src/mobile-pentesting/android-app-pentesting/inputmethodservice-ime-abuse.md
Lines changed: 1 addition & 0 deletions
@@ -81,3 +81,4 @@ adb shell ime help
81
81
-**User/MDM**: allowlist trusted keyboards; block unknown IMEs in managed profiles/devices.
82
82
-**App-side (high risk apps)**: prefer phishing-resistant auth (passkeys/biometrics) and avoid relying on “secret text entry” as a security boundary (a malicious IME sits below the app UI).
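Review bot: the hunk header `@@ -81,3 +81,4 @@` announces one added line for this file (matching the "1 addition & 0 deletions" summary), but only the two unchanged context lines at 81 and 82 are visible here, so the addition itself cannot be reviewed from this view; please confirm what the new line 83/84 contains (if it is only a trailing blank line or newline fix, say so in the commit message).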
[Patchstack's analysis](https://patchstack.com/articles/critical-arbitrary-file-upload-vulnerability-in-motors-theme-affecting-20k-sites/) showed how the Motors theme ships an authenticated AJAX helper for installing its companion plugin:
$upgrader = new Plugin_Upgrader(new Motors_Theme_Plugin_Upgrader_Skin(['plugin' => $plugin_slug]));
879
+
$upgrader->install($plugin_url);
880
+
mvl_theme_activate_plugin($plugin_slug);
881
+
}
882
+
```
883
+
884
+
- Only `check_ajax_referer()` is called; there is no `current_user_can('install_plugins')` or `current_user_can('activate_plugins')`.
885
+
- The nonce is embedded in the Motors admin page, so any Subscriber that can open `/wp-admin/` can copy it from the HTML/JS.
886
+
- The handler trusts the attacker-controlled `plugin` parameter (read from `$_GET`) and passes it into `Plugin_Upgrader::install()`, so an arbitrary remote ZIP is downloaded into `wp-content/plugins/`.
887
+
- After installation the theme unconditionally calls `mvl_theme_activate_plugin()`, guaranteeing execution of the attacker plugin's PHP code.
888
+
889
+
#### Exploitation flow
890
+
891
+
1. Register/compromise a low-privileged account (Subscriber is enough) and grab the `mvl_theme_install_base` nonce from the Motors dashboard UI.
892
+
2. Build a plugin ZIP whose top-level directory matches the expected slug `motors-car-dealership-classified-listings/` and embed a backdoor or webshell in the `*.php` entry points.
893
+
3. Host the ZIP and trigger the installer by pointing the handler to your URL:
Because the handler reads `$_GET['plugin']`, the same payload can also be sent via the query string.
905
+
906
+
#### Detection checklist
907
+
908
+
- Search themes/plugins for `Plugin_Upgrader`, `Theme_Upgrader`, or custom `install_plugin.php` helpers wired to `wp_ajax_*` hooks without capability checks.
909
+
- Inspect any handler that takes a `plugin`, `package`, `source`, or `url` parameter and feeds it into upgrader APIs, especially when the slug is hard-coded but the ZIP contents are not validated.
910
+
- Review admin pages that expose nonces for installer actions—if Subscribers can load the page, assume the nonce leaks.
911
+
912
+
#### Hardening
913
+
914
+
- Gate installer AJAX callbacks with `current_user_can('install_plugins')` and `current_user_can('activate_plugins')` after nonce verification; Motors 5.6.82 introduced this check to patch the bug.
915
+
- Refuse untrusted URLs: limit installers to bundled ZIPs or trusted repositories, or enforce signed download manifests.
916
+
- Treat nonces strictly as CSRF tokens; they do not provide authorization and should never replace capability checks.
917
+
865
918
---
866
919
867
920
## Unauthenticated SQLi via s search parameter in depicter-* actions (Depicter Slider ≤ 3.6.1)
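Review bot: the data-flow claim in the analysis bullets is not verifiable from the snippet as shown. The bullet states that the attacker-controlled `plugin` parameter read from `$_GET` is passed into `Plugin_Upgrader::install()`, but the visible code calls `$upgrader->install($plugin_url)` while `$plugin_slug` only goes to the skin, and the lines that read `$_GET['plugin']` and build `$plugin_url` (together with the opening code fence) fall before line 879 and are not in the hunk. Please extend the snippet upward to the start of the handler so the reader can see how `$plugin_url` is derived, and note that exploitation step 3 ("trigger the installer by pointing the handler to your URL:") is followed by the sentence "Because the handler reads `$_GET['plugin']`, the same payload can also be sent via the query string" without the request it refers to being visible between lines 893 and 905. Two smaller documentation points: the hardening bullet names 5.6.82 as the fixed release, so the section should state the affected range the way the neighbouring `## Unauthenticated SQLi ... (Depicter Slider ≤ 3.6.1)` heading does; and the detection bullet "Review admin pages that expose nonces for installer actions" would read better if it also told the reviewer to check that `check_ajax_referer()` is paired with a capability check, which is the actual root cause described in the analysis.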