From 36e9f19bf3a4d1fc9de5a27d991697b0667b59b7 Mon Sep 17 00:00:00 2001 From: pirahnasa Date: Fri, 13 Dec 2024 12:05:29 +0100 Subject: [PATCH 1/2] Add version detection for Wpforms plugin --- agent/exploits/cve_2024_11205.py | 50 +++++++++++++++ tests/exploits/cve_2024_11205_test.py | 89 +++++++++++++++++++++++++++ 2 files changed, 139 insertions(+) create mode 100644 agent/exploits/cve_2024_11205.py create mode 100644 tests/exploits/cve_2024_11205_test.py diff --git a/agent/exploits/cve_2024_11205.py b/agent/exploits/cve_2024_11205.py new file mode 100644 index 0000000..5dd419c --- /dev/null +++ b/agent/exploits/cve_2024_11205.py @@ -0,0 +1,50 @@ +"""Agent Asteroid implementation for CVE-2024-8672""" + +import re + +from packaging import version + +from agent import definitions +from agent import exploits_registry +from agent.exploits import webexploit + +VERSION_PATTERN = re.compile(r"Stable tag:\s(\d+\.\d+(?:\.\d+)*)") +MAX_VULNERABLE_VERSION = version.parse("1.9.2.1") +MIN_VULNERABLE_VERSION = version.parse("1.8.4") +VULNERABILITY_TITLE = ( + "WPForms Lite Plugin 1.8.4 - 1.9.2.1 - Missing Authorization to Authenticated " + "(Subscriber+) Payment Refund and Subscription Cancellation" +) +VULNERABILITY_REFERENCE = "CVE-2024-11205" +VULNERABILITY_DESCRIPTION = ( + "The WPForms Lite plugin for WordPress is vulnerable to unauthorized modification " + "of data due to a missing capability check on the 'wpforms_is_admin_page' function " + "in versions starting from 1.8.4 up to, and including, 1.9.2.1. This makes it " + "possible for authenticated attackers, with Subscriber-level access and above, to " + "refund payments and cancel subscriptions." +) +RISK_RATING = "HIGH" + + +@exploits_registry.register +class CVE202411205Exploit(webexploit.WebExploit): + accept_request = definitions.Request( + method="GET", path="/wp-content/plugins/wpforms-lite/readme.txt" + ) + check_request = definitions.Request( + method="GET", path="/wp-content/plugins/wpforms-lite/readme.txt" + ) + accept_pattern = [ + re.compile("Contact Form by WPForms - Drag & Drop Form Builder for WordPress") + ] + version_pattern = VERSION_PATTERN + vuln_ranges = [ + definitions.VulnRange(MIN_VULNERABLE_VERSION, MAX_VULNERABLE_VERSION) + ] + + metadata = definitions.VulnerabilityMetadata( + title=VULNERABILITY_TITLE, + description=VULNERABILITY_DESCRIPTION, + reference=VULNERABILITY_REFERENCE, + risk_rating=RISK_RATING, + ) diff --git a/tests/exploits/cve_2024_11205_test.py b/tests/exploits/cve_2024_11205_test.py new file mode 100644 index 0000000..71687b9 --- /dev/null +++ b/tests/exploits/cve_2024_11205_test.py @@ -0,0 +1,89 @@ +"""Unit tests for Agent Asteroid: CVE-2024-11205""" + +import requests_mock as req_mock +from ostorlab.agent.mixins import agent_report_vulnerability_mixin as vuln_mixin + +from agent import definitions +from agent.exploits import cve_2024_11205 + + +def testCVE202411205_whenVulnerable_reportFinding( + requests_mock: req_mock.mocker.Mocker, +) -> None: + """CVE-2024-11205 unit test: case when target is vulnerable.""" + requests_mock.get( + "http://localhost:80/wp-content/plugins/wpforms-lite/readme.txt", + text=""" + === Contact Form by WPForms - Drag & Drop Form Builder for WordPress === + Contributors: wpforms + Donate link: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=FMKC2SLPTULP8 + Requires at least: 5.0 + Tested up to: 5.8 + Requires PHP: 7.0 + Stable tag: 1.8.4 + """, + status_code=200, + ) + exploit_instance = cve_2024_11205.CVE202411205Exploit() + target = definitions.Target("http", "localhost", 80) + + accept = exploit_instance.accept(target) + vulnerabilities = exploit_instance.check(target) + + assert accept is True + assert len(vulnerabilities) > 0 + vulnerability = vulnerabilities[0] + assert ( + vulnerability.entry.title + == "WPForms Lite Plugin 1.8.4 - 1.9.2.1 - Missing Authorization to Authenticated (Subscriber+) Payment Refund and Subscription Cancellation" + ) + assert vulnerability.technical_detail == ( + "http://localhost:80 is vulnerable to CVE-2024-11205, WPForms Lite Plugin 1.8.4 - 1.9.2.1 - Missing Authorization to Authenticated (Subscriber+) Payment Refund and Subscription Cancellation" + ) + assert vulnerability.risk_rating == vuln_mixin.RiskRating.HIGH + + +def testCVE202411205_whenSafe_reportNothing( + requests_mock: req_mock.mocker.Mocker, +) -> None: + """CVE-2024-11205 unit test: case when target is safe.""" + exploit_instance = cve_2024_11205.CVE202411205Exploit() + requests_mock.get( + "http://localhost:80/wp-content/plugins/wpforms-lite/readme.txt", + text=""" + === Contact Form by WPForms - Drag & Drop Form Builder for WordPress === + Contributors: wpforms + Donate link: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=FMKC2SLPTULP8 + Requires at least: 5.0 + Tested up to: 5.8 + Requires PHP: 7.0 + Stable tag: 1.9.2.2 + """, + status_code=200, + ) + target = definitions.Target("http", "localhost", 80) + + accept = exploit_instance.accept(target) + vulnerabilities = exploit_instance.check(target) + + assert accept is True + assert len(vulnerabilities) == 0 + + +def testCVE202411205_whenTargetNotWPFormsLite_reportNothing( + requests_mock: req_mock.mocker.Mocker, +) -> None: + """CVE-2024-11205 unit test: case when target is not WPForms Lite.""" + exploit_instance = cve_2024_11205.CVE202411205Exploit() + requests_mock.get( + "http://localhost:80/wp-content/plugins/wpforms-lite/readme.txt", + text="""Not Found""", + status_code=404, + ) + target = definitions.Target("http", "localhost", 80) + + accept = exploit_instance.accept(target) + vulnerabilities = exploit_instance.check(target) + + assert accept is False + assert len(vulnerabilities) == 0 From 48ad0d0eacc1c142ed6db4b1d2e82645eff2a814 Mon Sep 17 00:00:00 2001 From: pirahnasa Date: Fri, 13 Dec 2024 12:05:57 +0100 Subject: [PATCH 2/2] Add version detection for Wpforms plugin --- agent/exploits/cve_2024_11205.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/agent/exploits/cve_2024_11205.py b/agent/exploits/cve_2024_11205.py index 5dd419c..1be60fe 100644 --- a/agent/exploits/cve_2024_11205.py +++ b/agent/exploits/cve_2024_11205.py @@ -1,4 +1,4 @@ -"""Agent Asteroid implementation for CVE-2024-8672""" +"""Agent Asteroid implementation for CVE-2024-11205""" import re