Ready to exploit environments for individual CVEs
The CVE requires two-factor authentication to be enabled which is disabled by default (even in this github repository). To enable:
- Plugins > Really Simple Security > Settings > Settings > Login Protection > Enable Two-Factor Authentication
- Then click the slide button to enable 2FA
Steps you need to reproduce:
- Clone the repo and start the container using the command provided there
- Navigate wordpress and enable 2FA
- Obtain cookies using a script or Burp Suite
- Set the cookies using Burp Suite or simply using chrome or firefox dev tools
- go to wp-admin and it will let you in!
Detailed instruction to reproduce is given in the repo
After cloning the repo, use the commands in the Quick Installation (via Docker) section to start roundcube and then run the command given in the Run: section to test the exploit.
When someone from machine A is connected to machine B with agent forwarding enabled (i.e., ssh -A), an environment variable SSH_AUTH_SOCK which is blindly followed by SSH tools like ssh-add will be set to a fake socket that talks to the ssh-agent on machine A. Thus any ssh-add command on machine B will take effect on machine A. Now, ssh-add -s is meant to load PKCS#11` providers which come in the form of shared libraries. However, if a malicious user on machine B issues command to load a malicious library (instead of a legitimate PKCS#11 provider), the constructor of the library will execute anyway. This constructor may be leveraged to make the stack executable and eventually execute a shell code from there.