WordPress CP Polls 1.0.8 Malicious File Download

2016.03.03
Credit: Joaquin Ramirez Martinez
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A
Dork: Index of /wp-content/plugins/cp-polls/

# Exploit Title: WordPress CP Polls 1.0.8 - Reflected file download (.bat file) # Date: 2016-02-22 # Google Dork: Index of /wp-content/plugins/cp-polls/ # Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ] # Plugin URI: http://wordpress.dwbooster.com/forms/cp-polls # Version: 1.0.8 # Demo: https://www.youtube.com/watch?v=uc6P59BPEkU ============= Description ============= With **CP Polls** you can publish a poll into a page/post and optionally display statistics of the results. You can receive email notifications every time a vote is added or opt to receive Excel reports periodically. The Polls can have dependant questions, this means that some questions are displayed depending of the selection made on other questions. (copy of README.txt) =================== Technical details =================== CP Polls plugin for wordpress is prone to file download issue. A hacker is able to attack an administrator by exploiting a CSRF in the 'change cp poll name' converting the downloadable report file (csv) to a malicious .bat file. Because there is not restriction in the cp poll name the CSRF exploit can change the name to ... malicious.bat; The semicolon (;) character must be restricted because the header 'Content-Disposition' uses this characteer as a parameter delimitation. For example, when we change the name of a cp poll to 'malicious.bat;' when an administrator download the report (thinking that is a csv file) the response header turns: "" Content-Disposition: attachment; file=malicious.bat;.csv "" the csv is ignored and the administrator gets a .BAT file So, how to exploit this vulnerability to execute commands on the victim's machine? Whe have an option. If the cp_poll is added in a post we can vote them and we can inject our malicious payload into a votation. ============================== Proof of Concept CSRF (html) ============================== https://www.youtube.com/watch?v=uc6P59BPEkU ========================== If the csrf attack is succesful, we only need to inject our commands in votations. In fieldnames post parameter we can inject our commands. ========== CREDITS ========== Vulnerability discovered by: Joaquin Ramirez Martinez [i0 security-lab] joaquin.ramirez.mtz.lab[at]gmail[dot]com https://www.facebook.com/I0-security-lab-524954460988147/ https://www.youtube.com/channel/UCe1Ex2Y0wD71I_cet-Wsu7Q ======== TIMELINE ======== 2016-02-10 vulnerability discovered 2016-02-22 reported to vendor 2016-03-01 released cp polls v1.0.9 2016-03-01 public disclousure

References:

https://www.facebook.com/I0-security-lab-524954460988147/
https://www.youtube.com/channel/UCe1Ex2Y0wD71I_cet-Wsu7Q
https://www.youtube.com/watch?v=uc6P59BPEkU


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top