W poniedziałek 20.04.2015r. miałem przyjemność bycia prelegentem na konferencji 4Developers w ścieżce Security organizowanej przez SecuRing .
Slajdy z prezentacji: https://drive.google.com/file/d/0B7U6Q1zbqTkyOEY3TmRXWl8tODQ/view?usp=sharing
Nagranie będzie dostępne w przyszłości. :)
środa, 22 kwietnia 2015
plupload - Same-Origin Method Execution [Wordpress 3.9 - 4.1.1]
This January I've found and reported XSS vulnerability in plupload, that affects Wordpress from 3.9 to 4.1.1. As far as there was no ability to control arguments of function called - the "only" thing we could do with this issue was Same-Origin Method Execution.
Before you start reading technical details - you should update your Wordpress / plupload first.
If you will dig a bit in Flash plupload 2.1.2 source code, you can notice interesting thing in _init() function:
...and _fireEvent()
So we can manipulate with target GET parameter to execute javascript functions, but we can use only alphanumeric characters and dot. Still can be useful, the scenario goes like this:
1. In first tab create new window with target _blank and URL http://hostname/proxy.php
2. Then redirect first tab to http://target-wordpress/wp-admin/plugin-install.php?tab=plugin-information&plugin=google-analytics-dashboard-for-wp§ion=description - of course you can use any other plugin install page.
3. The second's tab proxy.php sleeps for few seconds and then redirect to vulnerable plupload on target-wordpress calling this function:
Before you start reading technical details - you should update your Wordpress / plupload first.
If you will dig a bit in Flash plupload 2.1.2 source code, you can notice interesting thing in _init() function:
...and _fireEvent()
So we can manipulate with target GET parameter to execute javascript functions, but we can use only alphanumeric characters and dot. Still can be useful, the scenario goes like this:
1. In first tab create new window with target _blank and URL http://hostname/proxy.php
2. Then redirect first tab to http://target-wordpress/wp-admin/plugin-install.php?tab=plugin-information&plugin=google-analytics-dashboard-for-wp§ion=description - of course you can use any other plugin install page.
3. The second's tab proxy.php sleeps for few seconds and then redirect to vulnerable plupload on target-wordpress calling this function:
window.opener.document.body.lastChild.previousElementSibling.previousElementSibling.previousElementSibling.lastChild.click()
4. ....aaaand plugin is installed now. ;-)
This one can be of course more automated and faster to install malicious, vulnerable plugins, that after successful exploit will give us webshell or anything we need to own the machine. In my opinion - this can be really dangerous.
PoC: http://ropchain.org/poc/wordpress/
This one can be of course more automated and faster to install malicious, vulnerable plugins, that after successful exploit will give us webshell or anything we need to own the machine. In my opinion - this can be really dangerous.
PoC: http://ropchain.org/poc/wordpress/
Subskrybuj:
Posty (Atom)