XSS Flaw Impacting 100,000 Sites Patched in KingComposer

On June 15, 2020, our Threat Intelligence team was made aware of a number of access control vulnerabilities that had recently been disclosed in KingComposer, a WordPress plugin installed on over 100,000 sites. During our investigation of these vulnerabilities, we discovered an unpatched reflected Cross-Site Scripting(XSS) vulnerability.

Wordfence Premium customers received a new firewall rule the same day, protecting against the newly patched access control vulnerabilities as well as the unpatched Cross-Site Scripting vulnerability. Wordfence users still using the free version will receive this rule after 30 days, on July 15, 2020.

We attempted to contact the plugin’s developers the next day, on June 16, 2020. Since we did not receive a response after 9 days, we contacted the WordPress Plugins team on June 25, 2020. The WordPress Plugins team replied the next day and let us know that they were in touch with the developers of the KingComposer plugin, and a patch was released on June 29, 2020.

What is Reflected Cross-Site Scripting(XSS)?

We’ve written a number of articles about Stored Cross-Site Scripting(XSS) vulnerabilities in the past, and how they can be used to take over a website if an administrator accesses a page on their site containing a malicious JavaScript. We’ve also written about Cross-Site Request Forgery(CSRF) attacks, where an attacker can trick a victim into clicking a specially crafted link in order to make changes to a site.

Reflected XSS vulnerabilities have characteristics of both of these vulnerabilities. Much like a CSRF attack, exploiting a Reflected XSS vulnerability usually relies on an attacker tricking their victim into clicking a malicious link which sends the victim to the vulnerable site along with a malicious payload. This can be done in a number of ways, but it is common to first link to an intermediate site controlled by the attacker, which then sends a request containing a malicious payload to the vulnerable site on behalf of the victim.

A notable distinction between the stored XSS vulnerabilities more commonly found and reflected XSS vulnerabilities such as this, is that the malicious scripts that are used as part of the exploit are not actually stored anywhere in the database with reflected XSS vulnerabilities. Rather, the malicious scripts are reflected and executed once during the exploit.

As with Stored XSS attacks, the malicious payload will be executed in the victim’s browser. However, with reflected XSS, the vulnerable site would immediately output (reflect) the malicious JavaScript payload, which would be executed a single time in the victim’s browser instead of being stored in the database for later execution.

This could be used in a variety of attacks. For instance, if the victim was a logged-in administrator on the vulnerable site, the reflected JavaScript could be used to create a new, malicious administrator account controlled by the attacker.

In order for reflected XSS attacks to successfully exploit a user, an attacker needs to trick the user into performing an action. For that reason, we highly recommend remaining vigilant when clicking on links or attachments in comments, emails, and other communication sources unless you are sure of their integrity and legitimacy.


Description: Reflected Cross-Site Scripting(XSS)
Affected Plugin: Page Builder: KingComposer – Free Drag and Drop page builder by King-Theme
Plugin Slug: kingcomposer
Affected Versions: < 2.9.5
CVE ID: CVE-2020-15299
CVSS Score: 6.1(medium)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Fully Patched Version: 2.9.5

KingComposer is a WordPress plugin that allows Drag and Drop page building, and it registers a number of AJAX actions to accomplish this. One of these AJAX actions was no longer actively used by the plugin, but could still be used by sending a POST request to wp-admin/admin-ajax.php with the action parameter set to kc_install_online_preset.

The vulnerable function:

	public function install_online_preset(){

		$data = isset($_POST['kc-online-preset-data']) ? esc_attr($_POST['kc-online-preset-data']) : '';
		$link = isset($_POST['kc-online-preset-link']) ? esc_url($_POST['kc-online-preset-link']) : '';
		$link = str_replace( 'http://features.kingcomposer.com/', 'https://kingcomposer.com/presets/', $link);
		$callback = '
		<script type="text/javascript">
			top.kc.cfg.preset_link = "'.$link.'";
			top.kc.backbone.push(''.str_replace( "n", ''+"n"+'', base64_decode($data)).'');
			top.kc.tools.popup.close_all();
		</script>';

		echo $callback;

		exit;

	}

This function renders a JavaScript based on the contents of the kc-online-preset-link and kc-online-preset-data parameters. Since it uses the esc_attr and esc_url functions, it appears safe at first glance. Unfortunately, however, the contents of the kc-online-preset-data parameter are base64-decoded after this step.

As such, if an attacker used base64-encoding on a malicious payload, and tricked a victim into sending a request containing this payload in the kc-online-preset-data parameter, the malicious payload would be decoded and executed in the victim’s browser. The patched version of this plugin resolved the issue by removing the vulnerable function entirely.

Disclosure Timeline

June 15, 2020 – The Wordfence Threat Intelligence team discovers an unpatched vulnerability while investigating newly patched vulnerabilities in the KingComposer plugin. We release a firewall rule covering both the patched and unpatched vulnerabilities to our Premium users.
June 16, 2020 – We attempt to contact the developers of the KingComposer plugin.
June 25, 2020 – We contact the WordPress Plugins team about the vulnerability.
June 26, 2020 – The WordPress Plugins team responds and indicates that they are in touch with the developers of the KingComposer plugin.
June 29, 2020 – Patched version of KingComposer is released.
July 15, 2020 – Firewall rule becomes available to Wordfence Free users.

