"This is a very serious issue: unauthenticated attackers may exploit this vulnerability to create new user accounts with administrative privileges, giving them the power to take complete control of affected sites," WordPress security firm WPScan said in an alert.
Ultimate Member's authors released version 2.6.7 of the plugin on July 1 to address the actively exploited privilege escalation flaw. As an added security measure, they also plan to ship a new feature within the plugin that lets website administrators reset passwords for all users.
The Exploit Database is a CVE compliant archive of public exploits and corresponding vulnerable software, developed for use by penetration testers and vulnerability researchers. Our aim is to serve the most comprehensive collection of exploits gathered through direct submissions, mailing lists, as well as other public sources, and present them in a freely-available and easy-to-navigate database. The Exploit Database is a repository for exploits and proof-of-concepts rather than advisories, making it a valuable resource for those who need actionable data right away.
I had a blog based on WordPress, v 3.1.2. The problem is the hosting company tells me an exploit gave access to hackers, so they erased my files and databases, but also I found on Pastebin the usernames and passwords to my Parallels control panel (not the one of WordPress) and my password. See for yourself, available now only on cache:
A vulnerability has been discovered in the Backup Migration Plugin for WordPress, which could allow for remote code execution. The Backup Migration Plugin helps admins automate site backups to local storage or a Google Drive account. Successful exploitation could allow for remote code execution in the context of the server. Depending on the privileges associated with the logged-on user, an attacker could then install programs; view, change, or delete data. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Wordfence reports CVE-2023-6553 has been exploited in the wild. Bleeping Computer reports WordPress administrators are also being targeted by a phishing campaign attempting to trick them into installing malicious plugins, using fake WordPress security advisories for a fictitious vulnerability tracked as CVE-2023-45124 as bait.
Safeguard 18.2: Perform Periodic External Penetration Tests: Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
On 21 March, researchers disclosed two vulnerabilities in Social Warfare, a very popular WordPress plugin that adds social share buttons to a website or blog. One is a stored cross-site scripting (XSS) vulnerability and the other is a remote code execution (RCE) vulnerability; both are tracked as CVE-2019-9978. Both vulnerabilities are present in versions 3.5.0-3.5.2 of Social Warfare; a fix was released on 21 March in version 3.5.3. Approximately 60,000 active installations were found at the time of writing which remain potentially vulnerable until they update to 3.5.3. An attacker can use these vulnerabilities to run arbitrary PHP code and control the website and the server without authentication. Attackers may use the compromised sites to perform digital coin mining or host malicious exploit code. Unit 42 researchers found five compromised sites actively used for hosting malicious exploit code, which allows the attackers to control more websites.
There are many exploits in the wild for the Social Warfare plugin and it is likely they will continue to be used maliciously. Since over 75 million websites use WordPress and many high-traffic WordPress websites use the Social Warfare plugin, the users of those websites could be exposed to malware, phishing pages or miners. Website administrators should update the Social Warfare plugin to version 3.5.3 or newer.
It would have been hard to miss that a recent vulnerability in Log4j, a popular Java logging library, has been exploited in the wild and is creating a lot of headlines. The vulnerability received a CVSS rating of 10/10, which highlights the severity of the issue and explains why it is attracting so much attention.
In reality, Local File Inclusion vulnerabilities in WordPress are typically valuable for accessing critical files like wp-config.php. However, this specific vulnerability only works with an absolute path (as noted in the Packet Storm exploit).
The process is classic, and if you have already read one of our articles, you are likely familiar with the procedure: setting up a lab environment with the latest plugin version installed. Originally, the plan was to identify a method in the plugin that could trigger a full path disclosure and allow the exploitation to go deeper. But we found a much more interesting and challenging vulnerability, one that brings back old memories.
Other parameters used for conversion are also within the user's control. But all of them are strongly typed to int, or even rewritten, which does not give us much flexibility in our exploitation path:
Alright, that's interesting but clearly unexploitable on its own. It might enable us to access specific PDFs stored outside the WordPress web directory, but this would require knowing the exact paths to those PDFs (whether absolute or relative). To make it work, you'd have to combine it with another exploit.
Clearly, since the beginning, our secret goal has been to reach the Imagick() function with a controlled file. It has long been known that a misconfigured Imagick library is a goldmine for attackers, and you can find numerous very interesting papers or write-ups exploiting the library (see References). But to do so, we need the is_file() check used at the beginning of the function to return true. The first scenario would be to have a file upload feature on the WordPress site (perhaps from another plugin), find the uploaded path, and use the locally controlled file to play with the Imagick library.
Our previous exploits and all existing technical exploitation papers all point to a common conclusion: ImageMagick is an excellent tool for image rendering, but it must be configured with rigorous security policies. Developers of Imagick have had to patch numerous CVEs across thousands of plugins, and they are now quite clear about their stance on vulnerabilities:
All ImageMagick exploits work basically the same way. The idea is to force Imagick to use its own internal scripting format, called MSL. The MSL format allows files to be moved or created on the server.
In our exploit, the controlled path will fail the is_file() check if we force the msl: formatter within our filename, so we have to find another way. SVG came quickly to our minds. SVG is built to use external files and references. When the Imagick default SVG parser is used, the file is converted into MVG format (Magick Vector Graphics Metafiles). image tags with specific inner attributes such as xlink:href or path are transformed into the MVG instruction:
But this is not exploitable in our configuration: as the file came from an external source, it cannot be self-calling. Taking a closer look, we discovered that for each SVG converted, three files are created in the /tmp folder, all using the magick-XXX nomenclature (where XXX is a 32-char random string):
Then, we can only bruteforce the 65 possible first characters, using 65 different SVG files, each of them containing one first letter to bruteforce: exploiter_A.svg containing text:vid:msl:/tmp/magick-A*, exploiter_B.svg containing text:vid:msl:/tmp/magick-B* ...
While it's possible to defend against certain vulnerabilities, such as the use of SVG's xlink, through a definition mechanism, it's not a robust security approach. For instance, xlink would remain inactive by default unless a specific definition is specified. Yet, this strategy proves inadequate as it's akin to a temporary solution, and we would be continuously reacting to emerging vulnerabilities until the next one emerges. The security policy was designed specifically to address potentially unknown exploits. If a new exploit is discovered, the user is protected by invoking the appropriate security policy. The result is immediate protection against the exploit without the need to update the binary distribution.
Security is a compromise between security and convenience. The open nature of ImageMagick allows any user to exploit all the features of the package in a secure environment such as Docker, yet the security policy allows an administrator to selectively lock out features per their local context in a more open environment such as a public web site. For any public web site, we recommend these coders: MSL, MSVG, MVG, PS, PDF, RSVG, SVG, XPS, be disabled in the security policy.
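The recommendation quoted above maps directly onto ImageMagick's policy.xml. The fragment below is an added example, not the ImageMagick project's shipped policy file and not part of the write-up; it assumes a stock ImageMagick 6 or 7 install (the directory holding policy.xml varies by distribution) and shows the permissive stance the write-up relies on next to the locked-down policy that blocks the MSL/SVG/MVG path, plus one extra rule that is commonly recommended alongside it.

```xml
<!-- Added example: ImageMagick policy.xml hardening for a public web site. -->
<!-- Location of this file depends on the distribution (assumption); check
     `identify -list policy`, which prints the policy ImageMagick actually loaded. -->
<policymap>

  <!-- Weak stance: no coder restrictions at all. With nothing listed here,
       ImageMagick will happily interpret MSL scripts, SVG/MVG vector files
       with external references, and PostScript/PDF via Ghostscript. This is
       the state the exploitation chain above depends on. -->
  <!--
  <policy domain="coder" rights="read|write" pattern="*" />
  -->

  <!-- Hardened stance: disable exactly the coders the ImageMagick developers
       list for public web sites (MSL, MSVG, MVG, PS, PDF, RSVG, SVG, XPS).
       rights="none" means the coder can neither read nor write. -->
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="MSVG" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="PDF" />
  <policy domain="coder" rights="none" pattern="RSVG" />
  <policy domain="coder" rights="none" pattern="SVG" />
  <policy domain="coder" rights="none" pattern="XPS" />

  <!-- Additional, commonly recommended rule (not in the quoted list):
       forbid the "@file" indirect-read syntax so a filename argument can
       never be turned into a read of an arbitrary server path. -->
  <policy domain="path" rights="none" pattern="@*" />

  <!-- Resource limits bound the damage from malformed or oversized inputs
       (values are illustrative, tune for the host). -->
  <policy domain="resource" name="memory" value="256MiB" />
  <policy domain="resource" name="disk" value="1GiB" />
  <policy domain="resource" name="time" value="120" />

</policymap>
```

After editing the file, run `identify -list policy` on the web server host and confirm the eight coder entries show `rights: None`; if a policy.xml in a different directory is loaded instead, the edit has no effect, which is the most common reason a "hardened" ImageMagick still renders SVG.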
After verifying the options, set the payload and execute the exploit with the run command. WPXF stores the script on the target WP site and waits for user interaction on the vulnerable page. The exploit performs its operation when it detects activity on the target WP system, as shown in the following screenshot.
Many WordPress attacks can be avoided by regularly updating the CMS and its integrated features. However, a complete security audit is required to ensure the safety of websites and applications. WPScan and WPXF demonstrate two different WP penetration testing approaches. Penetration testers can achieve the best results by using both tools together: WPScan can be used to find specific vulnerabilities in target WP systems, whereas WPXF can be used to exploit those vulnerabilities through its exploit modules.