Episode 83: 100,000 Sites Impacted by Vulnerabilities in Advanced Access Manager

The Wordfence Threat Intelligence team discovered vulnerabilities in the Advanced Access Manager plugin installed on over 100,000 WordPress sites. A high severity authorization bypass could lead to privilege escalation and site takeover. Critical vulnerabilities found in the Quiz and Survey Master plugin could also lead to site takeover on the 30,000 WP sites using the vulnerable version of this plugin.

Thousands of sites broke after updating to WordPress 5.5 due to deprecated support for jQuery Migrate, and the release of the Enable jQuery Migrate Helper plugin reached 10,000 active installations to help fix these sites using older themes or plugins.

As cryptocurrency values rise, we’re seeing a wave of new scams and hacking campaigns with cryptocurrency as a driving force, such as the recent Twitter hack and a botnet campaign called Fritzfrog that is breaching SSH servers to mine Monero.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:10 High-Severity Vulnerability Patched in Advanced Access Manager
2:05 Critical Vulnerabilities Patched in Quiz and Survey Master Plugin
3:43 Sites updating to WordPress 5.5 breaking due to deprecated jQuery migrate, new plugin released as a fix
6:27 Fritzfrog campaign breaching SSH servers, similar to previous cryptocurrency hacking campaigns

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

Episode 83 Transcript

Scott Miller:
Hey everyone, it’s Scott from Wordfence. This is Think Like a Hacker, the weekly podcast covering WordPress security and innovation. Let’s get right into this week’s stories.

Our first story of the week is the high severity vulnerability patched in the Advanced Access Manager plugin. Ram Gall and our Threat Intel team here at Wordfence found vulnerabilities in the Advanced Access Manager plugin, which is installed on over 100,000 sites.

This high-severity Authorization Bypass vulnerability could lead to a privilege escalation and a site takeover. This plugin allows users to log in via the WordPress REST API, and unfortunately the plugin’s REST endpoints were set to respond to a successful login with a JSON-encoded copy of all metadata about the user, which can potentially expose users’ information to an attacker or a low-privileged user.

This information includes items such as the user’s hashed password and their capabilities and roles, as well as any custom metadata that might’ve been added by other plugins. Wordfence premium users received a firewall rule protecting against the Authorization Bypass vulnerability on August 14th, and sites that are still running the free version of Wordfence will receive this rule 30 days later on September 13th, 2020.

Now, lots of plugins and management systems give you the ability to customize roles for users on your site, whether you’re running a blog, an eCommerce store, or a membership site, or just adding a specific capability for certain users on your site. These additional roles require additional thought and attention, much like the plugins and management systems that are offering the features.

From a security standpoint, when it comes to issues and vulnerabilities like this regarding roles and capabilities, it’s typically recommended to limit the roles of users to only what is necessary and to stay as close to the core functionality in WordPress as possible.

Our next story this week is the critical vulnerabilities patched in the Quiz and Survey Master plugin. On July 17th, our Threat Intel team found two vulnerabilities in the Quiz and Survey Master plugin, which is installed on 30,000 sites.

The Quiz and Survey Master plugin is a plugin built to allow users the ability to easily add quizzes and surveys to their site. One of the features of the plugin allows file upload implementation for quizzes and surveys. This upload feature, however, was not secure. The checks performed during a file upload only evaluated how the general settings were configured for the file upload itself.

During the upload, checks were made primarily to see if the file type and size were valid. The issue we discovered allows for unauthenticated attackers to upload arbitrary files and achieve Remote Code Execution, as well as remove arbitrary files, such as a site’s wp-config.php file, which could result in site downtime or a site takeover.

It’s recommended to update to version 7.0.1 as soon as possible. And thankfully the default Wordfence firewall rules protecting against malicious file uploads, local file inclusion, and directory traversal will protect both free and premium users from attackers targeting these vulnerabilities.

As a rule of thumb, be selective with who you provide access to your site, and more importantly, who is given access levels greater than subscriber level. Users with these levels should always have unique and complex passwords.

Our next story this week looks at the increase in broken sites since the WordPress 5.5 core update due to deprecated support for jQuery Migrate. So, a few weeks ago, WordPress 5.5 shipped without a JavaScript library called jQuery Migrate.

jQuery Migrate is a library that basically helps old code function correctly on WordPress sites. This means if you have a plugin or a theme that is potentially no longer supported, or in other words, it’s out-of-date, it may have worked fine until updating to 5.5 where the library to help the code work was no longer included.

The result of the library not being included in the core updates so far has been 10,000 plus sites having issues. On one hand, this looks like the fault of WordPress for not including the library, but one of the real issues here is the number of sites using old themes and plugins.