Conclusion

In today’s blog post, we discussed a Reflected Cross-Site Scripting(XSS) vulnerability in the KingComposer WordPress plugin, and provided some background information on how Reflected XSS attacks work. This vulnerability has been fully patched in version 2.9.5 and we strongly recommend updating to this version immediately. Sites running Wordfence Premium have been protected against this vulnerability, as well as older vulnerabilities in the KingComposer plugin, since June 15, 2020. Sites still using the free version of Wordfence will receive the firewall rule update on July 15, 2020.

The post XSS Flaw Impacting 100,000 Sites Patched in KingComposer appeared first on Wordfence.

Defiant Participating in Privacy Shield Framework

Defiant, dba Wordfence, is now listed on the Privacy Shield certification list participating in both the EU-U.S. and Swiss-U.S. Privacy Shield frameworks. The purpose of these frameworks is to allow for the lawful transfer of personal data from the European Union and Switzerland to the United States.

Two years ago when the General Data Protection Regulation (GDPR) was enacted in Europe, we painstakingly worked to ensure that Wordfence was in full compliance with these new regulations governing data protection and privacy for those located in the European Economic Area (EEA).

Defiant’s inclusion in the Privacy Shield Framework underscores our commitment to data protection standards aligned with those that meet EU legal standards for data acquisition and processing.

Our legal, operations, and compliance teams worked diligently over the last few years not only to ensure we are in compliance with GDPR, but also certified with Privacy Shield. This is no small task. Our team spent countless hours invested in the process to ensure full compliance. Meeting the requirements for any organization requires an analysis of all business processes as well as the establishment of new ones.

If you have questions about Privacy Shield and Defiant Inc, you can review our Privacy Shield Policy, and you are welcome to ask questions in the comments.

The post Defiant Participating in Privacy Shield Framework appeared first on Wordfence.

Episode 78: Targeted Phishing Bypassing Security Checks and a new DDoS Record

This week, we look at some targeted phishing attacks that are bypassing Microsoft Outlook’s protective filters, and phishing campaigns using calendar invitations to target unsuspecting recipients. We also look at some successful bitcoin scams and a new record for a massive DDoS attack that targeted an AWS customer.

Drupal pushes out some security fixes, and zero-day vulnerabilities found in numerous Netgear routers.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
2:35 Targeted phishing campaigns are bypassing Microsoft Outlook spam filters, and Wells Fargo customers targeted by calendar invites
4:48 Bitcoin scam using vanity addresses nets $2 million
5:55 AWS said it mitigated a 2.3 Tbps DDoS attack, the largest ever
7:37 Drupal patches critical security flaws
9:07 Netgear zero-day vulnerability allows full takeover of dozens of router models

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

Episode 78 Transcript

Welcome to another episode of Think Like a Hacker, the podcast about WordPress, security, and innovation. I’m your host Kathy Zant from Wordfence and today we’re going to dive into some security news.

There’s not much happening in the world of WordPress security. Even the attackers that we’ve seen ramping up some significant attacks in the recent months have been pretty quiet. Maybe it’s the doldrums of summer, or maybe the craziness in the world is hitting the hacking world. Either way, we’ll take a little bit of quietude after the frenzy of activity we had in May 2020. We hope you’re well. Let’s get into some news.

First a note about Office Hours. A couple of months ago, Tim Cantrell and Scott Miller, a couple of the Customer Service Engineers here at Wordfence, came up with an idea of doing Wordfence Office Hours to bring you a way to learn how to use Wordfence. Usually we do these types of things at WordCamps, but since we’re all quietly waiting for life to get back to normal, we figured we’d provide that value in other ways. Since our quiet start, we’ve moved to live streaming on YouTube, and it’s been pretty active. If you haven’t joined us for our Wordfence Office Hours, we invite you to come join us every Tuesday at noon Eastern, 9:00 AM Pacific. Past episodes are archived up on YouTube where you can watch us walk through some of the features of Wordfence to get the most out of the plugin. You can also look at some of our walkthroughs of Wordfence central and Wordfence login security [on our YouTube channel].

We’ve also been joined in the past few weeks by Chloe Chamberland, who’s one of our threat analysts here at Wordfence, who has discovered a number of plugin vulnerabilities over the recent months. And she showed us how hackers compromised vulnerabilities in WordPress plugins. And last week we took a look at how to clean a hacked site using Wordfence. We have some additional episodes coming up that I think you’ll find interesting. Ram Gall is going to join us to show us how hackers can compromise vulnerable plugins without capabilities checks and what plugin coders can do in order protect against these types of exploits. And we’ve also got some interactivity, so you can come play with us. We have a lot planned with Wordfence Office Hours in the coming weeks. So please come join us.

Let’s dive into some news.

Our first story is about a phishing campaign that is bypassing some spam filters in Outlook, Microsoft’s email platform. These are targeting Bank of America customers, and it’s a phishing campaign that is targeting only a few people in an organization. And because it’s only targeting a few people, this low volume is enabling these to slip past Microsoft’s email security. Also, because this phishing campaign is passing all of these security checks because it’s using a Yahoo email address rather than a Bank of America email address, it’s authenticating to the types of checks that they do on domain authentication. So technologies like SPF, DKIM, and DMARC are helping to verify if an email has been sent from the domain it claims to be originating from, and because this is coming from Yahoo, it looks okay with those checks. But in this case, the email’s originating from Yahoo.

