Unpatched Code Execution Vulnerability in WordPress Puts Users at Risk

We all know that WordPress is one of the most popular CMSs, running about 30 percent of all websites, and it is always a target for cyber crooks. In this scenario, an unpatched critical vulnerability puts users at risk.

Security researcher Karim El Ouerghemmi from RIPS Tech has found a critical arbitrary code execution vulnerability in WordPress which affects every version to date, including WordPress 4.9.6. This zero-day vulnerability can be used to escalate privileges attained through the takeover of an account with a role as low as Author, or through the exploitation of another vulnerability or misconfiguration.

Ouerghemmi reported this vulnerability to the WordPress team in November 2017 via HackerOne, and the weird thing is that the report was triaged at that time, yet the bug still remains unpatched after more than 7 months.

Impact of the Vulnerability
As the researcher has noted, this vulnerability can be exploited with a role as low as Author, or through any other misconfiguration or bug in WordPress. Exploiting the vulnerability grants an attacker the capability to delete any file of the WordPress installation (plus any other file on the server that the PHP process user has the permissions to delete).

This bug resides in wp-includes/post.php, which is part of WordPress core. An arbitrary file deletion vulnerability occurs when unsanitized user input is passed to a file deletion function. In PHP this happens when the unlink() function is called and user input can affect part or all of the parameter $filename, which represents the path of the file to delete, without undergoing proper sanitization.

The researcher points out that in the wp_delete_attachment() function the content of $meta['thumb'] is used in the call to unlink() without undergoing any sanitization. This missing check on the value passed to unlink() makes it possible to trigger the bug by manipulating the POST request.

Video Demonstration

What You Can Do?
In the meantime, there is no fix or patch available for the vulnerability, but the researcher has provided a temporary fix. The fix can be integrated into an existing WordPress installation by adding it to the functions.php file of the currently active theme or child theme.
    add_filter( 'wp_update_attachment_metadata', 'rips_unlink_tempfix' );

    function rips_unlink_tempfix( $data ) {
        // Keep only the file name so the stored value cannot carry path components.
        if ( isset( $data['thumb'] ) ) {
            $data['thumb'] = basename( $data['thumb'] );
        }
        return $data;
    }

All the provided hotfix does is hook into the wp_update_attachment_metadata filter and make sure that the data provided for the meta value thumb does not contain any parts that would make path traversal possible. Thus, no security-relevant files can be deleted.
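As an added example (not code from this article, from RIPS, or from WordPress core), here is a stricter variant of the same idea: besides stripping directory components, it checks that the resolved path stays inside the uploads directory before anything would be passed to unlink(). The helper name ck_safe_attachment_path() and the temporary directory used in the self-check are constructed for this illustration.

```php
<?php
// Added example, not from the original article, RIPS, or WordPress core.
// ck_safe_attachment_path() is a hypothetical helper name chosen here.

/**
 * Resolve $thumb to an absolute path inside $uploads_dir.
 * Returns null when the value is not a plain file name, when the file does
 * not exist, or when it resolves (via ".." or a symlink) outside $uploads_dir.
 */
function ck_safe_attachment_path( string $uploads_dir, string $thumb ): ?string {
    $base = realpath( $uploads_dir );
    if ( $base === false ) {
        return null;                       // base directory missing: refuse, don't guess
    }
    // Same idea as the hotfix above: no directory components allowed. Unlike the
    // hotfix, a value that had one is rejected instead of silently rewritten.
    if ( $thumb === '' || $thumb === '.' || $thumb === '..' || basename( $thumb ) !== $thumb ) {
        return null;
    }
    $resolved = realpath( $base . DIRECTORY_SEPARATOR . $thumb );
    if ( $resolved === false ) {
        return null;                       // nothing to delete
    }
    // realpath() follows symlinks, so a symlinked file pointing outside the
    // uploads directory is caught here even though its name passed basename().
    if ( strpos( $resolved, $base . DIRECTORY_SEPARATOR ) !== 0 ) {
        return null;
    }
    return $resolved;
}

// Constructed self-check: a temporary uploads directory with one real thumbnail.
$uploads = sys_get_temp_dir() . '/ck_uploads_' . getmypid();
mkdir( $uploads );
file_put_contents( "$uploads/photo-150x150.jpg", 'x' );
$cases = [
    'photo-150x150.jpg' => true,   // legitimate thumb value: resolved path returned
    '../../outside.txt' => false,  // directory components: rejected
    '/tmp/outside.txt'  => false,  // absolute path: rejected
    'missing.jpg'       => false,  // not present in uploads: nothing to unlink
];
foreach ( $cases as $thumb => $expect_path ) {
    $ok = ( ck_safe_attachment_path( $uploads, $thumb ) !== null ) === $expect_path;
    printf( "%-20s %s\n", $thumb, $ok ? 'as expected' : 'UNEXPECTED' );
}
unlink( "$uploads/photo-150x150.jpg" );
rmdir( $uploads );
```

Run it with the PHP CLI; inside WordPress you would call the helper on $meta['thumb'] and skip the unlink() when it returns null.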

Before disclosing the bug, the researcher contacted the WordPress team numerous times and also reached out to the security team via Twitter DM.
With ❤️ Cyber Kendra