[Honeypot Alert] Wordpress Wp Symposium 14.11 - Unauthenticated Shell Upload Exploit Attempt

Our web honeypots picked up some exploit attempts for the recently released vulnerability in the WP Symposium Plugin. WP Symposium is described as:

WP Symposium is a plugin for WordPress, that will turn a WordPress site into a Social Network. And you can choose which features you want to activate, and customise them to achieve your social network features.

Uses of WP Symposium are limited only by your imagination, but some examples of how people are already using it include:

• Social networks for those who live or work together (colleges, clubs, etc…).

• Internal "intranet"s for a business or company.

• Dating sites, including those for niche groups of people.

• A social network supporting products and services.

• A social network for particular hobbies/interests (music, films, etc…).

Wordpress WP Symposium 14.11 Shell Upload Vulnerability

WP Symposium allows the user to upload different types of files and it has a pre-configured list of allowed extensions:

These restrictions are applied to the /wp-symposium/server/file_upload_form.php page, however, there are other pages that are not protected such as:

• /wp-symposium/server/php/index.php
• /wp-symposium/server/php/UploadHandler.php
• /wp-symposium/mobile-files/server/php/index.php
• /wp-symposium/mobile-files/server/php/UploadHandler.php

Exploit-DB has a vulnerability entry with Proof of Concept Python exploit code:

Honeypot Exploit Attempt

Here is an example exploit attempt that was captured by ModSecurity WAF:

--f29bb312-A--
[24/Dec/2014:20:05:21 --0600] VJtw4cCo8AoAADHxgygAAAAF 192.99.195.96 50576 XXX.XXX.XXX.XXX 80
--f29bb312-B--
POST /wp-content/plugins/wp-symposium/server/php/index.php HTTP/1.1
Host: honeypot
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------259392320121592
Content-Length: 92562--f29bb312-I--
uploader%5fuid=1&uploader%5fdir=%2e%2fsymposium&uploader%5furl=http%3a%2f%2fhoneypot%2fwp%2dcontent%2fplugins%2fwp%2dsymposium%2fserver%2fphp%2f--f29bb312-J--
4,91960,"_privacy.php","
 
  "
  
Total,91960
 

The attacker attempted to upload a PHP file called "_privacy.php". This file has various PHP backdoor code which allows the attacker to send HTTP commands through request variables. It also contains a version of the WSO web shell:

Action Items

Update WP Symposium

If you can not update, then you need to manually update the UploadHandler.php script. Update the following line from this -

// Defines which files (based on their names) are accepted for upload:
 'accept_file_types' => '/.+$/i',

To this -

// Defines which files (based on their names) are accepted for upload:
 'accept_file_types' => '/.(mp4|doc|docx|ppt|pptx|xls|xlsx|txt|pdf|gif|jpe?g|png)$/i',

Use a Web Application Firewall (WAF)

Both of Trustwave's WAF products (TW WAF and ModSecurity) can protect your sites from PHP file uploads.