Since the WordPress core update, there’s been a jQuery helper plugin released, which has surpassed the 10,000 [site] installation mark. This plugin, which was developed by the WordPress core team has provided some relief for users who have seen their site break due to the jQuery Migrate library not being included in the 5.5 core update.

This issue has exposed sites that are using older themes and plugins. And if your site was affected by these issues in 5.5, it may be a good time to look at finding replacements for those themes and plugins that are no longer supported.

If your site currently has plugins and themes that are still supported, but just out-of-date, there’s plenty of tools out there now that can help you manage updates. The new features in core that were added in 5.5 will allow you to update themes and plugins automatically, and you can also use Wordfence alerts on your site to stay in tune with available updates for your themes and plugins.

You can also consider using Wordfence Central, which is a hub to add all of your Wordfence-protected sites, both free and premium and keep track of the scans and security of all the sites in one place. There’s a cool option for a summary of alerts in central that will help you with alert fatigue, and keep you up-to-date with what needs attention on your sites. The best part of it is, it’s completely free to use.

If you’re interested in some more information on auto-updates, we also have a good blog post on wordfence.com from August 6th, which is titled WordPress Auto-Updates, What Do You Have to Lose? And it details how you should go about the automatic update feature, which was introduced in WordPress 5.5. You can also check out the Wordfence livestream on YouTube from August 11th, where we go into this in depth.

In our last story this week, we take a look at the increasing value of cryptocurrency and how it’s increasing the number of attacks we’re seeing in various formats. Cryptocurrency has been increasing in value in the past few months, including the privacy focused cryptocurrency Monero.

It’s currently ranked as the 16th most valuable cryptocurrency on CoinMarketCap, and it’s a favorite currency for those looking to hide their transactions, including hackers. With this rise in value, we believe we’ll start seeing more attacks using Monero mining, much like what we saw with a massive crypto mining campaign which affected WordPress sites in 2017.

We’ll include that link to our blog post in the show notes. Now, we’re already starting to see some of these attacks that have cryptocurrency as a driving force, including the recent Twitter hack, which focused on Bitcoin. In a similar story, a botnet campaign named Fritzfrog was discovered breaching SSH servers dating back to at least January 2020.

Fritzfrog used brute force to breach SSH. And once their malware was present, the malware replicated and grew in order to perform additional tasks. After some of the higher resource tasks were killed off on the server by the malware, it deployed tasks of its own, which focused on mining the Monero cryptocurrency.

In cases like these and as currency evolves, hackers won’t be far behind and there’s always a use for powerful servers, websites, and user accounts for hackers and botnets. It’s always important to monitor your server resources regularly, as well as harden your security and keep administrator, FTP, SSH, and other important accounts locked down or inaccessible until they’re needed.

That’s all for this week. Don’t forget to subscribe to our mailing list on wordfence.com, as well as check us out on Wordfence Live on YouTube every Tuesday at noon Eastern, 9:00 AM Pacific time, where we talk all things WordPress and security. From all of us here at Wordfence, thanks for tuning in to Think Like a Hacker. And we look forward to catching up with you next week.

Follow me on Twitter @wfscottmiller. You can find Wordfence on Twitter, Facebook, Instagram. You can also find us on YouTube, where we have our weekly Wordfence Live on Tuesdays at noon Eastern, 9:00 AM Pacific.

The post Episode 83: 100,000 Sites Impacted by Vulnerabilities in Advanced Access Manager appeared first on Wordfence.

Episode 84: Google Chrome Plans to Implement Insecure Form Warnings

The Google Chrome web browser has a high-severity vulnerability that could be used to execute arbitrary code, which has been fixed in Chrome version 85. Google also announced that Chrome 86 will alert users if a form submission is using the insecure HTTP protocol, making it a good time to audit older sites that may have migrated to HTTPS, but still have forms submitting via HTTP.

A security researcher found a flaw in Apple’s Safari browser that could allow an attacker to access files on a Mac or iOS device.

The FBI and CISA have issued a joint alert to warn about the growing threat from vishing attacks targeting companies.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:12 Chrome patches vulnerability that could be used to execute arbitrary code
1:20 Google announces Chrome 86 will alert users to insecure form submissions
2:55 Safari browser zero-day vulnerability could lead to leaking files to an attacker
4:40 FBI-CISA joint alert about growing vishing threat

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

Episode 84 Transcript

Scott Miller:

Hello everyone. It’s Scott from Wordfence. This is Think Like a Hacker, the weekly podcast about WordPress security and innovation. Let’s get right into this week’s stories.

