WordPress + WooCommerce Plugin Design Flaw to RCE
Earlier this month (November 2018), RIPS Technologies blogged about a design flaw in WordPress that allows privilege escalation. WordPress is one of the most widely used Content Management Systems (CMS) and powers over 32% of websites. WooCommerce is the most widely used e-commerce plugin for WordPress and is used by 28% of all online stores.
The WordPress design flaw, combined with a vulnerability in WooCommerce, allows an authenticated user holding the lower-privileged Shop Manager role to escalate privileges and take over an administrator account.
Vulnerabilities
- The first issue is a design flaw in WordPress itself. WooCommerce registers several additional user roles, and each role carries its own set of capabilities.
Figure 1: WordPress user roles available after installing the WooCommerce plugin
WordPress persists role definitions, and the capabilities attached to them, in its database rather than in plugin code. This means that even after the WooCommerce plugin has been removed or disabled, the roles it created continue to exist within WordPress and their users keep the capabilities those roles grant. WordPress also keeps legacy privilege levels numbered from 0 to 10, with level 10 being the highest.
Figure 2: Shop Manager is assigned Administrator level privileges. WooCommerce plugin checks to ensure Shop Manager cannot edit an Administrator
Figure 3: Privileges of a Shop Manager
An administrator holds the highest privilege level (level 10), which allows it to add new users, change passwords, and so on.
A Shop Manager (level 9) is granted the edit_users capability, so in WordPress core terms it is close to an administrator and is allowed to edit the profiles of other users. A Shop Manager is not supposed to edit an administrator's account, but the only thing preventing this is a check performed by the WooCommerce plugin; WordPress core enforces no such restriction on its own.
Figure 4: Validation done by WooCommerce to prevent Shop Managers from editing or deleting users
- The second vulnerability exists within WooCommerce. WooCommerce lets privileged users, including Shop Managers, view and delete its log files from the admin interface. The log-deletion handler, however, does not properly validate the file name it is given and so does not restrict the user to deleting log files: a malicious user can supply directory traversal sequences in the path and have the application delete a file outside the log directory.
Figure 5: WooCommerce allows users with the Shop Manager role to delete log files
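To make the missing check concrete, here is an added example (written for this article, not WooCommerce's own code) of a log-deletion handler in the shape described above, in an unsafe form beside a hardened one. The function names, the scratch directory layout under the system temp directory, and the sample log file name are all hypothetical. The hardened version applies two independent controls: a strict allow-list on the handle syntax, and a realpath-based containment check that refuses any resolved path outside the log directory, which also covers symlink tricks the regex alone would not.

```php
<?php
// Added example: unsafe vs. hardened log deletion. Not WooCommerce code;
// function names and the directory layout below are hypothetical.
// Run with: php log_delete.php

declare(strict_types=1);

// Unsafe: the user-supplied handle is joined straight onto the log directory,
// so "../../plugins/woocommerce/woocommerce.php" escapes the directory.
function remove_log_unsafe(string $logDir, string $handle): bool
{
    $path = $logDir . '/' . $handle;
    return is_file($path) && unlink($path);
}

// Hardened: (1) allow-list the handle syntax, (2) resolve the final path and
// (3) refuse anything that does not stay strictly inside the log directory.
function remove_log_safe(string $logDir, string $handle): bool
{
    // A log handle is a plain name like "fatal-errors-2018-11-13.log":
    // letters, digits, dash, underscore, dot; no separators, no leading dot.
    if (!preg_match('/^[A-Za-z0-9_-][A-Za-z0-9_.-]*\.log$/', $handle)) {
        return false;
    }
    $base = realpath($logDir);
    $path = realpath($logDir . '/' . $handle);
    if ($base === false || $path === false) {
        return false; // directory or file does not exist
    }
    // Containment: the resolved path must sit below the resolved log dir.
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return is_file($path) && unlink($path);
}

// --- Demonstration on a throwaway directory tree (constructed here) ---
$root       = sys_get_temp_dir() . '/wc-demo-' . getmypid();
$logDir     = $root . '/uploads/wc-logs';
$pluginFile = $root . '/plugins/woocommerce/woocommerce.php';
$logFile    = $logDir . '/fatal-errors-2018-11-13.log';
mkdir($logDir, 0700, true);
mkdir(dirname($pluginFile), 0700, true);
file_put_contents($logFile, "log line\n");
file_put_contents($pluginFile, "<?php // plugin main file\n");

// The same traversal the article describes, relative to the log directory.
$traversal = '../../plugins/woocommerce/woocommerce.php';

echo "safe handler, traversal handle:  ", var_export(remove_log_safe($logDir, $traversal), true), "\n";
echo "plugin file still present:       ", var_export(file_exists($pluginFile), true), "\n";
echo "safe handler, genuine log file:  ", var_export(remove_log_safe($logDir, 'fatal-errors-2018-11-13.log'), true), "\n";
echo "unsafe handler, traversal handle:", var_export(remove_log_unsafe($logDir, $traversal), true), "\n";
echo "plugin file still present:       ", var_export(file_exists($pluginFile), true), "\n";

// Clean up the scratch tree.
@unlink($pluginFile);
@unlink($logFile);
foreach ([dirname($pluginFile), $root . '/plugins', $logDir, $root . '/uploads', $root] as $dir) {
    @rmdir($dir);
}
```

Running the script shows the hardened handler refusing the traversal handle while still deleting the genuine log file, and the unsafe handler removing the plugin's main file on the first attempt. The regex alone would already stop this particular payload; the realpath containment check is what keeps the handler safe if the allow-list is later loosened or a symlink is planted in the log directory.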
Exploit
An attacker can chain these two vulnerabilities to escalate privileges. Once the attacker controls a Shop Manager session (a malicious insider, a stolen session cookie, etc.), they tamper with the log-deletion request so that the file path traverses out of the log directory and points at the plugin's main file, woocommerce.php. This step succeeds whenever the web server process has write permission on the plugin directory, which is the common WordPress deployment. With that file gone, WordPress can no longer load the WooCommerce plugin and deactivates it. The check that stopped a Shop Manager from editing an administrator lived in the plugin and disappears with it, while the Shop Manager role and its capabilities persist in the database. The attacker can now edit an administrator's account, change its password, and take it over.
Figure 6: Log file delete request manipulated by the attacker in an attempt to delete the WooCommerce plugin main PHP file
Mitigating the vulnerability with BIG-IP ASM
BIG-IP ASM customers on any supported BIG-IP version are already protected against this vulnerability, provided the security policy includes the signatures below and enforces them in blocking mode rather than only logging them. The exploitation attempt is detected by existing "Directory traversal" attack signatures. The WAF is a compensating control; updating WooCommerce to a release that validates the log file name remains the primary fix.
- 200000190 : Directory Traversal attempt (Parameter)
- 200101550 : Directory Traversal attempt (Content)
Figure 7: Exploit blocked with attack signature 200101550
Figure 8: Exploit blocked with attack signature 200000190
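The two signatures above match directory traversal sequences in request parameters and in the request body. The following added example, written for this article and not F5's signature engine or its actual patterns, shows the kind of normalisation such a check has to perform before matching, applied to constructed request query strings. The parameter names (page, tab, handle, action) and the query strings are assumptions made up for the demonstration, not captured traffic; the same functions can be run over a decoded POST body to cover the "Content" case.

```php
<?php
// Added example: illustrative traversal check over request parameters.
// Not F5's signature logic; parameter names and samples are constructed.
// Run with: php traversal_check.php

declare(strict_types=1);

// Normalise a parameter value the way a naive matcher would not: URL-decode
// repeatedly until the value stops changing (catches %2e%2e%2f as well as
// double-encoded %252e%252e%252f), then treat backslashes as separators.
function normalize_param(string $value): string
{
    $prev = null;
    $cur  = $value;
    for ($i = 0; $i < 3 && $cur !== $prev; $i++) {
        $prev = $cur;
        $cur  = rawurldecode($cur);
    }
    return str_replace('\\', '/', $cur);
}

// Flag a value that contains a parent-directory step once normalised.
// ".." must be a whole path segment; "fatal..errors.log" is not traversal.
function is_traversal(string $value): bool
{
    return (bool) preg_match('#(^|/)\.\.(/|$)#', normalize_param($value));
}

// Inspect every parameter of a query string; return the offending names.
function scan_query(string $query): array
{
    parse_str($query, $params); // parse_str already decodes one layer
    $hits = [];
    foreach ($params as $name => $value) {
        if (is_string($value) && is_traversal($value)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Constructed sample requests (not captured traffic).
$samples = [
    'benign log delete' => 'page=wc-status&tab=logs&handle=fatal-errors-2018-11-13.log&action=remove',
    'plain traversal'   => 'page=wc-status&tab=logs&handle=../../plugins/woocommerce/woocommerce.php',
    'url-encoded'       => 'handle=%2e%2e%2f%2e%2e%2fplugins%2fwoocommerce%2fwoocommerce.php',
    'double-encoded'    => 'handle=%252e%252e%252fplugins%252fwoocommerce%252fwoocommerce.php',
    'backslash variant' => 'handle=..\\..\\plugins\\woocommerce\\woocommerce.php',
    'dots in a name'    => 'handle=fatal..errors.log',
];

foreach ($samples as $label => $query) {
    $hits = scan_query($query);
    printf("%-18s %s\n", $label, $hits ? 'BLOCK (' . implode(',', $hits) . ')' : 'allow');
}
```

The point of the repeated decoding and separator folding is that a check which only looks for the literal string "../" in the raw query string misses the encoded and backslash forms, while the segment-anchored pattern avoids false positives on file names that merely contain consecutive dots.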