[WordPress] Real 3D Flipbook Plugin Exploit

flipbook2

Introduction

Real 3D Flipbook is a wordpress plugin which uses Web Graphics Library to create 3D flip books. We can upload PDF files or JPEG images and it will automatically make an interactive flipbook for wordpress posts and pages. At the time of writing this post, the plugin costs $32 with $9.60 for extended 12 months support. You can find further details on the official codecanyon page.

Vulnerabilities

The company I work for, bought this plugin few days ago and decided to use it on our wordpress blog for the company featured magazine. We don’t install the plugins directly on our wordpress instance. We usually audit the code and add some tweaks first. That’s where I come in.

While auditing this plugin, I found some critical vulnerabilities which can be exploited by an unauthenticated user and do some real damage to our wordpress installation. Here’s the list of vulnerabilities:

  • Delete any file or directory from the server (Unauthenticated)
  • Upload images in Root directory (Unauthenticated)
  • Cross Site Scripting (XSS) vulnerability

Let’s take a look at these vulnerabilities individually.

1) Delete Files or Directories (Unauthenticated)

This vulnerability exists in a file wp-content/plugins/real3d-flipbook/includes/process.php. Here’s a code snippet from the file.

This file was meant to be called within the scope of wordpress admin panel but it doesn’t check for user authentication at all so, an unauthenticated user can call this file and parse POST parameters. On line 55, POST parameter deleteBook is assigned to a variable $bookName which further gets concatenated to $dirPath. Lines 58 – 60 make sure that the resulting path is a valid directory. On line 64, PHPs glob() function returns an array of filenames and directories matching the given pattern in $dirPath. From line 65 to 72, it loops through all the file paths and deletes them one by one. At the end of the loop, it deletes the parent directory by rmdir($dirPath).

An end user can exploit this vulnerability and delete any wordpress file or directory by simply making a POST request to process.php with the POST data deleteBook=../../../wp-includes/css or deleteBook=../../../wp-includes/customize.  self::deleteDir() on line 67 may create some problem for us, as we’re calling this file outside the class scope. So, we need to make sure that we never land on line 67, the best way is to delete the files in this specific order wpFiles.json. This order starts from the deepest directory with no other directories in it and then gradually moves to the parent directory thus always landing on unlink() or rmdir() on lines 69 and 72 respectively.

2) Upload Images in Root Directory

This vulnerability also exists in file wp-content/plugins/real3d-flipbook/includes/process.php. Here’s the code snippet.

On line 5, the POST parameter imageBase expects the Base64 encoded image data. Something like data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAADIA.... On line 6, POST parameter bookName determines the upload directory path. From line 14 to 26, it processes the image data, decodes it and creates the upload directories. It takes a POST parameter pageName which is used as the image filename and copies the image data to a JPG file on line 35. An end user can upload images directly in the root directory by simply making a POST request to process.php. For example, this payload will upload an image makman.jpg in the root directory of the website imgbase=data:image/png;base64,iVBORw0KGgoAAA...&bookName=../../../&pageName=makman, and not to mention, with out any user authentication.

If the webserver is running PHP version prior to PHP 5.3, we can also leverage this vulnerability to code execution by uploading PHP files. PHP < 5.3 was vulnerable to Null Bytes injection/truncation attacks. In that case, we can upload PHP files by changing our payload to imgbase=data:image/png;base64,iVBOAAA..&bookName=../../../&pageName=makman.php%00, which will result in makman.php created in the root directory with our input data imgbase as the file contents.

3) Cross Site Scripting (Reflected XSS)

This vulnerability exists in wp-content/plugins/real3d-flipbook/includes/flipbooks.php where unsanitized user input is directly echoed on the page. An end user can exploit this vulnerability by simply making a GET request to flipbooks.php with GET parameters action=delete&bookId=<script>alert(/makman/)</script>.

Exploit Code

A simple search for Google dork "wp-content/uploads/real3dflipbook" resulted in 13K websites using Real 3D Flipbook plugin.

flipbook3

Here comes the fun part, I’ve coded a POC in Python which exploits all these vulnerabilities for the given website. It deletes all the  important files in wp-content/ and wp-admin/ thus breaking the wordpress installation. Then, it uploads an image makman.jpg in the root directory of the website and finally checks the XSS payload. Here’s the code.

[+] GitHub Repository

After executing this exploit, the wordpress site doesn’t load because the exploit deletes all the files in wp-includes/.

flipbook9

flipbook4

flipbook5

flipbook6

flipbook7

flipbook8

.
Vulnerability Timeline

Vulnerability Found: 2016-07-01

Reported to Vendor: 2016-07-03

Public Disclosure: 2016-07-03

References
[1] https://www.exploit-db.com/exploits/40055/
[2] https://wpvulndb.com/vulnerabilities/8536

.

Not that I care but .. I hereby take no responsibility for the loss/damage caused by this article. It has been shared for educational purpose only.