Security Advisory: WordPress 5.4 async-upload.php: filenames containing a character greater than 0x7f allow code execution
 
Affected Software Version
WordPress 5.4
Vulnerability Impact
Remote script upload leading to automated plugin installation, which achieves remote code execution on the server (shell command execution).
Description
Any user who can upload images to WordPress can bypass some of the restrictions on uploaded files and upload a script. Because WordPress requires little interaction to install a plugin, that uploaded script, once viewed by a logged-in administrator, runs in the administrator's browser session and can be used to hijack the administrator account and install a PHP plugin silently. The plugin can contain a backdoor that allows, for example, shell command execution. The provided proof-of-concept code demonstrates the whole process, installing a backdoor that lets the attacker run commands on the server.
Attack Requirements
Attacker must have access to a user account at any level that can upload images. Typically this is the Author role, but there are several examples online of people modifying their installs so that other user levels can upload.

Attacker must be able to convince a logged-in administrator to visit a page containing the uploaded exploit code. The exploit can be embedded in an iframe on a remote page, or the administrator can simply visit the upload itself. Visiting the upload installs the PHP backdoor.
Technical Information
WordPress handles uploads via async-upload.php, which takes multipart form data as input.

If the name of the uploaded file contains a non-ASCII byte (a value above 0x7f), the server assigns an incrementing default filename (e.g. -1, -2, -3) instead of a name carrying the uploaded file's extension. An example is "filename\x80.txt". This filename initially passes the name sanity checks, since it matches the .txt extension, but fails later when the server tries to generate a file name.

After that failure the file is instead assigned a default name akin to -1 and stored in the upload directory. If this file contains a valid script, it can be executed when the file is opened in a browser. WordPress attempts to filter out html and script tags, but upon fiddling with it a bit I discovered that html body tags are not filtered. Setting an onload event on the body tag provides code execution.

From there I created an upload exploit that, upon viewing by an admin, automatically installs a WordPress PHP plugin and activates it, providing remote OS command execution.

I've created a full proof-of-concept exploit package using Node.js to automate exploitation of this vulnerability. Untar the exploit and examine the files exploit.js and upload_script.html to see the steps required for exploitation.

The exploit requires Node.js and the puppeteer module; the http/https and filesystem modules ship with Node. The Node.js version used for local testing of the exploit is v10.19.0. You need to configure exploit.js with your own target server settings before running it. Install the exploit dependency with: npm install puppeteer. Proof-of-concept code is provided in the links section below.
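The following is an added example, not code from this advisory's proof of concept and not WordPress's own source: a small Python model of the upload pipeline described above, so the failure mode can be reproduced offline and compared with a hardened form. All function names, the allowed-extension list and the sample inputs are constructed for illustration. The advisory does not state why the name is lost; the model assumes a sanitizer that must decode the name as UTF-8 and yields an empty string when it cannot (PHP's PCRE /u modifier returns NULL on invalid UTF-8, and an unchecked caller then sees an empty name), which is one mechanism consistent with the "-1, -2" names reported. The content filter that removes html and script tags but not body tags is likewise a modelled assumption of the behaviour the advisory reports, not WordPress's actual filter.

```python
# Added example: model of extension loss on a non-UTF-8 filename, a hardened
# handler, and a triage scan of an uploads directory. Not the advisory's PoC.
import re

ALLOWED_EXT = {"jpg", "jpeg", "png", "gif", "txt"}  # assumed whitelist

# Constructed sample inputs (the crafted name is the advisory's "filename\x80.txt").
BENIGN_NAME = b"photo.txt"
CRAFTED_NAME = b"filename\x80.txt"
PAYLOAD = b'<html><script>alert(1)</script><body onload="alert(1)">hi</body></html>'


def extension_allowed(raw_name: bytes) -> bool:
    """First-pass check on the raw bytes: it only sees the trailing '.txt',
    so b'filename\\x80.txt' passes exactly like b'photo.txt'."""
    ext = raw_name.rsplit(b".", 1)[-1].lower()
    return ext.decode("latin-1") in ALLOWED_EXT


def sanitize_vulnerable(raw_name: bytes) -> str:
    """Modelled sanitizer: requires a valid UTF-8 name and degrades to '' when
    decoding fails (assumption about the root cause, see lead-in)."""
    try:
        name = raw_name.decode("utf-8")
    except UnicodeDecodeError:
        return ""
    return re.sub(r"[^A-Za-z0-9._-]", "", name)


def unique_filename(existing: set, base: str) -> str:
    """Counter suffixing: an empty base degrades to '-1', '-2', ... with no extension."""
    if base and base not in existing:
        return base
    stem, dot, ext = base.rpartition(".")
    n = 1
    while True:
        cand = f"{stem}-{n}{dot}{ext}" if dot else f"{base}-{n}"
        if cand not in existing:
            return cand
        n += 1


def strip_html_and_script(content: bytes) -> bytes:
    """Modelled content filter: drops <html> and <script> tags but leaves
    <body onload=...> untouched, the gap the advisory reports."""
    return re.sub(rb"</?(html|script)[^>]*>", b"", content, flags=re.I)


def store_vulnerable(existing: set, raw_name: bytes, content: bytes):
    """Vulnerable flow: extension check on raw bytes, then sanitize, then
    counter-suffix. Returns (stored_name, stored_content) or None if rejected."""
    if not extension_allowed(raw_name):
        return None
    stored = unique_filename(existing, sanitize_vulnerable(raw_name))
    existing.add(stored)
    return stored, strip_html_and_script(content)


def store_hardened(existing: set, raw_name: bytes, content: bytes):
    """Hardened flow: reject undecodable names outright, derive the extension
    from the decoded name, and never store a name lacking an allowed extension."""
    try:
        name = raw_name.decode("utf-8")
    except UnicodeDecodeError:
        return None
    stem, dot, ext = name.rpartition(".")
    if not dot or ext.lower() not in ALLOWED_EXT:
        return None
    safe_stem = re.sub(r"[^A-Za-z0-9_-]", "", stem) or "upload"
    stored = unique_filename(existing, f"{safe_stem}.{ext.lower()}")
    assert stored.rsplit(".", 1)[-1] in ALLOWED_EXT  # invariant the fix must keep
    existing.add(stored)
    return stored, content


def find_suspicious(uploads: dict) -> list:
    """Triage for an uploads directory: flag names with no allowed extension
    (e.g. '-1') and any file carrying an inline event handler or <script>."""
    flagged = []
    for name, body in uploads.items():
        no_ext = name.rsplit(".", 1)[-1].lower() not in ALLOWED_EXT
        handler = re.search(rb"<\w+[^>]*\son\w+\s*=", body, re.I) or b"<script" in body.lower()
        if no_ext or handler:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    seen = set()
    print(store_vulnerable(seen, CRAFTED_NAME, PAYLOAD))   # ('-1', b'...onload...')
    print(store_vulnerable(seen, CRAFTED_NAME, PAYLOAD))   # ('-2', ...)
    print(store_hardened(set(), CRAFTED_NAME, PAYLOAD))    # None: rejected
    print(find_suspicious({"-1": PAYLOAD, "photo.txt": b"hello"}))
```

The point of the hardened form is the invariant asserted in store_hardened: whatever the sanitizer does to the stem, the stored name must still end in a whitelisted extension, so a decoding failure cannot silently turn an image upload into an extensionless file that a browser will sniff as HTML. find_suspicious is the check a responder would run over wp-content/uploads on a site that was exposed: extensionless names like -1 or any upload with an on*= handler deserve a look.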
Discovery Credit
Hackerone user: Kahoots, Jason Medeiros (PentestUSA).
 
Associated Links

The following links are relevant to this article:

 
 
Article Date: 5/11/2020
Author: Jason Medeiros
Type: Vulnerability Disclosure