Episode 106: Admin Password Resets, Blockchain Botnets and a Central Management RCE

WordPress 5.7 is due to be released on March 9, and it will allow administrators to send password reset emails to users. A botnet is abusing the Bitcoin blockchain for command and control, while VMware fixes a critical remote code execution bug in all default vCenter installations. Android users now have an easy way to check password security. We talk about the ramifications of vulnerability disclosures and how last year’s File Manager vulnerability did not have long-lasting effects on plugin installation base or growth. We also discuss how investor data breach fatigue has reduced the stock price impact of cybersecurity failures.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:41 Wordfence/Defiant is hiring, and we’re offering a $500 gift card for anyone who refers a successful candidate
2:30 The Wordfence K-12 site cleaning and site audit program continues to help schools around the world
3:00 WordPress 5.7 will allow administrators to send password reset emails
6:20 This botnet is abusing the Bitcoin blockchain to stay in the shadows
9:52 VMware fixes critical RCE bug in all default vCenter installations
11:53 Android users now have an easy way to check password security
14:40 Investor data breach ‘fatigue’ reduces Wall Street punishment for cybersecurity failures

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

Episode 106 Transcript

Ram:
Welcome to Think Like A Hacker, the podcast about WordPress, security, and innovation. I am Ram Gall, threat analyst at Wordfence, and with me is director of marketing, Kathy Zant. Kathy, how are things?

Kathy:
Things are very, very good compared to last week. It’s almost like Texas has somewhat recovered. At least the weather’s recovered. I think people here-

Ram:
Do have power and water now?

Kathy:
I have power. I have water. The skies were blue yesterday. We have ping pong ball sized hail coming, apparently. What is with Texas? I don’t know. It’s interesting, though. Got to keep-

Ram:
Everything is bigger in Texas, even the hail.

Kathy:
Even the hail. It’s a crazy place. Anyway, all is well. And we have some interesting things, some big things happening with Wordfence.

Ram:
I hear we are hiring.

Kathy:
We are hiring. We’re hiring for four specific roles. These are senior roles. So we wanted to sweeten the pot for all of our listeners who are out there listening who… Come on. You guys know someone who’s amazing. Someone who’s looking for-

Ram:
And you like free money, too, right?

Kathy:
And you like free money. So we thought we’d put all of those things together, and we want you to refer someone that you think would be exceptional in one of these roles and that would enjoy the fun, fast-paced environment we have here at Wordfence.

Kathy:
We have a security operations role. We want someone who’s up on the AWS scene. We’re looking for a couple of senior PHP developers and a senior researcher who is very interested in website performance. If you know someone and you refer someone, we will give you a $500 gift card if you refer a successful candidate. And if you think you might be a successful candidate, we would love to talk to you. There are links in the show notes for these job descriptions so you can get the full details about what these jobs entail and the benefits of working here at Defiant. Benefits that even include a week off between Christmas and New Year’s, which is always a nice time. Don’t you love that, Ram?

Ram:
Yeah. Yeah. Honestly, the last few years we’ve been doing it, but they finally made it official policy instead of just a cool thing we decided to do at the last minute.

Kathy:
Yeah, exactly. It’s a nice way to end the year. Just kind of think back over the previous year and plan for the future. Always a good time.

Kathy:
We also have our K-12 school initiative, site cleaning and site audits available for any government or state funded school in the United States, in Canada, in Mexico, anywhere in the world. If you know of a school that could use some security support, send them our way. We are cleaning and auditing those sites for free, and educating the educators. That program is continuing and continues to be a success, so we just wanted to mention it. We would love your referrals. Just send those schools our way.

Kathy:
Now, we saw some interesting stuff coming in WordPress 5.7. Ram, what do you know?

Ram:
WordPress 5.7 is actually fulfilling a sort of long-requested feature to let administrators send password reset links. And this is very cool. I mean, there is some potential for abuse via social engineering, but I mean, if you think about it, an attacker can already request a password reset for a user if they know or can guess the username or email address, so it’s not like attackers can’t send password resets to people anyways.

Kathy:
Sure, sure. Now this feature is rolling out in WordPress 5.7, which is coming up pretty soon. This has been a five-year-old ticket that has been in the Trac system, and it’s going to allow administrators to manually send a password reset link to users instead of having to instruct a user about what to do, how to go about doing it. The administrator can just say, “Okay, let me just send that to you,” rather than trying to explain something to maybe a user who’s just a subscriber or a user who is a student in a learning management system, to basically get that lost password link to them so that they can go ahead and reset that password.

Kathy:
But obviously that send password reset link is going to be in several places, and with anything that sends to a user, there’s a potential, if that site ever is hacked, that that could trigger something that an attacker could use to basically trigger a user to perform some actions.

Ram:
I mean, I’m not really worried about that. WordPress now has fairly strong cross-site request forgery protection. I think, realistically, the only potential problem we could see is that now there’s this expectation that you could get a legitimate password reset email sent by an administrator without asking for it. So, I mean, it’s conceivable that these could be spoofed and used in phishing attacks.

Ram:
You send someone something that looks like a password reset link and say, “Hey, I’m the administrator for your site. It looks like your password might’ve been compromised so I’m sending you this link,” and then get them to fill it in on a phishing site. There’s still some caveats with that, where if they log in with their new password and find it doesn’t work, will they then reset it again to the same password? I mean, I could see this being abused. I could see it being fairly difficult to abuse, but there’s always the potential.

Kathy:
Sure. Mostly we just want people to know that this new feature exists, and with any new feature that shows up there’s the potential for it to be used in a unique and never-seen-before way, so just to be aware that that feature exists. That if a password link shows up in a user’s inbox, that that user should definitely look at that if it’s unexpected and investigate further before they go haphazardly clicking links and traversing the internet, right?

Ram:
Yeah. I mean, it’s just like receiving a weird request, like something that could be a spear phishing request in your company email inbox. If you get a request for something that you weren’t expecting from someone, just verify with them via another channel. If you get a password reset link from an admin, maybe you get in touch with them and say, “Hey, did you send this on purpose?”

Kathy:
Exactly. All right, let’s move on. Let’s look at this botnet that we saw abusing Bitcoin blockchains to stay in the shadows. Now, Bitcoin is crazy in the news.

Ram:
Your favorite. That’s your favorite. I know it is.

Kathy:
It’s everywhere. Everybody’s talking about Bitcoin. I mean, when an asset performs in ways that people weren’t expecting or predictable ways, everybody starts talking about it. As soon as cryptocurrency starts increasing in value, we start seeing attackers trying to leverage any technology they can in order to either mine that cryptocurrency, to ransomware people out of cryptocurrency. It just becomes another way that we see attackers trying to monetize attacks, right?

Ram:
Yeah.

Kathy:
What are we seeing with this one?

Ram:
Okay, so one of the things about the blockchain is that effectively, it’s an immutable record of things that have happened. This is actually kind of interesting. The botnet that was using it was actually Skidmap malware, which is actually used for mining other cryptocurrency. In this case, Monero, which is popular amongst threat actors, because it’s untraceable or at least it’s really hard to trace. And by the way, these guys aren’t actually doing a great job. Apparently, they’ve mined like $30,000 in Monero, which is not really a lot considering.

Kathy:
Yeah, come on.

Ram:
Anyways, it looks like what they were doing is the malware that was looking for C2 instructions … So here’s the thing about command and control systems, it’s that they’re really easy to disrupt. If your malware is asking for new instructions from so-and-so domain or so-and-so IP, then it’s fairly easy for the hosting provider or the domain registrar to take those down at the request of governments or security researchers once they figure out there’s something malicious happening there.

Ram:
So, a lot of malware that relies on this command and control infrastructure needs a way to figure out, okay, where should I ask for instructions next, because my current instruction feed has gone down?

Ram:
What they did was they basically added an algorithm that looks at a particular Bitcoin wallet and checks how much had been sent to it, and it used that number in satoshis, which are, I forget if it’s a hundred thousandth of a Bitcoin, but very small amounts of money. It uses that number and basically breaks it up and parses it into an IP address, and that IP address is the IP address of the next server they should check.

Kathy:
That’s crazy.

Ram:
Yeah. Since it’s pretty much immutable, you can’t really shut it down, but what you can do is you can send money to that and mess up the IP address.

Kathy:
Hack the hackers.

Ram:
Pretty much. And that’s cheaper than fixing the IP address back to where it was, but the attacker probably controls that wallet. Giving them money seems like a not great way to get them to stop, especially if they can just give themselves more money to undo what you just did.

Ram:
I think we’ll be seeing a lot more of this in the future, just because it’s a novel command and control method. We’ve seen this in Twitter feeds. We’ve seen this in Instagram feeds. We’ve seen all sorts of C2 methodology happen in the past few years that’s just kind of wild.

Kathy:
Yeah, interesting, because whatever is written into the blockchain, it’s there. It’s not something that can be erased or undone, it’s just there. This’ll be interesting to watch and see how other people are using blockchain technologies in novel ways to, I don’t know, be stinkers on the internet, I guess.

Ram:
Pretty much.

Kathy:
Yeah.

Ram:
Speaking of stinkers on the internet, it turns out there was a VMware bug, a critical remote code execution bug in all default vCenter installations. So, vCenter Server is basically a central management solution for virtual machine hosts.

Kathy:
Okay. So kind of like ManageWP would be for WordPress, this is for a centralized server for VM hosts, right?

Ram:
Kind of, yeah. Yeah. Basically, it manages all the virtual machines in an organization’s network that they’ve set it up to actually use virtual machines. Anyways, the vSphere client, basically it had a remote code execution vulnerability. It was in one of the vCenter Server plug-ins related to something called vRealize Operations, but the thing is it was vulnerable even if you weren’t using that particular plugin.

Ram:
An attacker with network access to port 443, which is just the standard SSL port or TLS port, could exploit the issue to execute commands with unrestricted privileges on the underlying operating system that hosted the server, which would probably give them control of all the VMs it was managing, too. Which, for some organizations, would be all of their servers. Apparently, they’ve already seen this being attacked in the wild in several thousand vulnerable servers exposed on the internet. So yeah, I feel bad for those organizations. If your organization is running this, then please update.

Kathy:
Yikes. That just sent chills down my spine. Very, very frightening. So definitely update if you have anything going on with VMware and vCenter Server. Scary.

Ram:
If you’re managing multiple VM hosts using vCenter server, then this is definitely something to be aware of. If you’re just on a desktop or running VMware to run a virtual machine, you’re probably okay. I mean, you’re definitely okay, but yeah.

Kathy:
Wow. Well, it looks like Android users now have an easy way to check password security. What’s going on with this?

Ram:
I don’t know if you’ve heard of Have I Been Pwned-

Kathy:
I have.

Ram:
Which is an online service that you can use to see if your password has been exposed in any data breaches. Which is a really good thing to do, because so many data breaches are the result of passwords exposed in other data breaches, that it’s just not even funny anymore. So yeah, use a password manager with unique passwords for each service you use, please.

Ram:
Anyways, this works really similar to Have I Been Pwned. It basically uses cryptography to ensure that the password checking service never gets your password that you’re checking. Not even just the hash of the password that you’re checking. Which, if you want to know more about password hashes you can listen to our previous podcast and our Wordfence Live show on encryption.

Ram:
Anyways, basically what it does is the phone or device sends the first part of the hash of a password to the service, and the service sends back an encrypted set of breached hashes and it compares them without either side ever knowing the full hash you’re checking or the full hash of the breached passwords. It’s pretty cool. If you can turn it on, please do, because that way it’ll let you know if you’re using a password that’s been breached in any of your Android apps. And most of them, if you’re not signing in directly with Google or Facebook OAuth, you probably have an account set up with a password that you’ve probably used somewhere else, too.

Ram:
I remember I got breached in the GrubHub breach a while back because I was reusing a password for that, so this is kind of important.

Kathy:
Very important. So this is resident within all Android phones.

Ram:
If you’re up-to-date, yeah.

Kathy:
It’s a project by Google. Let this be a reminder to you that you should be using a password manager. Most of the major password managers, they have both a desktop as well as a phone, iOS or Android version, and always kind of these tools have ways of letting you know that you are using passwords in multiple places, password checkups, types of features. Always good to have this running in your apps, as well, just across the board. You can’t just have the one password anymore.

Kathy:
Hey, do you want to hear the worst story? One of the first companies I ever worked at in the networking department, and one of our server passwords was Flowbee.

Ram:
Oh gosh. It sucks, and it cuts.

Kathy:
It sucks and it cuts. That should have not been a password, but back in the day you could reuse passwords and do dumb, funny things like that. No longer.

Ram:
No longer.

Kathy:
Yeah. So, let’s talk a little bit about this article you found, Ram, about data breach fatigue. What does that mean, and what does it mean for … I mean, you and Chloe and our threat intel team are constantly finding vulnerabilities and working with plugin developers, theme developers, anybody in the WordPress space, helping them to patch their code and to write more secure code. But then, of course, there comes a point once that’s patched and once firewall rules and updating has occurred, you have to publish details about what you found for educational purposes, for keeping your certifications up. And a lot of, I think, plugin developers and whatnot, is it painful for them when you guys are publishing?

Ram:
We have heard some concerns expressed that publishing the vulnerability will reduce the plugin’s market share. And, you know what? We have seen that happen in the very short term, but they almost always recover. Even the File Manager vulnerability, the one last year-

Kathy:
Yeah, that was a bad one.

Ram:
That was really bad. That was hugely impactful. That was almost a worst case scenario in everything except how they handled it. They handled it pretty quickly, but it was already a zero-day. It was already being exploited by the time it got found out and it had a lot of installations and there were a lot of sites impacted by it. Our site cleaning team is still cleaning sites that were impacted by that and didn’t have Wordfence at the time.

Ram:
So, yeah, it was a huge thing. And you know what? Their install growth dropped. It went negative for about a month and a half, and then it came back. The growth is not back to where it was, but the install count is right where it was, and growth is still positive and growth went positive again about a month and a half after it got disclosed. So, yeah, if you’re worried about the impact of vulnerability in your plugin, don’t be. It’s much better to fix it than to have people impacted and to not fix it.

Kathy:
Right. Well, there’ve been some major … I mean, Target. When was that? 2013 when Target had all of their point-of-sale cash registers basically compromised and credit card data was compromised. I didn’t stop shopping at Target, and Target’s recovered quite well. It didn’t ruin them completely, right?

Ram:
Yeah. IBM’s done some research on the cost of a data breach report, and I mean, yeah. This is outside of the WordPress plugin ecosystem, mind you, so this is a completely different context. If you’re talking how much a database breach costs a large company, enterprise sector can expect an average bill of like $3.8 million, and some of them can rise up to like $392 million to actually remedy the breach.

Ram:
But they did a study on the stock prices of companies that disclosed breaches, and back in, say 2013, there was a massive impact, but even in 2019 stock prices would drop by like maybe 7% after a data breach was disclosed. Now, it only drops by like three and a half percent. So people are getting used to data breaches just kind of happening as a cost of doing business. That doesn’t mean they shouldn’t be addressed, because they absolutely should. If they’re not addressed, then that leads to much more severe long-term consequences.

Ram:
It only took like 100 days for prices to recover, apparently, according to this research, and general performance was only slightly poorer in the six months after a breach. So, breaches happen. Address them, fix them, take precautionary measures if you can, but the response is really one of the big things that matters.

Kathy:
Right. Well software, to me, and I think to all of us, is about trust, right? Your WordPress site, you are trusting that a plugin developer has done a good job creating not only the functionality, but the security of that code and you trust it so you install it on your site. Trust comes in a lot of different ways, right? So if you have a vulnerability and you patch it and you don’t disclose that you’re patching it, or you don’t disclose what’s happening in the next version of a site, or you don’t disclose that something might have gone wrong, that destroys trust. That secretism … That’s not the right-

Ram:
Secrecy.

Kathy:
Secrecy, that’s the word.

Ram:
Trying to hide stuff, being sneaky and shady, and “No one will ever know that I was breached.” Yeah, that’s also … In a lot of cases, the law requires you to disclose a breach. If you don’t actually take appropriate action, that’s when you run into trouble. I mean, it’s still expensive. Transparency is good.

Kathy:
Transparency is the best. So when you’re evaluating a plugin to put on your site, that’s a factor that goes into, “Am I going to install this on my site? Do I trust this developer?” You go look at their change log, and if they’ve had a celebrity bug known as a vulnerability … Mark likes to call them celebrity bugs. If they’ve had it, how did they handle it? Did they disclose that in their change log? How was it fixed? How did they work with security researchers that may have disclosed it with them? If there was a zero-day in the past, how did they handle it? You make your evaluations of whether or not you trust someone based on how their past performance has been when they’ve had to deal with anything. Celebrity bugs, functional problems? That transparency really says a lot about a plugin developer. So it’s, I think, a factor when you’re evaluating a plugin.

Ram:
It really does. If you see in someone’s change log, at least look for “security issue fixed.” If the change log has never fixed a security issue, then I don’t know if I would trust a plugin that’s been around for a while and never fixed a security issue.

Kathy:
Right. Everybody has celebrity bugs at one point or another, don’t they?

Ram:
Pretty much, yeah.

Kathy:
So it’s just how do you handle those issues and how do you communicate about them, which is critically important. To all of the security researchers out there, and to all of the plugin and theme developers who we work with, we’re just really excited when we see plugin developers who have a security policy on their site. Makes it very easy for us to contact you. That you work with us, share information freely so that we can help you get things fixed quickly. Proof of concepts, all of that fun stuff is incredibly important in this disclosure process.

Ram:
Yeah. If you have a security contact, that means that we can send you the full disclosure right away instead of having to go through your support department and having to wait 24 to 72 hours for them to get back to us and say, “Okay, yeah. This is totally the right place to send security issues,” or, “No, here’s who you should send it to.” So that could save you one to three days in fixing something.

Kathy:
Right. And the faster you get it fixed, the faster and better it is for your customers. That’s all I’ve got, Ram. How about you?

Ram:
That’s all I’ve got. It was great chatting with you again, Kathy, and I will see you next week.

Kathy:
See you next week. Thanks, Ram.

Ram:
Bye.
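The blockchain-as-C2 technique Ram describes above (a bot reads the satoshi amounts paid to a wallet and parses them into the IP address of its next instruction server) is easy to model. The following is an added example and is not code from the podcast, from Akamai’s report, or from the botnet itself; the byte layout (two octets carried by each of the two most recent payments), the dust amount, and the transaction labels are my assumptions, chosen so that every payment stays in the “very small amounts of money” range Ram mentions. It also shows both sides of the “hack the hackers” exchange: a third party paying dust into the wallet breaks the decoding, and the operator can buy it back for a known number of satoshis.

```python
"""Toy model of the satoshi-amount C2 addressing discussed in the episode.

Added example, not code from the podcast or from the botnet; the byte layout
(two octets per transaction, two most recent transactions) is an assumption.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

DUST_SATOSHIS = 546  # roughly the smallest output nodes will relay; assumption


@dataclass(frozen=True)
class Tx:
    txid: str      # hypothetical label, only for readability
    satoshis: int  # amount received by the watched wallet


def encode_ip(ip: str) -> List[int]:
    """Split an IPv4 address into two 16-bit satoshi amounts (high half first)."""
    n = int(ipaddress.IPv4Address(ip))
    return [n >> 16, n & 0xFFFF]


def decode_ip(ledger: List[Tx]) -> Optional[str]:
    """What the bot does: rebuild the next C2 address from the two latest payments."""
    if len(ledger) < 2:
        return None
    hi = ledger[-2].satoshis & 0xFFFF
    lo = ledger[-1].satoshis & 0xFFFF
    return str(ipaddress.IPv4Address((hi << 16) | lo))


def publish(ledger: List[Tx], ip: str, label: str) -> List[Tx]:
    """What the operator does: pay the wallet twice so the bots resolve `ip`."""
    for i, amount in enumerate(encode_ip(ip)):
        ledger.append(Tx(f"{label}-{i}", amount))
    return ledger


def poison(ledger: List[Tx], label: str = "defender") -> List[Tx]:
    """A third party pays dust into the wallet: the two-payment window now
    straddles the operator's low half and the dust, so bots decode garbage."""
    ledger.append(Tx(label, DUST_SATOSHIS))
    return ledger


def cost_to_steer(ip: str) -> int:
    """Satoshis the operator must spend to overwrite whatever is in the window."""
    return sum(encode_ip(ip))


if __name__ == "__main__":
    chain: List[Tx] = []
    publish(chain, "203.0.113.10", "operator")       # constructed sample data
    print("bots resolve:", decode_ip(chain))         # 203.0.113.10
    poison(chain)
    print("after dust:  ", decode_ip(chain))         # 113.10.2.34
    publish(chain, "203.0.113.10", "operator-again")
    print("restored:    ", decode_ip(chain), "for", cost_to_steer("203.0.113.10"), "sat")
```

The ledger is append-only, which is the whole point: nobody can take down the wallet, but anybody can append to it. Note that poisoning costs the defender a single dust payment while restoring costs the operator at most two payments of under 65,536 satoshis each, which is why Ram does not expect this to be an effective takedown lever; the more useful defensive signal is the bot’s blockchain API traffic itself, which a proxy or egress filter can spot on hosts that have no business querying wallet balances.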
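Ram’s description of the Android password check (the device sends only the first part of a hash, the service answers with a blinded set of breached hashes, and the comparison finishes on the device without either side seeing the other’s full hashes) is a private set membership protocol, and the shape of it fits in a few dozen lines. What follows is an added example written for this page, not Google’s Password Checkup code and not Have I Been Pwned’s API; the modulus, generator, SHA-256 hashing, two-byte bucket prefix and the constructed breach corpus are all my assumptions (the production service uses a slow hash and elliptic-curve blinding). It uses the commutative property of exponentiation so that a credential blinded first by the client and then by the server equals the same credential blinded in the opposite order.

```python
"""Toy blinded breached-credential lookup in the shape described in the episode.

Added example; not Google's or HIBP's code. The client sends a short hash prefix
plus a blinded group element; the server answers with that element re-blinded
under its own key and the blinded bucket for the prefix. The client finishes the
comparison locally. Group parameters and hashing are assumptions.
"""
import hashlib
import secrets
from typing import Dict, Iterable, List, Set, Tuple

P = 2**256 - 2**32 - 977  # toy modulus (secp256k1 field prime); production uses curves
G = 2
PREFIX_BYTES = 2          # 16-bit bucket id is the only thing sent in the clear


def credential_hash(username: str, password: str) -> bytes:
    """Hash the (normalised username, password) pair; the real service uses a slow hash."""
    return hashlib.sha256(f"{username.strip().lower()}:{password}".encode()).digest()


def to_group(digest: bytes) -> int:
    """Map a digest into the multiplicative group so blinding is an exponentiation."""
    return pow(G, int.from_bytes(digest, "big"), P)


def blind(element: int, key: int) -> int:
    """Commutative blinding: blind(blind(x, a), b) == blind(blind(x, b), a)."""
    return pow(element, key, P)


def fresh_key() -> int:
    return secrets.randbelow(P - 2) + 1


class CheckupServer:
    """Holds breached credentials only in blinded form, bucketed by hash prefix."""

    def __init__(self, breached: Iterable[Tuple[str, str]]) -> None:
        self.key = fresh_key()
        self.buckets: Dict[bytes, Set[int]] = {}
        for user, pw in breached:
            h = credential_hash(user, pw)
            self.buckets.setdefault(h[:PREFIX_BYTES], set()).add(blind(to_group(h), self.key))

    def query(self, prefix: bytes, blinded_by_client: int) -> Tuple[int, Set[int]]:
        # The server sees neither the password nor its full hash, only (g^h)^a.
        return blind(blinded_by_client, self.key), set(self.buckets.get(prefix, ()))


def check_credential(server: CheckupServer, username: str, password: str) -> bool:
    """Client side: True if (username, password) is in the server's breach corpus."""
    h = credential_hash(username, password)
    a = fresh_key()
    doubly_blinded, bucket = server.query(h[:PREFIX_BYTES], blind(to_group(h), a))
    # Apply our key to each server-blinded candidate; equality means the same
    # underlying hash, yet the client never learns the candidates' plain hashes.
    return any(blind(candidate, a) == doubly_blinded for candidate in bucket)


# Constructed breach corpus for the demo (the Flowbee story from the episode).
BREACHED: List[Tuple[str, str]] = [
    ("alice@example.com", "Flowbee"),
    ("bob@example.com", "hunter2"),
]

if __name__ == "__main__":
    server = CheckupServer(BREACHED)
    for user, pw in [("alice@example.com", "Flowbee"), ("alice@example.com", "Fl0wbee")]:
        print(user, pw, "->", "BREACHED" if check_credential(server, user, pw) else "ok")
```

The prefix is what keeps the response small (one bucket rather than the whole corpus) and is the only thing the server learns about the query; the client-side blinding key `a` is what stops the server from running a dictionary against the element it receives, and the server-side key is what stops the client from using the returned bucket as a downloadable password list.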

You can find Wordfence on Twitter, Facebook, Instagram. You can also find us on YouTube, where we have our weekly Wordfence Live on Tuesdays at noon Eastern, 9:00 AM Pacific.

The post Episode 106: Admin Password Resets, Blockchain Botnets and a Central Management RCE appeared first on Wordfence.

Episode 105: The Hottest Trend in WordPress

An analysis of WordPress-related search trends found that interest in WooCommerce-related results dominated during 2020. We discuss recent vulnerabilities discovered by our threat intelligence team in Ninja Forms, affecting over 1 million sites. WordPress issues a statement that pirated themes and plugins are prohibited on the repository. And a supply chain attack affects users of the once-legitimate Barcode Scanner Android app. We also discuss some career opportunities on the Wordfence team.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:31 Wordfence is hiring for numerous roles, including PHP development, and Security/Operations
1:50 Our K-12 site audit and site cleaning program continues
2:30 Our threat intelligence team discovered numerous vulnerabilities in Ninja Forms
6:25 WordPress issues a statement about pirated themes and plugins on repositories
10:00 WordPress search terms for 2020
13:51 Supply chain attack on Android Barcode Scanner app, reminiscent of Mason Soiza supply chain attacks.

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

Episode 105 Transcript

Ram Gall:
Hello, and welcome to Think Like a Hacker, the podcast about WordPress security and innovation. I’m Ram Gall, Threat Analyst at Wordfence. And with me is Director of Marketing, Kathy Zant. Hey Kathy, how are things, other than very cold?

Kathy Zant:
It’s cold. I haven’t really talked a lot about my move to Texas, but I think I might need some therapy after moving to Texas and then having this historic storm basically cripple the entire state. It has been interesting times, but there’s some interesting times in WordPress security, so let’s just jump right into it. Hey, I hear we are hiring.

Ram:
That we are. We are hiring for a SecOps role. So if your OpSec is good and you’re good at Sec and Ops, please apply. Also, we’re hiring a senior PHP Dev.

Kathy:
All right. I was going to ask you to explain. Usually I’m asking you to explain things, but if you don’t know what SecOps is, it’s probably not the role for you. But if you do know what it is, we’d love to talk to you. This job comes with a number of challenges and interesting fun things to play with, as well as a great team, an amazing team, and you would be contributing to helping us to secure 4 million plus WordPress sites. So it’s a very rewarding position, as is the senior PHP role, we’ve got a lot of things going on, don’t we?

Ram:
We do. Securing our infrastructure and taking part in our operations is something that we are hoping to get some cool people for.

Kathy:
Yeah, definitely. And do you get a percussion instrument as part of your welcome package?

Ram:
You do. I got a gong, but I mean, if you want a bell or some chimes. We could maybe swing a xylophone, if depending on… I don’t know. You’d have to check with…

Kathy:
Check with HR. HR handles percussion around here.

Ram:
Yeah, it’s true.

Kathy:
We definitely have a lot of fun. We also have another initiative we want to just bring to your attention, and this is our K-12 site cleaning and site audit initiative. If you are, or you know of, a K through 12, meaning kids, school that is using WordPress, that it may need some security auditing, may have a security concern that needs a site cleaning, we will do it at no charge. Part of our initiative to educate the educators on security, and our way of giving back to schools that are using WordPress. So we will have a link to that in the show notes, but just wanted to mention that. That if you know of a school, please forward that on to them.

Kathy:
And it looks like Chloe found some severe vulnerabilities in Ninja Forms. Ram, what did she find?

Ram:
Okay. Well, first of all, Ninja Forms is installed on over 1 million WordPress sites.

Kathy:
1 million. Oh, that sounds…

Ram:
1 million. They’re actually pretty cool people, we love them. They have an actual security policy and an email address to email disclosures to, so they usually get on problems real quick. We found issues with their plugin in the past, and they’re just very helpful, they get stuff fixed quickly. They have a great response.

Ram:
Anyways, Chloe found four vulnerabilities. So two of them we kind of have to use together. One of them was basically a flaw that let attackers redirect site administrators to arbitrary locations. So you could send a link to an administrator that looks like it’s going to their own website, but it’ll really redirect them to like maliciousdomain.com. And I mean, that’s one of the reasons you don’t click on random links in email, but there are several others.

Ram:
So the second one, this was really interesting. It made it possible for anyone with an account on the site, like a subscriber or a shopper or a customer, to install a plugin, a specific plugin that could be used to intercept all mail traffic. But this is where the third flaw comes in: basically, if an attacker installed that plugin and actually set it up, which they could do, they could retrieve the OAuth connection key and basically establish a connection with the Ninja Forms central management dashboard for the attacker’s account.

Kathy:
Oh wow.

Ram:
And that’s where they could actually read mail traffic coming from the site, which if you reset the password for an admin user, then you can just intercept the email and go, “Oh hey, I can click this link and reset this admin’s password to whatever I want it to be. Muahahahaha.” So yeah. I never would have considered that particular attack vector, but Chloe found a way to make it work, so I’m super impressed.

Kathy:
Wow. That’s pretty amazing. So the attacker would have to have an account with Ninja Forms in order to exploit that, so probably not a lot of attackers would be doing that.

Ram:
I mean, even the trial costs like a dollar I think, so this is something that would be reserved for high-value targets. But at the same time, it’s the sort of thing that if there’s a site that you’re specifically targeting, an attacker that’s motivated enough might find that extremely attractive to be able to read all the mail sent from that site.

Kathy:
And honestly, my site is a high-value target — to me — if it’s being attacked.

Ram:
Yes, it is, Kathy.

Kathy:
I’m putting myself in the shoes of an average site owner who maybe is doing something with WooCommerce and has a number of orders coming in. And that is a very high-value target to them if their site is compromised with something like that. Value is obviously in the eye of the valuer. If that’s even a saying.

Ram:
Yeah, there’s definitely some sites that would be worth it to an attacker to target like this. So we’re very glad that they patched it. We also have firewall rules protecting our users, of course. And there was a final flaw, where attackers could trick an administrator into clicking a link and disconnecting their own connection to Ninja Forms if they had that set up. That’s typically not going to be quite as big of a deal, mostly just a nuisance, unless of course the attacker needed to set this up in the first place and couldn’t because it was already connected.

Kathy:
So this was fully patched in version 3.4.34.1. We have firewall rules and it looks like premium customers are protected. And by the time you hear this podcast, free customers of Wordfence will be protected as well, but you should still always update your plugins.

Ram:
Update. Always update your plugins, please.

Kathy:
Definitely. All right. Looks like Search Engine Journal had an interesting story about pirated themes and plugins on the official WordPress site. That looks pretty interesting. I wouldn’t imagine that there would be pirated themes and plugins on WordPress.org, but there’s a repo of many themes and over 50,000 plugins. And so, if you are an attacker or someone who is trying to get something out to many people, you might want to pirate a theme and put some malware in it or something.

Ram:
I mean, you might. And we did do some research earlier this year about how malware from nulled pirated themes and plugins was one of the biggest threats facing WordPress. In this case, it looks like the main issue is that people were basically taking premium plugins and themes and just reposting the code verbatim onto the free repository without any changes, according to what they’re claiming. Which is basically taking credit for someone else’s work. All WordPress plugins, at least all plugins on the repo, are licensed under the GPL because they’re derivative works. So WordPress is not opposed to people reusing each other’s code if they’re making something new out of it. But this was literally just basically plagiarism. And the fact that WordPress is very much big on free software, if they’re saying it’s a problem, then it’s actually a problem.

Kathy:
Gotcha. So somebody is buying something from CodeCanyon perhaps, and then repurposing that as their own and putting it on the repo?

Ram:
Yeah. Yeah. It sounds like that is what is happening. Wouldn’t be super surprised if they’re maybe not also adding a few little extra bits of code or if they might be planning on doing that at some point in the future. We do know that WordPress does examine plugins when they’re first added, but then updates might not be monitored as widely. It’s possible that this may have been a strategy to rack up a fairly high install count and then maybe insert some sort of supply chain malware.

Kathy:
Yeah. Otherwise, I don’t really understand what the motivation is of somebody spending money to buy somebody else’s plugin off of CodeCanyon and then putting it on the repo. There has to be some other kind of motive for them to do that beyond just putting it on the repo.

Ram:
One can assume that there’s likely some sort of monetary motive, but there’s so many paths that could take. Could be someone making a competing premium plugin, trying to devalue their competitor’s plugin, who knows.

Kathy:
Sure, sure. Well, WordPress is now powering over 40% of the web. It is a huge behemoth of a community, a behemoth of a content management system. It is a target for all sorts of things, including this very odd thing.

Ram:
I just like saying behemoth.

Kathy:
It is a fun word, that and plethora, right?

Ram:
Yes.

Kathy:
So I mean, we’re going to see things like this, and it’s really great to see that the .org team is issuing a statement that they are aware that this is happening and that they’re going to ensure that if it is someone else’s code with some kind of copyright, or even if it’s GPL and it’s someone else’s code, that they’re taking a stance that this is unacceptable.

Ram:
Even if your code is allowed to be copied for derivative works, that doesn’t necessarily mean that the pictures or advertising copy is something that isn’t copyrighted. The code might be duplicable, but the person who made the original plugin still owns the pictures and the other creative work.

Kathy:
Right. Okay. Well, this’ll be interesting to watch to see what happens there. And so, I found some interesting statistics. This came from the MasterWP weekly newsletter, which is a fascinating newsletter, we’ll have a link to it in our show notes. But they were not only talking about WordPress’ market share, but they started looking at search terms and search trends for WordPress over the last year. WordPress keywords increased by 14%, plugin keywords increased 17.8%, themes only 8.7%. But guess what was 44.3%, Ram?

Ram:
I don’t know.

Kathy:
You do too know, you’re looking at the same thing I’m looking at. I was going to give the big bang to you.

Ram:
Okay, okay, okay. It’s WooCommerce. Yes, I know.

Kathy:
It’s WooCommerce. Commerce on WordPress increased 44.3%. So this is WordPress, WooCommerce, and looking for specific things for WooCommerce, but it basically is showing us that there is… Well, obviously, WordPress is a content management system. It started as a blogging platform, but now there’s over 50,000 plugins that you can plug into it. You can create a membership site, you can create newsletters, you can create a learning management system. There are tons of things you can do with WordPress, but the thing people are doing, I think, the most with WordPress looks like WooCommerce. At least that’s what the search traffic is showing us. WooCommerce and WordPress seems to be a growing use case, which means, I would assume, that security and WooCommerce… If you’re taking credit card transaction, security in WooCommerce is a huge thing as well. So for those of us in the WordPress space, I find this to be interesting.

Ram:
It makes sense to me. I think a lot of people are starting to open up online stores for side gigs these days.

Kathy:
Yeah.

Ram:
And I mean, don’t get me wrong, WooCommerce isn’t easy to use, but if you’ve tried any of the other free open source e-commerce alternatives, it’s still significantly easier than, say, Magento or any of the Joomla or Drupal add-ons that you might be able to use. The only easier alternatives are pay to play.

Kathy:
Right, right. Like Shopify is so huge. I mean, obviously, they are the e-commerce hosted solution, but you can also publish blog posts. And there are people in the Shopify world who are like, “Oh, I’m going to use this as my content management system.” But as far as getting started, open source, getting your storefront up, WordPress and WooCommerce is the easiest way to go. So some more statistics: 6,500 searches per month looking for a membership solution, 4,300 a month want to use their store for drop shipping, 3,100 a month want a point of sale solution for using WooCommerce in a physical shop, which I thought was interesting as well.

Ram:
That’s a very peculiar and weird thing considering, I mean, a lot of people are just using Square, which incidentally is one of the default payment gateways for WooCommerce.

Kathy:
Sure. Sure. Well, I mean, if you’re really thinking forward as a shop owner and you’re using just your payment processor, trying to actually take those customers and then mail to them would be many steps that you would have to go through in order to do that. But if you’re using a WooCommerce, all of your customers are right there. You can use another plugin and then access those customers for a mailing perhaps, those types of things. So either way, it’s interesting to see that so many people are using WordPress for WooCommerce.

Ram:
It is. I’m going to digress at this point and cover our next item. And it’s something that we’ve actually talked about before in the podcast and also in articles, but there’s a new supply chain attack. So the barcode scanner app for Android, which I think many of you may have downloaded. I know that at some point in the past I actually downloaded it and removed it because I don’t actually need a barcode scanner very often. But it’s the thing you use to scan the little QR codes with your phone. Anyways, it was a legitimate app, and then a company called Lavabird, basically, as I understand it they were acting as a middleman and they purchased the app and they were going to sell it to a new buyer. And apparently, this new buyer added some adware code to the app.

Ram:
So we’ve actually seen this dynamic happen before in WordPress. Where a man named Mason Soiza bought a number of plugins and added malicious spam, SEO spam, advertising code to those plugins. This is something that happens, attackers will actually spend money to buy a popular app or a popular plugin and inject malware into it, because that way you already have a user base. I think that that’s actually going to be a weird side effect of WordPress automatic updates becoming more of a thing, a sort of unanticipated knock-on effect. Is that with automatic updates being more likely to happen, I think that’s going to make WordPress plugins a more attractive target, because if you can buy a plugin that already has a lot of users, you’re more likely to get the malicious code distributed to more of them if they have automatic updates turned on.

Kathy:
Yeah. Interesting. So the software you trust today might not be the software that’s trustworthy in the future, huh?

Ram:
Exactly.

Kathy:
Yeah. Interesting. Okay. Well, we still have our recommendations. I don’t think they’re changing much about automatic updates and that…

Ram:
We do think you should still manually update your plugins all the time.

Kathy:
If you can. I mean, if you’re just sitting there and letting your site be and you’re only using trusted software from organizations that have a long history of maintaining their code, you’re good. Turn those automatic updates on. But if your plugin author is named Mason, Mason Soiza, maybe… No, I think Mason is banned, banned forever.

Ram:
From WordPress at least.

Kathy:
From WordPress, yes. Anyway, so definitely interesting story there about that Android app. Supply chain attacks seem to be the hot rage after SolarWinds these days, huh?

Ram:
I mean, they’ve been going on for a while now. It’s just that all of a sudden everyone is aware that there are a bunch of ways to do this, and that some of them can be very profitable for threat actors.

Kathy:
Yeah, definitely. Well, that’s why you have security teams like Wordfence behind your site. We keep an eye on all of these things and bring you the news wherever and whenever we can. And if you want to join that team, go to the show notes and click on that employment link. We’d love to hear from you. And until next week, if you want any more news, just follow us on our social media. Come join us on Wordfence Live, we had such a fun time the other day. We talked about Wordfence Central and teams and, what else?

Ram:
Chloe demoed a lot of Wordfence Central stuff. It was pretty cool.

Kathy:
Wasn’t it cool?

Ram:
Yeah, showed how to apply templates to stuff and set event notifications. I mean, if you’ve got a bunch of sites that you’re managing, it’s super useful to be aware and to be made aware when something weird happens. You can configure it to send you an alert when an administrator logs in to one of your sites. And that way if you get that alert and it’s not you, then you know something’s weird.

Kathy:
Definitely. So that link to that Wordfence Live episode will be in the show notes as well. Definitely worth watching, and there’s timestamps and chapter links in that YouTube video, so you can jump around and get the overviews that you need. Thanks for joining me again, Ram, and I will talk to you next week.

Ram:
Yep. I will see you all next week or talk to you next week at least. Bye.

Kathy:
Bye.

You can find Wordfence on Twitter, Facebook, Instagram. You can also find us on YouTube, where we have our weekly Wordfence Live on Tuesdays at noon Eastern, 9:00 AM Pacific.

The post Episode 105: The Hottest Trend in WordPress appeared first on Wordfence.

One Million Sites Affected: Four Severe Vulnerabilities Patched in Ninja Forms

On January 20, 2021, our Threat Intelligence team responsibly disclosed four vulnerabilities in Ninja Forms, a WordPress plugin used by over one million sites. One of these flaws made it possible for attackers to redirect site administrators to arbitrary locations. The second flaw made it possible for attackers with subscriber level access or above to install a plugin that could be used to intercept all mail traffic. The third flaw made it possible for attackers with subscriber level access to retrieve the Ninja Forms OAuth Connection Key that could be used to establish a connection with the Ninja Forms central management dashboard. The final flaw made it possible for attackers to disconnect a site’s OAuth Connection if they could trick a site’s administrator into performing an action. These flaws could be used to take over a WordPress site and redirect site owners to malicious sites.

We initially reached out to Saturday Drive, the plugin’s parent company, on January 20, 2021 through their responsible disclosure email contact and provided the full disclosure details at the time of reporting. Just a few days later, on January 25, 2021, Ninja Forms released a patch for 3 out of the 4 vulnerabilities. We followed up to let them know that one of the vulnerabilities was still present. They released a final patch on February 8, 2021.

We consider these to be severe vulnerabilities that could ultimately lead to complete site takeover, therefore, we highly recommend updating to the fully patched version, 3.4.34.1, immediately.

Wordfence Premium users received a firewall rule to protect against any exploits targeting these vulnerabilities on January 20, 2021. Sites still using the free version of Wordfence will receive the same protection on February 19, 2021.


Description: Authenticated SendWP Plugin Installation and Client Secret Key Disclosure
Affected Plugin: Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress
Plugin Slug: ninja-forms
Affected Versions: <= 3.4.33
CVE ID: Pending.
CVSS Score: 9.9 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Fully Patched Version: 3.4.34

Ninja Forms is one of the most popular intuitive form creation plugins in the WordPress plugin repository. It provides users with the ability to create forms using drag and drop capabilities, making the design process much more simple for WordPress users.

As part of the plugin’s functionality it offers the ability to install “Add-Ons,” some of which offer services. One of these services is SendWP, which is an email delivery and logging service intended to make mail handling with WordPress simpler. From the Ninja Form plugin’s Addon dashboard, it offers the ability to set up this service with just a few clicks. In order to provide this functionality, the plugin registers the AJAX action wp_ajax_ninja_forms_sendwp_remote_install.

 add_action( 'wp_ajax_ninja_forms_sendwp_remote_install', 'wp_ajax_ninja_forms_sendwp_remote_install_handler' );

This AJAX action is tied to the function wp_ajax_ninja_forms_sendwp_remote_install_handler, that checks to see if the SendWP plugin is installed and activated. If the plugin is not currently installed, then it performs the installation and activation of the SendWP plugin.

 function wp_ajax_ninja_forms_sendwp_remote_install_handler () {

    $all_plugins = get_plugins();
    $is_sendwp_installed = false;
    foreach(get_plugins() as $path => $details ) {
        if(false === strpos($path, '/sendwp.php')) continue;
        $is_sendwp_installed = true;
        activate_plugin( $path );
        break;
    }

    if( ! $is_sendwp_installed ) {

        $plugin_slug = 'sendwp';

        include_once ABSPATH . 'wp-admin/includes/plugin-install.php';
        include_once ABSPATH . 'wp-admin/includes/file.php';
        include_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
        
        /*
        * Use the WordPress Plugins API to get the plugin download link.
        */
        $api = plugins_api( 'plugin_information', array(
            'slug' => $plugin_slug,
        ) );
        if ( is_wp_error( $api ) ) {
            ob_end_clean();
            echo json_encode( array( 'error' => $api->get_error_message(), 'debug' => $api ) );
            exit;
        }
        
        /*
        * Use the AJAX Upgrader skin to quietly install the plugin.
        */
        $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
        $install = $upgrader->install( $api->download_link );
        if ( is_wp_error( $install ) ) {
            ob_end_clean();
            echo json_encode( array( 'error' => $install->get_error_message(), 'debug' => $api ) );
            exit;
        }
        
        /*
        * Activate the plugin based on the results of the upgrader.
        * @NOTE Assume this works, if the download works - otherwise there is a false positive if the plugin is already installed.
        */
        $activated = activate_plugin( $upgrader->plugin_info() );

Once the plugin has been installed successfully, the function returns a JSON object containing the register_url along with the client_name, client_secret, client_redirect, and client_url. This is used to show users the sign-up page and easily connect their WordPress instance with SendWP.

 echo json_encode( array(
        'partner_id' => 16,
        'register_url' => esc_url(sendwp_get_server_url() . '_/signup'),
        'client_name' => esc_attr( sendwp_get_client_name() ),
        'client_secret' => esc_attr( sendwp_get_client_secret() ),
        'client_redirect' => esc_url(sendwp_get_client_redirect()),
        'client_url' => esc_url( sendwp_get_client_url() ),
    ) );
    exit;

Unfortunately, this AJAX action did not have a capability check on it, nor did it have any nonce protection, therefore making it possible for low-level users, such as subscribers, to install and activate the SendWP plugin and retrieve the client_secret key needed to establish the SendWP connection.

How could this affect my WordPress site?
Because the client_secret key is returned with the AJAX request, attackers with low-level access to a vulnerable WordPress site could establish a SendWP connection with their own SendWP account, making sites with open registration particularly vulnerable. Once that connection is established, all mail from the WordPress site would be routed through and logged in the attacker’s SendWP account. At that point they can monitor all data emailed, which could range from user Personally Identifiable Information (PII) from form submissions to reports generated on your site.

Further, an attacker could trigger a password reset for an administrative user account if they could discover the username for that account. The password reset email with the password reset link would get logged in the attacker’s SendWP account, which they could then use to reset an administrator’s password and gain administrative access to the site. This could ultimately lead to remote code execution and site takeover by modifying theme/plugin files or uploading a malicious theme/plugin.

The SendWP service does cost $9 a month per site, with a $1 14-day trial. As such, it is less likely to be widely exploited. However, it would be a very valuable entry point for attackers seeking to compromise high-value targets.


Description: Authenticated OAuth Connection Key Disclosure
Affected Plugin: Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress
Plugin Slug: ninja-forms
Affected Versions: <= 3.4.34
CVE ID: Pending.
CVSS Score: 7.7 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
Fully Patched Version: 3.4.34.1

Another feature of Ninja Forms is the ability to connect to the Ninja Forms “Add-on Manager” service, a centralized dashboard that allows you to manage all purchased Ninja Forms Add-Ons to provision them to a WordPress site remotely. Just like with the SendWP service, it offers capabilities to set up this service with just a few clicks from the Ninja Form plugin’s Addon dashboard. In order to provide this functionality, the plugin registers the AJAX action wp_ajax_nf_oauth which is used to retrieve the connection_url that contains the information necessary, like the client_secret, to establish an OAuth connection with the Ninja Forms Add-On Management portal.

 public function setup() {
   add_action( 'wp_ajax_nf_oauth', function(){
     wp_die( json_encode( [
       'data' => [
         'connected' => ( $this->client_id ),
         'connect_url' => self::connect_url(),
       ]
     ] ) );
   });

Unfortunately, there was no capability check on this function. Low-level users, such as subscribers, were able to trigger the action and retrieve the connection url needed to establish a connection. They could also retrieve the client_id for an already established OAuth connection.

This meant that attackers could potentially establish an OAuth Connection for a vulnerable WordPress site with their own account. However, there would be some social engineering involved as the attacker would need to trick the site administrator into clicking a link to update the client_id in the database with the nf_oauth_connect AJAX action for the connection to be fully complete. From there, they could install any purchased Add-On plugins.
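Both the SendWP installer handler and the nf_oauth handler above share one root cause: a wp_ajax_* hook fires for every logged-in user, so a handler that performs no capability check and no nonce check is reachable by a subscriber. The following is an added example, not Ninja Forms code, showing both handlers with the authorization and CSRF checks they were missing. The example_* function names, the nonce action strings, the connect URL builder and the service host are hypothetical; the sendwp_get_* functions are the ones the original handler already calls and exist only once the SendWP plugin is active.

```php
<?php
/**
 * Added example (not Ninja Forms code): the two AJAX handlers with the checks
 * they lacked. example_* names, nonce actions and hosts are hypothetical.
 */

add_action( 'wp_ajax_ninja_forms_sendwp_remote_install', 'example_sendwp_remote_install' );

function example_sendwp_remote_install() {
    // CSRF: the request must carry a nonce minted for this user and action.
    // The admin page sends it as the "nonce" request field; a mismatch dies with -1.
    check_ajax_referer( 'example-sendwp-install', 'nonce' );

    // Authorization: installing and activating plugins are administrator
    // capabilities. A subscriber fails here and receives a 403, not a secret.
    if ( ! current_user_can( 'install_plugins' ) || ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    include_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    include_once ABSPATH . 'wp-admin/includes/file.php';
    include_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';

    // Same install path as the original handler, with errors returned as JSON
    // instead of echoing the whole API object back to the caller.
    $api = plugins_api( 'plugin_information', array( 'slug' => 'sendwp' ) );
    if ( is_wp_error( $api ) ) {
        wp_send_json_error( array( 'message' => $api->get_error_message() ), 500 );
    }
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $install  = $upgrader->install( $api->download_link );
    if ( is_wp_error( $install ) || ! $install ) {
        wp_send_json_error( array( 'message' => 'Install failed.' ), 500 );
    }
    $activated = activate_plugin( $upgrader->plugin_info() );
    if ( is_wp_error( $activated ) ) {
        wp_send_json_error( array( 'message' => $activated->get_error_message() ), 500 );
    }

    // Only an authorized administrator reaches this point and sees the secret.
    wp_send_json_success( array(
        'register_url'  => esc_url( sendwp_get_server_url() . '_/signup' ),
        'client_name'   => esc_attr( sendwp_get_client_name() ),
        'client_secret' => esc_attr( sendwp_get_client_secret() ),
        'client_url'    => esc_url( sendwp_get_client_url() ),
    ) );
}

add_action( 'wp_ajax_nf_oauth', 'example_nf_oauth_status' );

function example_nf_oauth_status() {
    check_ajax_referer( 'example-nf-oauth', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    wp_send_json_success( array(
        // Report state as a boolean instead of echoing the stored client_id.
        'connected'   => (bool) get_option( 'ninja_forms_oauth_client_id' ),
        'connect_url' => example_oauth_connect_url(),
    ) );
}

// Hypothetical stand-in for the original self::connect_url(); the real URL
// shape is not shown in the advisory, so host and parameters are placeholders.
function example_oauth_connect_url() {
    return add_query_arg(
        array( 'redirect' => rawurlencode( admin_url( 'admin.php?page=ninja-forms#services' ) ) ),
        'https://addon-manager.example.invalid/connect'
    );
}
```

The order of the two checks matters: the nonce check rejects forged cross-site requests even from a genuine administrator, while the capability check rejects a logged-in subscriber who can obtain a nonce for their own session. Neither check on its own covers both cases.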


Description: Administrator Open Redirect
Affected Plugin: Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress
Plugin Slug: ninja-forms
Affected Versions: <= 3.4.33
CVE ID: Pending.
CVSS Score: 4.8 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Fully Patched Version: 3.4.34

As part of the OAuth connection process, the plugin registers an AJAX action, wp_ajax_nf_oauth_connect, tied to the function connect(), which is used to redirect a site owner back to the WordPress site’s Ninja Forms service page after the user has finished the OAuth connection process.

 public function connect() {
    // Does the current user have admin privileges
    if (!current_user_can('manage_options')) {
      return;
    }

    // wp_verify_nonce( $_REQUEST['nonce'], 'nf-oauth-connect' );

    if( ! isset( $_GET[ 'client_id' ] ) ) return;

    $client_id = sanitize_text_field( $_GET[ 'client_id' ] );
    update_option( 'ninja_forms_oauth_client_id', $client_id );

    if( isset( $_GET[ 'redirect' ] ) ){
      $redirect = sanitize_text_field( $_GET[ 'redirect' ] );
      $redirect = add_query_arg( 'client_id', $client_id, $redirect );
      wp_redirect( $redirect );
      exit;
    }

    wp_safe_redirect( admin_url( 'admin.php?page=ninja-forms#services' ) );
    exit;
  }

This function uses wp_safe_redirect to redirect site owners back to the admin.php?page=ninja-forms#services page by default. However, if the ‘redirect’ parameter is supplied, it redirects the site administrator with wp_redirect to the arbitrary URL supplied in that parameter.

Fortunately, there was a capability check on this function so that only administrators could use it. However, there was no validation of the redirection URL to restrict where the redirect could go, and nothing prevented an attacker from using the function to redirect a site administrator to a malicious location. A call to wp_verify_nonce() was present, but it was commented out and therefore had no effect. This made it possible for attackers to craft a URL with the redirect parameter set to an arbitrary site. If the attacker could trick an administrator into clicking the link, the administrator would be redirected to an external malicious site, which could infect the administrator’s computer amongst other malicious actions.

Open redirect vulnerabilities exploit the inherent trust of the vulnerable domain to assist in getting someone to click on the open redirect link. For example, an attacker could craft a link with the redirect parameter containing a shortened URL and then ask a site owner to check out the link saying that the page was responding weirdly on their site. This would likely cause the site owner to click on the link and check out what the “inquiry” is referring to, and ultimately result in them being redirected to an external and malicious site.
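An added example, not Ninja Forms code, of how connect() can be written so that the redirect is constrained: the nonce check is active rather than commented out, and the redirect target is passed through wp_validate_redirect(), which only accepts URLs on the site itself or on hosts allowlisted via the allowed_redirect_hosts filter and otherwise returns the fallback. The example_* function name and the addon-manager host are hypothetical; the option name, admin page and nonce action string come from the code above.

```php
<?php
/**
 * Added example (not Ninja Forms code): connect() with a working nonce check
 * and a validated redirect. example_* names and the service host are hypothetical.
 */

// wp_validate_redirect() and wp_safe_redirect() allow only local URLs plus the
// hosts returned by this filter, so register the one external host the
// connection flow legitimately bounces through.
add_filter( 'allowed_redirect_hosts', function ( $hosts ) {
    $hosts[] = 'addon-manager.example.invalid'; // hypothetical service host
    return $hosts;
} );

add_action( 'wp_ajax_nf_oauth_connect', 'example_oauth_connect' );

function example_oauth_connect() {
    // Does the current user have admin privileges
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // The original had this check commented out; here it is enforced.
    $nonce = isset( $_GET['nonce'] ) ? sanitize_text_field( wp_unslash( $_GET['nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'nf-oauth-connect' ) ) {
        wp_die( 'Invalid or expired link.', '', array( 'response' => 403 ) );
    }

    if ( ! isset( $_GET['client_id'] ) ) {
        return;
    }
    $client_id = sanitize_text_field( wp_unslash( $_GET['client_id'] ) );
    update_option( 'ninja_forms_oauth_client_id', $client_id );

    // Where we go if the supplied target is missing or not allowed.
    $fallback = admin_url( 'admin.php?page=ninja-forms#services' );
    $target   = $fallback;

    if ( isset( $_GET['redirect'] ) ) {
        // esc_url_raw() keeps a well-formed URL; wp_validate_redirect() then
        // replaces any off-site, non-allowlisted host with $fallback, which is
        // the step that closes the open redirect.
        $candidate = esc_url_raw( wp_unslash( $_GET['redirect'] ) );
        $candidate = add_query_arg( 'client_id', $client_id, $candidate );
        $target    = wp_validate_redirect( $candidate, $fallback );
    }

    wp_safe_redirect( $target );
    exit;
}
```

Note that the nonce alone would not have been enough: a nonce proves the link was generated for this administrator, but a page that mints the link from user-controlled input would still carry the attacker's URL. Validating the destination is what makes the redirect safe regardless of where the link came from.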


Description: Cross-Site Request Forgery to OAuth Service Disconnection
Affected Plugin: Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress
Plugin Slug: ninja-forms
Affected Versions: <= 3.4.33
CVE ID: Pending.
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:L
Fully Patched Version: 3.4.34

An additional feature of the Ninja Forms Add-Ons Manager was the ability to easily disconnect an established OAuth connection with just a few clicks. In order to provide this functionality, the plugin registered an AJAX action wp_ajax_nf_oauth_disconnect tied to the function disconnect(). The disconnect() function would simply disconnect an established connection by deleting the options associated with the connection settings in the database.

add_action( 'wp_ajax_nf_oauth_disconnect', [ $this, 'disconnect' ] );

Unfortunately, this feature did not have nonce protection. This made it possible for attackers to craft a legitimate-looking request, host it externally, and, if they succeeded in tricking an administrator into clicking a link or attachment, send a request to disconnect the current OAuth connection. Exploiting this vulnerability would cause no critical harm, but it could be a puzzling experience for a site owner.

 public function disconnect() {

  // Does the current user have admin privileges
  if (!current_user_can('manage_options')) {
    return;
  }

  do_action( 'ninja_forms_oauth_disconnect' );

  $url = trailingslashit( $this->base_url ) . 'disconnect';
  $args = [
    'blocking' => false,
    'method' => 'DELETE',
    'body' => [
      'client_id' => get_option( 'ninja_forms_oauth_client_id' ),
      'client_secret' => get_option( 'ninja_forms_oauth_client_secret' )
    ]
  ];
  $response = wp_remote_request( $url, $args );

  delete_option( 'ninja_forms_oauth_client_id' );
  delete_option( 'ninja_forms_oauth_client_secret' );
  wp_die( 1 );
}
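The disconnect() handler above shows that a capability check on its own does not stop cross-site request forgery: the victim administrator's browser attaches the WordPress cookies to the forged request, so current_user_can() passes. What the forged request cannot supply is a nonce, because it is minted per user and per action and is only ever handed to the plugin's own admin page. The following is an added example, not Ninja Forms code, of the full nonce round trip: minting it on the admin page, sending it from the page script, and verifying it in the handler. The example-* script handle, the toplevel_page_ninja-forms hook suffix and the example_* function name are assumptions; the option names, the ninja_forms_oauth_disconnect action and the nf_oauth_disconnect AJAX action are from the code above.

```php
<?php
/**
 * Added example (not Ninja Forms code): nonce round trip for the disconnect
 * action. Script handle, hook suffix and example_* names are hypothetical.
 */

// 1. Server side, only on the plugin's own admin page: mint a nonce bound to
//    this user and this action and expose it to the page script.
add_action( 'admin_enqueue_scripts', function ( $hook ) {
    if ( 'toplevel_page_ninja-forms' !== $hook ) { // assumed hook suffix for admin.php?page=ninja-forms
        return;
    }
    wp_enqueue_script( 'example-nf-services', plugins_url( 'services.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-nf-services', 'exampleNfServices', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'nf-oauth-disconnect' ),
    ) );
} );

// 2. Client side: the contents of the hypothetical services.js, sent as a POST
//    with the nonce in the _ajax_nonce field that check_ajax_referer() reads.
//
//    jQuery.post( exampleNfServices.ajaxUrl, {
//        action:      'nf_oauth_disconnect',
//        _ajax_nonce: exampleNfServices.nonce
//    } );

// 3. Handler: a request without a valid nonce dies before any state changes.
add_action( 'wp_ajax_nf_oauth_disconnect', 'example_oauth_disconnect' );

function example_oauth_disconnect() {
    // Rejects missing, expired or foreign nonces with wp_die( -1 ) before
    // anything else runs. This is the check the original handler lacked.
    check_ajax_referer( 'nf-oauth-disconnect' );

    // Does the current user have admin privileges
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // A state-changing action should not be reachable by a plain link (GET).
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
        wp_send_json_error( array( 'message' => 'POST required.' ), 405 );
    }

    do_action( 'ninja_forms_oauth_disconnect' );

    // The original also notified the remote service with a non-blocking DELETE
    // carrying client_id and client_secret; that call is unchanged and omitted here.
    delete_option( 'ninja_forms_oauth_client_id' );
    delete_option( 'ninja_forms_oauth_client_secret' );

    wp_send_json_success( array( 'disconnected' => true ) );
}
```

check_ajax_referer() with no second argument looks for _ajax_nonce and then _wpnonce in the request, so the field name in the page script must match one of those or be passed explicitly. Requiring POST is a second, independent layer: it does not replace the nonce, but it removes the "click this link" delivery path that the advisory describes for this flaw.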

Disclosure Timeline

January 20, 2021 – Conclusion of the plugin analysis that led to the discovery of the four vulnerabilities. We develop firewall rules to protect Wordfence customers and release them to Wordfence Premium users. We make our initial contact and send full disclosure via the Security Disclosure contact listed on the Ninja Forms website.
January 21, 2021 – We receive a response confirming that Saturday Drive received our information and will begin working on a fix.
January 25, 2021 – The first patched version of the plugin is released as version 3.4.34.
January 26, 2021 – We check to see if the release addresses all reported issues. We discover one endpoint is still vulnerable and follow-up with our contact at Saturday Drive. We receive confirmation the same day that they will send the details to the developers to work on a fix.
February 4, 2021 – We follow up to check on the status of a fix, and we are informed that it should be released in the next couple of days.
February 8, 2021 – A final patched version of the plugin is released as version 3.4.34.1. We verify again that the vulnerabilities have been patched.
February 19, 2021 – Free Wordfence users receive firewall rules.

Conclusion

In today’s post, we detailed four flaws in the Ninja Forms plugin that allowed attackers to obtain sensitive information and to redirect administrative users. These flaws have been fully patched in version 3.4.34.1. We recommend that users immediately update to the latest version available, which is version 3.5.0 at the time of this publication.

Wordfence Premium users received firewall rules protecting against this vulnerability on January 20, 2021, while those still using the free version of Wordfence will receive the same protection on February 19, 2021.

If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected as these are considered critical severity issues that can result in remote code execution.

Special thanks to the creators of Ninja Forms, Saturday Drive, for working quickly to get patches out and for providing a contact for responsible disclosure directly on their website.

The post One Million Sites Affected: Four Severe Vulnerabilities Patched in Ninja Forms appeared first on Wordfence.

Episode 104: Cryptography Demystified

This week, the Wordfence team discusses cryptography in depth, including the basics, a brief history, hashing, and the Crypto Wars. We also go over current news, including 2 new findings by the Wordfence Threat Intelligence team, a new milestone for WordPress, and a recent attack on a Florida Town’s water supply.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:17 New findings by the Wordfence Threat Intelligence team
1:08 New Milestone for WordPress
2:40 An attack on a Florida Town’s water supply
5:52 Introduction to Cryptography
7:49 History of Cryptography
13:45 The Crypto Wars
24:30 Hashing
37:26 Symmetric Cryptography
39:26 Asymmetric Cryptography


Episode 104 Transcript

Ram:
Hello, and welcome to Think Like a Hacker, the podcast about WordPress security and innovation. I’m Ram Gall, threat analyst and QA engineer at Wordfence, and with me is our CEO Mark Maunder. How’s it going, Mark?

Mark:
Pretty good, Ram. How are you doing?

Ram:
Not too bad. It’s been a long day, but I feel like it’s been pretty productive.

Mark:
Yeah. Didn’t you just find a bug?

Ram:
Actually, Chloe and I both published a couple of critical vulnerabilities in some fairly popular plugins. Chloe found a couple of file upload vulnerabilities that could be used for remote code execution in the Responsive Menu plugin and a CSRF settings update. I also found a couple of CSRF… That stands for cross-site request forgery, it’s where you trick someone into clicking a link, and then the attacker can basically make them do whatever they want on their own site.

Mark:
Very cool. Vulnerabilities, which are really just celebrity bugs, right?

Ram:
Pretty much. Yes. I mean, they’ve gotten a decent amount of coverage. Mine was in NextGEN Gallery, which is a fairly popular image plugin for WordPress. It also allowed file upload, but yeah, I think we’re doing some good research. We’re keeping up the pace in the new year.

Mark:
Yeah. Most definitely.

Ram:
Something else that came up is that WordPress now officially accounts for 40% of the top 10 million sites on the internet, according to a new study by W3 Technology Surveys.

Mark:
I remember, I think it was earlier today, our team was chatting about that. I was just remembering what that 40% number means. I guess it’s the top 10 million as defined by… Was it Alexa combined with some other lists or cross-referenced?

Ram:
Yeah. Yeah. It was mostly the Alexa top 10 million. They’ve been keeping track of internet statistics for quite some time now, so.

Mark:
Yeah, but I mean, Alexa, not to go and excavate this from ancient history, but they used to have really accurate traffic on sites based on a browser tool bar that was in… I think it was like back in IE6 or something, and then those toolbars went away, and somehow they still have data. I’m just curious how accurate it is.

Ram:
Apparently, they’re fairly well-trusted by most of the organizations that do internet research, but it would be fun to look into at least.

Mark:
Yeah, for sure. One of my favorite resources is BuiltWith that we’ve been playing with, and I think you might’ve as well.

Ram:
Yeah. Yeah. I’ve played with BuiltWith a little bit. It has given us some interesting data on some topics that we’ve been researching, like nulled plugins.

Mark:
Definitely.

Ram:
But we don’t want to get too far off of track, but we’re going to be discussing one of the most important technologies to the internet’s continued existence today. We’re going to be following up on our Wordfence Live show this week. Just wanted to cover one of the biggest things in the news this week, which is that an attacker gained access to a computer controlling the water treatment plant for Oldsmar, Florida. I guess they tried to dump a bunch of lye into the water supply.

Mark:
Yeah, I commented about that on Twitter, but I don’t know about you, Ram, but I don’t remember a kinetic attack that targeted civilians that has had this much impact. When I say civilians, I’m thinking of Natanz, the Iranian uranium refinement plant that was targeted by the U.S. military cooperating with the Israelis. I also think about the Israeli F-15s that targeted a facility after the Israeli cybersecurity team disabled the radar system that would have detected the attack.

Mark:
Those things have happened, and they’re kinetic and they’re exciting and that kind of thing, but this is hackers going after a civilian facility dumping orders of magnitude more lye in the water supply than should be there and an operator seeing it actually happen and catching it just in time, which is very lucky, I think.

Ram:
Yeah, well, they were using TeamViewer, weren’t they? Apparently, this was a fairly low-sophistication attack. They believe that it was credential stuffing that led to it.

Mark:
Oh, wow. No, I didn’t read the details on this. What is TeamViewer exactly?

Ram:
TeamViewer is basically a remote desktop management application, something where if you want to help someone out on their computer, you can get an invite to take actions on their computer using TeamViewer. It’s a lot like remote desktop Microsoft bundles, or with Windows server.

Mark:
Some attacker… and you said it was credential reuse?

Ram:
That’s the running theory. Yes.

Mark:
Oh, wow. Oh, man. I think that’s by far the most common vector for just about everything these days is password reuse, something gets breached, the list of hashed passwords gets out on the internet, someone cracks the list or as many of the hashes as they can, they make it available to everyone else, and you’ve got the username/password combination, and the username’s usually an email address, and so once that’s out there, they just reuse that credential somewhere else and get in, and Bob’s your uncle, huh?

Ram:
Pretty much. Yeah. That’s one of the reasons why cryptographic salts are so important, which is something we are actually going to get to a little bit. Apparently, the operator caught it because the attacker moved the mouse. That’s kind of eerie if you see your mouse moving on your screen and you’re not the one moving it. I feel like that speaks to the relatively low sophistication level of the attacker.

Mark:
I just hope it wasn’t some kid. Was this done in Florida where this happened?

Ram:
Yeah, this was in Florida.

Mark:
Oh, man. There’s something about Florida. We have a mutual friend who you know of, and we’ll chat about that after the podcast, but he got prosecuted when he was much younger for making silly choices and going after government websites. I hope this isn’t the same thing, some teenager who’s gone exploring and made some really bad choices because it’s not going to turn out well for them.

Ram:
Definitely not, especially not with something that could have impacted that many civilians.

Mark:
Yeah. Yeah. For sure. All right. Should we talk crypto?

Ram:
Yeah, let’s talk crypto. I guess the question is what is cryptography?

Mark:
Just some background here, as Ram was saying, we had a really nice chat on Wordfence Live, which feels like it was last week for both of us because so much has happened since then, but it was actually yesterday morning on Tuesday morning. We’re recording this on a Wednesday evening, February 10th. Wordfence Live is every Tuesday around… Is it 9:00 a.m. Pacific, Ram?

Ram:
I know that it’s noon Eastern, so.

Mark:
Yeah. Yeah. All right, so 9:00 a.m. Pacific, we did a segment yesterday on cryptography, and we wanted to do that on the podcast as well. I’m going to condense this so that it’s a little bit less in-depth and kind of like a compact introduction to cryptography for most folks. If you’re a little more technical, I suspect there’ll be some fun items in here for you as well.

Mark:
But my goal here is really to get our listeners thinking about cryptography in a way where they have an understanding of some of the basics. By the basics, I really mean where cryptography comes from, why it’s useful, the history of the crypto wars, what is a hash, what is symmetric cryptography, what is asymmetric cryptography, what is key escrow and why is it problematic? Then we’ll talk about the future.

Mark:
If you are less technical and you’re listening to this, I’m going to make this as accessible as I possibly can. Some of those words that I threw out might sound a little bit intimidating, but they’re not. They’re actually fairly easy concepts, and you don’t need to be a mathematician to have some fun with this stuff. I think once you’ve got a basic understanding of what these various things are, you can then listen to news reports about the evolution of policy with regards to privacy and cryptography and even things like blockchain with more of an educated ear. That’s my goal here. I suspect that’s yours too, Ram.

Ram:
That is. Should we dive into the history a little bit?

Mark:
Yeah. Why not? I guess we can go back to the Caesar cipher, which is one of the earlier forms of cryptography, and chat about that. The Caesar cipher, it’s a really basic form of crypto that is just shifting letters by a fixed number, so-

Ram:
ROT13, right? The thing-

Mark:
Exactly.

Ram:
… that people always used to post spoilers on the internet.

Mark:
Yeah, exactly. Now, in the case of ROT13, what they’ve done is they’ve said every letter becomes the letter that is 13 places away. I think A is probably… Is it M or N? B is the next letter after that. Maybe A becomes M, B becomes N, and so on. When you get the message, all you do is you reverse the process. You shift it 13 letters back or two letters back or whatever you’ve agreed on. What’s interesting about that kind of algorithm is that it’s cryptography where you have a shared algorithm, and all an algorithm means is just a piece of logic.

Ram:
It’s just a way of doing stuff. It’s the way of performing operations, right?

Mark:
I like that. I actually like that better than a piece of logic. It’s a way of doing something. In early cryptography, it was a shared algorithm. I’m shifting it forward by 13 spaces, and you’re shifting all the letters back by 13, for example. Then you had other early forms of cryptography, like the scytale where you had a… It’s kind of like a belt, if you can imagine like a belt that you would use to hold your jeans up when you’ve lost too much weight. You wrap a belt around a cylinder so that it covers the whole cylinder, and then you write your message on that. When you unwrap it, what you’ll see is a bunch of letters when you’re looking at the belt, and it doesn’t really make much sense. The way you decode it is you just take the belt and you wrap it around a cylinder of the same diameter, and you can end up actually seeing the message.

Mark:
Again, it is a shared algorithm that the two people have. I know that I need to wrap the belt around a cylinder of 100 millimeters in diameter and you receive the belt that the courier has transported across the country on their horse avoiding the enemy, and you know that you need to wrap it around a cylinder of 100 millimeters in diameter. We share that logic, and there you go. One of the first kinds of cryptography where it was no longer a shared algorithm or a shared piece of logic, but they actually separated the logic or the algorithm from the key was… What the heck’s it called, Ram?

Ram:
Vigenère cipher. Yeah. That was the one where they basically used every Caesar cipher in a sort of table, right?

Mark:
Exactly. Yeah. Yeah. Vigenère was the first cryptographic algorithm or method that had logic. It also had a shared key between the sender and the receiver. The key is you plug that into the table, as Ram was saying, and you can then decode the message. What’s interesting about that is it begins to introduce this concept of Kerckhoffs’s principle, which is that for any good cryptographic algorithm, that algorithm should… You should be able to make that completely public and make it available to your adversary, your enemy, or the other team, and it doesn’t matter if they have the algorithm as long as they don’t have the key.

Mark:
That’s the importance in cryptography of separating the algorithm or the logic from the key. Kerckhoffs’s principle is used still today by the NSA, and the inside joke at NSA is that if we produce a device that does cryptography, the very first device, the one with serial number one is sent to the Kremlin. What they’re really doing is just illustrating this idea that you can have the device or the algorithm or the logic as long as you don’t have the key. If you have the device or you understand the logic or the algorithm or the math, it doesn’t help you as long as you don’t have the key to unlock the cryptography.

Ram:
Most of the really strong ciphers we use today are very public, aren’t they?

Mark:
Yeah.

Ram:
Like I’m sure the NSA has a few in their back pocket that they’re not sharing, but most of the ones that are considered extremely secure, the algorithms are all public.

Mark:
Exactly, exactly. I mean, it used to be that they tried to keep these things as trade secrets. You know, RC4 was actually a trade secret until it was leaked on a cypherpunk forum. Cypherpunks are hackers that are interested in cryptography. But RC4 was actually leaked and it eventually became, you know, public knowledge and so on.

Mark:
But these days when cryptographic algorithms are developed, they’re generally made very public based on Kerckhoffs’s principle and debated to death among mathematicians and pounded upon until they’re like, okay, we’re at a good place where it doesn’t matter who knows the algorithm. As long as they don’t have the key, it’s as secure as we need it to be. I’m not using the word unbreakable on purpose for reasons that, Ram, I’m sure you understand.

Ram:
Schneier said that usually when the NSA tries to break these things, they don’t try to actually break the math. They just try to break the implementation. Right? And that’s-

Mark:
Yeah.

Ram:
… where it’s usually easiest to go wrong. It’s much easier to find some sort of side channel of like, oh, hey, this chip leaks way more power when, you know, the first few bytes of the key are zero-

Mark:
Yeah.

Ram:
That kind of thing.

Mark:
Yeah, exactly. I think sometimes the math is vulnerable. But most often you’re able to target cryptographic algorithms using side channel attacks much more successfully.

Mark:
All right. So we’ve chatted about the sort of brief history of cryptography. I’m going to bring us into roughly the seventies.

Ram:
The height of the Cold War.

Mark:
Right? So around the 1970s, in my opinion, and other folks will disagree with me, what we call the crypto war started. And that’s where the US government, and the NSA in particular, were doing their best to make cryptography unavailable to the general public and to their adversaries, like other countries and so on. And, you know, we’re obviously at the height of the Cold War there. And so the big adversary for the US was Russia.

Mark:
And so one of the events that I think clearly illustrates the Crypto Wars is that IBM in the 1970s was developing DES or the digital encryption standard and they wanted to use a 128 bit key. Now in cryptography, the longer the key you use, generally, the more secure the cryptography is, the harder it is to break. And so IBM wanted to use a 128 bit key.

Mark:
And when I say 128 bits, if you don’t know binary, it just defines the length of a number. And you can have numbers in binary or hex or octal or decimal. In most cases, decimal is what we’re used to. But in binary, a 128 bit key is just a number that is 128 binary digits long.

Mark:
And so IBM wanted to use a 128 bit key. And the NSA started lobbying them to only use a 48 bit key because they wanted the digital encryption standard that IBM was developing to be more easily breakable. They didn’t want secure cryptography to be available to the general public and to IBM customers, including customers that were overseas. And what they settled on is a key length of 56 bits, which was vulnerable at the time to brute force attack, and to being broken. And so that’s kind of one of the earlier events.

Mark:
And if we fast forward to 1991, you saw something similar happen where Phil Zimmermann released Pretty Good Privacy, which was an implementation of public key encryption. And I’m going to explain what that is in a few minutes, but what that did is it made very strong public key encryption available to the general public. And he actually used 128 bit encryption. If you remember, the longer the key, the more secure it is.

Mark:
And they actually went after Phil and they tried to prosecute him. And eventually they kind of dropped the case. But what happened was Phil was not able to legally export Pretty Good Privacy because it fell under the ITAR regulations at the time, which were the regulations that govern the export of munitions. And strong cryptography was considered ammunition by the US government, the same as missiles and so on.

Mark:
And so he could only export a weak version of PGP. But the way they got around it eventually was Phil partnered with the MIT Press. And they actually printed out the entire source code of PGP as a hardcover book. And you could buy that book and you could take it overseas. And the reason you could do that is because it was protected speech under the First Amendment of the US Constitution. And so they actually managed to export it that way. Someone took the book overseas, they yanked off the cover and they used optical character recognition to scan the code back in and they compiled it. And they had strong encryption that had legally been exported from the US. And that was around ’91.

Mark:
And then just a little later that decade, around the mid nineties, Netscape implemented SSL in their browser. And because of the ITAR regulations, they had to provide weak cryptography to international users of their browser.

Ram:
That seems like a terrible idea for e-commerce.

Mark:
Right? So Netscape only allowed 40 bit encryption internationally. And you could have 128 bit encryption if you’re in the US. And what happened is Verisign, at the time, was selling all of the SSL certificates. And they were selling 128 bit certificates to US customers and 40 bit for the rest of the market. And a little company in South Africa, where I come from, called Thawte, which was started by Mark Shuttleworth, started selling 128 bit SSL certificates. Because they could, because they were not in the US, and they were not governed by the ITAR restrictions.

Mark:
And so Mark and Thawte cornered the other half of the global market in SSL certificates and Thawte ended up owning 50% of the market and Verisign owned the other 50%, which was in the US. And eventually the ITAR restrictions were lowered. Verisign bought Thawte for just under 600 million US dollars. And Mark became a very wealthy person and became the second space tourist ever. And then used his hundreds of millions to launch Ubuntu, which is a Linux variant. That is, I think, Ram, the most popular Linux flavor these days?

Ram:
By quite a bit, I believe. Yes.

Mark:
Yeah. And Ubuntu’s actually brilliant. I mean, everyone uses it, who is- everyone sensible uses it. (laughs) No, I’m just kidding. I’m going to get killed by some of our listeners. Cause there’s a lot of other great Linux flavors out there, including Kali, which is used by us penetration testers and security researchers. So lots to choose from. But Ubuntu is huge and has made a huge contribution.

Mark:
And that is how Ubuntu came about. And you can thank the US government and their restrictions on exporting strong cryptography for helping bootstrap Ubuntu Linux into existence.

Mark:
And then, you know, we’re still chatting about the Crypto Wars, right? I mentioned IBM in the seventies, you know, Netscape and the story of Mark Shuttleworth and Thawte and so on. Well, the Clipper chip was developed by the National Security Agency in the 1990s. And that included, Ram, I think you told me about the Skipjack algorithm.

Ram:
Yeah. I remember there being a controversy about the Clipper chip as well.

Mark:
Yeah. So Clipper included what they call a key escrow, which is this absurd idea that a government, in this case, the US government, should hold a key that is a back door to a certain kind of cryptography. And so Clipper was supposed to be used in all phones, cell phones, landlines, that kind of thing. And it would give you the illusion of secure communications. When in fact, someone out there has a key. In this case, it’s the US government. And the idea is that they’ll be able to keep that key secure.

Ram:
They would never ever lose it. Right? That has never happened.

Mark:
Right.

Ram:
Right?

Mark:
Right. Well, if you know anything about the OPM breach, the Office of Personnel Management, which is a division of the US government, holds files on everyone in the country who has clearance.

Mark:
Clearance, if you’re not a US person, means that you can look at secret government stuff. And there’s various levels. There’s secret, top secret, top secret SCI and so on. And so if you work on a military base in this country, you generally have clearance of some kind, and there’s a process that you go through. They attach a polygraph to you and they ask you a bunch of awkward questions. And there’s a process called adjudication where you’re supposed to tell them that you’re, you know, an alcoholic who dances every midnight when it’s a full moon around the streets naked. And you’ve done all this other naughty stuff. And that way they’ve got all your naughty stuff on file. And no one can blackmail you saying, well, I’m going to tell everyone about the naughty stuff, unless you tell me the government secrets.

Mark:
And so OPM had that data on file along with biometric data for all of these folks with clearance, like fingerprints and so on. And that was breached. And it’s an absolute disaster. In my opinion, it’s one of the most important breaches in the history of this country, anyway, because you don’t get a lot of that data back. And you can’t change a lot of that data. You know, if it was passwords that were breached, sure. You know, change your passwords, no big deal. Biometric data is a password that you can never change unless you somehow are able to change your fingerprints or your iris.

Ram:
It should be a username really.

Mark:
(laughs) Right. And yeah, that’s an interesting idea actually. And then, you know, the adjudication data is obviously very, very sensitive data and that’s now out there. And so if they couldn’t protect the OPM’s data, the idea that they would be able to protect a key that they’re storing under key escrow is utterly absurd.

Mark:
And it just really highlights the need for strong cryptography that isn’t back-doored in my humble opinion. Ram, what do you think?

Ram:
I definitely agree. I feel like back door crypto is a disaster waiting to happen because as soon as that happened, that escrow key is going to become the number one target of literally every adversary and every light crime syndicate, and everyone who has good hackers who-

Mark:
Right.

Ram:
… aren’t interested in the public good.

Mark:
Yep. That’s right. Giant bullseye. And so, you know, the Crypto Wars are still going on. We have an act that is the EARN IT Act of 2020, and it provides for a 19 member national commission, which will develop a set of “best practice guidelines” to which technology providers will have to conform in order to “earn immunity” to liability for child sexual abuse material that’s been posted by their users on their platforms.

Mark:
And the thing about that is that earning immunity probably means providing back doors into things like end to end encryption if you’re providing a service like WhatsApp or Signal. And WhatsApp is relevant because it’s owned by Facebook. And so if Facebook wants to “earn immunity” from people posting illegal material to Facebook, they would have to conform to the EARN IT act and potentially back door WhatsApp.

Mark:
And just to be clear, traditionally, content providers, social media platforms, that kind of thing have had automatic immunity thanks to Section 230 of the Communications Decency Act. And so they’re kind of like rolling that back and providing a way for the US government to put tremendous pressure on platforms and social networks and so on to back door their cryptography with the threat of well, we’ll prosecute you for child pornography content that is posted onto your platform.

Mark:
And so the way that they framed this is this kind of choice between the safety of children or strong cryptography. And it’s a false choice in my opinion.

Ram:
There are very, very, very many legitimate uses for strong cryptography. Honestly, I feel like it’s a much stronger argument, even than the old VCR debate. If you recall, the main reason VCRs were allowed to have a record functionality is that there were legitimate use cases that weren’t copying copyrighted material, even though that’s what most people used them for.

Mark:
Yeah, yeah-

Ram:
Whereas with cryptography, almost all of the use cases are legitimate, and the illegitimate uses are edge cases.

Mark:
Yeah, exactly. I would say it’s the inverse of that; I totally agree. All right, so let’s dive into some educational stuff over here-

Ram:
Yeah, you were going to talk about hashing, right? Which is pretty big on the blockchain. It’s kind of the thing that makes that work, but-

Mark:
Yeah, so let’s start off with hashing as you suggested, Ram. It’s one of the easier concepts. A hash is simply a machine that you can feed data into of any length; it can be just a single byte or it can be a petabyte, which is a lot. And at the other end, it’ll spit out a fixed length number that’ll uniquely identify that data. If you feed the same data in again, you get exactly the same number, and that’s it. Now you know what hashing is.

Mark:
And hashing is super useful for all kinds of things. I was teaching my colleague in our film department the other day about hashing, because what he can do is take a huge film, a complete film that is multiple gigabytes, run it through a hashing algorithm on his Apple computer, which includes the MD5 hashing algorithm, he can get a hash that represents the data. He can then send that huge file via courier, or via network, or via pigeon to the visual effects company that he’s going to be collaborating with, and when they get it, he can also just email them the hash, they’ll run it through the same algorithm, and if it doesn’t generate the same hash, it means the data has been changed in transit; it’s been corrupted, or someone has added a scene into the film that we don’t want-

Ram:
Or the NSA has tampered with the film.

Mark:
Right. For some reason, I thought of Fight Club. If they had hashing then Tyler Durden wouldn’t have been able to put his little hidden frame into the films, but let’s not go there. This is a family podcast, and we probably shouldn’t go into that territory.

Mark:
But that’s the basics of what hashing is. And it’s used in cryptographic algorithms or crypto systems all over the place to uniquely identify data. And hashing is also used for authentication. So when you register on a website, what it does is you enter your password, it creates a hash of that password to uniquely identify it, and it stores that hash. And the next time you sign in it just hashes the password that you enter again-

Ram:
But not with MD5 anymore?

Mark:
Well hold on, you’re getting ahead of me here. So it hashes your password again, and compares that output with the hash that it’s stored, and if the two match, then it lets you in. And the benefit of doing that is you don’t have to store a plain text password in the database anymore. You can now just store a representation of that password.

Mark:
And the thing about hashes is it’s very difficult, and in some cases impossible, to reverse that hash back into the original data. And so that’s the basic idea there.

Mark:
Now, if you wanted to crack passwords, because you’ve managed to, let’s say hack into some WordPress website and you’ve downloaded all the hashes, and you want to turn them into passwords, well the way you do it is you just take a whole bunch of words, turn them into hashes, compare that list of hashes you came up with the list of hashes that you stole, and ones that match, well now you know what the password is because you used that password to create that hash, and it matches a hash in the database, and so it must be the same word that they’ve used.

Mark:
And so this begins to help you to understand why you want to choose a long password that is not an English word, or made up of English words, and that contains random characters, and that those characters should be upper and lower case, and numbers, and some symbols. Because if I’m trying to crack your password by throwing a dictionary at a hashing algorithm-

Ram:
You’re going to try the easy ones first, right?

Mark:
I’m going to try to use the ones first. And I’m going to try dictionary words first. If I have to do, let’s say 20 character passwords that are completely random, it’ll take me the rest of my natural life multiplied by a thousand to actually crack your password.

Mark:
Some hashing algorithms are a little more computationally-intensive than others, and those are better for this particular application, which is storing hashed passwords.

Mark:
Now, crazy story, right?

Ram:
Yeah, yeah.

Mark:
I’m going to go on a tangent over here, Ram, just for fun. This is not something we chatted about on Live yesterday, and I wish we had.

Mark:
Adler-32, does that sound familiar?

Ram:
Yeah, that’s the CRC, cyclic redundancy check algorithm, right?

Mark:
Yeah. And Adler-32 now, the reason I want to go on this tangent is I was saying that if you’re using a hashing algorithm for storing representations of passwords, you want to use something that does actually consume quite a few CPU cycles when you’re generating the hash, because it’s harder to crack. If you do a thousand guesses with that algorithm, it’s going to take a lot longer than with, say MD5, which is incredibly fast.

Mark:
But Adler-32 is funky. It was designed by Mark Adler. He worked at either JPL or NASA at the time, and it was designed for spacecraft. And that is an algorithm that’s designed to not be computationally intensive, because it’s running on a spacecraft that has a limited amount of power available. It’s running off solar cells, and you don’t want to consume a huge number of CPU cycles, and therefore watts when you’re using this algorithm.

Mark:
So it’s actually a very computationally-efficient algorithm. And Matt Barry, who’s our lead developer, our most senior developer here at Wordfence, he discovered a weakness in the wordpress.org infrastructure that would have potentially allowed an attacker to compromise the servers where you download WordPress from, and that send out the plugin updates and all that stuff. And the mistake that they had made is they were using Adler-32 for a certain, I think it was authentication or authorization step.

Ram:
Yeah. They let you choose your own algorithm, right?

Mark:
Right, that was it!

Ram:
And you could even choose Adler-32.

Mark:
Yes!

Ram:
And at that point you can just generate something else, it’s called a collision where you have two values that generate the same identical hash, which can only happen in really small, short hashes, right?

Mark:
Yeah. So that was an absolutely brilliant piece of research by Matt. And you can find that on the Wordfence blog, it’s a few years old now. The WordPress security team managed to fix that quite quickly, working confidentially with Matt. And then we went ahead and published the research when the all clear was given.

Mark:
But that’s an example of why it is very important to choose the appropriate hashing algorithm for whatever your application is. If you’re launching spacecraft, choose something that’s computationally not that intensive to save some power with your solar cells; if you’re doing password hashing, you want to choose something like bcrypt. That’s a little bit more computationally intensive than let’s say MD5. How are we doing so far, Ram? Making sense?

Ram:
I think we’re pretty good. Yeah, I think we probably want to cover salts, but I’m not going to spend too much time on them. When Mark was discussing how you can basically just precompute the hashes of a bunch of passwords, that doesn’t work so great if, when you’re storing the password, you append a random bit of data to it, called a salt, because then that turns it into a completely different hash. Unless the person who’s attacking your database knows the salt, they’re not going to be able to generate a hash that actually matches your password no matter what list they run.

Mark:
Okay, so I’m going to unpack that a little bit because I’m assuming that we’re dealing with folks who are not programmers here and not necessarily mathematicians.

Mark:
So if you are a bad person, and you’re going around regularly stealing databases of hashed passwords, and you want to crack those, and you want to do it in a way that’s computationally more efficient, what you’ll do is you’ll take, let’s say a bunch of dictionaries of words in English and various other languages, and you’ll use that as the beginning of your word list. And then you’ll take some other sources of passwords, commonly used passwords, you’ll take passwords that have been breached, and you’ll dump that all into a long word list. And let’s say you’ve got around a billion words, well you’ve got two choices when you want to crack your breached password database. You can turn those words into hashes, and then compare those hashes against the hashes in the database, and where they match you know that you’ve cracked it, and you know what word it was.

Mark:
And you can do that for every single breached password database that you want to crack. Or you can just do the computation once, and store the hashes alongside what the original plain text was, and then just compare the hashes to each hash in your various breached password databases. And that allows you to only do those computations once, and then just do that comparison, which is much faster than computing a hash every time.

Mark:
And so that attack is called a rainbow table, and a rainbow table is simply a long list of precomputed hashes and the words that created those hashes. And there’s big lists of rainbow tables that you can download that are precomputed hashes, and they massively speed up the process of cracking hashes.

Mark:
And so back in the seventies already, they came up with this idea of using salts. And what a salt is, is when you take a user’s password and you’re going to turn it into a hash for the first time, let’s say they’re registering for your service, you want to turn that password that they just entered into a hash, you don’t just run it through the hashing algorithm. You actually append, or prepend, a random piece of text to that password, and then you compute your hash. And what you store is the hash, as well as the little random piece of text.

Mark:
And what that means is that whenever someone signs in now, instead of just taking the password that they enter and running it through the hashing algorithm and doing the comparison, you have to take the salt, prepended or appended, to the password that they entered, run it through their hashing algorithm, and then compare it to what was stored.

Mark:
And what that means is it defeats the rainbow tables attack. Because the hacker can no longer use their rainbow table of precomputed hashes, because they’re forced to take that little piece of text and prepend it to every single word that they’re guessing you might’ve used as your password, create the hash, and then compare that. So you’re forcing them to compute the hashes when you use salts. That’s why salts are useful, is because it defeats a rainbow tables attack.

Ram:
That sounds incredibly useful, and WordPress uses them too, right?

Mark:
Yeah. WordPress, when I started coding was using MD5, and MD5 was a fairly computationally-fast hashing algorithm, therefore it’s easy to crack. And so what WordPress did is they, instead of just using straight MD5, they did 8,000 rounds of MD5. In other words, you hash the password the user entered, and then you create a hash, of a hash, of a hash, of a hash 8,000 times, and then look at that output.

Mark:
And so when they sign in and they enter their password, you just do the same process. Again, hash, of a hash, of a hash, of a hash 8,000 times; sorry, I can’t say that very fast. But WordPress also incorporated a salt, so that they could defeat rainbow tables attacks. And that was back in the olden times of 2011, 2012 when I started diving into WordPress security. Now they’ve moved over to bcrypt. And if you have old MD5 hashes in your database, there’s a migration process right Ram?

Ram:
Yep. If you put an MD5 hash password in a database, and that user logs in, then the password will be changed over to bcrypt, I believe, next time they log in. I mean, you have to log in, but yeah.

Mark:
Yeah, for sure. And the reason they have to do the migration when you log in is because they need to actually know your plain text password to be able to do the migration. So they’re authenticating you by taking your plain text password, using the old algorithm, comparing the output with what’s stored in the database, which is an MD5 hash. And then if they authenticate you, they’ll say, “Okay, now let’s migrate him to bcrypt,” and they’ll take that password that you entered, which is in memory, and use bcrypt to hash it along with a salt, and then replace the MD5 password in the database with a bcrypt password. And that’s how the migration works.

Mark:
So chatting about hashing, and hashing is just used with all kinds of things. It is an integral part of what is called a blockchain. You may have heard of a blockchain, and hashing is an integral part of that. The chain element of a blockchain is actually created with hashes where you have a series or a sequence of events, and maybe those are transactions in the case of Bitcoin or maybe they are interactions with a file or a journey of a piece of data or whatever, but it’s essentially a kind of ledger or a sequence of events that are tied together using a hashing algorithm. I’m not going to dive into it any more than that because that is beyond the scope of what we’re trying to do on this podcast. But let’s chat about symmetric crypto.

Ram:
Symmetric crypto, that’s just where if I want to send a message to you, then we have to establish a single secret key. You were discussing in the history where the algorithm can be public, but as long as there’s a shared secret that we both have, we can use it to encrypt and decrypt data very quickly.

Mark:
Exactly. Symmetric cryptography has been around for quite a while. It’s been around since… I keep wanting to say Wassenaar, but of course, it’s a Wassenaar Arrangement. What is the algorithm called again?

Ram:
Vigenère

Mark:
Vigenère, there we go. So with Vigenère, you had a shared key, and essentially that was a kind of symmetric cryptography where I have the same key that you have, maybe we’ve decided on the name of my dog, and when you receive the message from me, you use that same key to decrypt the message. Now that’s the basis of symmetric cryptography. Symmetric cryptography is very fast, but there’s a major, major problem with it. And that is that if you, audience member, and I want to communicate, and Ram is listening in, and we’re not able to get together, I’m never going to meet you. I don’t know what your name is, maybe it’s John or Mary or whatever your name is, but you and I know each other via this podcast, we chat via DM on Twitter. Ram has managed to hack into a fiber optic cable outside my house and is monitoring everything that we say. We’re on an insecure channel and we want to establish a secure channel.

Mark:
Well, we can’t use symmetric cryptography because I would have to send you my dog’s name as the key over that insecure channel and Ram will get the key, and he’ll just decrypt anything that I send you and vice versa. And that’s the trouble with symmetric cryptography. This challenge had baffled cryptographers for… I don’t know if I’m just making any assumptions about historical cryptographers, but I suspect it baffled mathematicians for a very, very long time. And around the 1970s, there was a major breakthrough in cryptography by RSA, which is the initials of three famous cryptographers.

Ram:
Rivest, Shamir, and Adleman.

Mark:
And what they developed was a way to separate the key that you use to encrypt data from the key that you use to decrypt that data. This is a massive breakthrough, and the reason why is because, again, let’s use our analogy where Ram is sitting outside my house in a van, and he’s got the fiber optic cable running into the van and running back out again, and he’s listening into everything that we say.

Ram:
For some reason no one has spotted me yet.

Mark:
Right. Even though it’s a white van with blacked-out windows and all kinds of weird bumper stickers on the back. But okay, moving swiftly on. So I want to communicate with you, dear listener, and Ram’s listening in, and the way I do that with asymmetric cryptography, which is this major breakthrough, is that I send you my public key and you receive it. The only thing you can do with that public key is encrypt the data that you want to send me. And the only thing Ram can do with it sitting in his van is he can also encrypt messages and send them to me, but he’s not interested in encrypting messages and sending them to me. He wants to decrypt our stuff, right?

Mark:
So you get the key, you get my public key, you encrypt a message, you send it to me. And I use my secret key, my private key to decrypt that message, and I’ve never sent that private key across the wire. It’s safe in my house. I’m behind locked doors. I know he’s sitting out there in his van, but all my doors are locked. Sorry, Ram. Ram’s actually a really nice guy by the way, but-

Ram:
I promise I’m not actually in a van outside of Mark’s house, listening into, hacking into his fiber optic cable.

Mark:
Or are you?

Ram:
Or am I?

Mark:
All right. So you can use my public key to encrypt data and send that to me and I decrypt it with my private key. And I want to send you some data, I want to send you a reply. So what you do is you send me your public key. I use your public key to encrypt information. I send that back to you across this insecure channel that Ram’s listening in on, and you use your secret key or your private key, those two terms I use interchangeably, to decrypt the data that I’ve sent you. And again, you’ve never sent your secret key or your private key across the wire. Ram doesn’t have it. The only thing he now has is your public key and my public key, and the only thing he can do with those is send me encrypted messages and send you encrypted messages. He cannot use those to decrypt messages.

Mark:
And that is the amazing, amazing thing about asymmetric cryptography, is that it provided a way to establish a secure communications channel over a communications medium that’s being monitored by the adversary or the enemy or some hacker. It was a major breakthrough. And so asymmetric cryptography is used extremely widely. It’s used in SSL, now called TLS, which is how we communicate with websites securely. When you’re buying something on Amazon, you are using TLS. And the way that works is that TLS will establish a secure communications channel using asymmetric cryptography, exchanging those public keys, and then decrypting with the private keys that never crossed the wire. Once that secure communications channel has been established, TLS will switch to symmetric cryptography, because as I mentioned, it is more efficient. It’s more computationally efficient and uses fewer resources. It’s faster, in other words. And that is what symmetric cryptography and asymmetric cryptography are, and why they matter.

Ram:
Asymmetric cryptography is kind of one of those world changing things, and it’s kind of something that’s enabled the internet as we know it to sort of flourish, right?

Mark:
Yeah. I mean, for me, I just go back to the wonderful story of Turing breaking the Enigma machine. And of course it was a team at Bletchley Park in the UK and so on, but the Enigma machine was an encryption machine developed by the Germans and used by the Axis powers to communicate with their ships and submarines over an insecure channel, which was HF radio, in other words, shortwave radio. And they would have to set up the shared key before those submarines and before their ships left the harbor. Now I just think about how excited those, whether it was the Germans, the Axis powers, or the Allies, either party, how excited they would have been about a way to establish a secure communications channel over an insecure link. I mean, it would have blown their minds, and that was only invented around the 1970s.

Ram:
It’s a very good thing it wasn’t around back then.

Mark:
Well, it’s interesting, right? Because it really brings up that debate because it is around now. The United States has adversaries around the world. Those adversaries in a lot of cases would consider the United States an adversary. We still have a fair amount of tension floating around the world and the potential for war and actual wars going on. And yet this is now in a world where public key cryptography does exist. You can use key lengths of 2048 bits or 4096 bits, which are way longer than 128 bits. That stuff may or may not be crackable by NSA based on the amount of noise that they’ve been making. We think that the stronger cryptographic algorithms with longer keys are actually not crackable by them.

Ram:
Considering they still really, really want that backdoor. Yeah, probably.

Mark:
Yeah. And so, now that everyone out there knows what cryptography is and a little bit of the history, and the crypto wars, and what symmetric cryptography is and what asymmetric cryptography is and why that’s such a breakthrough, and why key length matters, and how NSA in particular has been trying to lobby for smaller key lengths and so on, now, hopefully our audience can think about cryptographic or the cryptography debates and the privacy debate in an informed way. And you can kind of make your own decisions about where you land on it and go from there. And Ram, I think that’s probably a good place to leave it. What do you think?

Ram:
Yeah, I think we’ve covered a lot of ground today. As always, it’s been a pleasure having you on the show. Come and subscribe to us, and listen to us on your favorite podcasting app, whether that’s iTunes or Spotify, or I don’t know what else we have for podcasting.

Mark:
Yeah, absolutely. So Ram-

Ram:
Kathy usually does this part.

Mark:
I know, right. We hijacked her podcast because she’s got the last two days of the week off.

Ram:
Yeah.

Mark:
So hopefully she has a good break there, but Ram, if folks want to follow you on Twitter, what’s your username there?

Ram:
That is Ramuel Gall. I’m pretty boring on Twitter. Mostly all I do is talk about vulnerabilities I or Chloe found.

Mark:
That is definitely not boring. You guys do some amazing research. If you folks want to follow me, I try to stay on message and talk about things Wordfence and security related. My Twitter handle is mmaunder. So you can follow me there. Definitely check out the Wordfence blog at wordfence.com/blog. That is where you’ll find all of Ram and Chloe’s research. And I think you can scroll to the bottom of the page and subscribe to the WordPress Security mailing list, which we run, which has a huge number of subscribers. It’s extremely popular among WordPress site owners. So if you haven’t already subscribed, definitely do that. It’s a very, very high signal to noise ratio mailing list. We don’t spam you with all kinds of product pitches. It’s really just hardcore WordPress Security research made accessible, courtesy of Ram and Chloe. Right, Ram?

Ram:
Yep. Anytime we find a new vulnerability or find out about a new attack, you’re going to be the first people to hear about it, except for the plugin’s developer who actually has to fix the plugin.

Mark:
For sure. All right. And then of course you can follow Wordfence on Twitter, @Wordfence. All right, everybody, thanks so much for listening. It’s been an absolute pleasure. Next week, I think we’ll be back to our regularly scheduled programming with Kathy and Ram. Have a wonderful weekend. Bye, everyone.

Ram:
Bye.

You can find Wordfence on Twitter, Facebook, Instagram. You can also find us on YouTube, where we have our weekly Wordfence Live on Tuesdays at noon Eastern, 9:00 AM Pacific.

The post Episode 104: Cryptography Demystified appeared first on Wordfence.

Multiple Vulnerabilities Patched in Responsive Menu Plugin

On December 17, 2020, our Threat Intelligence team responsibly disclosed three vulnerabilities in Responsive Menu, a WordPress plugin installed on over 100,000 sites. The first flaw made it possible for authenticated attackers with low-level permissions to upload arbitrary files and ultimately achieve remote code execution. The remaining two flaws made it possible for attackers to forge requests that would modify the settings of the plugin and again upload arbitrary files that could lead to remote code execution. All three vulnerabilities could lead to a site takeover, which could have consequences including backdoors, spam injections, malicious redirects, and other malicious activities.

We initially attempted to reach out to the team at Responsive Menu through their parent company ExpressTech on December 17, 2020. After receiving no response for a few weeks, we tried reaching out through the contact form on the Responsive Menu site on January 4, 2021, and again received no response after a week. At that point we felt it best to escalate the issue to the WordPress Plugins team on January 10, 2021. We received a response from the plugins team and the plugin’s founder thereafter on January 11, 2021. Once contact was established, they were very quick to resolve the issues and released a patch on January 19, 2021.

The three patched flaws range from medium to critical severity. Therefore, we highly recommend updating to the patched version, 4.0.4, immediately.

Wordfence Premium users received a firewall rule to protect against any exploits targeting these vulnerabilities on December 17, 2020. Sites still using the free version of Wordfence received the same protection on January 16, 2021.

Description: Authenticated Arbitrary File Upload
Affected Plugin: Responsive Menu
Plugin Slug: responsive-menu
Affected Versions: 4.0.0 – 4.0.3
CVE ID: Pending.
CVSS Score: 9.9 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Fully Patched Version: 4.0.4

Responsive Menu is a plugin designed to create highly responsive and customizable menus for WordPress sites. It contains several features that allow users to easily create a beautiful menu interface with different colors and designs. As part of the plugin’s functionality, site owners have the option to import themes from zip files that can either be custom creations or downloaded from the Responsive Menu site. In order to provide this functionality, the plugin registered an admin_post action, admin_post_rmp_upload_theme_file, tied to the function rmp_upload_theme.

 add_action('admin_post_rmp_upload_theme_file', array( $this, 'rmp_upload_theme' ) );

The rmp_upload_theme function takes a zip file supplied by the admin_post request and extracts its contents to the /rmp-menu/themes/ directory.

    public function rmp_upload_theme() {
        status_header(200);
        $theme = $_FILES['file']['tmp_name'];
        WP_Filesystem();
        $upload_dir = wp_upload_dir()['basedir'] . '/rmp-menu/themes/';
        $unzip_file = unzip_file( $theme , $upload_dir );
        if ( is_wp_error( $unzip_file ) ) {
            $status = ['danger' => $unzip_file->get_error_message() ];
        } else {
            $status = [ 'success' => 'Theme Imported Successfully.'];
        }
        return $status;
    }

Unfortunately, there were no capability checks on this function, and because it was registered through admin_post, any user logged into a vulnerable WordPress site could execute this action to trigger the file upload and zip extraction. This included subscribers and other low-level users, making sites with open registration particularly vulnerable. The admin_post action does not check whether a user is an administrator, only that the user is authenticated when sending a request to the administrative endpoint /wp-admin/admin-post.php.

A subscriber could upload zip archives containing malicious PHP files that would get extracted to the /rmp-menu/themes/ directory. These files could then be accessed via the front end of the site to trigger remote code execution and ultimately allow an attacker to execute commands to further infect a WordPress site.

In addition, there were no nonce checks on this function, making it vulnerable to Cross-Site Request Forgery as well.

This feature was introduced in version 4.0.0 of the plugin; therefore, only sites running versions 4.0.0 – 4.0.3 of this plugin are considered vulnerable.

Description: Cross Site Request Forgery to Arbitrary File Upload
Affected Plugin: Responsive Menu
Plugin Slug: responsive-menu
Affected Versions: <= 4.0.3
CVE ID: Pending.
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Fully Patched Version: 4.0.4

Prior to the major overhaul of the plugin in version 4.0.0, the theme import function was integrated within the settings area instead of using standalone functionality. The plugin received a POST request with the responsive-menu-import-theme parameter and file contents in the responsive-menu-import-theme-file parameter on the responsive-menu page.

    elseif(isset($_POST['responsive-menu-import-theme'])):
        $file = $_FILES['responsive-menu-import-theme-file'];
        $theme = isset($file['tmp_name']) && $file['tmp_name'] ? $file['tmp_name'] : null;

        echo $controller->import_theme($theme);

If the responsive-menu-import-theme parameter was sent in a request, it triggered the import_theme function to start a theme import. This involved uploading and extracting the files from the supplied zip archive to the /responsive-menu-themes folder.

    public function import_theme($theme) {
        if($theme):
            WP_Filesystem();
            $upload_folder = wp_upload_dir()['basedir'] . '/responsive-menu-themes';

            $unzipfile = unzip_file($theme, $upload_folder);

            if(is_wp_error($unzipfile)) {
                $alert = ['danger' => $unzipfile->get_error_message()];
            } else {
                $alert = ['success' => 'Responsive Menu Theme Imported Successfully.'];
            }

Though there was a permission check on this functionality that made it so that only administrators could trigger a theme import, there were no nonce checks to verify that a request came from a currently authenticated administrator’s session. This meant that attackers could craft a request and trick an administrator into uploading a zip archive containing malicious PHP files. The attacker could then access those files to achieve remote code execution and further infect the targeted site.

Since this plugin underwent a major overhaul, this is considered a legacy feature. Only sites running versions older than 4.0.0 or running in legacy mode on versions 4.0.0 – 4.0.3 are considered vulnerable.

Description: Cross Site Request Forgery to Setting Modification
Affected Plugin: Responsive Menu
Plugin Slug: responsive-menu
Affected Versions: <= 4.0.3
CVE ID: Pending.
CVSS Score: 5.4 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Fully Patched Version: 4.0.4

In addition to the theme import functionality, the plugin contained the ability to import new settings. The plugin checks for a POST request with the responsive-menu-import parameter and file contents in the responsive-menu-import-file parameter on the responsive-menu page.

    elseif(isset($_POST['responsive-menu-import'])):
        $file = $_FILES['responsive-menu-import-file'];
        $file_options = isset($file['tmp_name']) ? (array) json_decode(file_get_contents($file['tmp_name'])) : null;
        echo $controller->import($file_options);

If the responsive-menu-import parameter was sent in a request, it would trigger the import function to start a settings import from the uploaded responsive-menu-import-file. This would then trigger the updateOptions function to update any of the options set for the plugin stored in the responsive_menu table.

    public function import($imported_options) {
        $errors = [];
        if(!empty($imported_options)):

            $validator = new Validator();
            if($validator->validate($imported_options)):
                try {
                    unset($imported_options['button_click_trigger']);
                    $options = $this->manager->updateOptions($imported_options);
                    $task = new UpdateOptionsTask;
                    $task->run($options, $this->view);
                    $alert = ['success' => 'Responsive Menu Options Imported Successfully.'];

Again, although there was a permission check on this functionality restricting settings import to administrators, there were no nonce checks to verify that a request came from a currently authenticated administrator’s session. This meant that attackers could craft a request and trick an administrator into importing all new settings. These settings could be modified to include malicious JavaScript, therefore allowing an attacker to inject payloads that could aid in further infection of the site.

Since this plugin underwent a major overhaul, this is considered a legacy feature. Only sites running versions older than 4.0.0 or running in legacy mode on versions 4.0.0 – 4.0.3 are considered vulnerable.
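The three flaws above are all missing the same two WordPress checks (a capability check on the admin_post handler, and a nonce check on every import path), plus validation of what the archive contains. The handler below is an added example and not Responsive Menu's own code; it applies those checks to a theme import modelled on rmp_upload_theme. The example_ names, the form action, the upload directory and the allowed extension list are assumptions.

```php
<?php
// Added example, not Responsive Menu's own code. A theme-import handler
// with the checks the advisory describes as missing. Everything prefixed
// "example_" and the allowed extension list are assumptions.

add_action( 'admin_post_example_upload_theme_file', 'example_upload_theme' );

/**
 * Inspect every entry of the archive before extraction. Returns true, or a
 * WP_Error describing the first entry that is rejected.
 */
function example_zip_is_safe( $zip_path, array $allowed_ext ) {
    // Extensions that must never appear in any segment of a filename, so
    // that "shell.php.css" is rejected even though it ends in ".css".
    $blocked = array( 'php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar', 'pl', 'cgi', 'htaccess' );

    $zip = new ZipArchive();
    if ( true !== $zip->open( $zip_path ) ) {
        return new WP_Error( 'bad_zip', 'Archive could not be opened.' );
    }
    for ( $i = 0; $i < $zip->numFiles; $i++ ) {
        $name = $zip->getNameIndex( $i );
        if ( '/' === substr( $name, -1 ) ) {
            continue; // directory entry, nothing to check
        }
        // Entries that would escape the target directory or are absolute paths.
        if ( false !== strpos( $name, '..' ) || 0 === strpos( $name, '/' ) ) {
            $zip->close();
            return new WP_Error( 'bad_entry', 'Unsafe path in archive: ' . $name );
        }
        $segments = array_map( 'strtolower', explode( '.', basename( $name ) ) );
        $final    = end( $segments );
        if ( ! in_array( $final, $allowed_ext, true )
            || count( array_intersect( $segments, $blocked ) ) > 0 ) {
            $zip->close();
            return new WP_Error( 'bad_entry', 'File type not allowed in archive: ' . $name );
        }
    }
    $zip->close();
    return true;
}

/**
 * Hardened counterpart of the vulnerable rmp_upload_theme pattern.
 */
function example_upload_theme() {
    // 1. Capability check. admin_post_* only proves the caller is logged in,
    //    which is why a subscriber could reach the original handler.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. Nonce check. The upload form must render
    //    wp_nonce_field( 'example_upload_theme_file' ); a cross-site request
    //    cannot know this value, so a forged submission dies here.
    check_admin_referer( 'example_upload_theme_file' );

    // 3. Validate the upload itself before any filesystem work.
    if ( empty( $_FILES['file'] ) || UPLOAD_ERR_OK !== $_FILES['file']['error'] ) {
        wp_die( 'No file uploaded.', '', array( 'response' => 400 ) );
    }
    $tmp  = $_FILES['file']['tmp_name'];
    $type = wp_check_filetype( sanitize_file_name( $_FILES['file']['name'] ), array( 'zip' => 'application/zip' ) );
    if ( 'zip' !== $type['ext'] ) {
        wp_die( 'Only .zip archives are accepted.', '', array( 'response' => 400 ) );
    }

    // 4. Allowlist the archive contents: a menu theme needs stylesheets,
    //    settings and images, never server-side code.
    $allowed = array( 'css', 'json', 'png', 'jpg', 'jpeg', 'gif', 'woff', 'woff2' );
    $safe    = example_zip_is_safe( $tmp, $allowed );
    if ( is_wp_error( $safe ) ) {
        wp_die( esc_html( $safe->get_error_message() ), '', array( 'response' => 400 ) );
    }

    // 5. Only now extract, into a directory dedicated to theme assets.
    WP_Filesystem();
    $upload_dir = wp_upload_dir()['basedir'] . '/example-menu/themes/';
    $result     = unzip_file( $tmp, $upload_dir );

    $status = is_wp_error( $result ) ? 'error' : 'success';
    wp_safe_redirect( add_query_arg( 'example_import', $status, admin_url( 'admin.php?page=example-menu' ) ) );
    exit;
}
```

The same check_admin_referer() call, with a matching wp_nonce_field() in the settings form, is what the legacy theme import and settings import were missing; the content allowlist addresses the zip hardening requested in the note at the end of this advisory.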

Disclosure Timeline

  • December 17, 2020 – Conclusion of the plugin analysis that led to the discovery of the three vulnerabilities. We develop firewall rules to protect Wordfence customers and release them to Wordfence Premium users. We make our initial contact attempt via the ExpressTech.io contact form.
  • January 4, 2021 – We make a second contact attempt, this time via the contact form on the Responsive Menu website.
  • January 10, 2021 – We escalate the issue to the WordPress plugins team and provide full details at the time of reporting.
  • January 11, 2021 – We receive a response from the WordPress plugins team and the founder of Responsive Menu. They verify that they will begin working on a fix.
  • January 15, 2021 – Responsive Menu provides us with a copy of the intended patch to test. We verify it is sufficient and request additional security enhancements to be added.
  • January 16, 2021 – Free Wordfence users receive firewall rules.
  • January 18, 2021 – A patched version of the plugin is released as version 4.0.4. We verify again that the vulnerabilities have been patched.

Conclusion

In today’s post, we detailed three flaws in the Responsive Menu plugin that granted attackers the ability to achieve remote code execution through arbitrary file uploads and to change settings. These flaws have been fully patched in version 4.0.4. We recommend that users immediately update to the latest version available, which is version 4.0.4 at the time of this publication.

Wordfence Premium users received firewall rules protecting against this vulnerability on December 17, 2020, while those still using the free version of Wordfence received the same protection on January 16, 2021.

If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected as these are considered critical severity issues that can result in remote code execution.

Note: We have requested that the plugin’s owner add further security hardening to the import of zip files. Though we received confirmation from the plugin owner that they would work on implementing this, it has been nearly a month with no visible progress on this request. Given the severity of the vulnerabilities already patched, we are publishing this advisory now so that site owners can update and protect their sites. We consider the remaining issue of significantly lower impact, as it would only affect very rare WordPress installations. We anticipate that they will soon resolve this issue, and we will update this post when completed.

The post Multiple Vulnerabilities Patched in Responsive Menu Plugin appeared first on Wordfence.

Severe Vulnerabilities Patched in NextGen Gallery Affect over 800,000 WordPress Sites

On December 14, 2020, the Wordfence Threat Intelligence team finished researching two Cross-Site Request Forgery (CSRF) vulnerabilities in NextGen Gallery, a WordPress plugin with over 800,000 installations, including a critical severity vulnerability that could lead to Remote Code Execution (RCE) and Stored Cross-Site Scripting (XSS). Exploitation of these vulnerabilities could lead to a site takeover, malicious redirects, spam injection, phishing, and much more.

We initially reached out to the plugin’s publisher, Imagely, the same day, and provided full disclosure the next day, on December 15, 2020. Imagely sent us patches for review on December 16, and published the patched version, 3.5.0, on December 17, 2020.

Wordfence Premium users received firewall rules protecting against these vulnerabilities on December 14, 2020. Sites still running the free version of Wordfence received these rules 30 days later, on January 13, 2021.

Description: Cross-Site Request Forgery (CSRF) leading to XSS and RCE via file upload and LFI
Affected Plugin: WordPress Gallery Plugin – NextGEN Gallery
Plugin Slug: nextgen-gallery
Affected Versions: < 3.5.0
CVE ID: CVE-2020-35942
CVSS Score: 9.6 (CRITICAL)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Fully Patched Version: 3.5.0

NextGEN Gallery is a popular WordPress plugin designed to create highly responsive image galleries. It is clear the plugin’s developer took care to integrate security in the code of the plugin. NextGen Gallery has a single security function, is_authorized_request, that is used to protect most of its settings:

    function is_authorized_request($privilege = NULL)
    {
        $retval = TRUE;
        if (!$privilege) {
            $privilege = $this->object->get_required_permission();
        }
        // Ensure that the user has permission to access this page
        if (!M_Security::is_allowed($privilege)) {
            $retval = FALSE;
        }
        // Ensure that nonce is valid
        if ($this->object->is_post_request() && (isset($_REQUEST['nonce']) && !M_Security::verify_nonce($_REQUEST['nonce'], $privilege))) {
            $retval = FALSE;
        }
        return $retval;
    }

This function integrated both a capability check and a nonce check into a single function for easier application throughout the plugin. Unfortunately, a logic flaw in the is_authorized_request function meant that the nonce check would allow requests to proceed if the $_REQUEST['nonce'] parameter was missing entirely; only a nonce that was present but invalid was rejected.

This opened up a number of opportunities for attackers to exploit via Cross-Site Request Forgery. One feature of NextGen Gallery is the ability for administrators to upload custom CSS files to be used to style galleries. While the uploaded file had to end with the .css extension, it was possible to upload arbitrary code with double extensions (e.g., file.php.css). While these files would only be executable on certain configurations, such as Apache/mod_php with an AddHandler directive, this could still result in remote code execution on any vulnerable configurations.

Unfortunately, it was also possible to achieve code execution even on configurations not vulnerable to double extensions. NextGen Gallery has a separate feature that allows users to specify how galleries are viewed via a “Legacy Templates” feature, which also uses the is_authorized_request function for security. Thus, it was possible to set various album types to use a template with the absolute path of the file uploaded in the previous step, or perform a directory traversal attack using the relative path of the uploaded file, regardless of that file’s extension, through a CSRF attack.

This would result in Local File Inclusion (LFI) and Remote Code Execution (RCE), as the uploaded file would then be included and executed whenever the selected album type was viewed on the site. Any JavaScript included in the uploaded file would also be executed, resulting in Cross-Site Scripting (XSS).

As a reminder, once an attacker achieves Remote Code Execution on a website, they have effectively taken over that site. XSS can likewise be used to take over a site if a logged-in administrator visits a page running a malicious injected script.

This attack would likely require some degree of social engineering, as an attacker would have to trick an administrator into clicking a link that submitted crafted requests to perform these actions. Additionally, performing these actions would require 2 separate requests, though this would be trivial to implement and we were able to do so during our testing. Finally, the site would require at least one album to be published and accessible to the attacker.

Description: Cross-Site Request Forgery (CSRF) leading to file upload
Affected Plugin: WordPress Gallery Plugin – NextGEN Gallery
Plugin Slug: nextgen-gallery
Affected Versions: < 3.5.0
CVE ID: CVE-2020-35943
CVSS Score: 8.8 (HIGH)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Fully Patched Version: 3.5.0

NextGen Gallery also used a separate security function, validate_ajax_request, for various AJAX actions including those used to upload images:

    function validate_ajax_request($action = NULL, $token = false)
    {
        if ($token === TRUE) {
            $token = isset($_REQUEST['nonce']) ? $_REQUEST['nonce'] : FALSE;
        }
        // TODO: Remove !$action condition. Necessary for Proofing at the moment
        return (!$action || M_Security::is_allowed($action)) && (!$token || M_Security::verify_nonce($token, $action));
    }

This function had a similar logic flaw: when called with $token set to TRUE, it would allow requests to proceed if the $_REQUEST['nonce'] parameter was missing entirely, and only rejected a nonce that was present but invalid.

This made it possible to trick an administrator into submitting a request crafted to upload an arbitrary image file. While the uploaded file had to be a valid image file, it is possible to hide a webshell or other executable PHP code within such an image file.

This could also be combined with the previous vulnerability, and the image file could be set as a “Legacy Template”, at which point it would be included and the code within would be executed. Again, this would require some degree of social engineering, as an attacker would have to trick an administrator into clicking a link that resulted in these requests being sent.
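The missing-nonce flaw shared by is_authorized_request and validate_ajax_request comes down to one conditional. The functions below are an added example, not NextGEN Gallery's code: the first keeps the shape of the flawed check, the second and third are the corrected forms built on WordPress core's wp_verify_nonce() and check_ajax_referer(). The example_ names and the capability strings are assumptions.

```php
<?php
// Added example, not NextGEN Gallery's own code. The first function keeps
// the shape of the flawed check from the advisory, the second is the
// corrected form; both take the request array explicitly so the two can be
// compared side by side. "example_" names and capability strings are assumptions.

/**
 * FLAWED: the nonce is only compared when the parameter is present, so a
 * forged POST that simply omits "nonce" is treated as authorized.
 */
function example_authorized_flawed( array $request, $privilege, $is_post ) {
    $retval = true;
    if ( ! current_user_can( $privilege ) ) {
        $retval = false;
    }
    // The isset() guard is the bug: a missing nonce short-circuits to "valid".
    if ( $is_post && ( isset( $request['nonce'] ) && ! wp_verify_nonce( $request['nonce'], $privilege ) ) ) {
        $retval = false;
    }
    return $retval;
}

/**
 * FIXED: a state-changing request must carry a nonce that verifies; a
 * missing value is handled exactly like an invalid one.
 */
function example_authorized_fixed( array $request, $privilege, $is_post ) {
    if ( ! current_user_can( $privilege ) ) {
        return false;
    }
    if ( $is_post ) {
        $nonce = isset( $request['nonce'] ) ? (string) $request['nonce'] : '';
        // wp_verify_nonce() returns false for an empty or forged value.
        if ( false === wp_verify_nonce( $nonce, $privilege ) ) {
            return false;
        }
    }
    return true;
}

/**
 * Same correction for the AJAX path. check_ajax_referer() with $die = false
 * returns false for a missing OR invalid nonce instead of skipping the
 * check, so it cannot be bypassed by leaving the parameter out.
 */
function example_validate_ajax_fixed( $action ) {
    if ( ! current_user_can( $action ) ) {
        return false;
    }
    return false !== check_ajax_referer( $action, 'nonce', false );
}
```

For a logged-in administrator whose browser is made to send a POST with no nonce parameter, example_authorized_flawed returns true and example_authorized_fixed returns false; that difference is the whole CSRF exposure described above.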

Timeline

  • December 14, 2020 – The Wordfence Threat Intelligence team finishes researching vulnerabilities in NextGen Gallery. We deploy firewall rules and reach out to Imagely.
  • December 15, 2020 – Imagely replies and we provide full disclosure.
  • December 16, 2020 – Imagely sends us a patched version of the plugin to review.
  • December 17, 2020 – A patched version of NextGen Gallery is made available to the public.
  • January 13, 2021 – Sites running the free version of Wordfence receive firewall rules.

Conclusion

In today’s post, we covered two vulnerabilities in NextGen Gallery, including a Critical Severity Cross-Site Request Forgery (CSRF) that could be used to take over a site via Remote Code Execution (RCE). These vulnerabilities have been fully patched in version 3.5.0, and we strongly recommend that site owners immediately update to the latest version available at this time, which is 3.5.0.

Wordfence Premium users received firewall rules protecting against these vulnerabilities on December 14, 2020. Sites still running the free version of Wordfence received these rules on January 13, 2021.

If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected as these are critical and high severity vulnerabilities that can lead to full site takeover.

Special thanks to Threat Analyst Chloe Chamberland, who helped analyze this vulnerability, as well as to the plugin’s publisher, Imagely, for their fast and professional response.

The post Severe Vulnerabilities Patched in NextGen Gallery Affect over 800,000 WordPress Sites appeared first on Wordfence.