So the email body doesn’t have any domains that can be recognized as malicious. So the phishing domain that they’re using nulledco[.]store was registered on June 1st, has a valid SSL certificate and is not in any security databases. So it is not being flagged as malicious.

What does this tell us? Well, it’s telling us that spammers and phishers can bypass some of these security tools that we have in place to identify malicious emails coming in. So the responsibility still lies with us. Any email that comes in, whether it’s from a bank or our friends, any email that ends up in your inbox still should be looked at with some scrutiny to determine whether or not that is a valid email. And when you’re going to your bank just type in the domain name yourself, don’t click links in emails, [that] would be my advice.

And in a related story, Bleeping Computer also is reporting that there is a phishing campaign targeting Wells Fargo customers that is baiting customers with calendar invites. So you’ll want to watch out for those as well.

Our next story is about Bitcoin giveaway scams. I see these on Twitter all the time, and I always wonder who falls for these. And apparently some people have. ZDNet is reporting that Elon Musk’s name is being used in vanity Bitcoin addresses, and they have been successful in scamming users out of about $2 million. Not even quite sure why Elon Musk’s name tricks people into falling for these scams, but basically these vanity addresses have Elon Musk’s name in them and they have noticed that about $2 million has been harvested by these attackers. So just to educate our friends, that Bitcoin scams exist and to not fall for them, if there is a Bitcoin giveaway, make sure that you walk the other way. Bitcoin’s like $9,000 at the moment, I’m sure that will change, it’s so volatile, but interesting to see that these vanity addresses are all it takes for people to fall for these scams.

Our next story also from ZDNet, AWS said it mitigated at 2.3 terabyte per second (Tbps) DDOS attack. And this is the largest DDOS attack ever recorded. The previous record for the largest DDOS attack was 1.7 terabytes per second, recorded in March of 2018. So this report doesn’t identify the targeted AWS customer, but it says the attack was carried out using hijacked CLDAP web servers, and caused three days of elevated threat for AWS Shield staff. So connectionless lightweight directory access protocol, it’s an alternative to the older LDAP protocol. It’s used to connect search and modify internet shared directories.

This protocol has been abused for DDOS attack for about four years and CLDAP servers are known to amplify DDOS traffic by 56 to 70 times initial size, so highly sought after protocol for attackers. And this is a common option that is being used by DDOS for hire services. And CloudFlare has reported that 92% of the DDOS attacks that it mitigated in the first quarter of 2020 were under 10 gigabytes per second (gbps). And about half of those were even smaller, under 500 megabytes per second (mbps). So a 2.3 terabytes per second DDOS attack is pretty significant. And it sounds like someone was targeted in this attack. It’ll be interesting to see if we see more of this.

Our next story comes from portswigger.net. They’re reporting that Drupal has patched a couple of critical security flaws. Drupal is a content management system, similar to WordPress. The flaws that were patched first up was a cross site request forgery or a CSRF that was in the form API. It was failing to properly handle certain form input from cross-site requests. The second critical vulnerability was an arbitrary code execution risk. An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. And with that directory in place, an attacker could attempt to brute force a remote code execution vulnerability. And Windows servers were most likely to be affected by that. These critical vulnerabilities were resolved in Drupal versions 7.7.2, Drupal 8.8.8, Drupal 8.9.1, and Drupal 9.0.1. There were a few other vulnerabilities patched in these updates, but they were less critical. There are full details on the Drupal site and we’ll have a link for you in the show notes to check that out if you are managing Drupal sites along with your WordPress sites. Definitely important to keep all of your open source software patched and to keep everything safe.

Our final story is about a zero-day flaw in NETGEAR routers that allows for full takeover of dozens of router models. This is coming from ThreatPost and it was published on June 19, 2020. This unpatched vulnerability in this web server of the device firmware gives attackers root privileges, according to researchers. They discovered the zero-day vulnerability that puts 79 device models at risk for a full takeover. So the flaw stems from a memory safety issue that’s present in the firmware’s HTTPD web server. Basically, there’s a web server on your router that allows you to basically browse to that router and configure the settings that you want on a router.

Now, unfortunately, with this flaw, authentication isn’t required to exploit the vulnerability, which means that anyone can exploit it. Authenticated vulnerabilities means that you have to be an authenticated user, you have to be logged in with username, password, or some kind of credentials that logs you into the device. But with this one, you don’t need to be authenticated. Anyone can exploit it.

Now what’s kind of frightening about this is that this security researcher states that they informed NETGEAR of the vulnerability in January, but they’ve still not delivered a patch for affected devices. So this is what typically happens in the security world. Security researchers find a vulnerability, you go to the manufacturer of the device or to the plugin author in many of our cases and you disclose the vulnerability. You provide a proof of concept, show how it works, and then you work with that vendor to ensure that the vulnerability is patched.

So in this case, the researcher was asked by NETGEAR to extend their deadline for public disclosure until the end of June. And the researcher decided not to extend that deadline, it’s been six months, of course. And they discovered the flaw initially in the NETGEAR R7000 routers series, but then they eventually identified 79 different NETGEAR devices and 758 firmware images that include a vulnerable copy of this web server. So what does this mean for you? If you are using one of the affected devices and you should go check out this ThreatPost article to determine whether or not you are using a NETGEAR router with this vulnerability, you’re going to need to watch for a patch. And when that patch is released, you need to make sure your router is patched so that you have all of those security fixes in place.

