UnPatched Code Execution Vulnerability in WordPress put Users under Risk

WordPress Core Suffers from Code Execution Vulnerability 2018

We all know that WordPress is one of the most popular CMS, on which about 30 percent of the websites are running, and it is always targeted by cyber crooks. Now in this scenario, an unpatched critical vulnerability puts users at risk.

Security researcher Karim El Ouerghemmi, from RipsTech, has found a critical Arbitrary Code Execution vulnerability on WordPress which affects every version to date i.e WordPress 4.9.6 also. This zero-day vulnerability can be used to escalate privileges attained through the takeover of an account with a role as low as Author, or through the exploitation of another vulnerability/ misconfiguration.

Ouerghemmi had reported this vulnerability to the WordPress team on November 2017 via hackerone, and the weird thing is that at that time report has been Triaged but then also the bug remains UnPatched after more than 7 months.

Impact Of the Vulnerability.
As researchers have noted that this vulnerability can be exploited with the role as low as Author, or any other misconfiguration bug on WordPress. Exploiting the vulnerability grants an attacker the capability to delete any file of the WordPress installation (+ any other file on the server on which the PHP process user has the proper permissions to delete).

This bug resides in the wp-includes/post.php which can be found in WordPress core. An arbitrary file deletion vulnerability occurs when unsanitized user input is passed to a file deletion function. In PHP this happens when the unlink() the function is called and user input can affect parts of or the whole parameter $filename, which represents the path of the file to delete, without undergoing proper sanitization.

The researcher points out that in wp_delete_attachement() function the content of $meta[‘thumb’] gets used in the call to unlink() without undergoing any sanitization. These improper checks on unlink() the function made it possible to cause the buy by manipulating the POST request.

What You  Can Do?
In the meantime, there is no fix or patch available for the Vulnerability. But researchers have provided a temporary fix for this. The fix can be integrated into an existing WordPress installation by adding it to the functions.php file of the currently active theme/child-theme.
add_filter( 'wp_update_attachment_metadata', 'rips_unlink_tempfix' ); function rips_unlink_tempfix( $data ) { if( isset($data['thumb']) ) { $data['thumb'] = basename($data['thumb']); } return $data; }

All the provided Hotfix does is hook into the wp_update_attachement_metadata()call and make sure that the data provided for the meta-value thumb does not contain any parts making path traversal possible. Thus, no security-relevant files can be deleted.

Before disclosing the bug, the researcher contacted the WordPress team numerous times and also contact on Twitter DM the security team. 

Read Also
Post a Comment