WordPress Plugin Revolution Slider – Unrestricted File Upload

Details of BNVL-2018-0044

What does the BNVL label mean?

BitNinja Server Security's BNVL identifiers identify publicly known information security vulnerabilities in publicly released software packages. The project collects and analyzes attack information from the BitNinja network after cluster analysis by the AI-powered Attack Vector Miner. More than 100 vulnerability types have been discovered this way so far, so we decided to publish this platform to help keep Linux server owners up to date.

Important! All listed BNVL vulnerabilities are protected by BitNinja PRO, so please check your configurations if your infrastructure is affected by any of them.

Syntax for BNVL labels:

BNVL prefix + Year + Arbitrary Digits


Name: WordPress Plugin Revolution Slider – Unrestricted File Upload
Related Links:
https://github.com/googleinurl/WORDPRESS-Revslider-Exploit-0DAY
https://whatisgon.wordpress.com/2014/11/30/another-revslider-vulnerability/

CVE ID: N/A

Description: 

The code below is part of revslider_admin.php. In affected versions it runs on load and registers both a wp_ajax and a wp_ajax_nopriv callback for the onAjaxAction function.

Because nothing checks whether the user is actually logged in or allowed to change the plugin's settings, an unauthenticated request can, among other things, upload files to the server.

revslider_admin.php:

self::addActionAjax("ajax_action", "onAjaxAction");
This in turn calls the addActionAjax function, which creates the wp_ajax and wp_ajax_nopriv callbacks.

base_admin.class.php:

protected static function addActionAjax($ajaxAction, $eventFunction) {
    // Logged-in users: fires for wp_ajax_revslider_ajax_action
    self::addAction('wp_ajax_' . self::$dir_plugin . '_' . $ajaxAction, $eventFunction);
    // Anyone, no login required: fires for wp_ajax_nopriv_revslider_ajax_action
    self::addAction('wp_ajax_nopriv_' . self::$dir_plugin . '_' . $ajaxAction, $eventFunction);
}
As a result, the revslider_ajax_action action is registered under both hooks, so unprivileged (even anonymous) requests can trigger updates. This is not terribly surprising as, at least in early versions of Revolution Slider, security and a deep understanding of WordPress do not seem to have been a concern.

Working Example
The following is a working example. On a vulnerable site, submitting this form prints an ajax response similar to: {"success":false,"message":"wrong ajax action: asdf "}.

If you see something to the effect of {"success":false,"message":"Wrong request"}, you are probably not vulnerable, but you should still verify that you are running the most recent version, as there are several known vulnerabilities at this point!

<form method='post' action='/wp-admin/admin-ajax.php'>
  <input type='hidden' name='data' value='asdf' />
  <input type='hidden' name='client_action' value='asdf' />
  <input type='hidden' name='action' value='revslider_ajax_action' />
  <input type='submit' />
</form>
You see this response because onAjaxAction reaches its switch statement, and since asdf is not a recognized action it falls through to the default branch: self::ajaxResponseError("wrong ajax action: $action ");

Affected Versions
As stated above, this does not appear to affect newer versions (3.0.95) of Revolution Slider, nor versions 1.7.1 and below of Showbiz Pro.

In a newer version I checked, ThemePunch appears to have added a nonce called revslider_actions and checks that the nonce is present in onAjaxAction prior to actually executing the ajax calls.
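
The registration shape described under Description, beside the hardened shape the nonce check above points toward, as an added example. This is not ThemePunch's or BitNinja's code; it assumes it is loaded by WordPress, which supplies add_action(), check_ajax_referer(), current_user_can(), sanitize_key(), wp_create_nonce(), esc_attr() and the wp_send_json_*() helpers. The revslider_example_* function names, the POST field name "nonce" and the manage_options capability are assumptions; the hook names are what the page's addActionAjax produces once self::$dir_plugin ("revslider") and $ajaxAction ("ajax_action") are joined, and the nonce name is the one the page reports.

```php
<?php
// Added example, not the plugin's code. Runs inside WordPress (see lead-in).

// Vulnerable shape. The nopriv hook makes WordPress run the handler for requests
// that carry no login cookie at all, and the handler trusts client_action blindly.
function revslider_example_register_vulnerable(): void {
    add_action('wp_ajax_revslider_ajax_action',        'revslider_example_handler_vulnerable');
    add_action('wp_ajax_nopriv_revslider_ajax_action', 'revslider_example_handler_vulnerable');
}

function revslider_example_handler_vulnerable(): void {
    $action = $_POST['client_action'] ?? '';
    switch ($action) {
        // ... privileged cases (settings updates, file handling) would sit here, unguarded ...
        default:
            wp_send_json_error(['message' => "wrong ajax action: $action "]);
    }
}

// Hardened shape. No nopriv hook, so anonymous requests never reach the handler, and
// the handler re-checks a nonce and a capability itself, so it stays safe even if some
// other code registers it under a nopriv hook by mistake.
function revslider_example_register_hardened(): void {
    add_action('wp_ajax_revslider_ajax_action', 'revslider_example_handler_hardened');
    // Deliberately no add_action('wp_ajax_nopriv_revslider_ajax_action', ...).
}

function revslider_example_handler_hardened(): void {
    // Nonce name from the page; the POST field name "nonce" is an assumption.
    // On failure WordPress ends the request with HTTP 403 and body "-1".
    check_ajax_referer('revslider_actions', 'nonce');

    // A valid nonce only proves the request came from a page rendered for this user;
    // authorization is a separate check. manage_options is one reasonable choice.
    if (!current_user_can('manage_options')) {
        wp_send_json_error(['message' => 'Wrong request'], 403); // exits
    }

    // Restrict the dispatch key to [a-z0-9_-] before it reaches the switch.
    $action = sanitize_key($_POST['client_action'] ?? '');
    switch ($action) {
        case 'get_captions_css':
            // ... read-only work goes here ...
            wp_send_json_success(['message' => 'ok']); // exits
            break;
        default:
            wp_send_json_error(['message' => "wrong ajax action: $action "]);
    }
}

// Whatever admin page sends the request must embed a matching nonce, for example:
function revslider_example_nonce_field(): string {
    return sprintf('<input type="hidden" name="nonce" value="%s" />',
                   esc_attr(wp_create_nonce('revslider_actions')));
}

revslider_example_register_hardened();
```

The two checks are independent on purpose: dropping the nopriv hook keeps anonymous traffic out, the nonce stops cross-site requests from logged-in users, and the capability check stops low-privilege accounts (a subscriber is still "logged in" for the wp_ajax_ hook). With the hardened handler in place, the probe form shown under Working Example gets the "-1" nonce failure rather than the "wrong ajax action" message.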

Pattern: /wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css
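
A log-side check for the pattern above, as an added example that is not BitNinja's detection logic: a PHP CLI script that scans combined-format access log lines and reports every request to admin-ajax.php whose query string carries action=revslider_ajax_action. The log lines are constructed for this example; the function name find_revslider_requests is hypothetical, and the script assumes PHP 8 (str_ends_with).

```php
<?php
// Added example, not BitNinja's code. Flags access-log entries that hit the
// Revolution Slider AJAX endpoint via the query string.

/**
 * Return one record per log line that requests /wp-admin/admin-ajax.php with
 * action=revslider_ajax_action in the query string. Lines that do not parse as
 * combined log format are skipped.
 */
function find_revslider_requests(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        // client ident user [date] "METHOD target PROTOCOL" status ...
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
            continue;
        }
        [, $client, $when, $method, $target, $status] = $m;

        $url = parse_url($target);
        if (!isset($url['path']) || !str_ends_with($url['path'], '/wp-admin/admin-ajax.php')) {
            continue;
        }
        $params = [];
        parse_str($url['query'] ?? '', $params);
        if (($params['action'] ?? '') !== 'revslider_ajax_action') {
            continue; // other admin-ajax traffic (heartbeat etc.) or no query string
        }
        $hits[] = [
            'client'        => $client,
            'time'          => $when,
            'method'        => $method,
            'client_action' => $params['client_action'] ?? '(none in query string)',
            'status'        => (int) $status,
        ];
    }
    return $hits;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample lines (RFC 5737 documentation addresses).
    $sample = [
        '203.0.113.5 - - [30/Nov/2014:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css HTTP/1.1" 200 1843 "-" "Mozilla/5.0"',
        '203.0.113.5 - - [30/Nov/2014:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=asdf HTTP/1.1" 200 93 "-" "Mozilla/5.0"',
        '198.51.100.7 - - [30/Nov/2014:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 52 "-" "Mozilla/5.0"',
        // Parameters sent in a POST body never appear in the request line, so this
        // one is NOT flagged even if it carried action=revslider_ajax_action.
        '198.51.100.7 - - [30/Nov/2014:10:00:04 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 93 "-" "Mozilla/5.0"',
        '198.51.100.7 - - [30/Nov/2014:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    ];
    foreach (find_revslider_requests($sample) as $hit) {
        printf("%s %s %s client_action=%s status=%d\n",
               $hit['time'], $hit['client'], $hit['method'], $hit['client_action'], $hit['status']);
    }
    // Prints the first two sample lines only.
}
```

The blind spot shown by the fourth sample line matters: the probe form under Working Example sends its parameters in a POST body, so a plain access log records only "POST /wp-admin/admin-ajax.php" and this script cannot tell it apart from legitimate admin traffic. Catching those requires something that sees the body, such as a WAF or request logging at the application layer; the query-string pattern above is the part a web server log can verify on its own.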