This is not the first problem with security for NETGEAR. In March, NETGEAR patched a critical remote code execution bug that could allow unauthenticated attackers to take control of wireless AC router Nighthawk, the R7800. So NETGEAR is no stranger to some security issues. It’s really important. You think about patching your computer and making sure that that’s all updated. Obviously you think about your WordPress website and want to ensure that that is updated. But you have to consider every device that’s on your network, including the router that allows you to access the internet, that needs to be patched as well.

So, yeah, not much going on in WordPress security, which is nice, but there’s a lot going on in the security world as a whole. Obviously staying on top of all of these security stories is our beat. And if we think it’s relevant to you, we will cover it. If there’s a story you would like us to cover, we will take that little tip, send it to us at press@wordfence.com and our researchers will get on it. If there’s a story you’d like us to cover in WordPress that is beyond security, we’d love to take a look at that as well.

And join us on the office hours, every Tuesday at noon on the East coast of the United States, 9:00 AM on the West coast. We have a few of us coming from the East coast and a few of us here in Arizona, and we look forward to showing you some secure coding practices coming up next.

We will talk to you soon again on the podcast. Hope if it is after the 4th of July, that you have a safe holiday, if you are here in the United States. And if you are elsewhere, we hope that your summer is peaceful and that things are well for you. Stay safe and we’ll talk to you again on Think Like a Hacker.

Please give us a like or give us a review on Apple podcasts. Definitely join us over on YouTube. Follow me on Twitter and I’ll let you know what the whole Wordfence team is up to. Of course, if you’re not following Wordfence on your favorite social media, we are Wordfence everywhere, whether it is Instagram or Facebook or Twitter.

The post Episode 78: Targeted Phishing Bypassing Security Checks and a new DDoS Record appeared first on Wordfence.

Malware Detection: Measuring Recall to Catch Them All

At Wordfence, we take performance seriously on all levels. While speed is one way to measure performance, there are other metrics that are equally important. Over the past year, our Threat Intelligence team has improved our malware scan by leaps and bounds. We wanted to share some of the metrics we use and what they mean for our customers. We’ll also take a brief look at the new Jetpack Scan and see how it compares.

Measuring Recall to catch them all

Wordfence currently has more than 1.5 million malware samples on file, ranging from backdoors and shells to SEO spam. At any given time we use several thousand “signatures” to detect these malicious files. A signature is a pattern that is used to algorithmically match malware. Our signatures use regular expressions that are optimized to be highly performant and compatible with a range of platforms, from PHP regex to server-based pattern engines.

One of the most important metrics we use is Recall. Simply put, Recall is the percentage of known malicious files that are detected by our signatures.

Over the past year we have continuously improved this recall rate, and currently our signatures detect over 98% of known malicious content. Our Threat Intelligence team is constantly adding to and improving on these signatures, in order to detect emerging threats.

Keeping False Positives low

It’s just as important to make sure that our scanner doesn’t mistake legitimate software for malware. This is a situation known as a False Positive. We have a number of ways to prevent our customers from experiencing False Positives, and very few customers will ever see one.

Preventing False Positives starts with the malware detection signatures themselves, and we test them against millions of examples of legitimate web application code, ranging from popular plugins to home-brewed contact forms.

Over the past year we have improved the False Positive rate of our malware signatures from 1.1% to less than 0.03%. That is, our signatures mistakenly detect less than 3 in 10,000 known good files.

Speed is still critical

We measure each malware detection signature to ensure it doesn’t slow down the Wordfence scanner, replacing slow signatures with faster ones that detect even more malware. Over the past year, the combined speed of our malware detection signatures has increased by over 70%, which means Wordfence can scan your site faster than ever before.

How the competition measures up

We recently had an opportunity to test the performance of the new Jetpack Scan. Similar to the Vaultpress scan that was previously available as a Jetpack upgrade, Jetpack Scan uploads a helper file to your site and downloads any files it finds to their servers in order to scan them for malware.

For each of our malware detection signatures, we placed a malicious file that was detected by that particular signature on a test server in the wp-content/uploads folder. After running the Jetpack Scan, we found that it had a recall rate of 11.5%. We used a total of 2982 malware samples in the test from our collection of over 1.5 million samples. That means that for a total of 2982 malware samples, 342 were detected by Jetpack in our testing.

It’s worth noting that our scan had a 100% recall rate on these samples, but that is because these are samples that we know of. So there is a case of selection bias here in that we are choosing samples that we already detect. While our collection of 1.5 million malware samples is substantial, we do not know the size of Jetpack’s own malware collection, and how their recall rate compares against their own collection. It is possible their collection contains malware that we don’t know about, and that their scanner has an enormously high detection rate for malware that is simply not on our radar.

Much of our own malware database comes from our site cleaning business, where we analyze sites that have been hacked, and where we collect indicators of compromise, including malware samples, malicious IP addresses, and malicious domains. Having a constant flow of customers that have encountered a real-world intrusion provides us with a continuous portrait of emerging threats.

We were unable to test Jetpack Scan’s False Positive rate since this would have required a much larger number of files to be scanned.

