Finding WordPress plugin vulnerabilities is like shooting fish in a barrel.  Like taking candy from a baby.  Like… you get the idea.  Quick wins are good wins and there’s nothing like easy remote code execution to put a smile on your face.  WordPress plugins are the gifts that keep on giving.

The internet runs on WordPress

With nearly a quarter of all websites on the internet using WordPress, attacks against WordPress are common.  Security consultant Iain Wallace (@strawp) decided to leverage all of that lovely attack surface by developing a tool called ZeroPress that uses a minimal effort/maximum impact approach to vulnerability identification.

Introducing ZeroPress

ZeroPress is designed to uncover previously unidentified high impact vulnerabilities.  Unlike more comprehensive static code analysis tools, ZeroPress attempts to find vulnerabilities by looking for simple patterns in files. For example, if a line of code contains something resembling HTML markup which is directly joined to a variable inside the $_GET array (containing request parameters) then there’s a reasonable chance that the line presents a Cross Site Scripting vulnerability. If a variable called $sql is being directly joined with a variable, there’s a good chance that the code is vulnerable to SQL injection.  WordPress plugins are often so riddled with flaws that this approach is still very effective; you just don’t need to be particularly cunning.

Zeropress

ZeroPress in action

One of the most serious vulnerabilities that a web application can suffer from is remote code execution, which allows an attacker to run their own code on the target. As with the XSS and SQLi checks, ZeroPress looks for function calls capable of executing code: exec, popen, passthru, etc. If these are being used with a variable then they are a good starting point for finding remote code execution vulnerabilities. If the offending line also contains a reference to the $_GET array then this could mean that users can supply input directly to the script in order for it to be executed on the server.

From ZeroPress to CVE

Here’s an example of what ZeroPress can help with, using the “Landing Pages” plugin as an example.  By using basic pattern matching and analysis, ZeroPress identified a rogue line of code – apparently accidentally left in the application path of the plugin – which contained the following:

$result = shell_exec('phantomjs --web-security=false --ssl-protocol=any server.js ' . $_GET['url'] );

The problem is obvious; arbitrary operating system commands can simply be appended to the url parameter in order for them to be executed by the web server.

The code existed in a script which was not protected by any authentication, i.e. it presented unauthenticated operating system level access to any attacker. This would result in not just the entire WordPress installation being compromised, but the web server as well. If this code was present on a corporate web server hosted on domain infrastructure, it would offer an easy to achieve foothold on the internal network.

This issue was present in versions 1.8.8 to 1.9.0 of the “Landing Pages” plugin and has now been resolved in the current version. We advise all users of the “Landing Pages” plugin to upgrade to version 1.9.2 or above.

This vulnerability shows that even by taking a “dumb” approach to finding security vulnerabilities, the WordPress plugin ecosystem can still readily provide examples of dangerous coding errors.

Download ZeroPress

You can download the latest version of ZeroPress from here:

github GitHub: https://github.com/nettitude/zeropress