slavco
Jun 3 · 2 min read

Repetitio est mater studiorum

and it is that way, but when we talk about infosec, it isn't good practice. Today I'm going to write about a bug (0day RCE in WooCommerce) almost the same as the ones that were fixed here and here. From my experience with the tech people behind WooCommerce/WordPress, my conclusion from past observations, that the team never checks or understands the impact or the root cause of already reported bugs, seems to be true.

The Bug

The issue is in woocommerce/includes/class-wc-post-data.php, in the edited_term method on line 169, and it is the following DB query:

  "UPDATE {$wpdb->postmeta} SET meta_value = REPLACE( meta_value, %s, %s ) WHERE meta_key = '_default_attributes'",
  serialize( self::$editing_term->taxonomy ) . serialize( self::$editing_term->slug ),
  serialize( $edited_term->taxonomy ) . serialize( $edited_term->slug )

As we can see, the serialized content (the meta value) is modified outside the meta API routines: the REPLACE rewrites the serialized bytes without adjusting the length prefixes of the strings around them, so the stored value can then unserialize into something other than what was originally written. This results in RCE in WooCommerce from the shop manager user role by default, but the attack could also be performed from the contributor user role (a contributor can plant the evil payload, and an action by a shop manager then makes the exploit effective), due to the nature of WordPress as a PHP/MySQL application.

How to verify the issue

  • Install the latest versions of WP & Woo
  • Create the product attribute test
  • Click Configure terms and create the new term bazinga
  • Create a postmeta DB entry (any post_id) with meta_key _default_attributes and meta_value [any_data_here]s:4:"test";s:7:"bazinga";[any_data_here]
  • Edit the term slug bazinga into anything
  • Check the _default_attributes meta value
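To make the root cause concrete, here is an added Python model (not WooCommerce code, and not the author's) of what the REPLACE query does to a serialized `_default_attributes` value, covering both the bug description above and the verification steps. It implements a strict parser for a small subset of PHP's serialize() format (strings, integers, arrays; ASCII content assumed), then contrasts the byte-level substring swap with a rename that goes through unserialize/serialize the way the meta API would. The function names, the `note` key and the sample rows are my own constructions.

```python
import re

# Added example (not WooCommerce code). Models the root cause on a subset of PHP's
# serialize() format: strings s:N:"...";, integers i:N;, arrays a:N:{...}.
# Assumes ASCII content so byte lengths equal character counts.

def php_serialize(value):
    """Serialize str/int/dict the way PHP's serialize() does (subset)."""
    if isinstance(value, int):
        return f"i:{value};"
    if isinstance(value, str):
        return f's:{len(value)}:"{value}";'
    if isinstance(value, dict):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return f"a:{len(value)}:{{{body}}}"
    raise TypeError(f"unsupported type {type(value).__name__}")

def php_unserialize(data):
    """Strict parser for the same subset. Raises ValueError when a declared length
    does not match the bytes that follow, which is how mangled data surfaces."""
    pos = 0

    def parse():
        nonlocal pos
        if data.startswith("i:", pos):
            m = re.match(r"i:(-?\d+);", data[pos:])
            if not m:
                raise ValueError(f"bad integer at {pos}")
            pos += m.end()
            return int(m.group(1))
        if data.startswith("s:", pos):
            m = re.match(r's:(\d+):"', data[pos:])
            if not m:
                raise ValueError(f"bad string header at {pos}")
            n, start = int(m.group(1)), pos + m.end()
            # the declared length must land exactly on the closing quote+semicolon
            if data[start + n:start + n + 2] != '";':
                raise ValueError(f"declared length {n} does not match string at {start}")
            pos = start + n + 2
            return data[start:start + n]
        if data.startswith("a:", pos):
            m = re.match(r"a:(\d+):\{", data[pos:])
            if not m:
                raise ValueError(f"bad array header at {pos}")
            pos += m.end()
            result = {}
            for _ in range(int(m.group(1))):
                key = parse()
                result[key] = parse()
            if not data.startswith("}", pos):
                raise ValueError(f"unterminated array at {pos}")
            pos += 1
            return result
        raise ValueError(f"unknown tag at {pos}")

    value = parse()
    if pos != len(data):
        raise ValueError(f"trailing data at {pos}")
    return value

def sql_style_replace(meta_value, taxonomy, old_slug, new_slug):
    """What the REPLACE() query does: a blind substring swap on the serialized bytes,
    regardless of whether the match is a real attribute pair or sits inside a string."""
    old = php_serialize(taxonomy) + php_serialize(old_slug)
    new = php_serialize(taxonomy) + php_serialize(new_slug)
    return meta_value.replace(old, new)

def api_style_rename(meta_value, taxonomy, old_slug, new_slug):
    """The safe alternative: unserialize, change the one element, reserialize.
    Only a real top-level entry for the taxonomy is touched; lengths stay consistent."""
    attrs = php_unserialize(meta_value)
    if attrs.get(taxonomy) == old_slug:
        attrs[taxonomy] = new_slug
    return php_serialize(attrs)

def is_corrupt(meta_value):
    """True when a stored value no longer unserializes cleanly."""
    try:
        php_unserialize(meta_value)
        return False
    except ValueError:
        return True

def scan_for_corrupt_meta(rows):
    """Defensive check over constructed (post_id, meta_value) rows: report the rows
    a byte-level REPLACE has already mangled."""
    return [post_id for post_id, v in rows if is_corrupt(v)]

if __name__ == "__main__":
    # The case the developers had in mind: a genuine attribute pair, rename works.
    legit = php_serialize({"test": "bazinga"})
    print(sql_style_replace(legit, "test", "bazinga", "foo"))
    # The planted case from the verification steps: the pair sits inside a string,
    # the swap changes the bytes but not the enclosing s:25 length prefix.
    planted = php_serialize({"note": 's:4:"test";s:7:"bazinga";'})
    print(is_corrupt(sql_style_replace(planted, "test", "bazinga", "foo")))
    print(api_style_rename(planted, "test", "bazinga", "foo") == planted)
```

In the planted case the strict parser rejects the result because the enclosing string's length prefix no longer matches its content; the post's RCE relies on a planted value whose bytes, after the swap, unserialize into a structure the attacker chose instead of failing. The API-style rename leaves the planted row untouched because no top-level `test` entry exists, and `scan_for_corrupt_meta` is the kind of check to run over `_default_attributes` rows on a site where this query has already executed.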

Issues from the past

In order to fix the current issue, all that was needed in the past was a simple grep through the code base for REPLACE in UPDATE queries against the meta tables (or any other table that holds serialized values).
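The grep described above, as an added Python audit (my own code, not the project's): it walks a PHP tree and reports every line that runs an UPDATE with SQL REPLACE() against a WordPress meta table or the options table. The table list, the regex and the constructed sample file (which mirrors the query quoted in this post) are assumptions of this example.

```python
import os
import re
import tempfile

# Added example (not WooCommerce code): the "grep for REPLACE in UPDATE queries against
# meta tables" audit from the post, returning (file, line number, text) for each hit.
# Table names are WordPress's own meta tables plus options, which also stores
# serialized values; the sample file below is constructed for the demo.

TABLES_WITH_SERIALIZED_VALUES = ("postmeta", "termmeta", "usermeta", "commentmeta", "options")

# UPDATE <something ending in a listed table> SET <col> = REPLACE(
PATTERN = re.compile(
    r"UPDATE\s+\S*(" + "|".join(TABLES_WITH_SERIALIZED_VALUES) + r")\S*\s+SET\s+\w+\s*=\s*REPLACE\s*\(",
    re.IGNORECASE,
)

def audit_tree(root):
    """Return (relative path, line number, stripped line) for every PHP line that rewrites
    a serialized-value column with SQL REPLACE(), the pattern that corrupts serialized data."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    if PATTERN.search(line):
                        rel = os.path.relpath(path, root).replace(os.sep, "/")
                        hits.append((rel, lineno, line.strip()))
    return hits

SAMPLE_PHP = '''<?php
// constructed sample mirroring the query quoted in the post
$wpdb->query( $wpdb->prepare(
    "UPDATE {$wpdb->postmeta} SET meta_value = REPLACE( meta_value, %s, %s ) WHERE meta_key = '_default_attributes'",
    $old, $new
) );
// not flagged: an UPDATE without REPLACE on a table that does not hold serialized values
$wpdb->query( "UPDATE {$wpdb->posts} SET post_status = 'draft' WHERE ID = 1" );
'''

def demo():
    """Write the constructed sample into a temporary tree and audit it; returns the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "includes"))
        with open(os.path.join(tmp, "includes", "class-wc-post-data.php"), "w") as fh:
            fh.write(SAMPLE_PHP)
        return audit_tree(tmp)

if __name__ == "__main__":
    for rel, lineno, text in demo():
        print(f"{rel}:{lineno}: {text}")
```

Point `audit_tree` at a real plugin or core checkout to get the same listing; any hit is a place where serialized data is being edited by string substitution instead of through the meta API.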

WP is so scotch and Woo is a mix

Not like scotch and Coke, but… :D

Promo

If you are a WP developer, a WP host provider or a WP security product provider with a valuable list of clients, we offer a subscription list and we are exceptional (B2B only).

websec

Attack sources + web application security