Conclusion

In this article, we have covered some of the ways we measure malware scan performance, how our performance has changed over time, and how Jetpack Scan compares. Knowing how to measure performance is important, but it is only the first step. The large and rapid improvements we have made in malware detection have been the result of a concerted and ongoing effort by the Wordfence team. We improved because we made it a priority, and it is a priority because we have a team that is dedicated to making WordPress safer.

The post Malware Detection: Measuring Recall to Catch Them All appeared first on Wordfence.

Critical Vulnerabilities Patched in Adning Advertising Plugin

On June 24, 2020, our Threat Intelligence team was made aware of a possible vulnerability in the Adning Advertising plugin, a premium plugin with over 8,000 customers. We eventually discovered 2 vulnerabilities, one of which was a critical vulnerability that allowed an unauthenticated attacker to upload arbitrary files, leading to Remote Code Execution(RCE), which could allow complete site takeover.

The next day, on June 25, 2020, we privately disclosed these vulnerabilities to the plugin’s author, Tunafish. A patched version was made available in less than 24 hours, on June 26, 2020. We strongly recommend updating to the latest version of this plugin, 1.5.6, immediately.

Wordfence Premium users received a firewall rule protecting against these vulnerabilities on June 25, 2020. Users still running the free version of Wordfence will receive this rule on July 25, 2020.

After monitoring attacks against this firewall rule, we determined that, although these vulnerabilities were being attacked in the wild, the attacks were extremely limited in scope and scale. As such we withheld details from public disclosure for a short period of time to allow users time to update and prevent more widespread exploitation.


Description: Unauthenticated Arbitrary File Upload leading to Remote Code Execution
Affected Plugin: Adning Advertising
Plugin Slug: angwp
Affected Versions: < 1.5.6
CVE ID: N/A
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSS score: 10.0(critical)
Patched Version: 1.5.6

One functionality of the Adning plugin is to allow users to upload banner images. In order to provide this functionality, it used an AJAX action, _ning_upload_image. Unfortunately this AJAX action was available with a nopriv_ hook, meaning that any visitor to the site could make use of it, even if they were not logged in. Additionally, the function called by this AJAX action also failed to make use of a capability check or a nonce check.

	public static function _ning_upload_image()
	{
		$_action = isset($_POST['action']) ? $_POST['action'] : '';
		$user_id = isset($_POST['uid']) ? $_POST['uid'] : 0;
		$banner_id = isset($_POST['bid']) ? $_POST['bid'] : 0;
		$max_upload_size = isset($_POST['max_upload_size']) ? $_POST['max_upload_size'] : 100;
		$upload = isset($_POST['upload']) ?  json_decode(stripslashes($_POST['upload']), true) : array();
		$valid_formats = isset($_POST['allowed_file_types']) ? explode(',', $_POST['allowed_file_types']) : array('jpg');
		if( in_array('jpg', $valid_formats) )
		{
			$valid_formats[] = 'jpeg';
		}
		
		//$max_file_size = 1024*100; //100 kb
		//$max_file_size = 1024000*15; // 15 MB (1 mb = 1000 kb)
		$max_file_size = 1024000*$max_upload_size;
		
		//$upload_path = $upload_dir.'/'.$upload_folder;
		//$upload_path = $upload_path.$upload_folder;
		$upload_path = $upload['dir'].$upload['folder'];
		$count = 0;

		// Create upload folder if not exists
		if(!is_dir($upload_path)) {
		    mkdir($upload_path, 0777, true);
		}

		if(!empty($_FILES['files'])) 
		{
			$upload_success = false;
			$upload_error = '';
			$uploaded_files = array();
			$unzip_error = array();

			// Loop $_FILES to execute all files
			foreach ($_FILES['files']['name'] as $f => $name) 
			{     
			    if ($_FILES['files']['error'][$f] == 4) 
			    {
			        continue; // Skip file if any error found
			    }	       
			    if ($_FILES['files']['error'][$f] == 0) 
			    {	           
			        if ($_FILES['files']['size'][$f] > $max_file_size) 
			        {
			            $upload_error = $name. " is too large!";
			            continue; // Skip large files
			        }
					elseif( !in_array(pathinfo($name, PATHINFO_EXTENSION), $valid_formats) )
					{
						$upload_error = $name." is not a valid format";
						continue; // Skip invalid file formats
					}
			        else
			        { 
			        	// No error found! Move uploaded files 
			            if(move_uploaded_file($_FILES["files"]["tmp_name"][$f], $upload_path.$name)){
			            	$count++; // Number of successfully uploaded file
							$src = $upload['src'].$upload['folder'].$name;

			            	// Copy image to banner folder
			            	/*if(!empty($banner_id))
			        		{
			        			if(!is_dir($upload_dir.'/'.$banner_folder)) {
								    mkdir($upload_dir.'/'.$banner_folder, 0777, true);
								}
			        			copy($path.$name, $upload_dir.'/'.$banner_folder.$name);
			        		}*/

