WordPress <= 4.6.1 RCE via specially crafted .mo language file
Vulnerability Impact
Arbitrary code execution under the following two conditions:
- The attacker can upload their own language file into the site's languages directory or into a theme or plugin folder
- The attacker can make the site use that language file to translate the site, a theme, a plugin, etc.
Here is an example of a real scenario: the attacker modifies a plugin's language file and changes the plugin code so that the plugin loads the malicious translation file during initialization; the attacker then induces an administrator to install the plugin, which triggers the vulnerability.
Vulnerability Analysis
When create_function() is called, a closing brace } in the supplied code terminates the original function body; the code we want executed is appended after it, and a trailing /* comments out whatever follows. Even if the created function is never called, the appended code still runs, because create_function() internally executes the supplied code with eval. The PHP manual says:
Because of this behaviour, if we can control the $code parameter of create_function(), arbitrary code execution is possible.
Now look at the vulnerable code in wp-includes/pomo/translations.php:
PHP's create_function() internally calls zend_eval_stringl(), so an attacker can use } to close the anonymous function body and have arbitrary code executed while the anonymous function is being created 🙂
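The safe alternative to create_function() here is to parse the plural expression with a parser that only understands the gettext plural grammar (n, integers, comparison, boolean and modulo operators, ?: and parentheses) and compiles it into a closure, so the header text never reaches eval. The following Python program is an added example written for this page; it is not WordPress code and not the advisory's PoC. The class and function names are mine; the English and Polish Plural-Forms headers are standard gettext expressions used as sample input, and the rejected header is the crafted value from this advisory.

```python
import re

# Token grammar of a gettext plural expression: the integer variable n, decimal
# literals, C-style comparison/boolean/modulo operators, ?: and parentheses.
# Anything else (';', '}', '$', letters other than n, ...) is rejected up front.
_TOKEN_RE = re.compile(r"\s*(\d+|n|\|\||&&|==|!=|<=|>=|[<>%?:()!])")


def tokenize(expr):
    """Split a plural expression into tokens, raising ValueError on any foreign character."""
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = _TOKEN_RE.match(expr, pos)
        if m is None:
            raise ValueError("illegal token at offset %d: %r" % (pos, expr[pos:pos + 12]))
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


class PluralExpression:
    """Recursive-descent parser that compiles the expression into a Python closure,
    so attacker-controlled text is never handed to eval()."""

    _BINOPS = {
        "||": lambda a, b: int(bool(a or b)), "&&": lambda a, b: int(bool(a and b)),
        "==": lambda a, b: int(a == b), "!=": lambda a, b: int(a != b),
        "<": lambda a, b: int(a < b), ">": lambda a, b: int(a > b),
        "<=": lambda a, b: int(a <= b), ">=": lambda a, b: int(a >= b),
        "%": lambda a, b: a % b,  # a literal 0 divisor raises ZeroDivisionError when evaluated
    }
    # Precedence levels, lowest first (the ternary operator sits below all of them).
    _LEVELS = (("||",), ("&&",), ("==", "!="), ("<", ">", "<=", ">="), ("%",))

    def __init__(self, expr):
        self._tokens = tokenize(expr)
        self._pos = 0
        self.evaluate = self._ternary()           # closure: n -> plural index
        if self._pos != len(self._tokens):
            raise ValueError("unexpected token %r after end of expression" % self._tokens[self._pos])

    def _peek(self):
        return self._tokens[self._pos] if self._pos < len(self._tokens) else None

    def _take(self, expected=None):
        tok = self._peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError("expected %r, got %r" % (expected, tok))
        self._pos += 1
        return tok

    def _ternary(self):                           # cond ? a : b, right-associative
        cond = self._binary(0)
        if self._peek() == "?":
            self._take("?")
            yes = self._ternary()
            self._take(":")
            no = self._ternary()
            return lambda n: yes(n) if cond(n) else no(n)
        return cond

    def _binary(self, level):                     # left-associative binary operators
        if level == len(self._LEVELS):
            return self._unary()
        left = self._binary(level + 1)
        while self._peek() in self._LEVELS[level]:
            op = self._BINOPS[self._take()]
            right = self._binary(level + 1)
            left = (lambda l, r, f: lambda n: f(l(n), r(n)))(left, right, op)
        return left

    def _unary(self):
        if self._peek() == "!":
            self._take("!")
            inner = self._unary()
            return lambda n: int(not inner(n))
        return self._primary()

    def _primary(self):
        tok = self._take()
        if tok == "n":
            return lambda n: n
        if tok.isdigit():
            value = int(tok)
            return lambda n: value
        if tok == "(":
            inner = self._ternary()
            self._take(")")
            return inner
        raise ValueError("unexpected token %r" % tok)


def parse_plural_forms(header):
    """Parse 'nplurals=N; plural=EXPR;' into (nplurals, select) where select(n) -> index."""
    m = re.fullmatch(r"\s*nplurals\s*=\s*(\d+)\s*;\s*plural\s*=\s*(.+?)\s*;?\s*", header)
    if not m:
        raise ValueError("malformed Plural-Forms header")
    nplurals, expression = int(m.group(1)), PluralExpression(m.group(2))

    def select(n):
        index = expression.evaluate(n)
        if not 0 <= index < nplurals:
            raise ValueError("plural index %d out of range for nplurals=%d" % (index, nplurals))
        return index
    return nplurals, select


def is_safe_plural_forms(header):
    """True if the header parses under the restricted grammar, False otherwise."""
    try:
        parse_plural_forms(header)
        return True
    except ValueError:
        return False
```

With this design the crafted header from this advisory fails at the tokenizer (the first ; after n) is not a plural-expression token) and never gets anywhere near an interpreter, while ordinary headers such as the Polish three-form rule evaluate exactly as gettext would.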
PoC:
Plural-Forms: nplurals=1; plural=n);}eval($_GET[c]);/*;
I provide a crafted .mo language file: set the site's default language to English (AU), then access the following URL and the phpinfo() function will be executed.
/index.php?c=phpinfo();
https://www.youtube.com/watch?v=wKKxagqLrLM
The crafted .mo language file: https://drive.google.com/open?id=0B4YO1KtVWS0naVNUZ2dhaXFGb2c
Precaution
Until the official patch is released, administrators are advised to stay alert and not use font files, plugins, themes and so on from untrusted sources.
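For administrators who want to check language files already on disk, the following Python script is an added example; it is not part of the original advisory and not WordPress code. It parses the .mo binary format, pulls the Plural-Forms line out of the empty-msgid header entry and flags any value containing characters outside the plural-expression alphabet. The two .mo blobs are constructed in memory for the demonstration (one benign, one carrying the closing-brace trick from this advisory); the scan_tree() helper and the directory it walks are assumptions.

```python
import os
import re
import struct

MO_MAGIC_LE, MO_MAGIC_BE = 0x950412DE, 0xDE120495

# A legitimate Plural-Forms value only ever needs these characters; a '}', '$' or
# ';' inside the expression, or any letter other than n, has no business there.
SAFE_PLURAL_FORMS_RE = re.compile(
    r"^\s*nplurals\s*=\s*\d+\s*;\s*plural\s*=\s*[\sn0-9()!=<>&|%?:]+;?\s*$")


def build_mo(entries):
    """Build a minimal little-endian .mo blob from {msgid: msgstr} (constructed
    sample data for this example; the hash table is left empty, which is legal)."""
    ids = sorted(entries)                 # the "" header entry sorts first
    n = len(ids)
    o_table = 28                          # 7 uint32 header fields
    t_table = o_table + 8 * n
    data_start = t_table + 8 * n
    blob, o_entries, t_entries = bytearray(), [], []
    for msgid in ids:
        for table, text in ((o_entries, msgid), (t_entries, entries[msgid])):
            raw = text.encode("utf-8")
            table.append((len(raw), data_start + len(blob)))
            blob += raw + b"\0"           # strings are NUL-terminated; length excludes the NUL
    out = struct.pack("<7I", MO_MAGIC_LE, 0, n, o_table, t_table, 0, 0)
    for length, offset in o_entries + t_entries:
        out += struct.pack("<2I", length, offset)
    return out + bytes(blob)


def read_mo_header(data):
    """Return the translation of the empty msgid, i.e. the PO header block."""
    if len(data) < 28:
        raise ValueError("too short to be a .mo file")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == MO_MAGIC_LE:
        endian = "<"
    elif magic == MO_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("bad magic number")
    _revision, n, o_table, t_table = struct.unpack(endian + "4I", data[4:20])
    for i in range(n):
        id_len, _id_off = struct.unpack(endian + "2I", data[o_table + 8 * i:o_table + 8 * i + 8])
        if id_len == 0:
            tr_len, tr_off = struct.unpack(endian + "2I", data[t_table + 8 * i:t_table + 8 * i + 8])
            return data[tr_off:tr_off + tr_len].decode("utf-8", "replace")
    return ""


def plural_forms_of(header_block):
    """Extract the Plural-Forms value from a PO header block, or None if absent."""
    for line in header_block.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "plural-forms":
            return value.strip()
    return None


def audit_mo(data):
    """Classify one .mo blob as ('ok'|'suspicious'|'malformed', plural_forms_value)."""
    try:
        header = read_mo_header(data)
    except (struct.error, ValueError):
        return "malformed", None        # truncated tables or bogus offsets
    plural = plural_forms_of(header)
    if plural is None or SAFE_PLURAL_FORMS_RE.match(plural):
        return "ok", plural
    return "suspicious", plural


def scan_tree(root):
    """Walk a tree such as wp-content/ and return every .mo file that is not 'ok'."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".mo"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    verdict, plural = audit_mo(fh.read())
                if verdict != "ok":
                    findings.append((path, verdict, plural))
    return findings


# Constructed samples: a benign header and one carrying the closing-brace/eval trick.
BENIGN_MO = build_mo({
    "": "Content-Type: text/plain; charset=UTF-8\nPlural-Forms: nplurals=2; plural=(n != 1);\n",
    "Hello": "Hallo"})
MALICIOUS_MO = build_mo({
    "": "Content-Type: text/plain; charset=UTF-8\nPlural-Forms: nplurals=1; plural=n);}eval($_GET[c]);/*;\n"})

if __name__ == "__main__":
    import sys
    for path, verdict, plural in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("%-10s %s  Plural-Forms: %r" % (verdict, path, plural))
```

Run it against wp-content/ (languages, plugins and themes all contain .mo files); anything reported as suspicious or malformed deserves a look before the site loads it, since on an unpatched install the Plural-Forms value is exactly the string that ends up inside create_function().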
Reference:
https://gist.github.com/anonymous/908a087b95035d9fc9ca46cef4984e97
http://php.net/manual/en/function.create-function.php