Ostorlab · 3asm · Dec 2, 2024 · Dec 2, 2024
@@ -0,0 +1,45 @@
+"""Agent Asteroid implementation for CVE-2024-8672"""
+
+import re
+
+from packaging import version
+
+from agent import definitions
+from agent import exploits_registry
+from agent.exploits import webexploit
+
+VERSION_PATTERN = re.compile(r"Stable tag:\s(\d+\.\d+(?:\.\d+)*)")
+MAX_VULNERABLE_VERSION = version.parse("4.0.7")
+VULNERABILITY_TITLE = (
+    "Widget Options Plugin <= 4.0.7 - Authenticated Remote Code Execution"
+)
+VULNERABILITY_REFERENCE = "CVE-2024-8672"
+VULNERABILITY_DESCRIPTION = (
+    "The Widget Options – The #1 WordPress Widget & Block Control Plugin is "
+    "vulnerable to Authenticated Remote Code Execution in all versions up to, and "
+    "including, 4.0.7 via the display logic functionality that extends several page "
+    "builders. This vulnerability allows users with contributor-level access or higher "
+    "to execute arbitrary PHP code on the server due to input being passed to eval() "
+    "without proper sanitization or filtering."
+)
+RISK_RATING = "CRITICAL"
+
+
+@exploits_registry.register
+class CVE20248672Exploit(webexploit.WebExploit):
+    accept_request = definitions.Request(
+        method="GET", path="/wp-content/plugins/widget-options/readme.txt"
+    )
+    check_request = definitions.Request(
+        method="GET", path="/wp-content/plugins/widget-options/readme.txt"
+    )
+    accept_pattern = [re.compile("Widget Options - Add Context To WordPress Widgets")]
+    version_pattern = VERSION_PATTERN
+    vuln_ranges = [definitions.VulnRange(None, MAX_VULNERABLE_VERSION)]
+
+    metadata = definitions.VulnerabilityMetadata(
+        title=VULNERABILITY_TITLE,
+        description=VULNERABILITY_DESCRIPTION,
+        reference=VULNERABILITY_REFERENCE,
+        risk_rating=RISK_RATING,
+    )
@@ -0,0 +1,89 @@
+"""Unit tests for Agent Asteroid: CVE-2024-8672"""
+
+import requests_mock as req_mock
+from ostorlab.agent.mixins import agent_report_vulnerability_mixin as vuln_mixin
+
+from agent import definitions
+from agent.exploits import cve_2024_8672
+
+
+def testCVE20248672_whenVulnerable_reportFinding(
+    requests_mock: req_mock.mocker.Mocker,
+) -> None:
+    """CVE-2024-8672 unit test: case when target is vulnerable."""
+    requests_mock.get(
+        "http://localhost:80/wp-content/plugins/widget-options/readme.txt",
+        text="""
+        === Widget Options - Add Context To WordPress Widgets ===
+        Contributors: expresstech, phpbits, flowdee
+        Donate link: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=FMKC2SLPTULP8
+        Requires at least: 4.0
+        Tested up to: 5.5
+        Requires PHP: 5.6
+        Stable tag: 3.7.7
+        """,
+        status_code=200,
+    )
+    exploit_instance = cve_2024_8672.CVE20248672Exploit()
+    target = definitions.Target("http", "localhost", 80)
+
+    accept = exploit_instance.accept(target)
+    vulnerabilities = exploit_instance.check(target)
+
+    assert accept is True
+    assert len(vulnerabilities) > 0
+    vulnerability = vulnerabilities[0]
+    assert (
+        vulnerability.entry.title
+        == "Widget Options Plugin <= 4.0.7 - Authenticated Remote Code Execution"
+    )
+    assert vulnerability.technical_detail == (
+        "http://localhost:80 is vulnerable to CVE-2024-8672, Widget Options Plugin <= 4.0.7 - Authenticated Remote Code Execution"
+    )
+    assert vulnerability.risk_rating == vuln_mixin.RiskRating.CRITICAL
+
+
+def testCVE20248672_whenSafe_reportNothing(
+    requests_mock: req_mock.mocker.Mocker,
+) -> None:
+    """CVE-2024-8672 unit test: case when target is safe."""
+    exploit_instance = cve_2024_8672.CVE20248672Exploit()
+    requests_mock.get(
+        "http://localhost:80/wp-content/plugins/widget-options/readme.txt",
+        text="""
+            === Widget Options - Add Context To WordPress Widgets ===
+            Contributors: expresstech, phpbits, flowdee
+            Donate link: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=FMKC2SLPTULP8
+            Requires at least: 4.0
+            Tested up to: 5.5
+            Requires PHP: 5.6
+            Stable tag: 4.0.8
+            """,
+        status_code=200,
+    )
+    target = definitions.Target("http", "localhost", 80)
+
+    accept = exploit_instance.accept(target)
+    vulnerabilities = exploit_instance.check(target)
+
+    assert accept is True
+    assert len(vulnerabilities) == 0
+
+
+def testCVE20248672_whenTargetNotLiteCleanTalk_reportNothing(
+    requests_mock: req_mock.mocker.Mocker,
+) -> None:
+    """CVE-2024-8672 unit test: case when target is safe."""
+    exploit_instance = cve_2024_8672.CVE20248672Exploit()
+    requests_mock.get(
+        "http://localhost:80/wp-content/plugins/widget-options/readme.txt",
+        text="""Not Found""",
+        status_code=404,
+    )
+    target = definitions.Target("http", "localhost", 80)
+
+    accept = exploit_instance.accept(target)
+    vulnerabilities = exploit_instance.check(target)
+
+    assert accept is False
+    assert len(vulnerabilities) == 0