			        		$uploaded_files[] = array(
			        			'name' => $name, 
								'size' => $_FILES['files']['size'][$f],
								'upload' => $upload,
								'path' => $upload_path.$name,
			        			'src' => $src,
			        			'grid_item' => '<div class="grid-item" data-src="'.$src.'" data-use="path"><img src="'.$src.'" /><div class="info_btn" data-info="'.basename($src).'"><svg viewBox="0 0 448 512" style="height:18px;border-radius:2px;"><path fill="currentColor" d="M400 32H48C21.49 32 0 53.49 0 80v352c0 26.51 21.49 48 48 48h352c26.51 0 48-21.49 48-48V80c0-26.51-21.49-48-48-48zm-176 86c23.196 0 42 18.804 42 42s-18.804 42-42 42-42-18.804-42-42 18.804-42 42-42zm56 254c0 6.627-5.373 12-12 12h-88c-6.627 0-12-5.373-12-12v-24c0-6.627 5.373-12 12-12h12v-64h-12c-6.627 0-12-5.373-12-12v-24c0-6.627 5.373-12 12-12h64c6.627 0 12 5.373 12 12v100h12c6.627 0 12 5.373 12 12v24z" class=""></path></svg></div></div>',
			        			'uid'  => $user_id,
			        			'action'  => $_action
							);
							
							
							if( pathinfo($name, PATHINFO_EXTENSION) == 'zip')
							{
								$zipfile = array(
									'name' => $_FILES['files']['name'][$f],
									'type' => $_FILES['files']['type'][$f],
									'tmp_name' => $_FILES['files']['tmp_name'][$f],
									'error' => $_FILES['files']['error'][$f],
									'size' => $_FILES['files']['size'][$f],
								);
								
								$unzip_error = self::upload_and_unzip($zipfile, array('folder' => $upload['folder'], 'path' => $upload_path, 'src' => $upload['src']));
							}
						}
						else
						{
							$upload_error = is_writable($upload_path) ? 'Could not move files.' : 'Folder is not writable.';
						}
			        }
			    }
			}

			if(count($uploaded_files) > 0){
				$upload_success = true;
			}

			echo json_encode(array("chk" => $_FILES['files'], "unzip" => $unzip_error, "upload" => $upload, "success" => $upload_success, "files" => json_encode($uploaded_files), "error" => $upload_error));
		}else{
			echo 'no files found.';
		}
		exit;
	}

This function also allowed the user to supply the “allowed” file types. As such it was possible for an unauthenticated attacker to upload malicious code by sending a POST request to wp-admin/admin-ajax.php with the action parameter set to _ning_upload_image the allowed_file_types set to php, and a files parameter containing a malicious PHP file. Alternatively, an attacker could set the allowed_file_types to zip and upload a compressed archive containing a malicious PHP file, which would be unzipped after upload. It was also possible for an attacker to change the upload directory by manipulating the contents of the upload parameter – if the desired directory did not exist, the plugin would create it.


Description: Unauthenticated Arbitrary File Deletion via path traversal
Affected Plugin: Adning Advertising
Plugin Slug: angwp
Affected Versions: < 1.5.6
CVE ID: N/A
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H
CVSS score: 8.7(high)
Patched Version: 1.5.6

In order to delete any uploaded images, the plugin also registered another ajax action, _ning_remove_image, which also used a nopriv_ hook. As with the upload vulnerability, this function did not perform a capability check or a nonce check. As such it was possible for an unauthenticated attacker to delete arbitrary files using path traversal.

If an attacker were able to delete wp-config.php, the site would be reset, and an attacker could then set it up again and point it to a remote database under their control, effectively replacing the site’s content with their own content.

	public static function _ning_remove_image()
	{
		$upload = wp_upload_dir();
		$upload_dir = $upload['basedir'];
		$upload_url = $upload['baseurl'];
		$upload_folder = self::$upload_folder.$_POST['uid'].'/';	

		$path = $upload_dir.'/'.$upload_folder.basename($_POST['src']);
		$removed = 0;

		if(unlink($path)){
			$remove = 1;
		}
		echo $remove;

		exit;
	}

This attack might require an extra step of preparation, which is that the wp-content/uploads/path folder would need to exist. However, since the previously mentioned arbitrary file upload vulnerability allowed for directory creation, this was not a major obstacle. Once the directory was created, an attacker could send a POST request to wp-admin/admin-ajax.php with the action parameter set to _ning_remove_image, the uid parameter set to /../../.. and the src parameter set to wp-config.php.

Timeline

June 24, 2020 – Wordfence Threat Intelligence receives a report of a compromised website running the Adning plugin. During our investigation, we discovered two vulnerabilities.
June 25, 2020 – Firewall rule released for Premium Wordfence users. We make initial contact with plugin’s author and send full disclosure after receiving a response.
June 26, 2020 – Plugin’s author releases a patch.
July 25, 2020 – Firewall rule becomes available to Wordfence free users.

Conclusion

In today’s post, we discussed two vulnerabilities in the Adning Advertising plugin which could allow an attacker to completely take over a website. These flaws have been fully patched in version 1.5.6. If you are running this plugin, it is critical that you updated to this version as soon as possible. Sites running Wordfence Premium have been protected against these vulnerabilities since June 25, 2020, while sites still using the free version of Wordfence will receive the firewall rule on July 25, 2020.

Special Thanks to Tunafish, the author of the Adning Advertising plugin, for their excellent and timely response in releasing a patch.

The post Critical Vulnerabilities Patched in Adning Advertising Plugin appeared first on Wordfence.

