
WordPress Arbitrary File Deletion Vulnerability Exploit

Exploiting this vulnerability lets an attacker delete any file of the WordPress installation (and any other file on the server that the PHP process user has permission to delete). Besides erasing the whole WordPress installation, which can have disastrous consequences if no current backup is available, an attacker can use arbitrary file deletion to circumvent some security measures and to execute arbitrary code on the web server.

The experts published a video PoC of the attack showing how to delete the wp-config.php file in order to trigger the WordPress installation process on the next visit to the website. The WordPress install acts as if it hasn’t been installed yet and the attacker could abuse this status to execute arbitrary code.

RIPS Technologies reported the vulnerability to WordPress in November 2017 through the bug bounty program on HackerOne. Although the WordPress team estimated that a patch would be available in six months, no fix has been released to date.

“The vulnerability was reported 7 months ago to the WordPress security team but still remains unpatched,” reads a blog post published by RIPS Technologies. “Thus, the vulnerability can be used to escalate privileges attained through the takeover of an account with a role as low as Author, or through the exploitation of another vulnerability/misconfiguration.”

Temporary Hotfix

The described vulnerability remains unpatched in the WordPress core at the time of publication. Because of this, a temporary fix has been developed and is provided in the snippet below. It can be integrated into an existing WordPress installation by adding it to the functions.php file of the currently active theme or child theme.

add_filter( 'wp_update_attachment_metadata', 'rips_unlink_tempfix' );

// Runs whenever attachment metadata is saved. The 'thumb' value is later used
// to build the path of a file that gets deleted, so stripping every directory
// component from it leaves only a file name and removes the traversal vector.
function rips_unlink_tempfix( $data ) {
    if( isset($data['thumb']) ) {
        $data['thumb'] = basename($data['thumb']);
    }

    return $data;
}

All the provided hotfix does is hook into the wp_update_attachment_metadata filter and make sure that the data provided for the meta value thumb does not contain any path components that would make path traversal possible. Thus, no security-relevant files can be deleted.

The provided fix should ultimately be seen as a temporary measure to prevent attacks. Its author cannot foresee all possible backwards-compatibility problems with WordPress plugins and advises making any modifications to your WordPress files with caution.

Read the full report here – https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/





Duncan

Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
