WordPress vulnerability allows attacker to gain full remote access of server

By Alfred Vergara on March 1, 2019

On February 19, 2019, security researchers at RIPS Technologies disclosed a vulnerability in WordPress that allowed an attacker holding author privileges to execute arbitrary PHP (PHP: Hypertext Preprocessor) code and thereby gain full remote access to the server.

Disclaimer: this report is a synthesis of the original report given by RIPS Technologies, which explains the vulnerability in detail: https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/

What is WordPress?

WordPress is free, open-source software for hosting a website. Currently it holds over 33% market share among content management systems, software that lets users manage the content of a website.

The Vulnerability

The vulnerability is exploited by chaining a Path Traversal flaw with a Local File Inclusion flaw. To understand the exploitation, some background on how WordPress manages images is needed.

When an image is uploaded to WordPress, it is stored in the wp-content/uploads directory. For later retrieval, WordPress stores key information about the file in its database as key/value pairs. One of these keys is _wp_attached_file, whose value is the filename of the picture, in the researchers' example evil.jpg.

When a file is looked up, WordPress locates it by matching against the stored _wp_attached_file value.

Path Traversal

The edit_post() function, which is called when an image is updated, allows any of the database values in which image information is stored to be modified. This includes the _wp_attached_file value.

When a user crops an image, wp_crop_image() is called. It takes the ID of the image and retrieves that image's _wp_attached_file value. To load the image, WordPress checks two places:

  • It looks for the file named by the _wp_attached_file value in the wp-content/uploads directory.
  • If it is not there, it downloads the file from its own server at a URL such as https://targetserver.com/wp-content/uploads/evil.jpg.

After the image is loaded and cropped, it is saved as a new image whose name is the _wp_attached_file value with cropped- prepended. WordPress then creates the directories for the new path. No path traversal checks are performed at either step, which means an attacker could, using the edit_post() function together with the crop functionality, place a crafted image into any directory.

Local File Inclusion

Local file inclusion is a vulnerability that allows an attacker to have a file they supplied included, and executed, on the target. Here it arises from the ability to traverse the server's paths through the crop functionality and the edit_post() function: a malicious image can be placed into the wp-content/themes directory, where template files are loaded with include() and therefore interpreted as PHP.

_wp_attached_file can be changed to evil.jpg?shell.php, after which the attacker crops the picture. Since no file with that name exists in the wp-content/uploads directory, WordPress downloads it from https://targetserver.com/wp-content/uploads/evil.jpg?shell.php. That request yields the valid image evil.jpg (the ?shell.php part is treated as a query string), and the downloaded file is saved under the name evil.jpg?shell.php. The new file created by the crop feature is saved as evil.jpg?cropped-shell.php.jpg and is inert (its PHP is not interpreted). This does not matter, as the goal of this step is only to place the file in a location where it will be interpreted as PHP.
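The two checks whose absence the Path Traversal and Local File Inclusion sections describe, written out as an added defensive example in PHP. This is not WordPress's own code; the function names, the uploads path and the sample values are constructed for the illustration. The first function validates a stored _wp_attached_file value (refusing "?", "..", absolute paths and double extensions), and the second confirms, lexically and without touching the filesystem, that a crop destination still resolves inside the uploads directory even when its directories do not exist yet.

```php
<?php
// Added example (not WordPress code): the two checks whose absence the
// write-up describes. Function names, the uploads path and the sample
// values below are constructed for this illustration.

/**
 * Accept only a plain relative image filename for _wp_attached_file:
 * no NUL bytes, no "?" or "#" (so "evil.jpg?shell.php" is refused),
 * no absolute path, no ".." segment, and exactly one extension at the end
 * (so double extensions such as "shell.php.jpg" are refused as well).
 */
function is_safe_attached_file(string $attached): bool
{
    if ($attached === '' || strlen($attached) > 255) {
        return false;
    }
    if (preg_match('/[\x00?#]/', $attached)) {
        return false;
    }
    $norm = str_replace('\\', '/', $attached);
    if ($norm[0] === '/' || preg_match('#(^|/)\.\.(/|$)#', $norm)) {
        return false;
    }
    return (bool) preg_match('#^[A-Za-z0-9_/-]+\.(jpe?g|png|gif|webp)$#i', $norm);
}

/**
 * Collapse "." and ".." segments lexically, without touching the filesystem,
 * so the check also works for a destination whose directories do not exist
 * yet (the crop step creates them).
 */
function normalize_path(string $path): string
{
    $parts = [];
    foreach (explode('/', str_replace('\\', '/', $path)) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            array_pop($parts);
            continue;
        }
        $parts[] = $seg;
    }
    return '/' . implode('/', $parts);
}

/**
 * True only if $base_dir . '/' . $relative still resolves to a location
 * inside $base_dir after normalisation. Apply this to the final crop
 * destination as a second layer, independent of the filename check.
 */
function is_inside_directory(string $base_dir, string $relative): bool
{
    $base = rtrim(normalize_path($base_dir), '/') . '/';
    $full = normalize_path($base_dir . '/' . $relative);
    return strncmp($full, $base, strlen($base)) === 0;
}

// Constructed sample values: one legitimate name and the two shapes of
// value that could be stored through edit_post() as described above.
$uploads = '/var/www/html/wp-content/uploads';
$samples = [
    '2019/02/evil.jpg',
    'evil.jpg?shell.php',
    '../themes/some-theme/evil.jpg',
];
foreach ($samples as $value) {
    // Crop destination: "cropped-" prepended to the file's base name.
    $dest = dirname($value) . '/cropped-' . basename($value);
    printf(
        "%-32s filename:%-6s destination:%s\n",
        $value,
        is_safe_attached_file($value) ? 'ok' : 'reject',
        is_inside_directory($uploads, $dest) ? 'ok' : 'reject'
    );
}
```

Run as a plain script, the first sample passes both checks, the second is stopped by the filename check alone (its crop destination would still land inside uploads), and the third is stopped by both. Keeping the two layers independent is the point: the filename rule guards the stored value, and the containment rule guards the final write regardless of how the path was assembled.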

In the proof of concept (PoC) shown by RIPS Technologies, this chain was used to achieve remote code execution and compromise a server.

Impact

The vulnerability had been present in WordPress for over 6 years. While there are no reports of it being exploited, the potential impact is wide. By controlling a WordPress site, a malicious person could, for example, redirect existing links and references to identical spoofed sites in a phishing attack for credentials. Given the wide market share that WordPress holds as a content management system, a large number of WordPress users were susceptible to this exploit.

Mitigation

Current versions of WordPress, 4.9.9 and 5.0.1, contain patches for the vulnerability found by RIPS Technologies. If possible, update your WordPress installation to the latest version. If this is not possible, scrutinize the accounts that hold author permissions on the WordPress site: revoke access for users who have not been active, and enforce a stronger password policy, for example with the plugin at https://wordpress.org/plugins/minimum-password-strength/

Sources

https://secure.php.net/manual/en/intro-whatis.php

https://thehackernews.com/2019/02/wordpress-remote-code-execution.html

https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/

https://w3techs.com/

https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion

https://phocean.net/2013/09/29/file-upload-vulnerabilities-appending-php-code-to-an-image.html