Episode 77: WordPress 5.4.2 Released, Fake Ransomware Bitcoin Scams

This week, we look at the WP 5.4.2 release and a ransomware bitcoin scam targeting site owners with a “You’ve Been Hacked” email. We also look at an FBI warning about online banking app malware, the Verizon data breach report and what is says about WordPress, and how some white hat hackers are becoming millionaires responsibly disclosing vulnerabilities via HackerOne.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:20 WordPress 5.4.2 security release fixes multiple XSS vulnerabilities
1:47 High Severity Vulnerabilities in PageLayer Plugin Affect Over 200,000 WordPress Sites
3:05 Ransomware Bitcoin scam claiming sites are hacked
5:40 FBI warns of increased hacking risk if using mobile banking apps
8:08 $100 million in bounties paid by HackerOne to ethical hackers
10:00 Verizon data breach report: Web application attacks rise to account for almost half of all data breaches
11:17 Owners of DDoS for hire service get community service

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

Episode 77 Transcript

Welcome to Think Like a Hacker, the podcast about WordPress, security, and innovation. It’s been a few weeks, a lot going on here at Wordfence, including a couple of very well attended live events on YouTube. More on that later. First let’s get into the news.

Our top story, WordPress 5.4.2 was released on Wednesday, June 10th. WordPress’ latest release contains 23 fixes and enhancements, including patches for six moderate-risk cross site scripting and other security bugs.

Wordfence Threat Analyst and Senior QA Engineer Ram Gall took a deeper look at the release. He found that most of the security patches were fixing vulnerabilities only exploitable in rather specialized cases. One of the cross-site scripting issues addressed by the update meant authenticated users with low privileges were able to add JavaScript to posts in the block editor. A separate issue gave authenticated users with upload permissions, the ability to add JavaScript to media files. And the release also had another bug, not cross site scripting, that resolved an open redirect issue in the wp_validate_redirect function. An issue where comments from password protected posts and pages could be displayed under certain conditions was also resolved. Special shout out and a thank you to the security researchers that found these vulnerabilities and responsibly disclosed them to the core team, and a shout out, of course, to the core team who got this release out.

Our next story is about high severity vulnerabilities that were patched in the Page Layer plugin. This affected over 200,000 WordPress sites. Chloe Chamberland posted this on the Wordfence official blog a few weeks ago. At the time of this writing, these vulnerabilities have already been patched. If you’re using Wordfence, the firewall is protecting against exploits. Both free and premium users are protected against this being exploited. One of the flaws allowed any authenticated user with subscriber level and above permissions, the ability to update and modify posts with malicious content amongst other things.

The second flaw allowed attackers to forge requests on behalf of a site administrator to modify the settings of the plugin, which could allow for a malicious JavaScript injection. Chloe demonstrated this both on the video that is included on the blog post, as well as during Wordfence Office Hours on June 9th. These are available on the Wordfence YouTube channel. I suggest checking those out. There are links in the show notes. Chloe really makes understanding these exploits easy and makes it easy for all of us to understand how to protect our sites better.

Our next story is about fake ransomware Bitcoin scams. Now I’m sure we’ve all received one of these at one point or another. We have been seeing these in email inboxes for quite a while. Last year, they were claiming to have video of people accessing rather questionable and embarrassing content, and were basically trying to get people to pay Bitcoin so that those videos would not be exposed. Of course, it was all a scam. Now they’re taking aim at site owners, claiming that your site is hacked, and the only way to save the personally identifiable information from your site’s database is to pay a ransom. So the scammer sends an email to the site owner with the subject “your site has been hacked” and the body of the email claims hackers have exploited vulnerabilities to gain access to the site’s database, and that they have “moved to the information to an offshore server.”

The email then threatens to ruin the site owners reputation by selling the site database or notifying customers that their information was compromised, and they are also threatening to de-index the site from the search engines by using black hat techniques. Now, this is all stuff that could happen, but much like the previous scams that we have seen in inboxes, it’s a scam and it’s not true, and you may be receiving these emails without your site actually hacked.

There is actually a Bitcoin abuse database on what you can look up what’s happening with an individual Bitcoin address. So you can enter in that Bitcoin address and it will report what the owner of that address has been up to. So if you put in the Bitcoin address of any of these email scams that people are getting, you’ll see that other people are receiving similar types of email scams trying to target sites, even some sites that don’t even have a database. So far, it appears that these campaigns have not been very successful. Yay. People are deleting them and they are not convincing site owners to pay the ransom. I’m sure these scammers will move on to another scam. We just need to be aware that anything that shows in your inbox may or may not be true, and if anyone ever threatens you online requesting Bitcoin or any other cryptocurrency, or even money, to really look deeper at those types of ransom types of requests, because they are most likely a scam.

Our next story comes from Bleeping Computer. They are reporting that the FBI is warning of increased hacking risks if you are using mobile banking apps on your smartphone. So the FBI is reporting that financial technology providers are estimating more than 75% of Americans are using mobile banking in some form, and the studies of U.S. financial data are indicating a 50% surge in mobile banking since the beginning of 2020, most likely due to all of the lockdowns and COVID-19. So the FBI is anticipating that these malicious actors will try to exploit new mobile banking customers who are unaware of how these banking apps work, and they may be using things such as fake banking apps and app based banking trojans. One thing that is important to remember is if you download an app, it is going to ask you to give it permissions that it will require an order to steal your information, to steal your usernames and passwords.

