Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2020-36728: Critical Vulnerabilities Patched in Adning Advertising Plugin

The Adning Advertising plugin for WordPress is vulnerable to file deletion via path traversal in versions up to, and including, 1.5.5. This allows unauthenticated attackers to delete arbitrary files which can be used to reset and gain full control of a site.

CVE
#vulnerability#web#js#wordpress#intel#php#rce#auth

On June 24, 2020, our Threat Intelligence team was made aware of a possible vulnerability in the Adning Advertising plugin, a premium plugin with over 8,000 customers. We eventually discovered 2 vulnerabilities, one of which was a critical vulnerability that allowed an unauthenticated attacker to upload arbitrary files, leading to Remote Code Execution(RCE), which could allow complete site takeover.

The next day, on June 25, 2020, we privately disclosed these vulnerabilities to the plugin’s author, Tunafish. A patched version was made available in less than 24 hours, on June 26, 2020. We strongly recommend updating to the latest version of this plugin, 1.5.6, immediately.

Wordfence Premium users received a firewall rule protecting against these vulnerabilities on June 25, 2020. Users still running the free version of Wordfence will receive this rule on July 25, 2020.

After monitoring attacks against this firewall rule, we determined that, although these vulnerabilities were being attacked in the wild, the attacks were extremely limited in scope and scale. As such we withheld details from public disclosure for a short period of time to allow users time to update and prevent more widespread exploitation.

Description: Unauthenticated Arbitrary File Upload leading to Remote Code Execution
Affected Plugin: Adning Advertising
Plugin Slug: angwp
Affected Versions: < 1.5.6
CVE ID: N/A
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSS score: 10.0(critical)
Patched Version: 1.5.6

One functionality of the Adning plugin is to allow users to upload banner images. In order to provide this functionality, it used an AJAX action, ning_upload_image. Unfortunately this AJAX action was available with a nopriv hook, meaning that any visitor to the site could make use of it, even if they were not logged in. Additionally, the function called by this AJAX action also failed to make use of a capability check or a nonce check.

public static function \_ning\_upload\_image()
{
    $\_action = isset($\_POST\['action'\]) ? $\_POST\['action'\] : '';
    $user\_id = isset($\_POST\['uid'\]) ? $\_POST\['uid'\] : 0;
    $banner\_id = isset($\_POST\['bid'\]) ? $\_POST\['bid'\] : 0;
    $max\_upload\_size = isset($\_POST\['max\_upload\_size'\]) ? $\_POST\['max\_upload\_size'\] : 100;
    $upload = isset($\_POST\['upload'\]) ?  json\_decode(stripslashes($\_POST\['upload'\]), true) : array();
    $valid\_formats = isset($\_POST\['allowed\_file\_types'\]) ? explode(',', $\_POST\['allowed\_file\_types'\]) : array('jpg');
    if( in\_array('jpg', $valid\_formats) )
    {
        $valid\_formats\[\] = 'jpeg';
    }
    
    //$max\_file\_size = 1024\*100; //100 kb
    //$max\_file\_size = 1024000\*15; // 15 MB (1 mb = 1000 kb)
    $max\_file\_size = 1024000\*$max\_upload\_size;
    
    //$upload\_path = $upload\_dir.'/'.$upload\_folder;
    //$upload\_path = $upload\_path.$upload\_folder;
    $upload\_path = $upload\['dir'\].$upload\['folder'\];
    $count = 0;

    // Create upload folder if not exists
    if(!is\_dir($upload\_path)) {
        mkdir($upload\_path, 0777, true);
    }

    if(!empty($\_FILES\['files'\])) 
    {
        $upload\_success = false;
        $upload\_error = '';
        $uploaded\_files = array();
        $unzip\_error = array();

        // Loop $\_FILES to execute all files
        foreach ($\_FILES\['files'\]\['name'\] as $f => $name) 
        {     
            if ($\_FILES\['files'\]\['error'\]\[$f\] == 4) 
            {
                continue; // Skip file if any error found
            }          
            if ($\_FILES\['files'\]\['error'\]\[$f\] == 0) 
            {              
                if ($\_FILES\['files'\]\['size'\]\[$f\] > $max\_file\_size) 
                {
                    $upload\_error = $name. " is too large!";
                    continue; // Skip large files
                }
                elseif( !in\_array(pathinfo($name, PATHINFO\_EXTENSION), $valid\_formats) )
                {
                    $upload\_error = $name." is not a valid format";
                    continue; // Skip invalid file formats
                }
                else
                { 
                    // No error found! Move uploaded files 
                    if(move\_uploaded\_file($\_FILES\["files"\]\["tmp\_name"\]\[$f\], $upload\_path.$name)){
                        $count++; // Number of successfully uploaded file
                        $src = $upload\['src'\].$upload\['folder'\].$name;

                        // Copy image to banner folder
                        /\*if(!empty($banner\_id))
                        {
                            if(!is\_dir($upload\_dir.'/'.$banner\_folder)) {
                                mkdir($upload\_dir.'/'.$banner\_folder, 0777, true);
                            }
                            copy($path.$name, $upload\_dir.'/'.$banner\_folder.$name);
                        }\*/

