eval() function
------------------------------------------------------------------------
If the MiTM attack is executed during registration (happens only once) the secret returned by the VaultPress server can be intercepted. Once obtained, the key can be used to communicate with the WordPress host's exposed VaultPress API. For example the following VaultPress API method allows to run any specified PHP code remotely via eval().

```php
[..]
switch ( $_GET['action'] ) {
    default:
        die();
        break;
--> case 'exec':
-->     $code = $_POST['code'];
        if ( !$code )
            $this->response( "No Code Found" );
-->     $syntax_check = @eval( 'return true;' . $code );
        if ( !$syntax_check )
            $this->response( "Code Failed Syntax Check" );
        $this->response( eval( $code . ';' ) );
        die();
        break;
[..]
```

The above code can be triggered using the following request:

```
POST /wp-load.php?vaultpress=true&action=exec HTTP/1.1
Host:
Connection: close
Content-Length: 67
Content-Type: application/x-www-form-urlencoded

code=phpinfo();&signature=5f3db7516912e6b30422a17c1d0bf49beedd6de8:
```

Please note that a valid signature is required. To create it, the secret value is needed, which seems to be exchanged during registration only. So this only affects installations that were targeted by a MiTM during registration. The following little PHP script can be used to create the signature:

```php
        "phpinfo();",
);
ksort( $post );
$sig = explode( ':', $sig );
$to_sign = serialize( array( 'uri' => $uri, 'post' => $post ) );
$signature = hash_hmac( 'sha1', "$to_sign:", $secret );
echo "Signature :". $signature;
?>
```

------------------------------------------------------------------------
Attack vector targeting vulnerable instance after registration using script injection
------------------------------------------------------------------------
If a MiTM attack is launched against a host which is already registered, the secret value cannot be intercepted. However, during any communication initiated by a user from the VaultPress plugin page (for example during backups) messages are exchanged between the WordPress host and the vaultpress.com backend. Responses from the server lack any encoding when shown in the plugin's dashboard HTML pages. This allows a MiTM to inject scripting code in the target user's WordPress Admin panel. Effectively this allows an attacker to take over the WordPress admin account or to (indirectly) run arbitrary PHP code on the WordPress host.
An example of objects lacking output encoding are the ui_message objects. The vulnerable code in the vaultpress/vaultpress.php file is as follows:

-->

-->

To exploit this the following XML (faultcode) can be returned using an XML API call via a MiTM attack. Note the scripting code in the faultString field.

```
faultCode -5
faultString --> alert("XSS");]]>
```

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://sumofpwn.nl/advisory/2016/vaultpress___remote_code_execution_via_man_in_the_middle_attack.html
[2] https://wordpress.org/plugins/vaultpress/
[3] https://www.vaultpress.com
wordpress_adminer_plugin_allows_public__local__database_login.txt

------------------------------------------------------------------------
WordPress Adminer plugin allows public (local) database login
------------------------------------------------------------------------
David Vaartjes, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
The Adminer WordPress plugin allows public login to the site's editor. As a result this allows an attacker to connect to any database running on the local host or on internal systems which are accessible from the target WordPress server.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160728-0001

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on the Adminer [2] WordPress Plugin version 1.4.4.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
Currently no fix for this issue is available.

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
The Adminer WordPress plugin is a full-featured MySQL management tool based on the Adminer project [3]. The plugin allows fast database management for WordPress admins. After installation of the plugin your database can be managed easily from within the WordPress Dashboard via the Tools -> Adminer menu option.

This issue allows an attacker to connect to any database running on the local host or on internal systems which are accessible from the target WordPress server.

Please note that an attacker still needs to login (for example using username and password) to the target database. However, many site owners probably do not know or do not expect that anyone out there can try to login by using various password combinations to their (local) WordPress database. Often local or internal databases have weak credentials assigned to them.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
This issue exists due to the fact that the Adminer WordPress plugin exposes a publicly accessible interface (Adminer editor) that can be used by anyone on the web to authenticate against the site's database directly. No login to the WordPress dashboard or admin login is required. It seems that the Adminer editor component was added about 5 months ago.

An attacker can also specify the target host:port combination of the database to connect to, which allows him to connect to any database running on the local host or on internal systems which are accessible from the target WordPress server.

The script has a measure in place to limit brute-force attacks. Upon 30 connection attempts from a single IP this IP will be blocked for 30 minutes.

The script can be found at the following location (change URL to your WordPress site):

http://wp-site.com/wp-content/plugins/adminer/inc/editor/index.php

Using Google many sites can be found that have a publicly accessible database login page exposed: https://www.google.nl/search?q=inurl:/adminer/inc/ [4]

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
- http:///wp-content/plugins/adminer/inc/editor/index.php
- http:///wp-content/plugins/adminer/inc/editor/index.php?server=10.0.0.1&username=root&db=wordpress&password=root

------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://sumofpwn.nl/advisory/2016/wordpress_adminer_plugin_allows_public__local__database_login.html
[2] https://wordpress.org/plugins/adminer/
[3] https://www.adminer.org/en/editor/
[4] https://www.google.nl/search?q=inurl:/adminer/inc/


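Two of the quoted advisories (Analytics Stats Counter Statistics and Simple Ads Manager) share the same root cause, `unserialize( base64_decode( $_POST[...] ) )` on attacker-controlled input. The following is an added example, not code from the advisories or from either plugin, of how that decode step is hardened so the sender cannot choose which classes get instantiated; the function names `safe_unpack` and `contains_object` and the sample blobs are constructed for this example.

```php
<?php
// Added example: a hardened replacement for the
// `unserialize( base64_decode( $_POST[...] ) )` pattern in the advisories.
// Requires PHP 7.1+ (allowed_classes option, nullable return type).

/**
 * Decode a base64 + serialize()d request blob without instantiating any
 * class named by the sender. Returns the decoded array, or null when the
 * blob is malformed or contains anything other than scalars and arrays.
 */
function safe_unpack( string $blob ): ?array {
    // Strict mode: reject input containing characters outside the base64 alphabet.
    $raw = base64_decode( $blob, true );
    if ( $raw === false ) {
        return null;
    }
    // allowed_classes => false turns every O:/C: token into __PHP_Incomplete_Class,
    // so no constructor, __wakeup() or __destruct() of a sender-chosen class runs.
    $data = @unserialize( $raw, [ 'allowed_classes' => false ] );
    if ( ! is_array( $data ) || contains_object( $data ) ) {
        return null;
    }
    return $data;
}

/** Recursively reject any object (including __PHP_Incomplete_Class) in the payload. */
function contains_object( $value ): bool {
    if ( is_object( $value ) ) {
        return true;
    }
    if ( is_array( $value ) ) {
        foreach ( $value as $item ) {
            if ( contains_object( $item ) ) {
                return true;
            }
        }
    }
    return false;
}

// Constructed inputs for a self-check; not real plugin traffic.
$benign  = base64_encode( serialize( [ 'action' => 'stats', 'page' => 2 ] ) ); // scalars and arrays only
$object  = base64_encode( 'a:1:{s:1:"x";O:8:"stdClass":0:{}}' );                 // smuggles an object into the array
$garbage = '%%not-base64%%';                                                       // fails strict base64 decoding

var_dump( safe_unpack( $benign ) );
var_dump( safe_unpack( $object ) );
var_dump( safe_unpack( $garbage ) );
```

Where the wire format can be changed, replacing serialize()/unserialize() with json_encode()/json_decode($raw, true) removes the object-instantiation surface entirely.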

Mic92 commented 7 years ago

unstable: we don't have it packaged
17.03: we don't have it packaged
16.09: we don't have it packaged

grahamc commented 7 years ago

Thank you!