Securin Zero Days
Zero-Day Research: CVE-2017-14530
Severity: High · CVSS 8 · Patched · EPSS 0.00111%

    Cross-Site Scripting & Cross-Site Request Forgery in Crony Cronjob Manager

    WP_Admin_UI in the Crony Cronjob Manager plugin before 0.4.7 for WordPress has CSRF via the name parameter in an action=manage&do=create operation, as demonstrated by inserting XSS sequences.

CVE ID: CVE-2017-14530
CVSS v3.1: 8 (High)
Vendor: Crony
CWE: CWE-352
Disclosed: Aug 28, 2015
Status: Fixed
• 01 Description
• 02 Proof of Concept
• 03 Impact
• 04 Remediation
• 05 Timeline
• 06 References
    01/Description

    What this actually is.

    Technical background, root cause, and affected surface.

A cross-site request forgery vulnerability was identified in the Crony Cronjob Manager WordPress plugin (tested in version 0.4.4; NVD lists versions before 0.4.7 as affected). The flaw lies in the name parameter of an action=manage&do=create request: the plugin handles the POST without validating a CSRF token (CWE-352), so an attacker who gets a logged-in user to open a crafted page can create cronjobs within that user's session. The supplied name is also stored and rendered in the cronjob list without sanitization or output encoding, so the forged request can plant a script payload (stored XSS) that executes in the browser of a user who views the list.

Vendor: Crony
Affected Product: Crony_Cronjob_Manager
CVE: CVE-2017-14530
Securin ID: 2015-CSW-10-1011
Status: Fixed
Date: August 28, 2015
Severity: High
CVSS Score: 8
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-352
    02/Proof of Concept

One forged request,
one planted cronjob.

Reproduced in a sandboxed environment. Exploitable over the network (AV:N); the attacker only needs a logged-in user of the plugin to open an attacker-controlled page (UI:R).

CVSS 3.1 base score: 8.0 (High)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Scope: Unchanged
Impact: C:H / I:H / A:H
PoC · Exploitation Steps

01 On a site with the plugin installed, log in as a user who can manage cronjobs and open:
   http://yourwordpresssite.com/wordpress/wp-admin/admin.php?page=crony&action=manage&do=create
02 Intercept the create request and replace the value of the name parameter with the payload
   <script>alert('Vulnerable2CSRF&XSS')</script>
   Wrap the same POST, with the payload as name, in a crafted HTML page that submits it when loaded, and deliver that page to the victim. Because the handler never checks a CSRF token, the victim's browser sends the request with the victim's session cookies, the cronjob is created, and the stored payload executes in the victim's browser, which can then be compromised.
03 Note: the payload was tested after adding the following line to wp-config.php, which revokes the unfiltered_html capability from every user, including administrators. The script still executed, so the plugin does not apply WordPress's HTML filtering to the name field:
   define( 'DISALLOW_UNFILTERED_HTML', true );
04 Issue 1: the name parameter of the POST request to http://yourwordpresssite.com/wordpress/wp-admin/admin.php?page=crony&action=manage&do=create is vulnerable to XSS, and the same request can be forged through CSRF.

Figure 01: Cronjob list before the CSRF request and XSS payload are executed.
Figure 02: Name input field, which is vulnerable to XSS.
Figure 03: Capturing the HTTP request in the intercepting proxy.
Figure 04: Crafted HTML page carrying the XSS payload in a CSRF request.
Note: after the CSRF HTML page was created, the victim user logged out and logged in again (so that a valid authenticated session existed), then opened the HTML page. In this test it was opened from the local machine.
Figure 05: XSS payload executes in the browser once the victim follows the link sent by the attacker.
Figure 06: XSS payload executes and a new cronjob is created.
    03/Impact

    What an attacker does to you.

    Post-exploitation outcomes mapped to CVSS impact metrics.

An attacker can exploit this by persuading a logged-in user of the plugin's admin interface to follow a malicious link or open an attacker-controlled page. The forged request is processed with the privilege level of that user, so the attacker can create cronjobs on the victim's behalf and plant a script payload in the cronjob name that executes in the browser of whoever views the cronjob list.

    04/Remediation

    Fix it. In this order.

    A runbook, not a checklist. Sequence matters — assume compromise before you act.

1. Update the plugin to the fixed release from the vendor (version 0.4.6 according to the vendor timeline; NVD lists versions before 0.4.7 as affected).
2. After updating, review the cronjob list for entries you did not create. A forged request processed before the update may already have planted a job, and its name may still carry a script payload; delete any such entries.
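For plugin developers, the code-level fix for this class of bug, shown as an added illustrative example that is not the Crony Cronjob Manager source: a hypothetical handler in the shape the advisory describes (no nonce check, name stored and echoed raw), followed by its hardened form using WordPress's nonce, capability, sanitization and escaping APIs. The function names prefixed crony_example_, the option name crony_example_jobs and the manage_options capability are assumptions made for this example.

```php
<?php
/**
 * Added illustrative example, not the Crony Cronjob Manager source.
 * Function names (crony_example_*), the option name 'crony_example_jobs'
 * and the 'manage_options' capability are assumptions for this example.
 */

// --- Vulnerable shape described in the advisory (do not ship this) ---------
function crony_example_create_vulnerable() {
    if ( isset( $_POST['name'] ) ) {
        // No nonce check: a hidden form on any page the admin visits can send
        // this POST with the admin's cookies and it will be accepted (CWE-352).
        $jobs   = get_option( 'crony_example_jobs', array() );
        $jobs[] = array( 'name' => $_POST['name'] ); // stored without sanitization
        update_option( 'crony_example_jobs', $jobs );
    }
    echo '<ul>';
    foreach ( get_option( 'crony_example_jobs', array() ) as $job ) {
        echo '<li>' . $job['name'] . '</li>';         // rendered unescaped: stored XSS
    }
    echo '</ul>';
}

// --- Hardened version -------------------------------------------------------
function crony_example_create_hardened() {
    if ( isset( $_POST['name'] ) ) {
        // 1. Authorization: the request must come from a user allowed to
        //    administer the site, not merely any logged-in account.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'You are not allowed to create cronjobs.' );
        }
        // 2. CSRF: verify the nonce emitted by wp_nonce_field() below.
        //    check_admin_referer() calls wp_die() when the nonce is missing or
        //    invalid, so execution never reaches the store for a forged POST.
        check_admin_referer( 'crony_example_create', 'crony_example_nonce' );
        // 3. Input handling: strip tags, invalid octets and line breaks.
        $name = sanitize_text_field( wp_unslash( $_POST['name'] ) );
        if ( '' === $name ) {
            wp_die( 'Cronjob name must not be empty.' );
        }
        $jobs   = get_option( 'crony_example_jobs', array() );
        $jobs[] = array( 'name' => $name );
        update_option( 'crony_example_jobs', $jobs );
    }
    // 4. Output encoding: escape at render time regardless of what is stored,
    //    so a payload planted before the fix cannot fire either.
    echo '<ul>';
    foreach ( get_option( 'crony_example_jobs', array() ) as $job ) {
        echo '<li>' . esc_html( $job['name'] ) . '</li>';
    }
    echo '</ul>';
    // The legitimate form carries the nonce the handler requires.
    $action_url = admin_url( 'admin.php?page=crony&action=manage&do=create' );
    echo '<form method="post" action="' . esc_url( $action_url ) . '">';
    wp_nonce_field( 'crony_example_create', 'crony_example_nonce' );
    echo '<input type="text" name="name" value="">';
    echo '<button type="submit">Create</button>';
    echo '</form>';
}
```

Both halves of the hardened handler matter. check_admin_referer() closes the CSRF, because a page on another origin cannot read the nonce that wp_nonce_field() embeds in the real form. esc_html() on output closes the XSS; the PoC shows that DISALLOW_UNFILTERED_HTML did not stop the payload, so the plugin cannot lean on WordPress's capability-based HTML filtering and must escape what it renders itself, which also neutralizes payloads already sitting in the database.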

    Securin advisory — For coordinated remediation support or threat-actor briefings related to CVE-2017-14530, contact disclose@securin.io
    05/Disclosure Timeline

Vendor acknowledged the same day.
Fix shipped within a month.

    Reconstructed from vendor advisories, CISA bulletins, and Securin research records.

    Aug 28, 2015

    Discovered in Crony Cronjob Manager Version 0.4.4.

    Aug 28, 2015

    Reported to the vendor

    Aug 28, 2015

    Vendor acknowledged the report

    Sep 27, 2015

Issues fixed in version 0.4.6 (NVD records versions before 0.4.7 as affected).

    Timeline recorded · Disclosure coordinated by Securin

    06/References

    Cite, verify, go deeper.

Primary sources: the NVD entry and Securin's full technical analysis.

NVD: CVE-2017-14530, nvd.nist.gov/vuln/detail/CVE-2017-14530
Securin VI: Full Technical Analysis, vi.securin.io

    © 2026 Securin Inc · CVE Numbering Authority