
How to analyze WordPress 5.0.0 RCE

2025-04-06 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article walks through the analysis of the WordPress 5.0.0 RCE. The content is concise and easy to follow, and the detailed walk-through should leave you with something useful.

WordPress 5.0.0 RCE Analysis (CVE-2019-6977)

This vulnerability achieves remote code execution in the WordPress core by chaining a path traversal with a local file inclusion. According to ripstech, who disclosed it, the flaw had existed in the WordPress core for more than 6 years.

Required privileges

Author-level privileges or above, which is a relatively low bar. Many small collaborative content communities, such as sheet music sites, run WordPress and grant ordinary contributors the Author role.

Affected versions

Because of other security patches in WordPress 4.9.9 and 5.0.1, the file inclusion part can only be exploited on version 5.0.0, while the path traversal remains exploitable and is not patched at the time of writing. Any WordPress site running a plugin that mishandles Post Meta entries can therefore still be exploited.

Background

When an image is uploaded to a WordPress installation, it is first moved to the uploads directory (wp-content/uploads). WordPress also creates an internal reference to the image in the database to track meta information, such as the owner of the image or the time it was uploaded.

These attributes are stored in the database as Post Meta entries. Each entry is a key/value pair assigned to an ID.

For example:

SELECT * FROM wp_postmeta WHERE post_ID = 50

    +---------+-------------------------+----------------------------------+
    | post_id | meta_key                | meta_value                       |
    +---------+-------------------------+----------------------------------+
    | 50      | _wp_attached_file       | evil.jpg                         |
    | 50      | _wp_attachment_metadata | a:5:{s:5:"width";i:450;...       |
    | ...                                                                  |
    +---------+-------------------------+----------------------------------+

In this example, the image has been assigned post_ID 50. If the user later wants to use or edit the image with that ID, WordPress looks up the matching _wp_attached_file entry and uses its value to locate the file in the wp-content/uploads directory.

Local file inclusion part

The problem with these Post Meta entries before WordPress 4.9.9 and 5.0.1 is that any of them can be modified and set to an arbitrary value.

The edit_post() function is called when an image is updated (for example, when its description is changed). This function operates directly on the $_POST array.

    function edit_post( $post_data = null ) {
        if ( empty( $postarr ) )
            $postarr = &$_POST;
        ⋮
        if ( ! empty( $postarr['meta_input'] ) ) {
            foreach ( $postarr['meta_input'] as $field => $value ) {
                update_post_meta( $post_ID, $field, $value );
            }
        }

As you can see, any Post Meta entry can be injected. Since the entries are not validated, an attacker can update the _wp_attached_file meta entry and set it to any value. This does not rename the file in any way; it only changes which file WordPress looks for when the image is edited, which later leads to a path traversal.

Specific location:

The POST parameter _wp_page_template is received at line 1695 of the file wordpress/wp-includes/post-template.php in the function get_page_template_slug().

The user-supplied data is concatenated into a path at line 635 of the file wordpress/wp-includes/template.php in the function locate_template().

Then the user-supplied data is used unsanitized in the sensitive operation require() at line 690 of the file wordpress/wp-includes/template.php in the function load_template().

Path traversal part

The path traversal occurs in wp_crop_image(), the function called when a user crops an image.

This function takes the ID of the image to crop ($attachment_id) and fetches the corresponding _wp_attached_file Post Meta entry from the database.

Because of the flaw in edit_post(), $src_file can be set to anything.

    function wp_crop_image( $attachment_id, $src_x, ... ) {
        $src_file = $file = get_post_meta( $attachment_id, '_wp_attached_file' );
        ⋮

In the next step, WordPress must make sure the image actually exists and load it. WordPress has two ways to load a given image. The first is simply to look in the wp-content/uploads directory for the file name provided by the _wp_attached_file Post Meta entry (line 2 of the next code snippet).

If that fails, WordPress tries to download the image from its own server as a fallback. To do so it builds a download URL consisting of the URL of the wp-content/uploads directory and the file name stored in the _wp_attached_file Post Meta entry (line 6).

To give a concrete example: if the value stored in the _wp_attached_file Post Meta entry is evil.jpg, WordPress first checks whether the file wp-content/uploads/evil.jpg exists. If not, it tries to download the file from the following URL: https://targetserver.com/wp-content/uploads/evil.jpg.

The reason for trying to download the image rather than only looking for it locally is that some plugins generate images dynamically when their URL is accessed.

However, there is no filtering here: WordPress simply concatenates the upload directory or URL with the user-controlled $src_file.

Once WordPress has successfully loaded a valid image via wp_get_image_editor(), the image is cropped.

    ⋮
    if ( ! file_exists( "wp-content/uploads/" . $src_file ) ) {
        // If the file doesn't exist, attempt a URL fopen on the src link.
        // This can occur with certain file replication plugins.
        $uploads = wp_get_upload_dir();
        $src = $uploads['baseurl'] . "/" . $src_file;
    } else {
        $src = "wp-content/uploads/" . $src_file;
    }

    $editor = wp_get_image_editor( $src );
    ⋮

The cropped image is then saved back to the file system (whether it was downloaded or not). The generated file name is derived from $src_file, the attacker-controlled value returned by get_post_meta(). The only modification to the resulting file name is the prefix cropped- added to the file's base name (line 4 of the next code snippet). Following the example evil.jpg, the generated file name will be cropped-evil.jpg.

WordPress then creates any directories in the resulting path that do not yet exist via wp_mkdir_p() (line 6).

Finally, the file is written to the file system with the image editor object's save() method. The save() method performs no path traversal check on the given file name.

    ⋮
    $src = $editor->crop( $src_x, $src_y, $src_w, $src_h, $dst_w, $dst_h, $src_abs );

    $dst_file = str_replace( basename( $src_file ), 'cropped-' . basename( $src_file ), $src_file );

    wp_mkdir_p( dirname( $dst_file ) );

    $result = $editor->save( $dst_file );

The whole function can be found in wp-admin/includes/image.php.

Achieving RCE

In summary, you can determine which file is loaded into the image editor (because the value is not sanitized). However, if that file is not a valid image, the image editor throws an exception. Therefore, you can only crop images outside the upload directory.

But if the desired image is not found, WordPress tries to download it, and this is what leads to RCE.

Set _wp_attached_file to evil.jpg?shell.php, which results in an HTTP request for the following URL: https://targetserver.com/wp-content/uploads/evil.jpg?shell.php. This request returns a valid image file, because everything after the ? is ignored in this context. The generated file name will be evil.jpg?shell.php.

Although the image editor's save() method does not check for path traversal, it appends the mime-type extension of the loaded image to the generated file name. In this case the resulting file name will be evil.jpg?cropped-shell.php.jpg, which makes the newly created file harmless again.

However, the generated image can still be planted in an arbitrary directory by using a payload such as evil.jpg?/../../evil.jpg.

Path traversal --> themes directory LFI

Each WordPress theme is simply a directory under wp-content/themes in the WordPress installation that provides template files for different cases. For example, when a visitor wants to view a blog post, WordPress looks for a post.php file in the directory of the currently active theme. If it finds the template, it include()s it.

To add a further layer of customization, a custom template can be selected for individual posts. To do so, the user must set the _wp_page_template Post Meta entry in the database to the custom file name. The only restriction is that the file to be include()d must be in the directory of the currently active theme.

Normally you cannot access this directory or upload files to it. However, by abusing the path traversal described above, a maliciously crafted image can be planted in the directory of the currently active theme. The attacker can then create a new post and abuse the same bug to update the _wp_page_template Post Meta entry so that the image is include()d. By injecting PHP code into the image, the attacker obtains arbitrary remote code execution.
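As an added defender-side example (not code from the article or from WordPress itself), the following Python script mirrors the two trust boundaries this chain crosses: it recomputes where wp_crop_image() would write the cropped file for a given _wp_attached_file value, and flags wp_postmeta rows whose _wp_attached_file or _wp_page_template values resolve outside wp-content/uploads or outside the active theme directory. The directory layout and theme name are assumed placeholders, and the sample rows are constructed.

```python
import posixpath

# Assumed site layout (relative paths, as in the snippets quoted on this page);
# the theme directory name is a hypothetical placeholder.
UPLOADS_DIR = "wp-content/uploads"
THEME_DIR = "wp-content/themes/example-theme"

def cropped_target(src_file):
    """Mirror the dst_file derivation in wp_crop_image(): prefix the basename with
    'cropped-' (str_replace semantics: every occurrence), then resolve the result
    against the uploads directory the way the filesystem would."""
    base = posixpath.basename(src_file)
    dst = src_file.replace(base, "cropped-" + base)
    return posixpath.normpath(posixpath.join(UPLOADS_DIR, dst))

def inside(base_dir, path):
    """True when the normalised path still lies below base_dir."""
    return posixpath.normpath(path).startswith(base_dir + "/")

def audit_postmeta(rows):
    """rows: (post_id, meta_key, meta_value) tuples as read from wp_postmeta.
    Returns (post_id, meta_key, reason) for entries matching the abuse pattern:
    an attached file whose crop target escapes uploads or carries a URL query,
    or a page template that is not a PHP file inside the active theme."""
    findings = []
    for post_id, key, value in rows:
        if key == "_wp_attached_file":
            if "?" in value or "\x00" in value or value.startswith("/"):
                findings.append((post_id, key, "query string, NUL or absolute path"))
            elif not inside(UPLOADS_DIR, cropped_target(value)):
                findings.append((post_id, key, "crop target escapes uploads"))
        elif key == "_wp_page_template" and value != "default":
            if not inside(THEME_DIR, posixpath.join(THEME_DIR, value)):
                findings.append((post_id, key, "template escapes theme directory"))
            elif not value.endswith(".php"):
                findings.append((post_id, key, "non-PHP file used as template"))
    return findings

# Constructed sample rows: one benign attachment plus the shapes described above.
SAMPLE_ROWS = [
    (50, "_wp_attached_file", "2019/01/evil.jpg"),
    (50, "_wp_page_template", "default"),
    (51, "_wp_attached_file", "evil.jpg?/../../evil.jpg"),
    (52, "_wp_attached_file", "../../../wp-content/themes/example-theme/evil.jpg"),
    (53, "_wp_page_template", "cropped-evil.jpg"),
    (54, "_wp_page_template", "../../../uploads/cropped-evil.jpg"),
]
```

Running audit_postmeta(SAMPLE_ROWS) flags posts 51 to 54 and leaves the benign post 50 alone; the same rules can be run over a real wp_postmeta export to spot tampered entries after the fact.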

Payload creation with Imagick

WordPress supports two PHP image-editing extensions: GD and Imagick. The difference between them is that Imagick does not strip the image's EXIF metadata, which is where PHP code can be stored.

The preconditions of the WordPress 5.0.0 RCE are demanding, but it is still RCE and does great harm once exploited. Moreover, although only this one minor version lets the local file inclusion be chained with the directory traversal to complete the RCE, the directory traversal itself has not been fixed, so the RCE becomes reachable again as soon as the user installs a plugin that allows arbitrary Post data to be overwritten.

The above is how to analyze the WordPress 5.0.0 RCE.