This malware does not go snooping around in Android or iOS, but it will actually stay dormant and only surface when you open a legitimate banking app and then it will ask for information. So then these Trojans will create a false version of the bank’s login page and overlays it on top of a legitimate app. Once you enter your credentials into that Trojan app, obviously you are exposing your credentials to an attacker.

So what can we do? Obviously be very careful when you’re on your smartphone. In the cryptocurrency space, security has been an issue for a very long time. And I’ve known people who are big into trading cryptocurrency, and they actually have a separate laptop, a separate machine, that they do all of their banking on, and that’s the only thing they do with that specific laptop. Maybe it’s time for us to start applying some of these more stringent controls for our other financial institutions and only have one browser, for an example, that you use for banking or transferring of funds or cryptocurrency trading, or stock trading, whatever you’re doing with your money. And just functionally isolate what you’re doing with your financial institutions in order to mitigate these types of risks.

Our next story is from PortSwigger, portswigger.net, and they are reporting on the Verizon 2020 data breach investigation report, and they are stating that web application attacks rise to account for almost half of all data breaches. So the actual number is 43% of breaches trace back to attacks against web applications. Of course, your WordPress website is a web application. This is double the results from last year, and the vast majority of those data breaches were motivated, of course, by the prospect of illicit financial gain. This is up from 71% in 2019.

Now, how does this affect WordPress? Attacks on content management systems that include WordPress, Joomla, Drupal, NoneCMS accounted for about 20% of all cyber attacks. And more than 28% of attacks targeted technology platforms supporting websites, such as ColdFusion and Apache Struts. Now, what can we take from this data? I mean, I don’t find this to be entirely too surprising.

Your website is the easiest thing for an attacker to attack. It is your front door on the internet for your business. It’s much easier for them to target your website than say your email systems or your accounting systems, though if they had that kind of information, they’d probably target that as well. Obviously with any front door, it’s good to have a lock and key and maybe a security camera or security system preventing these types of attacks on the front door, which is why Wordfence exists. Good to have a firewall on that front door and make sure those malicious attacks cannot occur, and a malware scanner to tell you if indeed it happened.

Our next story is also from Bleeping Computer and this was published on May 27th. They reported that a hundred million dollars in bounties had been paid via HackerOne to ethical hackers. This is a feel good story, hacking being profitable, white hat hacking being profitable. Always good to put some attention on that. They’re reporting that over 700,000 ethical hackers are using the bug bounty platform to get paid for security bugs in the products of over 1900 HackerOne customers. Of course, it’s impossible for us to know how many cyber breaches have been averted by responsible disclosure of security vulnerabilities, but with the average cost of breaches around $8 million, the savings to businesses who are running websites and other applications are probably in the tens of billions.

So HackerOne announced that eight of the hackers using their platform had become millionaires with 19-year-old Santiago Lopez being the first white hat hacker to earn over a million dollars by reporting security vulnerabilities responsibly to HackerOne. Kind of exciting.

Our final story from June 7th, from Krebs on Security is about a DDoS for hire service that got six months of community service. This company was called vDOS and the co-owners operated this for four years, basically taking money from customers and launching over 2 million DDoS or distributed denial of service attacks, knocking many internet users and websites offline. They’ve been sentenced to six months of community service by an Israeli court. Now it looks like vDOS was responsible for a majority of the DDoS attacks that had clogged up the internet between 2012 and 2016. Their subscription packages were sold on how many seconds the DDoS attack would last, and in four months between April and July 2016, vDOS was responsible for launching over 277 million seconds of attack time. It was kind of hard to get all of this data because after they would perform these attacks, they would wipe their servers. Pretty scary stuff.

Now, obviously, operating this type of service is illegal in numerous municipalities; purchasing these types of services is also illegal in numerous jurisdictions. A commenter on Krebs article stated that one of the defendants had actually turned his life around and is working for a legitimate company now. Let’s hope that both of them do and let’s hope more of the malicious attackers that exist out on the web find ways to maybe become ethical hackers, go look for vulnerabilities on applications and submit their bugs to places like HackerOne for bug bounties. There are ways that some of this cyber crime can get turned around.

The news for today. I would like to invite you to join us for Office Hours on YouTube. You can find us on the Wordfence channel every Tuesday at noon Eastern time on the East coast of the United States, and 9:00 AM Pacific time. Next week, we will be fixing a hack. So we’ve been doing some live hacking over the past couple of weeks with Chloe Chamberland, and now we’re going to take one of those hacked sites and show you how to use Wordfence to clean it up. So join us over there.

As always, thank you for listening to Think Like a Hacker. Might have a couple of weeks where I am off doing some interesting things in my life that I’ll talk about later, but we will come back with all of the news in WordPress security and innovation, just as soon as we can. Stay safe and we will talk to you soon.

Go ahead and give us a like or give us a review on Apple podcasts. Definitely join us over on YouTube. Follow me on Twitter and I’ll let you know what the whole Wordfence team is up to. Of course, if you’re not following Wordfence on your favorite social media, we are Wordfence everywhere, whether it is Instagram or Facebook or Twitter.

The post Episode 77: WordPress 5.4.2 Released, Fake Ransomware Bitcoin Scams appeared first on Wordfence.

Pin It on Pinterest