
CVE-2020-35489 - nonsense, or am I doing it wrong?

paulmuller

nuclei, for example, classifies this as a critical vulnerability:

[attached screenshot: nuclei output]


I decided to test it myself and got the same result as a commenter at: https://blog.wpsec.com/contact-form-7-vulnerability/

Quoting his comment:

The PoC does not work in a test setup here. I installed the old version because a client has the old plugin on a forgotten site of theirs, but it doesn’t seem like this could ever work, at least not with something simple like a tab, newline, or null byte between the two extensions. I used a default setup (I basically did apt install wordpress and installed the plugin, no other config set).

– The upload directory has a ‘deny to all’ htaccess file, so the exploit php script could never be run by any web user.

– If we changed the uploads directory for some reason: the file is removed in the same request, presumably after emailing the admin (not that I receive an email because I didn’t configure an smtp server). Could you race it? No because it uses a random 10-digit directory name (brute-forceable offline perhaps, but over the network within about a millisecond is very implausible).

– Pretending the above is not an obstacle (I die() the request after processing so that the file is not removed): wp_unique_filename() is called which calls sanitize_file_name() which replaces \t with a harmless hyphen (-). This WordPress code hasn’t changed since the WP version that was current at the time that this blog post was released.

– Pretending the above is not an obstacle (I commented out the wp_unique_filename function): it will just write the special character literally to the filesystem, so you end up with an uploaded file named exploit.php\t.png, which the web server would not run through the PHP interpreter (i.e. it’s not executable). Alternatively, with a null byte which would be illegal on the filesystem, the hardcoded filename whitelist will trigger because exploit.php\0.png matches /\.php/i (namely in wpcf7_antiscript_file_name()).

I am left wondering whether this vulnerability was ever real, or under what circumstances this could have been exploitable. Perhaps I’m not thinking of the right character, i.e. the blog post above is purposefully broken to thwart script kiddies and the magic character is not as simple as \t or \0 (maybe some unicode confusion, I don’t know), but even then there are multiple obstacles to this actually working.

Was this ever real? If yes, can you at least confirm that the “proof” of concept above will indeed not work and I’m not simply being stupid here? (Or even better, share the real proof of concept, since it has been more than six months now, though I understand if you think there are still too many active installs.)

Hence the question: is this a made-up CVE, or am I still missing something?
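To make the extension-check part of the argument concrete, here is an added Python model of the per-token extension check the quoted comment refers to as wpcf7_antiscript_file_name(). It is my own reconstruction written for this thread, not the plugin's code: the split-on-dot logic and the script-extension pattern are assumptions to verify against the plugin source, and the "post-fix" variant assumes, from my recollection of the 5.3.2 changeset, that the fix strips Unicode control (\pC) and separator (\pZ) characters before the check. It models only that one function; the .htaccess, the immediate deletion and whether Apache would ever execute such a name remain the separate obstacles discussed above.

```python
import re
import unicodedata

# Tokens treated as script extensions (reconstruction of the plugin's pattern,
# assumed; verify against wpcf7_antiscript_file_name() in the real source).
SCRIPT_EXT = re.compile(r"^(php|phtml|pl|py|rb|cgi|asp|aspx)\d?$", re.I)


def antiscript_pre_fix(filename: str) -> str:
    r"""Model of the pre-5.3.2 check: split on '.', append '_' to any inner
    token that looks like a script extension, and turn a script-like final
    extension into 'ext_.txt'. Each token is tested whole, so the token
    'php\t' is not 'php' and passes through untouched."""
    parts = filename.split(".")
    if len(parts) < 2:
        return filename
    head, *middle, ext = parts
    out = head
    for part in middle:
        out += "." + part + ("_" if SCRIPT_EXT.match(part) else "")
    out += "." + ext + ("_.txt" if SCRIPT_EXT.match(ext) else "")
    return out


def strip_control_and_separators(filename: str) -> str:
    r"""Python equivalent of PCRE's [\pC\pZ]: drop every character whose
    Unicode general category starts with C (control, format, unassigned,
    surrogate, private use) or Z (space, line and paragraph separators).
    Tabs, NULs and NBSPs all go; so do ordinary spaces."""
    return "".join(
        ch for ch in filename if unicodedata.category(ch)[0] not in ("C", "Z")
    )


def antiscript_post_fix(filename: str) -> str:
    """Model of the hardened check: normalise the name first, then run the
    same per-token test, so a control character can no longer split the
    'php' token into something the pattern does not recognise."""
    return antiscript_pre_fix(strip_control_and_separators(filename))


def compare(filename: str) -> dict:
    """Side-by-side result for one candidate upload name."""
    return {
        "input": filename,
        "pre_fix": antiscript_pre_fix(filename),
        "post_fix": antiscript_post_fix(filename),
    }


if __name__ == "__main__":
    # Constructed candidates, including the double-extension-with-tab case
    # the quoted comment talks about.
    for name in ("photo.jpeg", "shell.php", "exploit.php.png", "exploit.php\t.png"):
        print(compare(name))
```

Running it shows the whole disagreement in one line: "exploit.php.png" is renamed to "exploit.php_.png" by both variants, while "exploit.php\t.png" survives the pre-fix check unchanged and only the post-fix variant reduces it to "exploit.php_.png". Stripping \pZ also removes ordinary spaces from user filenames, which is a visible side effect worth knowing about if you apply the same normalisation elsewhere.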
 
But I'm not talking about detection.
I don't see the point of this CVE. Take, for one, the fact that the plugin deletes the uploaded file right after the upload. How do you stop the deletion? You'd have to force the plugin not to delete the uploaded file, but how?

Code:
public function add_uploaded_file( $name, $file_path ) {
    if ( ! wpcf7_is_name( $name ) ) {
        return false;
    }
    if ( ! @is_file( $file_path ) or ! @is_readable( $file_path ) ) {
        return false;
    }
    $this->uploaded_files[$name] = $file_path;
    if ( empty( $this->posted_data[$name] ) ) {
        $this->posted_data[$name] = md5_file( $file_path );
    }
}

public function remove_uploaded_files() { //// <<<<<<<<<<<<<<<<<<<<<<<<  HERE
    foreach ( (array) $this->uploaded_files as $name => $path ) {
        wpcf7_rmdir_p( $path );
        if ( $dir = dirname( $path )
        and false !== ( $files = scandir( $dir ) )
        and ! array_diff( $files, array( '.', '..' ) ) ) {
            // remove parent dir if it's empty.
            rmdir( $dir );
        }
    }
}

Next, how am I supposed to find the directory with the uploaded file, given that it is uploaded into a random directory, even if it is under wp-content/uploads?

And then, why would Apache execute files in the uploads directory at all, let alone a script whose extension contains a special character, e.g. exploit.php\0x0?

Which of the CVE's authors actually managed to exploit such a critical vuln?
 
I found a lot of these also.

Sample:
Code:
[CVE-2020-35489] [http] [critical] https://dev.allbarnone.ie/wp-content/plugins/contact-form-7/readme.txt [5.1.4]
[CVE-2020-35489] [http] [critical] https://www.allglass.ie/wp-content/plugins/contact-form-7/readme.txt [5.0.2]
[CVE-2020-35489] [http] [critical] https://www.blueberryhearing.ie/wp-content/plugins/contact-form-7/readme.txt [5.1.4]
[CVE-2020-35489] [http] [critical] https://www.buttevantmedicalcentre.ie/wp-content/plugins/contact-form-7/readme.txt [5.1.6]
[CVE-2020-35489] [http] [critical] https://www.conormcdonnell.ie/wp-content/plugins/contact-form-7/readme.txt [5.1.5]
[CVE-2020-35489] [http] [critical] https://www.cuddydentistsgalway.ie/wp-content/plugins/contact-form-7/readme.txt [5.3.1]
[CVE-2020-35489] [http] [critical] https://www.irishmarketingjournal.ie/wp-content/plugins/contact-form-7/readme.txt [5.3.1]
[CVE-2020-35489] [http] [critical] https://www.louiseyres.ie/wp-content/plugins/contact-form-7/readme.txt [4.3]
[CVE-2020-35489] [http] [critical] https://www.michaelodoherty.ie/wp-content/plugins/contact-form-7/readme.txt [5.1.4]
[CVE-2020-35489] [http] [critical] https://www.otoliftstairlifts.ie/wp-content/plugins/contact-form-7/readme.txt [4.0.2]
[CVE-2020-35489] [http] [critical] https://www.petrapsychologist.ie/wp-content/plugins/contact-form-7/readme.txt [5.1.1]
[CVE-2020-35489] [http] [critical] https://www.redemptoristsdundalk.ie/wp-content/plugins/contact-form-7/readme.txt [4.4.2]
[CVE-2020-35489] [http] [critical] https://www.smartbuyglasses.ie/wp-content/plugins/contact-form-7/readme.txt [5.1.9]
[CVE-2020-35489] [http] [critical] https://www.squarecube.ie/wp-content/plugins/contact-form-7/readme.txt [5.1.7]
[CVE-2020-35489] [http] [critical] https://www.theyogahub.ie/wp-content/plugins/contact-form-7/readme.txt [5.2.1]
[CVE-2020-35489] [http] [critical] https://www.tyrecare.ie/wp-content/plugins/contact-form-7/readme.txt [5.3]
[CVE-2020-35489] [http] [critical] https://www.warriorwavesyoga.ie/wp-content/plugins/contact-form-7/readme.txt [5.2.2]
[CVE-2020-35489] [http] [critical] https://www.zozimusbar.ie/wp-content/plugins/contact-form-7/readme.txt [5.1.7]
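The hits above are a version fingerprint: the template fetches the plugin's readme.txt, reads the Stable tag and reports everything below the fixed release, nothing more. The following Python triage helper is an added example for this thread, not nuclei's code and not the plugin's; it assumes 5.3.2 as the first fixed release (check the plugin changelog), parses nuclei's text output format as shown above, and re-does the version comparison on constructed sample input so that hits whose advertised version is already at or past the fix can be dropped before anyone spends time on them.

```python
import re
from typing import Dict, List, Optional

# CVE-2020-35489 is assumed fixed in Contact Form 7 5.3.2; verify against the
# plugin changelog. Everything below is a version comparison, not an exploit.
FIXED_IN = "5.3.2"

# One nuclei text-output line: [template-id] [protocol] [severity] url [extracted]
NUCLEI_LINE = re.compile(
    r"^\[(?P<id>[^\]]+)\] \[(?P<proto>[^\]]+)\] \[(?P<sev>[^\]]+)\] "
    r"(?P<url>\S+)(?: \[(?P<ver>[^\]]+)\])?$"
)

# Constructed sample of a plugin readme.txt header, not fetched from any site.
SAMPLE_README = """=== Contact Form 7 ===
Contributors: takayukister
Tags: contact, form, email
Requires at least: 5.5
Tested up to: 5.6
Stable tag: 5.1.4
License: GPLv2 or later
"""

# Constructed sample output on example.com hosts. The two higher versions are
# there only to exercise the comparison; a real scan would not print them.
SAMPLE_OUTPUT = """\
[CVE-2020-35489] [http] [critical] https://old.example.com/wp-content/plugins/contact-form-7/readme.txt [5.1.4]
[CVE-2020-35489] [http] [critical] https://new.example.com/wp-content/plugins/contact-form-7/readme.txt [5.3.2]
[CVE-2020-35489] [http] [critical] https://odd.example.com/wp-content/plugins/contact-form-7/readme.txt [5.10]
"""


def parse_version(v: str) -> tuple:
    """'5.1.4' -> (5, 1, 4). Tuple comparison gets 5.10 > 5.3 right, which a
    plain string comparison would not."""
    return tuple(int(p) for p in v.strip().split("."))


def stable_tag(readme: str) -> Optional[str]:
    """Pull the 'Stable tag:' value out of a WordPress plugin readme.txt."""
    m = re.search(r"^Stable tag:\s*([0-9][0-9.]*)\s*$", readme, re.M | re.I)
    return m.group(1) if m else None


def version_flagged(version: str, fixed: str = FIXED_IN) -> bool:
    """True when the advertised version predates the fix. That is the entire
    depth of evidence a readme-based template has: it says nothing about the
    upload directory, its .htaccess, or whether any form has a file field."""
    return parse_version(version) < parse_version(fixed)


def triage(output: str) -> List[Dict]:
    """Parse nuclei lines and re-check each extracted version."""
    rows = []
    for line in output.splitlines():
        m = NUCLEI_LINE.match(line.strip())
        if not m:
            continue
        ver = m.group("ver")
        rows.append({
            "url": m.group("url"),
            "version": ver,
            "flagged": version_flagged(ver) if ver else False,
        })
    return rows


if __name__ == "__main__":
    print("readme stable tag:", stable_tag(SAMPLE_README))
    for row in triage(SAMPLE_OUTPUT):
        print(row)
```

A line that survives this filter still only tells you the readme advertises an old version; confirming exposure means checking the upload directory protections and the file handling the thread discusses, not trusting the "critical" label.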
 

