Episode 107: Two Plugin Vulnerabilities Target File Upload Capabilities

The Wordfence Threat intelligence team finds vulnerabilities in two plugins, the User Profile Picture plugin and the WooCommerce Upload Files plugin. WordPress 5.7 is set to release on Tuesday, March 9 with numerous enhancements for the block editor, a new robots.txt API, and a stay of execution on jQuery-migrate. A zero day affecting Microsoft Exchange Server allows attackers to steal emails. And Brave buys a search engine to add to their growing privacy-oriented portfolio.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:15 Defiant is hiring, we have great benefits!
1:58 Medium Severity Vulnerability Patched in User Profile Picture Plugin
3:48 Critical Vulnerability Patched in WooCommerce Upload Files
5:51 WordPress 5.7 to be released March 9; Wordfence Live livestream
9:50 Microsoft fixes actively exploited Exchange zero-day bug
10:55 Brave buys a search engine

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

Episode 107 Transcript

Ram:
Welcome to Think Like a Hacker, the podcast about WordPress, security, and innovation. I am Ram Gall, Threat Analyst at Wordfence, and with me is Director of Marketing, Kathy Zant. Kathy, how are things?

Kathy:
Things are well, Ram. Things are very well. Hey, did you hear we’re hiring?

Ram:
I did hear we’re hiring. We’re hiring for a sec ops role. So, if you know AWS and like securing infrastructure, apply. We’re also hiring two senior PHP developers and a senior researcher to do website performance research using our Fast or Slow tool. And if you are not thinking of applying, but know someone who might, a $500 gift card could be yours if you refer a successful candidate. We actually added a cool new benefit where we now get the entire week between Christmas and New Year’s off.

Kathy:
You’re way too excited about that for March, because we’ve got so many months for that week off. But it’s coming, it’s coming and-

Ram:
It is, and there’s a reason I mentioned it. I’m leading into something, okay, Kathy?

Kathy:
Yeah.

Ram:
I’m leading into something.

Kathy:
Teasing something. Well, our benefits here at Defiant, the maker of Wordfence, are exceptional. We will put a link to our benefits in the show notes, and that will either encourage you to apply or make you incredibly jealous. We are very well taken care of by this organization. We work hard and we are cared for in that work. Not only do we get ample time off, we get tuition reimbursement, security certification, study time, as well as paying for those certifications, and some great health benefits for wellness, things that I personally enjoy, as well as all the standard great benefits. So, we’ll leave you those in the show notes, if you’d like to go over them. And if you know somebody who can help us out in these four roles that we have open, definitely send them our way. Again, $500 gift card for a successful candidate.

Let’s jump into our first story. What do we have, Ram? We’ve got a medium severity vulnerability in the User Profile Picture plugin. What do you know?

Ram:
Yeah. So, this was one of Chloe’s finds. It’s a plugin that lets users upload profile pictures, which you’d think that’d be safe. And it has 60,000 installs, so it’s not a small plugin. Anyways, turns out that any user that was allowed to upload a profile picture could access a rest API end point, and do stuff like usernames, email addresses, and password hashes of every single user on the WordPress site.

Kathy:
Oh, wow. Yeah, whenever I see upload with a plugin, it makes me a little bit nervous. Now we have a firewall rule in place for premium customers at this time?

Ram:
Yep. We do, in fact, have a firewall rule in place for premium customers, and that should become available to free users 30 days afterwards.

Kathy:
It looks like March 17th.

Ram:
Yep. There is a caveat here. Only authors by default or higher level user roles can exploit this. So, the plugin developers actually promoted their other plugin by saying, “Hey, you should check out our other plugin that you can use to give other users this upload files capability, if you want to.”

Kathy:
Oh, wow.

Ram:
So, it’s like, hey, why don’t you make your site less secure?

Kathy:
But they fixed this in the-

Ram:
They did fix it, so I shouldn’t be too mean to them. They did seem to have a pretty good response on this.

Kathy:
Yeah. It’s always good when we have plugin developers that are very responsive to our inquiries when we have an issue with a plugin. So, this is all patched up. Make sure you update to the latest, fully patched version, which is 2.5.0. And we also have another vulnerability. You found this one, didn’t you, Ram?

Ram:
This one is a story. So, on December 29th, during that holiday break, we actually do have, did have a holiday break last year, but I volunteered to keep an eye out for any vulnerabilities. We got alerted to a potential zero day in WooCommerce Upload Files, which is not actually WooCommerce, but it’s a separate add-on plugin that you can use to upload files. Say you want to buy a shirt with a custom logo on it, or a mug with a picture of your kid on it, that kind of thing. Anyways, we got alerted to a potential zero day. I took a look at it, found out that, hey, yes, there is a vulnerability that lets me upload PHP shells and achieve remote code execution. So, yeah, it was critical. So, we got in touch with the plugin’s author, got him to fix it, and got a firewall rule out all the same day. So, Wordfence threat intelligence never sleeps. Okay. We do sleep, but we still will usually get stuff taken care of, even if it’s over the holidays.

Kathy:
Yeah. Okay. So, this affected 5,000, well, there’s about 5,000 sites that use this particular plugin. And this doesn’t look like it’s available on the repo. Are people buying this one?

Ram:
Yeah. This one is an Envato Market CodeCanyon premium plugin.

Kathy:
Okay. And it has that word in the title, upload. That always makes me nervous.

Ram:
It does. I got to say that the plugin developer was really helpful. Even though it was, as we said, at a time when a lot of people are having holiday hours, he’s still got it fixed within a matter of hours.

Kathy:
Right. Yeah. I’m looking at the timeline on your post, and it looks like you contacted early in the morning, and then by the end of the day, everything was set.

Ram:
Yeah. We even got the roll out by the end of the day. We had to do some fairly extensive testing on it, because well, pretty much any time we release a firewall rule, we do have to do testing on it, but we got everything pretty much set by end of day.

Kathy:
Gotcha. And it looks like free users of the Wordfence plugin received a firewall rule January 28th?

Ram:
January 28th. Yeah.

Kathy:
Great. Okay, excellent. What do we have next?

Ram:
Well, I hear there are a bunch of upcoming features in the WordPress 5.7 release, which is due on March 9th.

Kathy:
Hey, wow. That’s Tuesday. That’s coming up pretty quick.

Ram:
That is.

Kathy:
Awesome.

Ram:
We will cover it in a livestream.

Kathy:
That makes sense. Stay tuned. Just head over to our YouTube channel and you’ll get a notification of our weekly livestream. We cover everything from WordPress, to security, to the latest in WordPress releases, and what you can expect, and just make things very easy for you to transition into a new WordPress version. But there’s a lot of cool things coming. In terms of security, the number one thing that’s coming, and we talked about this on a previous episode, but let’s revisit it. It looks like WordPress 5.7 is offering a one-click HTTP to HTTPS site upgrade feature. What do you know about this, Ram?

Ram:
Just that this is going to make life easier for so many WordPress users. So, there are a few third party plugins that do offer some degree of functionality for this. But one thing I’ve seen a lot is people will install several of these plugins because each one of them might cover a different aspect of that process. And then they have conflicts, and you’ll see things like redirect loops happen. So, having it built into core is really nice, and not having to manually update the database by running a search and replace query.

Kathy:
And then it logs you out, and then you have redirects. Yeah. I’ve been through that pain. Anybody who’s been through that pain has battle scars. So, this’ll be really nice going forward. If you don’t get your HTTPS, your SSL certificate installed before you launch, and then have to go through the process of upgrading to HTTPS later, this’ll make things, actually, a lot easier.

But there’s a number of other cool things coming with WordPress 5.7, and it looks like a lot of these are associated with the block editor. Looks like drag and drop blocks are happening. Full height blocks are coming. Block variations will get their own descriptions, that will make it a little bit easier for understanding what block you created in the past, and you go back and revisit it and try to figure out what’s going on there. So, there’s a number of things happening there. And then we also talked previously about admins being able to send passwords to users. Why don’t we revisit that a little bit?

Ram:
One of the main differences in behavior is that in the past, the only way you’d get a password reset is if you requested a password reset, or if someone who knew your email requested a password reset from the front of site, which means that, if you got a password reset and you didn’t ask for it, that means someone’s trying to get into your account. The main difference now is that admins can legitimately send you a password reset, even if you’re not sure how to do it yourself, which could be useful and could make life easier, especially for sites that have custom login pages or something like that.

Ram:
It does open up a very slight possibility of social engineering, but again, that’s going to be the case with any added functionality that allows access. I don’t expect to see too many problems with it. Oh, the other thing that I wanted to bring up is that WordPress had originally planned to completely get rid of the old jQuery and jQuery-migrate by 5.7, and just finish up that process, which we’ve also discussed in previous podcasts. It looks like there’s a bit of a stay of execution on that. So, you have a little more time.

Kathy:
Excellent. That’s good to know. And it looks like there’s a new robots.txt API.

Ram:
Oh, yes. That’s going to allow developers to programmatically control and update the robots meta tag on a website, which could be really useful if you don’t want search engine spam from people running malicious searches on your site.

Kathy:
Right. Yeah. So, that’ll be very, very helpful. So, lots of good stuff coming with WordPress 5.7, and we will have more on that once it’s released. But let’s jump into some security news. It looks like Microsoft is fixing an actively exploited zero day on Exchange Server. What’s going on?

Ram:
So, this was an out-of-band update, which is what made me catch, what caught my attention is they didn’t run it on any of their usual patch days. So, there’s basically four zero days in the on-premises version of Microsoft Exchange, which is basically Microsoft’s email system. A lot of companies have on-premises servers running Exchange to handle their email. Anyways, these zero days were found being chained together to steal companies’ emails and plant malware to gain further access. So, Microsoft is seeing what they’re calling limited targeted attacks in the wild. So, this means that companies that have on-premises Exchange servers are being actively exploited. So, if your company does have an on-premise Exchange server, please update.

Kathy:
Okay. Yeah. That’s big news, and big, scary news. It doesn’t necessarily affect WordPress, but a lot of our listeners are in the realm of running all kinds of enterprise types of situations, and WordPress in the enterprise, so definitely something to be aware of.

And now we have a story about Brave. Brave is what? What is Brave exactly?

Ram:
Brave is effectively a browser, at least they started out as a browser, that offers an alternative to traditional advertising revenue using what they call attention tokens, which run on a blockchain, which I know is your favorite, Kathy.

Kathy:
Yeah. Blockchains. I think blockchains are really fascinating, and Brave is-

Ram:
Brave is my favorite mobile browser. I got to say that.

Kathy:
It is one of my favorite mobile browsers as well. In fact, I think I probably use Brave more than anything else. I’m most interested in Brave, the basic attention token, as a disruptive technology. And basically what they set out to do is disrupt advertising online. And I know anyone who’s listening to this podcast, who has visited any website with advertising on it, without an ad blocker, is annoyed by that advertising. It’s ridiculous sometimes. It’ll take over your scrolling. It’ll take over your screen. You’re reading something and there’s a pop-up and it’s asking you to buy something you’re not interested in. And so, I’m interested in disrupting that and creating a better experience for the web. I think a lot of us are. And so, that’s what they’re attempting to do with this basic attention token. You as a site visitor hold basic attention tokens in your browser, and then if the site that you’re visiting, or the Twitter user, or the Reddit user, or the YouTube channel, any content creator can get paid in that basic attention token directly.

Kathy:
So, it cuts out that middleman of advertising, and basically puts end users and content creators in touch using this browser. So, I think it’s very interesting. And now they just came out, this news came out on Wednesday, March 3rd, that Brave has now purchased Tailcat, which was a search engine developed by Cliqz, which was a privacy-focused browser business that aspired to compete with Google. And they shut down last year, but they have a search component. And so, Brave has purchased this, this thing called Tailcat, and that’s going to be Brave Search now. So, that’s going to basically add to their portfolio with Brave Ads, and Brave Today, Brave Firewall and VPN, and a video conferencing system that is called Brave Together. So, they’re doing a lot.

Ram:
It sounds like they are becoming a force to be reckoned with. Also, it just occurred to me how similar the Brave attention token is to the Dogecoin tipbot. Do you remember the Dogecoin tipbot?

Kathy:
Yes. Exactly.

Ram:
Back in the day, I tipped a currently non-negligible amount of Doge. I tipped what would be worth quite a lot of Doge today.

Kathy:
Oh, my gosh. Not as bad as the Bitcoin pizza though, right?

Ram:
Not as bad as the Bitcoin pizza, but.

Kathy:
Yeah. This whole cryptocurrency and blockchain world is fascinating to me. It seems to be-

Ram:
The future is weird.

Kathy:
The future is weird, and the future seems to be on blockchains. So, I find it very fascinating. Brave is definitely something to watch. If you’re not using the Brave browser, I would definitely check it out, and check out everything that Brave is doing. It looks like they, actually, the CEO of Brave is Brendan Eich. Do you know who he is known most for?

Ram:
I have no idea. I haven’t been following it.

Kathy:
He created JavaScript.

Ram:
Wait, what?

Kathy:
Wait, what?

Ram:
Oh, he’s that guy.

Kathy:
He’s that guy.

Ram:
Oh, now I have a beef with him.

Kathy:
I think the world of developers has a beef with him.

Ram:
Maybe he’s trying to make up for everything he did in his past as the developer of JavaScript.

Kathy:
Yeah. Could be. Anyway, Brave is definitely one to watch, hoping to make the worldwide web a better place. So, we will be back again next week with more fun news in WordPress security and innovation. And we will see you on Tuesday for Wordfence Live over on YouTube.

Ram:
Yep. I will see you then.

Kathy:
Bye.

Ram:
Bye.

You can find Wordfence on Twitter, Facebook, Instagram. You can also find us on YouTube, where we have our weekly Wordfence Live on Tuesdays at noon Eastern, 9:00 AM Pacific.

The post Episode 107: Two Plugin Vulnerabilities Target File Upload Capabilities appeared first on Wordfence.

Critical Vulnerability Patched in WooCommerce Upload Files

On December 29, 2020, the Wordfence Threat Intelligence team was alerted to a potential 0-day vulnerability in the WooCommerce Upload Files plugin, an add-on for WooCommerce with over 5,000 installations.

Please note that this is a separate plugin from the main WooCommerce plugin and is designed as an add-on to that plugin.

After confirming the vulnerability, we contacted the plugin’s developer, Domenico Lagudi, who responded quickly and released a patch the same day, on December 29, 2020.

Although the Wordfence firewall’s built-in rules provided some degree of protection against this vulnerability, we determined that a bypass was possible. We quickly released a firewall rule to our premium customers on December 29, 2020. Sites still running the free version of Wordfence received the firewall rule 30 days later, on January 28, 2021.

Description: Unauthenticated Arbitrary File Upload
Affected Plugin: WooCommerce Upload Files
Plugin Slug: woocommerce-upload-files
Affected Versions: < 59.4
CVE ID: CVE-2021-24171
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Fully Patched Version: 59.4

WooCommerce Upload Files is a premium plugin designed to allow customers to upload files when checking out in order to purchase customized products. In order to provide this functionality, it uses a publicly accessible AJAX function, ajax_manage_file_chunk_upload.

	function ajax_manage_file_chunk_upload()
	{
		global $wcuf_session_model;

		if(!isset($_POST['wcuf_upload_field_name']))
			wp_die();

		$this->saving_on_session = true;
		$buffer = 5242880; //1048576; //1mb
		$target_path = $this->get_temp_dir_path();
		$tmp_name = $_FILES['wcuf_file_chunk']['tmp_name'];
		$size = $_FILES['wcuf_file_chunk']['size'];
		$current_chunk_num = $_POST['wcuf_current_chunk_num'];
		// Blocked substrings are stripped in a single pass; the result is never re-checked.
		$file_name = str_replace($this->to_remove_from_file_name, "", $_POST['wcuf_file_name']);
		// The session id is prepended without any sanitization, so it can carry path segments.
		$tmp_file_name = $_POST['wcuf_current_upload_session_id']."_".$file_name;
		$upload_field_name = str_replace($this->to_remove_from_file_name, "", $_POST['wcuf_upload_field_name']);
		$wcuf_is_last_chunk = $_POST['wcuf_is_last_chunk'] == 'true' ? true : false;

		// The chunk is appended to whatever path the two parameters above produced.
		$com = fopen($target_path.$tmp_file_name, "ab");
		$in = fopen($tmp_name, "rb");
		if ( $in )
			while ( $buff = fread( $in, $buffer ) )
				fwrite($com, $buff);

		fclose($in);
		fclose($com);

		wp_die();
	}

File names were based on a combination of an optional wcuf_current_upload_session_id parameter and the wcuf_file_name parameter. While the function did attempt to prevent the upload of files with executable extensions, it did so by checking the filename supplied in the wcuf_file_name parameter against a list of dangerous extensions and then removing the extension from the filename rather than blocking the request.

	var $to_remove_from_file_name = array(".php", "../", ".jsp", ".vbs", ".exe", ".bat", ".php5", ".pht", ".phtml", 
										  ".shtml", ".asa", ".cer", ".asax", ".swf", ".xap", ";", ".asp", ".aspx",
										  "*", "<", ">", "::");

For instance, uploading a file with a wcuf_current_upload_session_id parameter set to session1 and the wcuf_file_name parameter set to shell.php would result in the actual file uploaded being named session1_shell as the .php extension would be removed. The function only ran the sanitization process a single time, so it could be bypassed by sending a filename containing a blocked extension hidden inside another blocked extension. For example, if an attacker uploaded a file with the wcuf_current_upload_session_id parameter set to session1 and the wcuf_file_name set to shell.p.phphp, the middle .php would be removed, leaving the final file name as session1_shell.php.

Unfortunately, the wcuf_current_upload_session_id parameter was also not sufficiently sanitized and was vulnerable to directory traversal. For instance, if a request was sent with the wcuf_current_upload_session_id parameter set to ../../../../file and the wcuf_file_name set to info.p.phphp, the resulting file would be named file_info.php and would end up in the webroot.

This also meant that a double extension attack was possible. For instance, setting the wcuf_file_name parameter to test and the wcuf_current_upload_session_id parameter to info.php. would result in a filename of info.php._test which would be executable in Apache environments that use an AddHandler directive for PHP files.

Regardless of the method used, an attacker able to upload an executable PHP file to a website using this method would be able to infect and completely take over that website, as well as any other sites on the same hosting account.

Be Careful With Input Sanitization

As more WordPress developers focus on security, simple vulnerabilities are becoming less common. While most developers are aware of the importance of sanitizing input, it’s also important to use the right functions for the right input; otherwise sanitization can actually be used to bypass security functionality. It’s important to understand the kind of input a function is expecting and the dangers it can pose. For example, a function designed to sanitize input to be used in a database query might not offer sufficient protection against Cross-Site Scripting (XSS), while a function designed to remove scripting tags might not offer protection against SQL Injection (SQLi). As a general rule, it’s better to block malicious input entirely than to try to clean it up with the wrong function.
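To make the “block, don’t clean” rule concrete, here is an added Python example. It is not the plugin’s code and not Wordfence’s; it is a model of the PHP logic shown earlier in this advisory. The first function reproduces the single-pass str_replace behaviour on the three filenames discussed above. The second rejects the request unless the session id matches a strict token pattern and the filename is a dot-free stem plus an allowlisted extension, and a third function confirms the final path still resolves inside the upload directory. The upload directory path, the allowed-extension set and the character classes are assumptions made for this example.

```python
"""Model of the filename handling in the vulnerable ajax_manage_file_chunk_upload
handler, next to a validator that rejects bad input instead of cleaning it."""
import posixpath
import re
from typing import Optional

# Blocklist copied from the plugin's $to_remove_from_file_name.
TO_REMOVE = [".php", "../", ".jsp", ".vbs", ".exe", ".bat", ".php5", ".pht", ".phtml",
             ".shtml", ".asa", ".cer", ".asax", ".swf", ".xap", ";", ".asp", ".aspx",
             "*", "<", ">", "::"]

# Constructed upload directory, used only by the containment check.
TEMP_DIR = "/var/www/html/wp-content/uploads/wcuf_tmp"


def vulnerable_target_name(session_id: str, file_name: str) -> str:
    """Models the original: one sequential pass over file_name, as PHP's
    str_replace with an array does, and session_id concatenated unchecked."""
    for bad in TO_REMOVE:
        file_name = file_name.replace(bad, "")
    return session_id + "_" + file_name


# Extensions the shop actually expects (assumption for this example).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}
SESSION_ID_RE = re.compile(r"[A-Za-z0-9]{1,64}")          # opaque token only
STEM_RE = re.compile(r"[A-Za-z0-9_-]{1,100}")             # no dots, slashes, metacharacters


def safe_target_name(session_id: str, file_name: str) -> Optional[str]:
    """Validate both inputs and return the final name, or None to reject the
    request (the PHP equivalent would call wp_die()). Nothing is stripped, so
    a blocked token can never be reassembled from the remainder."""
    if not SESSION_ID_RE.fullmatch(session_id):
        return None
    stem, sep, ext = file_name.rpartition(".")
    if not sep or not STEM_RE.fullmatch(stem):
        return None            # no extension, a dotted stem, or odd characters
    if ext.lower() not in ALLOWED_EXTENSIONS:
        return None            # allowlist the extension, never blocklist it
    return f"{session_id}_{stem}.{ext.lower()}"


def stays_in_directory(base_dir: str, name: str) -> bool:
    """Defence in depth: refuse any name whose resolved path leaves base_dir."""
    full = posixpath.normpath(posixpath.join(base_dir, name))
    return full != base_dir and posixpath.commonpath([base_dir, full]) == base_dir


if __name__ == "__main__":
    for sid, fname in [("session1", "shell.p.phphp"), ("session1", "photo.JPG")]:
        print(fname, "->", vulnerable_target_name(sid, fname), "|", safe_target_name(sid, fname))
```

Both checks in the hardened path are independent of each other on purpose: the validator makes traversal impossible by construction, and the containment check catches any future change to how the name is built.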

Timeline

December 29, 2020
08:25 MST – Wordfence Threat Intelligence becomes aware of a potential 0-day in the WooCommerce Upload Files plugin.
09:09 MST – We find the vulnerable code and develop a proof of concept exploit.
09:48 MST – We write a firewall rule to block the exploit and begin testing.
10:36 MST – We initiate contact with the plugin developer.
11:10 MST – The plugin developer responds, and we provide full disclosure.
13:33 MST – The plugin developer releases a patched version.
18:09 MST – Our firewall rule passes final tests and is released to Wordfence Premium customers.

January 28, 2021
The firewall rule becomes available to free Wordfence users.

Conclusion

In today’s article, we detailed a critical 0-day vulnerability in the WooCommerce Upload Files plugin that would have allowed attackers to infect and completely take over a website. This vulnerability has been patched in version 59.4, and we recommend that all users update to the latest version of the plugin as soon as possible, which is 60.1 at the time of this writing.

Wordfence Premium users have been protected against this vulnerability since December 29, 2020, while sites still running the free version of Wordfence received the same protection on January 28, 2021.

If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected as this is a critical severity issue that can result in remote code execution and site takeover.

Special thanks to plugin developer Domenico Lagudi for an extremely rapid response and to Threat Analyst Greg Bloom for his assistance getting a firewall rule deployed during holiday hours.

The post Critical Vulnerability Patched in WooCommerce Upload Files appeared first on Wordfence.

Trojan Spyware and BEC Attacks

When it comes to an organization’s security, business email compromise (BEC) attacks are a big problem. One primary reason impacts are so significant is that attacks often use a human victim to authorize a fraudulent transaction to bypass existing security controls that would normally be used to prevent fraud. Another reason is that social engineering lures may be expertly crafted by the attacker after they have been monitoring a victim’s activity for some time, resulting in more effective phishing campaigns with serious security implications.

Continue reading Trojan Spyware and BEC Attacks at Sucuri Blog.

Medium Severity Vulnerability Patched in User Profile Picture Plugin

On February 15, 2021, our Threat Intelligence team initiated the responsible disclosure process for a vulnerability that we discovered in User Profile Picture, a WordPress plugin installed on over 60,000 sites. The vulnerability made it possible for authenticated users with the upload_files capability to obtain sensitive user information.

We initially reached out to Cozmoslabs, the plugin’s vendor, on February 15, 2021 through their contact form. On February 17, 2021 Cozmoslabs confirmed the inbox for handling discussion and we sent over the full disclosure details. Just a day later we received a response from the plugin’s original developer along with a proposed patch for us to test. We confirmed the patch was adequate and provided an additional security recommendation. They released the patch the same day on February 18, 2021. We highly recommend updating to the fully patched version, 2.5.0, immediately.

Wordfence Premium users received a firewall rule to protect against any exploit attempts targeting this vulnerability on February 15, 2021. Sites still using the free version of Wordfence will receive the same protection on March 17, 2021.

Description: Sensitive Information Disclosure
Affected Plugin: User Profile Picture
Plugin Slug: metronet-profile-picture
Affected Versions: <= 2.4.0
CVE ID: CVE-2021-24170
CVSS Score: 6.5 (Medium)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Fully Patched Version: 2.5.0

User Profile Picture is a plugin designed to allow site owners to upload profile pictures for individual users. By default, WordPress will set a user’s profile picture to the associated Gravatar, if present, for any given email. This plugin makes it so that user profile pictures can be customized and can override the Gravatar associated with an email address.

One feature the plugin offered was the ability to add user profiles to a post using a Gutenberg block. When adding the block to a post, the plugin made a request for user data to retrieve each user’s profile picture and username, for users with access to the Gutenberg editor, in order to add the information to the block. To retrieve this information, the plugin registered the REST API route /mpp/v2/get_users tied to the rest_api_get_users function.

	register_rest_route(
		'mpp/v2',
		'/get_users',
		array(
			'methods'             => 'POST',
			'callback'            => array( $this, 'rest_api_get_users' ),
			// Restricts the route to users with the upload_files capability (see below).
			'permission_callback' => array( $this, 'rest_get_users_permissions_callback' ),
		)
	);

Unfortunately, this REST API endpoint returned more information than was required for its functionality. This included password hashes, hashed user activation keys, usernames, emails, and other less sensitive information.

A look at the User Profile Picture exploit.

The REST API endpoint did have a permissions callback preventing users from accessing it unless they had the upload_files capability. By default this would only be available to users in the author role and above. However, the User Profile Picture plugin page promotes a separate plugin, Profile Builder, by the same developers, noting that it can be used to allow other roles to upload images. By doing so, a site owner would make it possible for users and roles that do not have the upload_files capability by default to upload their own profile photos. It is likely that a number of site owners have granted this capability to lower-level users.

In a normal configuration, all authors and editors could retrieve this sensitive information. In addition, any sites where the upload_files capability had been granted to lower-privileged users could be exploited by those users to retrieve this information as well.

If an attacker were able to crack a password or user activation key, then they could potentially log into the vulnerable WordPress site and effectively take it over. However, it should be noted that WordPress passwords and user activation keys are salted and hashed with strong cryptography and, therefore, would be very hard to crack for further use, especially if strong passwords are being used.
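As an added example, not code from the plugin or from Wordfence, the following Python models a REST callback that enforces the capability check and returns only the fields the block renders, together with a small regression check that walks any response body and reports wp_users columns that should never leave the server. The column names user_login, user_pass, user_email and user_activation_key are WordPress’s own; the sample rows, the avatar_url field and the function names are constructed for this example.

```python
"""Model of a least-disclosure REST callback plus a response-leak check."""
from typing import Any, Dict, List, Set, Tuple

# Constructed rows shaped like the wp_users table (avatar_url added for the block).
USERS: List[Dict[str, Any]] = [
    {"ID": 1, "user_login": "admin", "user_pass": "$P$Bconstructedhash1",
     "user_email": "admin@example.com", "user_activation_key": "",
     "display_name": "Site Admin", "avatar_url": "https://example.com/a.png"},
    {"ID": 2, "user_login": "author1", "user_pass": "$P$Bconstructedhash2",
     "user_email": "author1@example.com", "user_activation_key": "1600000000:constructed",
     "display_name": "Author One", "avatar_url": "https://example.com/b.png"},
]

# Columns that must never appear in a REST response, regardless of caller role.
SENSITIVE_FIELDS = {"user_pass", "user_activation_key", "user_email"}
# Exactly what the Gutenberg block needs: an id, the username and the picture.
BLOCK_FIELDS = ("ID", "user_login", "avatar_url")


def permission_callback(caps: Set[str]) -> bool:
    """Mirrors a permission_callback requiring the upload_files capability."""
    return "upload_files" in caps


def rest_api_get_users(caps: Set[str], users: List[Dict[str, Any]] = USERS) -> Tuple[int, Any]:
    """Returns (HTTP status, body). The body is a projection of each row,
    never the raw row, so adding a column to wp_users cannot widen the leak."""
    if not permission_callback(caps):
        return 403, {"code": "rest_forbidden"}
    return 200, [{field: row[field] for field in BLOCK_FIELDS} for row in users]


def leaks_sensitive_fields(body: Any) -> Set[str]:
    """Walk a JSON-like body (dicts/lists) and collect any sensitive keys found.
    Useful as a unit test on every endpoint that serialises user objects."""
    found: Set[str] = set()

    def walk(node: Any) -> None:
        if isinstance(node, dict):
            for key, value in node.items():
                if key in SENSITIVE_FIELDS:
                    found.add(key)
                walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(body)
    return found


if __name__ == "__main__":
    status, body = rest_api_get_users({"read", "upload_files"})
    print(status, body, "leaks:", leaks_sensitive_fields(body))
```

The projection in rest_api_get_users is the fix the advisory calls for; leaks_sensitive_fields is the check a developer can keep in the test suite so a future refactor that returns the full user object is caught before release.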

Disclosure Timeline

February 15, 2021 – Conclusion of the plugin analysis that led to the discovery of the vulnerability. We develop a firewall rule to protect Wordfence customers and release it to Wordfence Premium users. We make our initial contact attempt with the vendor, Cozmoslabs.
February 17, 2021 – We receive a response confirming the appropriate inbox for handling discussion. We provide full disclosure details.
February 18, 2021 – We receive an acknowledgement from Ronald Huereca, the original plugin developer, along with a proposed fix. We verify that the fix addresses the security issue and provide an additional security recommendation.
February 18, 2021 – A patched version of the plugin is released as version 2.5.0. We verify again that the vulnerability has been patched.
March 17, 2021 – Free Wordfence users will receive the firewall rule.

Conclusion

In today’s post, we detailed a flaw in the User Profile Picture plugin that granted attackers the ability to obtain sensitive information like hashed user passwords. This flaw has been fully patched in version 2.5.0. We recommend that users immediately update to the latest version available, which is version 2.5.0 at the time of this publication.

Wordfence Premium users received a firewall rule protecting against this vulnerability on February 15, 2021, while those still using the free version of Wordfence will receive the same protection on March 17, 2021.

If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected.

Special thanks to Ronald Huereca, the original developer of the plugin, for working promptly to get a patch out to customers.

The post Medium Severity Vulnerability Patched in User Profile Picture Plugin appeared first on Wordfence.

Episode 106: Admin Password Resets, Blockchain Botnets and a Central Management RCE

WordPress 5.7 is due to be released on March 9, and it will allow administrators to send password reset emails to users. A botnet is abusing the Bitcoin blockchain for command and control, while VMWare fixes a critical remote code execution bug in all default vCenter installations. Android users now have an easy way to check password security. We talk about the ramifications of vulnerability disclosures and how last year’s File Manager vulnerability did not have long lasting effects on plugin installation base or growth. We also discuss how investor data breach fatigue has reduced the stock price impact of cybersecurity failures.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:41 Wordfence/Defiant is hiring, and we’re offering a $500 gift card for anyone who refers a successful candidate
2:30 The Wordfence K-12 site cleaning and site audit program continues to help schools around the world
3:00 WordPress 5.7 will allow administrators to send password reset emails
6:20 This botnet is abusing the Bitcoin blockchain to stay in the shadows
9:52 VMWare fixes critical RCE bug in all default vCenter installations
11:53 Android users now have an easy way to check password security
14:40 Investor data breach ‘fatigue’ reduces Wall Street punishment for cybersecurity failures

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

Episode 106 Transcript

Ram:
Welcome to Think Like A Hacker, the podcast about WordPress, security, and innovation. I am Ram Gall, threat analyst at Wordfence, and with me is director of marketing, Kathy Zant. Kathy, how are things?

Kathy:
Things are very, very good compared to last week. It’s almost like Texas has somewhat recovered. At least the weather’s recovered. I think people here-

Ram:
Do have power and water now?

Kathy:
I have power. I have water. The skies were blue yesterday. We have ping pong ball sized hail coming, apparently. What is with Texas? I don’t know. It’s interesting, though. Got to keep-

Ram:
Everything is bigger in Texas, even the hail.

Kathy:
Even the hail. It’s a crazy place. Anyway, all is well. And we have some interesting things, some big things happening with Wordfence.

Ram:
I hear we are hiring.

Kathy:
We are hiring. We’re hiring for four specific roles. These are senior roles. So we wanted to sweeten the pot for all of our listeners who are out there listening who… Come on. You guys know someone who’s amazing. Someone who’s looking for-

Ram:
And you like free money, too, right?

Kathy:
And you like free money. So we thought we’d put all of those things together, and we want you to refer someone that you think would be exceptional in one of these roles and that would enjoy the fun, fast-paced environment we have here at Wordfence.

Kathy:
We have a security operations role. We want someone who’s up on the AWS scene. We’re looking for a couple of senior PHP developers and a senior researcher who is very interested in website performance. If you know someone and you refer someone, we will give you a $500 gift card if you refer a successful candidate. And if you think you might be a successful candidate, we would love to talk to you. There are links in the show notes for these job descriptions so you can get the full details about what these jobs entail and the benefits of working here at Defiant. Benefits that even include a week off between Christmas and New Year’s, which is always a nice time. Don’t you love that, Ram?

Ram:
Yeah. Yeah. Honestly, the last few years we’ve been doing it, but they finally made it official policy instead of just a cool thing we decided to do at the last minute.

Kathy:
Yeah, exactly. It’s a nice way to end the year. Just kind of think back over the previous year and plan for the future. Always a good time.

Kathy:
We also have our K-12 school initiative, site cleaning and site audits available for any government or state funded school in the United States, in Canada, in Mexico, anywhere in the world. If you know of a school that could use some security support, send them our way. We are cleaning and auditing those sites for free, and educating the educators. That program is continuing and continues to be a success, so we just wanted to mention it. We would love your referrals. Just send those schools our way.

Kathy:
Now, we saw some interesting stuff coming in WordPress 5.7. Ram, what do you know?

Ram:
WordPress 5.7 is actually fulfilling a sort of long-requested feature to let administrators send password reset links. And this is very cool. I mean, there is some potential for abuse via social engineering, but I mean, if you think about it, an attacker can already request a password reset for a user if they know or can guess the username or email address, so it’s not like attackers can’t send password resets to people anyways.

Kathy:
Sure, sure. Now this feature is rolling out in WordPress 5.7, which is coming up pretty soon. This has been a five-year-old ticket that has been in the trac system, and it’s going to allow administrators to manually send a password reset link to users instead of having to instruct a user about what to do, how to go about doing it. The administrator can just say, “Okay, let me just send that to you,” rather than trying to explain something to maybe a user who’s just a subscriber or a user who is a student in a learning management system, to basically get that lost password link to them so that they can go ahead and reset that password.

Kathy:
But obviously that send password reset link is going to be in several places, and with anything that's sending to a user, there’s a potential if that site ever is hacked that that could trigger something that an attacker could use to basically trigger a user to perform some actions.

Ram:
I mean, I’m not really worried about that. WordPress now has fairly strong cross-site request forgery protection. I think, realistically, the only potential problem we could see is that now there’s this expectation that you could get a legitimate password reset email sent by an administrator without asking for it. So, I mean, it’s conceivable that these could be spoofed and used in phishing attacks.

Ram:
You send someone something that looks like a password reset link and say, “Hey, I’m the administrator for your site. It looks like your password might’ve been compromised so I’m sending you this link,” and then get them to fill it in on a phishing site. There’s still some caveats with that, where if they log in with their new password and find it doesn’t work, will they then reset it again to the same password? I mean, I could see this being abused. I could see it being fairly difficult to abuse, but there’s always the potential.

Kathy:
Sure. Mostly we just want people to know that this new feature exists, and with any new feature that shows up there’s the potential for it to be used in a unique and never-seen-before way, so just to be aware that that feature exists. That if a password link shows up in a user’s inbox, that that user should definitely look at that if it’s unexpected and investigate further before they go haphazardly clicking links and traversing the internet, right?

Ram:
Yeah. I mean, it’s just like receiving a weird request, like something that could be a spear phishing request in your company email inbox. If you get a request for something that you weren’t expecting from someone, just verify with them via another channel. If you get a password reset link from an admin, maybe you get in touch with them and say, “Hey, did you send this on purpose?”

Kathy:
Exactly. All right, let’s move on. Let’s look at this botnet that we saw abusing Bitcoin blockchains to stay in the shadows. Now, Bitcoin is crazy in the news.

Ram:
Your favorite. That’s your favorite. I know it is.

Kathy:
It’s everywhere. Everybody’s talking about Bitcoin. I mean, when an asset performs in ways that people weren’t expecting or predictable ways, everybody starts talking about it. As soon as cryptocurrency starts increasing in value, we start seeing attackers trying to leverage any technology they can in order to either mine that cryptocurrency, to ransomware people out of cryptocurrency. It just becomes another way that we see attackers trying to monetize attacks, right?

Ram:
Yeah.

Kathy:
What are we seeing with this one?

Ram:
Okay, so one of the things about the blockchain is that effectively, it’s an immutable record of things that have happened. This is actually kind of interesting. The botnet that was using it was actually Skidmap malware, which is actually used for mining other cryptocurrency. In this case, Monero, which is popular amongst threat actors, because it’s untraceable or at least it's really hard to trace. And by the way, these guys aren’t actually doing a great job. Apparently, they’ve mined like $30,000 in Monero, which is not really a lot considering.

Kathy:
Yeah, come on.

Ram:
Anyways, it looks like what they were doing is the malware that was looking for C2 instructions … So here’s the thing about command and control systems, it’s they’re really easy to disrupt. If your malware is asking for new instructions from so-and-so domain or so-and-so IP, then it’s fairly easy for the hosting provider or the domain registrar to take those down at the request of governments or security researchers once they figure out there’s something malicious happening there.

Ram:
So, a lot of malware that relies on this command and control infrastructure needs a way to figure out, okay, where should I ask for instructions next, because my current instruction feed has gone down?

Ram:
What they did was they basically added an algorithm that looks at a particular Bitcoin wallet and checks how much had been sent to it, and it used that number in satoshis, which are, I forget if it’s a hundred thousandth of a Bitcoin, but very small amounts of money. It uses that number and basically breaks it up and parses it into an IP address, and that IP address is the IP address of the next server they should check.

Kathy:
That’s crazy.

Ram:
Yeah. Since it’s pretty much immutable, you can’t really shut it down, but what you can do is you can send money to that and mess up the IP address.

Kathy:
Hack the hackers.

Ram:
Pretty much. And that’s cheaper than fixing the IP address back to where it was, but the attacker probably controls that wallet. Giving them money seems like a not great way to get them to stop, especially if they can just give themselves more money to undo what you just did.

Ram:
I think we’ll be seeing a lot more of this in the future, just because it’s a novel command and control method. We’ve seen this in Twitter feeds. We’ve seen this in Instagram feeds. We’ve seen all sorts of C2 methodology happen in the past few years that’s just kind of wild.

Kathy:
Yeah, interesting, because whatever is written into the blockchain, it’s there. It’s not something that can be erased or undone, it’s just there. This’ll be interesting to watch and see how other people are using blockchain technologies in novel ways to, I don’t know, be stinkers on the internet, I guess.

Ram:
Pretty much.

Kathy:
Yeah.

Ram:
Speaking of stinkers on the internet, it turns out there was a VMWare bug, a critical remote code execution bug in all default vCenter installations. So, vCenter server is basically a central management solution for virtual machine hosts.

Kathy:
Okay. So kind of like ManageWP would be for WordPress, this is for a centralized server for VM hosts, right?

Ram:
Kind of, yeah. Yeah. Basically, it manages all the virtual machines in an organization’s network that they’ve set it up to actually use virtual machines. Anyways, the vSphere client, basically it had a remote code execution vulnerability. It was in one of the vCenter server plug-ins related to something called vRealize operations, but the thing is it was vulnerable even if you weren’t using that particular plugin.

Ram:
An attacker with network access to port 443, which is just the standard SSL port or TLS port, could exploit the issue to execute commands with unrestricted privileges on the underlying operating system that hosted the server, which would probably give them control of all the VMs it was managing, too. Which, for some organizations, would be all of their servers. Apparently, they’ve already seen this being attacked in the wild in several thousand vulnerable servers exposed on the internet. So yeah, I feel bad for those organizations. If your organization is running this, then please update.

Kathy:
Yikes. That just sent chills down my spine. Very, very frightening. So definitely update if you have anything going on with VMWare and vCenter server. Scary.

Ram:
If you’re managing multiple VM hosts using vCenter server, then this is definitely something to be aware of. If you’re just on a desktop or running VMware to run a virtual machine, you’re probably okay. I mean, you’re definitely okay, but yeah.

Kathy:
Wow. Well, it looks like Android users now have an easy way to check password security. What’s going on with this?

Ram:
I don’t know if you’ve heard of Have I Been Pwned-

Kathy:
I have.

Ram:
Which is an online service that you can use to see if your password has been exposed in any data breaches. Which is a really good thing to do, because so many data breaches are the result of passwords exposed in other data breaches, that it’s just not even funny anymore. So yeah, use a password manager with unique passwords for each service you use, please.

Ram:
Anyways, this works really similar to Have I Been Pwned. It basically uses cryptography to ensure that the password checking service never gets your password that you’re checking. Not even just the hash of the password that you’re checking. Which, if you want to know more about password hashes you can listen to our previous podcast and our Wordfence Live show on encryption.

Ram:
Anyways, basically what it does is the phone or device sends the first part of the hash of a password to the service, and the service sends back an encrypted set of breached hashes and it compares them without either side ever knowing the full hash you’re checking or the full hash of the breached passwords. It’s pretty cool. If you can turn it on, please do, because that way it’ll let you know if you’re using a password that’s been breached in any of your Android apps. And most of them, if you’re not signing in directly with Google or Facebook OAuth, you probably have an account set up with a password that you’ve probably used somewhere else, too.

Ram:
I remember I got breached in the GrubHub breach a while back because I was reusing a password for that, so this is kind of important.

Kathy:
Very important. So this is resident within all Android phones.

Ram:
If you’re up-to-date, yeah.

Kathy:
It’s a project by Google. Let this be a reminder to you that you should be using a password manager. Most of the major password managers, they have both a desktop as well as a phone, iOS or Android version, and always kind of these tools have ways of letting you know that you are using passwords in multiple places, password checkups, types of features. Always good to have this running in your apps, as well, just across the board. You can’t just have the one password anymore.

Kathy:
Hey, do you want to hear the worst story? One of the first companies I ever worked at in the networking department, and one of our server passwords was Flowbee.

Ram:
Oh gosh. It sucks, and it cuts.

Kathy:
It sucks and it cuts. That should have not been a password, but back in the day you could reuse passwords and do dumb, funny things like that. No longer.

Ram:
No longer.

Kathy:
Yeah. So, let’s talk a little bit about this article you found, Ram, about data breach fatigue. What does that mean, and what does it mean for … I mean, you and Chloe and our threat intel team are constantly finding vulnerabilities and working with plugin developers, theme developers, anybody in the WordPress space, helping them to patch their code and to write more secure code. But then, of course, there comes a point once that’s patched and once firewall rules and updating has occurred, you have to publish details about what you found for educational purposes, for keeping your certifications up. And a lot of, I think, plugin developers and whatnot, is it painful for them when you guys are publishing?

Ram:
We have heard some concerns expressed that publishing the vulnerability will reduce the plugin’s market share. And, you know what? We have seen that happen in the very short term, but they almost always recover. Even the File Manager vulnerability, the one last year-

Kathy:
Yeah, that was a bad one.

Ram:
That was really bad. That was hugely impactful. That was almost a worst case scenario in everything except how they handled it. They handled it pretty quickly, but it was already a zero-day. It was already being exploited by the time it got found out and it had a lot of installations and there were a lot of sites impacted by it. Our site cleaning team is still cleaning sites that were impacted by that and didn’t have Wordfence at the time.

Ram:
So, yeah, it was a huge thing. And you know what? Their install growth dropped. It went negative for about a month and a half, and then it came back. The growth is not back to where it was, but the install count is right where it was, and growth is still positive and growth went positive again about a month and a half after it got disclosed. So, yeah, if you’re worried about the impact of vulnerability in your plugin, don’t be. It’s much better to fix it than to have people impacted and to not fix it.

Kathy:
Right. Well, there’ve been some major … I mean, Target. When was that? 2013 when Target had all of their point-of-sale cash registers basically compromised and credit card data was compromised. I didn’t stop shopping at Target, and Target’s recovered quite well. It didn’t ruin them completely, right?

Ram:
Yeah. IBM’s done some research on the cost of a data breach report, and I mean, yeah. This is outside of the WordPress plugin ecosystem, mind you, so this is a completely different context. If you’re talking how much a database breach costs a large company, enterprise sector can expect an average bill of like $3.8 million, and some of them can rise up to like $392 million to actually remedy the breach.

Ram:
But they did a study on the stock prices of companies that disclosed breaches, and back in, say 2013, there was a massive impact, but even in 2019 stock prices would drop by like maybe 7% after a data breach was disclosed. Now, it only drops by like three and a half percent. So people are getting used to data breaches just kind of happening as a cost of doing business. That doesn’t mean they shouldn’t be addressed, because they absolutely should. If they’re not addressed, then that leads to much more severe long-term consequences.

Ram:
It only took like 100 days for prices to recover, apparently, according to this research, and general performance was only slightly poorer in the six months after a breach. So, breaches happen. Address them, fix them, take precautionary measures if you can, but the response is really one of the big things that matters.

Kathy:
Right. Well software, to me, and I think to all of us, is about trust, right? Your WordPress site, you are trusting that a plugin developer has done a good job creating not only the functionality, but the security of that code and you trust it so you install it on your site. Trust comes in a lot of different ways, right? So if you have a vulnerability and you patch it and you don’t disclose that you’re patching it, or you don’t disclose what’s happening in the next version of a site, or you don’t disclose that something might have gone wrong, that destroys trust. That secretism … That’s not the right-

Ram:
Secrecy.

Kathy:
Secrecy, that’s the word.

Ram:
Trying to hide stuff, being sneaky and shady, and “No one will ever know that I was breached.” Yeah, that’s also … In a lot of cases, the law requires you to disclose a breach. If you don’t actually take appropriate action, that’s when you run into trouble. I mean, it’s still expensive. Transparency is good.

Kathy:
Transparency is the best. So when you’re evaluating a plugin to put on your site, that’s a factor that goes into, “Am I going to install this on my site? Do I trust this developer?” You go look at their change log, and if they’ve had a celebrity bug known as a vulnerability … Mark likes to call them celebrity bugs. If they’ve had it, how did they handle it? Did they disclose that in their change log? How was it fixed? How did they work with security researchers that may have disclosed it with them? If there was a zero-day in the past, how did they handle it? You make your evaluations of whether or not you trust someone based on how their past performance has been when they’ve had to deal with anything. Celebrity bugs, functional problems? That transparency really says a lot about a plugin developer. So it’s, I think, a factor when you’re evaluating a plugin.

Ram:
It really does. If you see in someone’s change log, at least look for security issue fixed. If the change log has never fixed a security issue, then I don’t know if I would trust a plugin that’s been around for a while and never fixed a security issue.

Kathy:
Right. Everybody has celebrity bugs at one point or another, don’t they?

Ram:
Pretty much, yeah.

Kathy:
So it’s just how do you handle those issues and how do you communicate about them, which is critically important. To all of the security researchers out there, and to all of the plugin and theme developers who we work with, we’re just really excited when we see plugin developers who have a security policy on their site. Makes it very easy for us to contact you. That you work with us, share information freely so that we can help you get things fixed quickly. Proof of concepts, all of that fun stuff is incredibly important in this disclosure process.

Ram:
Yeah. If you have a security contact, that means that we can send you the full disclosure right away instead of having to go through your support department and having to wait 24 to 72 hours for them to get back to us and say, “Okay, yeah. This is totally the right place to send security issues,” or, “No, here’s who you should send it to.” So that could save you one to three days in fixing something.

Kathy:
Right. And the faster you get it fixed, the faster and better it is for your customers. That’s all I’ve got, Ram. How about you?

Ram:
That’s all I’ve got. It was great chatting with you again, Kathy, and I will see you next week.

Kathy:
See you next week. Thanks, Ram.

Ram:
Bye.

You can find Wordfence on Twitter, Facebook, Instagram. You can also find us on YouTube, where we have our weekly Wordfence Live on Tuesdays at noon Eastern, 9:00 AM Pacific.

The post Episode 106: Admin Password Resets, Blockchain Botnets and a Central Management RCE appeared first on Wordfence.

SQL Triggers in Website Backdoors

Over the past year, there’s been an increasing trend of WordPress malware using SQL triggers to hide malicious SQL queries within compromised databases. These queries inject an admin level user into the infected database whenever the trigger condition is met.

What makes this especially problematic for website owners is that most malware cleanup guides focus on the website files and data within specific database tables: for example, wp_users, wp_options, and wp_posts.

Continue reading SQL Triggers in Website Backdoors at Sucuri Blog.
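Because cleanup guides look at files and a handful of tables, a trigger sitting in the database schema is easy to miss. The script below is an added example (not Sucuri's code): it scans a mysqldump text for CREATE TRIGGER definitions, flags any trigger whose body writes to wp_users or wp_usermeta or mentions administrator capabilities, and prints the DROP TRIGGER statement a cleaner would run after review. It assumes the default wp_ table prefix and the wrapper comments mysqldump --triggers emits; the dump text itself is constructed for the example.

```python
"""Audit a mysqldump of a WordPress database for triggers that behave like backdoors.

Added example, not Sucuri's code. Assumptions: plain-text dump as written by
mysqldump --triggers (version-conditional /*!50003 ... */ wrappers), default wp_ prefix.
"""
import re
from dataclasses import dataclass

# WordPress core creates no triggers, so every trigger deserves review; a trigger
# that writes to these two tables can silently create or promote a user.
SENSITIVE_TABLES = ("wp_users", "wp_usermeta")

# mysqldump wraps trigger DDL in version-conditional comments; unwrap them to plain SQL.
_VERSION_COMMENT = re.compile(r"/\*!\d{5}\s*(.*?)\s*\*/", re.S)

# Header plus body: a BEGIN...END block (END followed by ';', so 'END IF;' is skipped)
# or a single statement up to the next ';'.
_TRIGGER_RE = re.compile(
    r"CREATE\s+(?:DEFINER\s*=\s*\S+\s+)?TRIGGER\s+`?(?P<name>\w+)`?\s+"
    r"(?P<timing>BEFORE|AFTER)\s+(?P<event>INSERT|UPDATE|DELETE)\s+ON\s+`?(?P<table>\w+)`?\s+"
    r"FOR\s+EACH\s+ROW\s+(?P<body>BEGIN\b.*?\bEND\b(?=\s*;)|[^;]+)",
    re.S | re.I,
)
_WRITE_RE = re.compile(r"\b(?:INSERT\s+INTO|REPLACE\s+INTO|UPDATE)\s+`?(\w+)`?", re.I)

# Constructed sample dump: one legitimate audit trigger and one that inserts a user
# whenever a comment with a chosen text arrives (values are placeholders).
SAMPLE_DUMP = """
DELIMITER ;;
/*!50003 CREATE*/ /*!50017 DEFINER=`wp`@`localhost`*/ /*!50003 TRIGGER `trg_post_audit` AFTER UPDATE ON `wp_posts` FOR EACH ROW BEGIN
    INSERT INTO `wp_post_audit` (post_id, changed_at) VALUES (NEW.ID, NOW());
END */;;
DELIMITER ;
DELIMITER ;;
/*!50003 CREATE*/ /*!50017 DEFINER=`wp`@`localhost`*/ /*!50003 TRIGGER `after_insert_comment` AFTER INSERT ON `wp_comments` FOR EACH ROW BEGIN
    IF NEW.comment_content = 'CONSTRUCTED_TRIGGER_WORD' THEN
        INSERT INTO `wp_users` (user_login, user_pass) VALUES ('placeholder', 'placeholder');
    END IF;
END */;;
DELIMITER ;
"""


@dataclass
class Trigger:
    name: str
    timing: str
    event: str
    table: str
    body: str


@dataclass
class Finding:
    trigger: Trigger
    reasons: list


def find_triggers(dump_text):
    """Return every trigger defined in the dump, in order."""
    sql = _VERSION_COMMENT.sub(lambda m: m.group(1), dump_text)
    return [Trigger(m["name"], m["timing"].upper(), m["event"].upper(), m["table"], m["body"].strip())
            for m in _TRIGGER_RE.finditer(sql)]


def suspicious_reasons(trig):
    """Heuristics: writes to user tables, or references admin capabilities."""
    reasons = []
    written = {t.lower() for t in _WRITE_RE.findall(trig.body)}
    for table in sorted(written & set(SENSITIVE_TABLES)):
        reasons.append(f"writes to {table}")
    for marker in ("wp_capabilities", "administrator"):
        if marker in trig.body.lower():
            reasons.append(f"body mentions {marker}")
    return reasons


def audit_dump(dump_text):
    """Triggers that tripped at least one heuristic, with the reasons."""
    findings = []
    for trig in find_triggers(dump_text):
        reasons = suspicious_reasons(trig)
        if reasons:
            findings.append(Finding(trig, reasons))
    return findings


def drop_statement(trig):
    """Remediation SQL to run once the trigger has been confirmed as malicious."""
    return f"DROP TRIGGER IF EXISTS `{trig.name}`;"


if __name__ == "__main__":
    for trig in find_triggers(SAMPLE_DUMP):
        reasons = suspicious_reasons(trig)
        print(f"[{'SUSPICIOUS' if reasons else 'review'}] {trig.name}: "
              f"{trig.timing} {trig.event} ON {trig.table} {'; '.join(reasons)}")
        if reasons:
            print("   remediation:", drop_statement(trig))
```

On a live server the same check can be made without a dump by reading information_schema.TRIGGERS, but scanning the dump also catches triggers that a cleaner might otherwise restore from a backup.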
