Vulnerability Impact
Arbitrary code execution, given the following two conditions:

  • An attacker can upload their own language file, or a theme or plugin folder that contains one
  • The website uses the attacker-crafted language file to translate the site, a theme, a plugin, etc.

Here is an example of a realistic scenario: the attacker modifies a plugin's language file and changes the plugin code so that the plugin's initialization file loads the malicious translation, then induces an administrator to install the plugin, which triggers the vulnerability.

Vulnerability Analysis

When calling create_function(), we can use } to close the original function body early and add whatever we want to execute after it, then use /* to comment out the unnecessary remainder. Even if the resulting anonymous function is never called, the added code still runs, because create_function() internally uses eval to compile the code. The PHP manual says:

[Screenshot: screenshot-from-2016-11-14-01-23-19]

Because of this behaviour, if we can control the $code parameter of create_function(), arbitrary code execution becomes possible.

Now look at the vulnerable code in wp-includes/pomo/translations.php:

[Screenshot: screenshot-from-2016-11-14-01-31-28]

PHP's create_function() internally calls zend_eval_stringl(), so an attacker can use } to close the anonymous function and execute arbitrary code while the anonymous function is being created 🙂

PoC:

Plural-Forms: nplurals=1; plural=n);}eval($_GET[c]);/*;
With the crafted .mo language file I provide, set the site's default language to English (Australia), then request the following URL and phpinfo() will be executed.

/index.php?c=phpinfo();


[Screenshot: screenshot-from-2016-11-14-01-54-38]


The crafted .mo language file: https://drive.google.com/open?id=0B4YO1KtVWS0naVNUZ2dhaXFGb2c

Precaution

Until the official patch is released, administrators are advised to stay vigilant and not to use language files, plugins, themes and so on from untrusted sources.
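As an added example (not code from this post, and not WordPress's own patch), the class below shows the defensive alternative to the translations.php pattern analysed above: the Plural-Forms header is never handed to create_function() or eval. Instead the plural expression is tokenized against a strict whitelist and parsed into ordinary PHP closures, so the } and /* tricks have nothing to close or comment out. It assumes PHP 8; the class name SafePluralForms and its method names are my own.

```php
<?php
// Added example, not from the post and not WordPress's own fix: honour a gettext
// "Plural-Forms" header without create_function()/eval. The plural expression is
// tokenized against a strict whitelist and parsed into ordinary PHP closures, so
// no attacker-supplied text is ever compiled. Assumes PHP 8.
final class SafePluralForms
{
    // Accepted tokens: n, integers, comparison/logical/arithmetic operators, ?:, parentheses.
    private const TOKEN_RE = '/\G\s*(n|\d+|==|!=|<=|>=|&&|\|\||[-+*\/%<>?:()])\s*/';
    // Binary operator precedence, lowest first (C semantics, as gettext specifies).
    private const LEVELS = [['||'], ['&&'], ['==', '!='], ['<', '>', '<=', '>='], ['+', '-'], ['*', '/', '%']];
    public int $nplurals;
    private array $tokens = [];
    private int $pos = 0;
    private Closure $fn;

    public function __construct(string $header)
    {
        if (!preg_match('/^\s*nplurals\s*=\s*(\d+)\s*;\s*plural\s*=\s*(.+?)\s*;?\s*$/', $header, $m)) {
            throw new InvalidArgumentException('malformed Plural-Forms header');
        }
        $this->nplurals = (int) $m[1];
        // \G anchors each match at $off, so every byte must be a whitelisted token.
        for ($off = 0, $len = strlen($m[2]); $off < $len; $off += strlen($t[0])) {
            if (!preg_match(self::TOKEN_RE, $m[2], $t, 0, $off)) {
                throw new InvalidArgumentException("illegal token near offset $off");
            }
            $this->tokens[] = $t[1];
        }
        $this->fn = $this->expr();   // parse once, when the catalogue is loaded
        if ($this->pos !== count($this->tokens)) {
            throw new InvalidArgumentException('trailing input in plural expression');
        }
    }

    // Plural index for a count, range-checked against nplurals.
    public function index(int $n): int
    {
        $i = ($this->fn)($n);
        return $i >= 0 && $i < $this->nplurals ? $i : throw new RangeException("plural index $i out of range");
    }

    private function peek(): ?string { return $this->tokens[$this->pos] ?? null; }
    private function next(): string { return $this->tokens[$this->pos++] ?? throw new InvalidArgumentException('unexpected end of expression'); }
    private function expect(string $tok): void { $this->next() === $tok || throw new InvalidArgumentException("expected '$tok'"); }

    // cond ? a : b, right-associative; only the chosen branch is evaluated.
    private function expr(): Closure
    {
        $cond = $this->level(0);
        if ($this->peek() !== '?') return $cond;
        $this->next();
        $then = $this->expr();
        $this->expect(':');
        $else = $this->expr();
        return fn(int $n): int => $cond($n) ? $then($n) : $else($n);
    }

    // Left-associative binary operators, one precedence level per call.
    private function level(int $i): Closure
    {
        if ($i === count(self::LEVELS)) return $this->primary();
        $left = $this->level($i + 1);
        while (in_array($this->peek(), self::LEVELS[$i], true)) {
            $op = $this->next();
            $right = $this->level($i + 1);
            $left = self::binary($op, $left, $right);
        }
        return $left;
    }

    private function primary(): Closure
    {
        $t = $this->next();
        if ($t === 'n') return fn(int $n): int => $n;
        if (ctype_digit($t)) { $v = (int) $t; return fn(int $n): int => $v; }
        if ($t === '(') { $inner = $this->expr(); $this->expect(')'); return $inner; }
        throw new InvalidArgumentException("unexpected token '$t'");
    }

    // Division or modulo by zero raises DivisionByZeroError, which is the safe outcome.
    private static function binary(string $op, Closure $l, Closure $r): Closure
    {
        return fn(int $n): int => match ($op) {
            '||' => (int) ($l($n) || $r($n)),  '&&' => (int) ($l($n) && $r($n)),
            '==' => (int) ($l($n) === $r($n)), '!=' => (int) ($l($n) !== $r($n)),
            '<'  => (int) ($l($n) < $r($n)),   '<=' => (int) ($l($n) <= $r($n)),
            '>'  => (int) ($l($n) > $r($n)),   '>=' => (int) ($l($n) >= $r($n)),
            '+'  => $l($n) + $r($n),           '-'  => $l($n) - $r($n),
            '*'  => $l($n) * $r($n),           '/'  => intdiv($l($n), $r($n)),
            '%'  => $l($n) % $r($n),
        };
    }
}

// Constructed inputs: a normal English header, then the crafted header from the PoC above.
$en = new SafePluralForms('nplurals=2; plural=(n != 1);');
var_dump($en->index(1), $en->index(5));
try {
    new SafePluralForms('nplurals=1; plural=n);}eval($_GET[c]);/*;');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Against the normal header, index() returns 0 for n=1 and 1 for n=5. Against the crafted header, the constructor throws at the first ; (offset 2 of the expression) before anything is evaluated. The point is structural rather than a blacklist: because the header never reaches a compiler, no combination of brace-closing and comment tricks inside a translation file can turn it into code, and a malformed or out-of-range expression fails closed with an exception instead of silently running.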

References:

https://gist.github.com/anonymous/908a087b95035d9fc9ca46cef4984e97

http://php.net/manual/en/function.create-function.php