Contest: exploit PHP Object Injection in WordPress Get your hack on!

A few days ago, I released an example exploit in WordPress which lead to Remote Code Exection. Because of the nature of the vulnerability, the type of exploit is dependent of the class definitions available in one of the installed plugins. So basically, there is a wide range of possible exploits. Now, wouldn’t it be fun if there would be a contest where people had to search for other exploits? That’s exactly what I was thinking when I was writing my previous blog entry! A few days later my idea turned into something more concrete, i.e. the challenge I will describe next.

The Challenge

The task is quite simple: find an exploit for the PHP Object Injection vulnerability in WordPress. The exploit should work in a clean install of WordPress with just the plugin installed.

Here are some guidelines that will make finding an exploit a bit easier:

  • Try one of following WordPress versions: 3.5.1, 3.5.2 or 3.6
  • Version 3.6 does not allow NULL bytes in user meta data by default (so using private properties will not work)
  • A vast amount of plugins and themes are at your disposal (plugins and themes not listed on the WordPress site are allowed as well)
  • Information on the vulnerability and an example exploit can be found on this blog

Practical details

The contest runs for three weeks, until the very end of 2013 (i.e. 31 December 2013, 23:59 UTC-12:00). Send your findings to me <tomvangoethem[at]gmail.com>. Include at least the following information:

  • PHP script generating the payload
  • Information about the plugin: name, download link, # downloads
  • used WordPress version
  • exploitation instructions (e.g. “enter payload in field x”)

The reward

Unfortunately, I don’t have one million dollars on my bank account, so the amount I get to spend on the reward is limited. (If you do have that amount of money on your bank account, or just want to sponsor, contact me please!) There are two options for the reward:

  • $50 USD to spend on a (security related) book on Amazon
  • $100 USD to give to a (decent) charity

The three main factors I will judge the submissions on are: creativity, type of exploit (RCE, SQL Injection, XSS, …) and popularity of plugin (many bonus points if you manage to find an exploit just using the WordPress core).

If something is unclear, feel free to contact me on teh Twitterz or via mail. Good luck!