Seven months ago, security experts discovered a critical file deletion vulnerability that affects all WordPress versions, currently, the issue is still unpatched.
The vulnerability could be exploited to complete takeover of the websites running the popular CMS and gain arbitrary code execution. The issue is severe if we consider the potential impact, WordPress is the most popular CMS and according to w3tech, it is used by approximately 30% of all websites
A pre-requisite to exploit the vulnerability is that the attacker would have to gain privileges to edit and delete media files. The vulnerability cannot be exploited in massive attacks because it requires a user account.
“The vulnerability was reported 7 months ago to the WordPress security team but still remains unpatched.” reads a blog post published by RIPS Technologies.
“Thus, the vulnerability can be used to escalate privileges attained through the takeover of an account with a role as low as Author, or through the exploitation of another vulnerability/misconfiguration,”
An attacker could exploit the file deletion vulnerability to delete any file of the WordPress installation, as well as any other file on the server on which the PHP process user has the proper permissions to delete.
An arbitrary file deletion flaw occurs when it is possible to pass unsanitized input to a file deletion function.
In PHP an arbitrary file deletion occurs when the unlink() function is called and user input can affect parts of or the whole parameter $filename, which is the path of the file to delete, without undergoing proper sanitization.
The flaw resides in the WordPress Core, the code to trigger it was found in the wp-includes/post.php file:
In the wp_delete_attachement() function the content of $meta[‘thumb’] is used to invoke the unlink() without undergoing any sanitization.
The purpose of this snippet of code is to delete the thumbnail of an image alongside its deletion.
The exploitation of the flaw could allow the deletion of the entire WordPress installation and could allow circumventing security measures to execute arbitrary code on the server.
The experts highlighted that the attacker can delete the following files:
- .htaccess that could include in some occasions security-related constraints (e.g., access constraints to some folders).
- index.php files used to prevent the attacker listing files in WordPress folders.
- wp-config.php that contains the database credentials.
RIPS Technologies reported the vulnerability to WordPress in November 2017, through the bug bounty program via HackerOne, even if the WordPress team estimated the availability of a patch in six months, no fix has been released to date.
The experts published a video PoC of the attack showing how to delete the wp-config.php file in order to trigger the WordPress installation process on the next visit to the website. The WordPress install acts as if it hasn’t been installed yet and the attacker could abuse this status to execute arbitrary code.
“Deleting this file of a WordPress installation would trigger the WordPress installation process on the next visit to the website. This is due to the fact that wp-config.php contains the database credentials, and without its presence, WordPress acts as if it hasn’t been installed yet.” continue the analysis. “An attacker could delete this file, undergo the installation process with credentials of his choice for the administrator account and, finally, execute arbitrary code on the server.”
The researchers provided a hotfix that can be integrated by admins into existing WordPress installations by adding it to the functions.php file of the active theme.
The fix checks that the data provided for the meta-value thumb does not contain code that would make path traversal possible, in this way the attacker cannot delete any file.
“The provided fix shall ultimately be seen as a temporary fix in order to prevent attacks. We cannot oversee all possible backwards compatibility problems with WordPress plugins and advise to make any modifications to your WordPress files with caution,” RIPS Technologies concludes.
(Security Affairs – file deletion vulnerability, hacking)