Overview:
On 1st September 2020, researchers at Wordfence published a blog post about a remote code execution vulnerability in the WordPress File Manager plugin. Successful exploitation allows unauthenticated remote attackers to execute commands and upload malicious files and web shells to a target website. The vulnerability currently has no CVE assigned; it has a CVSSv3 score of 10.0 and its severity is marked as Critical.
Description:
The File Manager plugin allows website admins to edit, delete and upload files and folders directly from the back-end without having to use FTP. According to the researchers, the vulnerability stems from an open-source file manager library, elFinder, which the plugin bundles. The library's connector.minimal.php-dist file had been renamed to a .php extension, making it directly executable, so anyone could reach it and execute elFinder commands via a function in elFinderConnector.class.php.
As the researchers describe it, the connector.minimal.php-dist file could be used to initiate an elFinder command and was hooked to the elFinderConnector.class.php file:
// run elFinder
$connector = new elFinderConnector(new elFinder($opts));
$connector->run();
Source: wordfence.com
Any parameters sent in a request to connector.minimal.php were processed by the run() function in the elFinderConnector.class.php file, including the command supplied in the cmd parameter:
public function run()
{
    $isPost = $this->reqMethod === 'POST';
    // Request input is merged from $_GET and $_POST for POST requests
    $src = $isPost ? array_merge($_GET, $_POST) : $_GET;
    $maxInputVars = (!$src || isset($src['targets'])) ? ini_get('max_input_vars') : null;
    if ((!$src || $maxInputVars) && $rawPostData = file_get_contents('php://input')) {
        // for max_input_vars and supports IE XDomainRequest()
        $parts = explode('&', $rawPostData);
        if (!$src || $maxInputVars < count($parts)) {
            $src = array();
            foreach ($parts as $part) {
                list($key, $value) = array_pad(explode('=', $part), 2, '');
                $key = rawurldecode($key);
                if (preg_match('/^(.+?)\[([^\[\]]*)\]$/', $key, $m)) {
                    $key = $m[1];
                    $idx = $m[2];
                    if (!isset($src[$key])) {
                        $src[$key] = array();
                    }
                    if ($idx) {
                        $src[$key][$idx] = rawurldecode($value);
                    } else {
                        $src[$key][] = rawurldecode($value);
                    }
                } else {
                    $src[$key] = rawurldecode($value);
                }
            }
            $_POST = $this->input_filter($src);
            $_REQUEST = $this->input_filter(array_merge_recursive($src, $_REQUEST));
        }
    }
    if (isset($src['targets']) && $this->elFinder->maxTargets && count($src['targets']) > $this->elFinder->maxTargets) {
        $this->output(array('error' => $this->elFinder->error(elFinder::ERROR_MAX_TARGTES)));
    }
    // The elFinder command to run is taken directly from the request's cmd parameter
    $cmd = isset($src['cmd']) ? $src['cmd'] : '';
    $args = array();
Source: wordfence.com
Attackers can exploit this vulnerability by sending a specially crafted request to the connector.minimal.php file. Successful exploitation would allow unauthenticated attackers to execute commands and upload malicious files and web shells to a target website.
A proof of concept (PoC) exploit for this vulnerability was published in a GitHub repository. With the plugin installed on over 700,000 active WordPress websites, the vulnerability is being actively exploited in the wild.
Affected Versions:
File Manager plugin 6.0-6.8
Remediation:
The vendor has released a patch to address this vulnerability. Customers are advised to update the File Manager plugin to version 6.9.
Detection:
Qualys customers can scan their network with QID 13966 to detect vulnerable assets. Please continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities.
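Because run() reads the elFinder command straight from the cmd parameter of any request reaching connector.minimal.php, web-server access logs are a practical place to hunt for exploitation attempts alongside the scan above. The following script is an added example, not Qualys's or Wordfence's code; it assumes the Apache/nginx combined log format and the plugin's connector path wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php, and the log lines are constructed samples.

```python
"""Hunt access logs for requests to the File Manager elFinder connector."""
import re
from urllib.parse import urlparse, parse_qs

# Combined log format: ip - - [date] "METHOD path HTTP/x" status size "ref" "ua"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

CONNECTOR = "connector.minimal.php"  # assumed path fragment of the exposed file
# elFinder commands that write to the volume; any of these reaching the
# connector from an unauthenticated client matches the exploitation pattern.
WRITE_CMDS = {"upload", "mkfile", "mkdir", "put", "rename", "rm", "paste", "extract"}

def classify(line):
    """Return a finding dict for a connector request, or None for other lines."""
    m = LOG_RE.match(line)
    if not m or CONNECTOR not in m["path"]:
        return None
    cmd = parse_qs(urlparse(m["path"]).query).get("cmd", [""])[0]
    # A POST without cmd in the query string carried it in the body, which the
    # access log does not record, so flag it for review rather than call it benign.
    if m["method"] == "POST" and not cmd:
        severity = "review"
    elif cmd in WRITE_CMDS:
        severity = "high"
    else:
        severity = "low"
    return {"ip": m["ip"], "method": m["method"], "cmd": cmd or None,
            "status": int(m["status"]), "severity": severity}

def hunt(lines):
    """Run classify() over an iterable of log lines and keep the findings."""
    return [f for f in (classify(line) for line in lines) if f]

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Sep/2020:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [05/Sep/2020:10:01:05 +0000] "POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php?cmd=upload HTTP/1.1" 200 77 "-" "python-requests/2.24"',
    '203.0.113.9 - - [05/Sep/2020:10:01:09 +0000] "POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1" 200 77 "-" "python-requests/2.24"',
    '198.51.100.2 - - [05/Sep/2020:10:02:00 +0000] "GET /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php?cmd=open&init=1 HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

A "high" hit from an IP that never authenticated to wp-login.php, or any hit on an unpatched 6.0-6.8 install, warrants checking the upload directory for newly written PHP files.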
References:
https://wordpress.org/plugins/wp-file-manager/advanced/
https://github.com/w4fz5uck5/wp-file-manager-0day
https://www.wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/