                        $uploaded\_files\[\] = array(
                            'name' => $name, 
                            'size' => $\_FILES\['files'\]\['size'\]\[$f\],
                            'upload' => $upload,
                            'path' => $upload\_path.$name,
                            'src' => $src,
                            'grid\_item' => '<div class="grid-item" data-src="'.$src.'" data-use="path"><img src="'.$src.'" /><div class="info\_btn" data-info="'.basename($src).'"><svg viewBox="0 0 448 512" style="height:18px;border-radius:2px;"><path fill="currentColor" d="M400 32H48C21.49 32 0 53.49 0 80v352c0 26.51 21.49 48 48 48h352c26.51 0 48-21.49 48-48V80c0-26.51-21.49-48-48-48zm-176 86c23.196 0 42 18.804 42 42s-18.804 42-42 42-42-18.804-42-42 18.804-42 42-42zm56 254c0 6.627-5.373 12-12 12h-88c-6.627 0-12-5.373-12-12v-24c0-6.627 5.373-12 12-12h12v-64h-12c-6.627 0-12-5.373-12-12v-24c0-6.627 5.373-12 12-12h64c6.627 0 12 5.373 12 12v100h12c6.627 0 12 5.373 12 12v24z" class=""></path></svg></div></div>',
                            'uid'  => $user\_id,
                            'action'  => $\_action
                        );
                        
                        
                        if( pathinfo($name, PATHINFO\_EXTENSION) == 'zip')
                        {
                            $zipfile = array(
                                'name' => $\_FILES\['files'\]\['name'\]\[$f\],
                                'type' => $\_FILES\['files'\]\['type'\]\[$f\],
                                'tmp\_name' => $\_FILES\['files'\]\['tmp\_name'\]\[$f\],
                                'error' => $\_FILES\['files'\]\['error'\]\[$f\],
                                'size' => $\_FILES\['files'\]\['size'\]\[$f\],
                            );
                            
                            $unzip\_error = self::upload\_and\_unzip($zipfile, array('folder' => $upload\['folder'\], 'path' => $upload\_path, 'src' => $upload\['src'\]));
                        }
                    }
                    else
                    {
                        $upload\_error = is\_writable($upload\_path) ? 'Could not move files.' : 'Folder is not writable.';
                    }
                }
            }
        }

        if(count($uploaded\_files) > 0){
            $upload\_success = true;
        }

        echo json\_encode(array("chk" => $\_FILES\['files'\], "unzip" => $unzip\_error, "upload" => $upload, "success" => $upload\_success, "files" => json\_encode($uploaded\_files), "error" => $upload\_error));
    }else{
        echo 'no files found.';
    }
    exit;
}

This function also allowed the user to supply the “allowed” file types. As such it was possible for an unauthenticated attacker to upload malicious code by sending a POST request to wp-admin/admin-ajax.php with the action parameter set to _ning_upload_image the allowed_file_types set to php, and a files parameter containing a malicious PHP file. Alternatively, an attacker could set the allowed_file_types to zip and upload a compressed archive containing a malicious PHP file, which would be unzipped after upload. It was also possible for an attacker to change the upload directory by manipulating the contents of the upload parameter – if the desired directory did not exist, the plugin would create it.

Description: Unauthenticated Arbitrary File Deletion via path traversal
Affected Plugin: Adning Advertising
Plugin Slug: angwp
Affected Versions: < 1.5.6
CVE ID: N/A
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H
CVSS score: 8.7(high)
Patched Version: 1.5.6

In order to delete any uploaded images, the plugin also registered another ajax action, ning_remove_image, which also used a nopriv hook. As with the upload vulnerability, this function did not perform a capability check or a nonce check. As such it was possible for an unauthenticated attacker to delete arbitrary files using path traversal.

If an attacker were able to delete wp-config.php, the site would be reset, and an attacker could then set it up again and point it to a remote database under their control, effectively replacing the site’s content with their own content.

public static function \_ning\_remove\_image()
{
    $upload = wp\_upload\_dir();
    $upload\_dir = $upload\['basedir'\];
    $upload\_url = $upload\['baseurl'\];
    $upload\_folder = self::$upload\_folder.$\_POST\['uid'\].'/';   

    $path = $upload\_dir.'/'.$upload\_folder.basename($\_POST\['src'\]);
    $removed = 0;

    if(unlink($path)){
        $remove = 1;
    }
    echo $remove;

    exit;
}

This attack might require an extra step of preparation, which is that the wp-content/uploads/path folder would need to exist. However, since the previously mentioned arbitrary file upload vulnerability allowed for directory creation, this was not a major obstacle. Once the directory was created, an attacker could send a POST request to wp-admin/admin-ajax.php with the action parameter set to _ning_remove_image, the uid parameter set to /…/…/… and the src parameter set to wp-config.php.

Timeline

June 24, 2020 – Wordfence Threat Intelligence receives a report of a compromised website running the Adning plugin. During our investigation, we discovered two vulnerabilities.
June 25, 2020 – Firewall rule released for Premium Wordfence users. We make initial contact with plugin’s author and send full disclosure after receiving a response.
June 26, 2020 – Plugin’s author releases a patch.
July 25, 2020 – Firewall rule becomes available to Wordfence free users.

Conclusion

In today’s post, we discussed two vulnerabilities in the Adning Advertising plugin which could allow an attacker to completely take over a website. These flaws have been fully patched in version 1.5.6. If you are running this plugin, it is critical that you updated to this version as soon as possible. Sites running Wordfence Premium have been protected against these vulnerabilities since June 25, 2020, while sites still using the free version of Wordfence will receive the firewall rule on July 25, 2020.

Special Thanks to Tunafish, the author of the Adning Advertising plugin, for their excellent and timely response in releasing a patch.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907