24 Jun 2021

WordPress Fancy Product Designer exploit

Today in my web server logs I noticed repeated scans for "fancy-product-designer" - a WordPress plugin which I most definitely don't have installed.

Few Google searches later, I found an article by Wordfence titled "Critical 0-day in Fancy Product Designer Under Active Attack". As usual, all the important details were missing from their article, so I decided to fill-in the gaps. smile

Vulnerability details

There are plenty of different ways how to find the vulnerable code. But since the vulnerability is already fixed, the easiest way is to see what code was changed. So, I set out to find a vulnerable version of the plugin and the fixed version.

It turns out, fancy-product-designer\inc\custom-image-handler.php is a full-featured file uploader.

Goddamit, when will people stop adding vulnerable file uploaders to every PHP project?! angry

The vulnerable code is located in another file - fancy-product-designer\inc\fpd-image-utils.php, function sanitize_filename:

Can you see the issue? smile If you can't, don't worry, I'll show it later when crafting exploit.

As for the fix, it consists of a single line. Fixed version looks like this:

Crafting exploit

Now that we know where the vulnerability lies, let's see what obstacles attacker needs to overcome to achieve arbitrary file upload...

1) check for file extension.

As we already established, sanitize_filename function is/was flawed.

Sanitization will create a new filename $sanitize_name consisting only of lowercase letters, numbers and dots. But forbidden extensions are matched against original filename!
For example, filename evil.p[hp will get "sanitized" to evil.php. However, regex will check evil.p[hp and will not flag that as malicious.

2) check for valid image data.

PHP function getimagesize is used to verify that uploaded file is actually an image. So, you can't just upload a pure PHP file, it will not be accepted.

Luckily for us, PHP interpreter is very forgiving - it will check the entire file looking for valid <?php tag. So, it's really easy to put PHP code in the image metadata or even after the actual image data.

Files that are valid forms of multiple different file types are called "polyglot files" and they have been known for decades. You can read more about them, for example, in Polyglot Files: a Hacker’s best friend or Hiding Webshell Backdoor Code in Image Files.

Attackers exploiting this vulnerability appended their webshell after the image data:

Crafting polyglot file for this exploit is left as an exercise for the reader.

3) check for mime type

The same line of code also verifies that sent MIME type is one of the whitelisted ones. I have no idea why it's being done, as MIME type has only informational value. And it's trivial to bypass, just instruct curl to send the correct one! smile

Putting it all together, we get this one-liner:

or, if you prefer to access image uploader directly:

Yes, that's all you need to exploit this vulnerability. smile

Key takeaway

If you're writing any sort of code handling user input - do not make your own sanitization routines. You'll most likely fail. Just find whatever methods your framework offers and use those. It's much safer that way.

Have fun and stay safe!

14 thoughts on “WordPress Fancy Product Designer exploit

  1. I'm newbie. Wanna understand the part

    -F "file[]=@evil.p]hp;type=image/jpeg"

    is it will use the evil.p]hp file in LOCAL disk in current working directory?

    • Yes, it will.

      You can read about CURL parameters in the manual (https://curl.se/docs/manual.html), it's actually really good! :)

      -F accepts parameters like -F "name=contents". If you want the contents to be read from a file, use @filename as contents. When specifying a file, you can also specify the file content type by appending ;type=<mime type> to the file name

  2. Hello kao,

    I was wondering how you would recommend learning reversing and what resources to use.

      • Hi Kao, Thank you for your reply. I will make sure to try the resources you sent. I saw in an earlier article that you recommended Lena151's tutorials as well. Would you still recommend them as a good resource or are they too outdated?

Leave a Reply to kao Cancel reply

  • Be nice to me and everyone else.
  • If you are reporting a problem in my tool, please upload the file which causes the problem.
    I can`t help you without seeing the file.
  • Links in comments are visible only to me. Other visitors cannot see them.

Your email address will not be published.

1  +   =  eight