WordPress plugin Jetpack security vulnerability
Description: WordPress and WordPress plugin are products of the WordPress Foundation. WordPress is a blogging platform developed in PHP; it lets users host a personal blog site on a server running PHP and MySQL. WordPress plugin is an application plugin. The WordPress plugin Jetpack has a security vulnerability caused by missing authorization in one of its REST endpoints.
WARNING: This is a vulnerable application to test the exploit for the Jetpack < 13.9.1 broken access control (CVE-2024-9926). Run it at your own risk!
# wordpress-jetpack-broken-access-control-vulnerable-application
This is a vulnerable application to test the exploit for the **Jetpack** < 13.9.1 broken access control (CVE-2024-9926).
**This application contains serious security vulnerabilities. Run it at your own risk! It is recommended to use a backed-up and sheltered environment (such as a VM with a recent snapshot and host-only networking). Do not upload this application to any Internet-facing servers, as they will be compromised.**
***DISCLAIMER*: I do not take responsibility for the way in which anyone uses this application. The only purpose of this application is to be a test scenario for the Jetpack < 13.9.1 broken access control (CVE-2024-9926) exploit and it should not be used maliciously. If your server is compromised via an installation of this application it is not my responsibility, it is the responsibility of the person(s) who uploaded and installed it.**
## Vulnerability info
* **CVE-ID**: CVE-2024-9926
* **Link**: [https://www.cve.org/CVERecord?id=CVE-2024-9926](https://www.cve.org/CVERecord?id=CVE-2024-9926)
* **Description**: This vulnerability could be used by any logged-in user on a site to read forms submitted by visitors to the site.
* **Vendor link**: [https://jetpack.com/blog/jetpack-13-9-1-critical-security-update/](https://jetpack.com/blog/jetpack-13-9-1-critical-security-update/)
* **Fix:** [https://github.com/Automattic/jetpack-production/commit/18605ae8cdc7438c2088336c51f3db8d6a5b90fd](https://github.com/Automattic/jetpack-production/commit/18605ae8cdc7438c2088336c51f3db8d6a5b90fd)
## Usage
Here are the steps to **set up** the environment:
1. Launch `./up.sh` to start the Docker Compose stack.
2. Complete the installation of WordPress here: [http://localhost:1337/wp-admin/install.php](http://localhost:1337/wp-admin/install.php).
3. Log in to WordPress.
4. Go to "*Plugins*": [http://localhost:1337/wp-admin/plugins.php](http://localhost:1337/wp-admin/plugins.php).
5. Click on "*Activate*" under the "*Jetpack*" plugin. **DO NOT UPDATE IT**, since we need the vulnerable version.
6. Go to "*Jetpack*" > "*Settings*" > "*Writing*" and, in the "*Composing*" section, enable "*Jetpack Blocks give you the power to deliver quality content that hooks website visitors without needing to hire a developer or learn a single line of code.*".
7. Create a new page in WordPress, adding a "*Contact Form*" element.
8. Visit the created page and use the contact form to create some feedback entries.
The container will be called `vuln-wp-jetpack`.
To **tear down** the environment, use `./down.sh`, or `./down_and_delete.sh` to also remove the images and the database volume.
## Root cause
Having a look at the [fix](https://github.com/Automattic/jetpack-production/commit/18605ae8cdc7438c2088336c51f3db8d6a5b90fd), it is clear that the only check performed by both the `get_items_permissions_check()` and `get_item_permissions_check()` methods is whether the user is a member of the blog: any authenticated member passes, regardless of role or capability.
Both methods are declared in the `Contact_Form_Endpoint` class of the `automattic/jetpack-forms/src/contact-form/class-contact-form-endpoint.php` file. As the comment at the beginning of the class says, this class is...
> Used as `rest_controller_class` parameter when `feedback` post type is registered in `\Automattic\Jetpack\Forms\ContactForm\Contact_Form`
This can be seen in the `automattic/jetpack-forms/src/contact-form/class-contact-form-plugin.php` file at line 201, where the `feedback` custom post type is registered.
The available types can be retrieved via the REST API with a request like the following.

```
GET /?rest_route=/wp/v2/types
```

The response contains the `feedback` type.
## Exploit
To exploit the vulnerability, a request like the following is sufficient.

```
GET /?rest_route=/wp/v2/feedback
```

The request must contain an authorization header with an *Application Password*, like the following (the value shown is the Base64 encoding of the placeholder `your_username:your_application_password`).

```
Authorization: Basic eW91cl91c2VybmFtZTp5b3VyX2FwcGxpY2F0aW9uX3Bhc3N3b3Jk
```
An exploit script in Python can be found [here](https://github.com/m3ssap0/wordpress-jetpack-broken-access-control-exploit).
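As an added example (not part of this repository or of Jetpack), a small Python detector that scans Apache access-log lines from the lab for reads of the `feedback` REST type. It normalizes both the `?rest_route=` form shown above and the `/wp-json/` pretty-permalink form, including a percent-encoded route value and single-item routes; the log lines are constructed sample data.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache "combined" format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Oct/2024:10:01:02 +0000] "GET /?rest_route=/wp/v2/types HTTP/1.1" 200 5120 "-" "curl/8.0"
10.0.0.5 - - [12/Oct/2024:10:01:09 +0000] "GET /?rest_route=/wp/v2/feedback HTTP/1.1" 200 8732 "-" "curl/8.0"
10.0.0.7 - - [12/Oct/2024:10:02:44 +0000] "GET /wp-json/wp/v2/feedback?per_page=100 HTTP/1.1" 200 9001 "-" "python-requests/2.31"
10.0.0.9 - - [12/Oct/2024:10:03:01 +0000] "GET /?rest_route=%2Fwp%2Fv2%2Ffeedback%2F12 HTTP/1.1" 200 1204 "-" "curl/8.0"
10.0.0.5 - - [12/Oct/2024:10:04:30 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 4400 "-" "curl/8.0"
10.0.0.8 - - [12/Oct/2024:10:05:11 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 31 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The collection route and the single-item route (/wp/v2/feedback/<id>).
FEEDBACK_ROUTE = re.compile(r"^/wp/v2/feedback(/\d+)?$")


def rest_route(target: str) -> Optional[str]:
    """Return the WP REST route addressed by a request target, or None.

    Handles both /wp-json/<route> and /?rest_route=<route> (also via
    /index.php?rest_route=...); parse_qs already decodes %2F in the value.
    """
    parts = urlsplit(target)
    path = unquote(parts.path)
    if path.startswith("/wp-json/"):
        return "/" + path[len("/wp-json/"):].strip("/")
    query = parse_qs(parts.query)
    if "rest_route" in query:
        return "/" + query["rest_route"][0].strip("/")
    return None


def find_feedback_reads(log_text: str) -> List[Dict[str, object]]:
    """Flag successful-or-not GET requests against the feedback REST type."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        route = rest_route(m["target"])
        if m["method"] == "GET" and route and FEEDBACK_ROUTE.match(route):
            hits.append({"ip": m["ip"], "ts": m["ts"], "route": route, "status": int(m["status"])})
    return hits
```

On a site running a version of Jetpack below 13.9.1, every such hit from a non-administrator account is worth reviewing; after the update the same request returns an error for users without the required capability, so the status codes in the hits give a quick sanity check that the fix is in place.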
## Authors
* **Antonio Francesco Sardella** - *implementation* - [m3ssap0](https://github.com/m3ssap0)
## License
This project is licensed under the Unlicense - see the **LICENSE** file for details.
```
[4.0K] /data/pocs/66dcbd14f20a52cd2214ebc2ee4544df8c9f8af7
├── [4.0K] conf
│   └── [ 223] my-httpd-vhosts.conf
├── [ 663] docker-compose.yml
├── [1.0K] Dockerfile
├── [ 246] down_and_delete.sh
├── [  41] down.sh
├── [1.2K] LICENSE
├── [4.3K] README.md
└── [  63] up.sh

1 directory, 8 files
```