First up, a couple of stories relating to the Google Chrome browser. A patch was released for Google Chrome this week, which fixed a vulnerability that could potentially allow code execution. The flaw, which is called a use-after-free vulnerability, was in the graphics library component of Chrome. This was part of the functionality that lets users render 2D and 3D graphics. The issue came about from improperly handling memory. If the memory layout of the browser were manipulated by an attacker, they could gain control and ultimately it could lead to arbitrary code execution. An attacker could execute code via one of the vulnerable functions, which was used to sync data. When that was done, it then creates the use-after-free condition mentioned earlier. This can occur from attempts to access memory after it’s been freed up, which can then result in a program crashing or potentially result in execution of arbitrary code. So currently the thing to do here is check your current browser version and make sure that you’ve updated to Chrome 85, which should be available for you now.

In another story regarding the popular web browser, Google said in an upcoming release of Chrome, that they will be restricting forms that are sent via HTTP protocol. This is a push to have site owners review their site and be sure that forms are transmitting data via the secure HTTPS protocol. It’s important to be sure that all of the data on your site is being transmitted securely. And if you’ve recently migrated to HTTPS, double check to be sure that your forms are transmitting data securely to reduce any chance of being alerted or warned by Google of the issue, which could potentially end up resulting in a loss of revenue, depending on what your forms are used for.

If your forms are not transmitting data securely, you’ll see a message alerting you that the form is not secure. And you’ll also see an alert that autofill has been disabled for the form. Your visitors will also see these messages as well. An additional warning will be then shown to the site visitor when they attempt to submit data via that form and the warning will give the visitor an opportunity to continue with the data submission or cancel the submission at that point. One thing to consider as a site owner is checking your browser console for warnings that mention mixed content being loaded on the site. If you’re seeing that message, you can then find some tools with a Google search or via the WordPress plugins area to help automatically fix insecure and mixed content being loaded. Chrome 86 will feature these changes and it’s due to be released on October 6th, 2020.

Sticking with browser related news, Safari has a zero day vulnerability affecting the macOS and iOS browsers. The vulnerability allows an attacker to access files that are stored on the user’s local hard drive. This bug was discovered by the Polish security firm REDTEAM.PL. The vulnerability resides in the Safari Web Share API, which introduces the ability to share text, links, files, and other things cross-browser. Visiting a malicious site set up for this vulnerability could open your device to this issue and result in leaking out the private stored local files from your device. After repeatedly chasing Apple about this vulnerability, the researcher who discovered the zero day was notified by Apple that it would not be patched until the April 2021 security update, and then he took it upon himself to disclose the issue in advance. Now, the researcher who disclosed the bug has described it as not very serious due to the fact that the user would need to be tricked into a situation to leak out the files.

However, the attack itself can be hidden well. The vulnerability is not easy to carry out, and it does require some user interaction, as I mentioned, which draws comparison to a social engineering attack. But the founder of the issue mentions that barriers for the bug are far from insurmountable and demonstrates the bug in a proof of concept video, which you can check out on YouTube. So as this has not yet been patched and may not be for some time, it’s always a good rule of thumb to double check where you’re browsing at any given time and always be aware of what you’re clicking and who you’re giving information to.

In our last story for this week, the FBI and CISA, which is the Cybersecurity and Infrastructure Security Agency, issued an alert warning about the growing threat of voice phishing, or vishing, attacks. Now you might be wondering, what is vishing? Vishing is a form of phishing where, during a voice call, a scammer will attempt social engineering to get you to share personal information or company information to help them with their attack. This can result in an attacker gaining access to employee tools with the end goal of monetizing the access. KrebsOnSecurity took a look at a crime group which is offering to steal VPN credentials and other data from employees working remotely during the pandemic. In their article they mentioned in the joint FBI-CISA alert that the vishers are said to be compiling information on the employees using public profiles on social media sites and other readily available services, such as background checks.

In the alert it’s noted that in some cases, unsuspecting employees granted access to these vishers, even helping them bypass 2FA and/or one-time passwords (OTP). In other cases, attackers were able to gain access to the necessary one-time codes by targeting the employee with SIM swapping, which is a technique that involves social engineering an employee at a mobile phone company, which would then result in the employee giving them control of the target’s phone number, allowing them to access the 2FA code. One way around this for companies that are working remotely is the approach that Google took in requiring all employees to use physical security keys in place of one-time codes. You can check out USB and USB-C versions of these physical security keys from the company Yubico, who offers the YubiKey.

That’s all this week for Think Like a Hacker. Take a second to subscribe to our mailing list in the footer of the Wordfence.com homepage and keep up to date with any breaking security news there. Until next week from all of us here at Wordfence, have a great weekend and we’ll catch you soon.

Follow me on Twitter @wfscottmiller. You can find Wordfence on Twitter, Facebook, Instagram. You can also find us on YouTube, where we have our weekly Wordfence Live on Tuesdays at noon Eastern, 9:00 AM Pacific.

The post Episode 84: Google Chrome Plans to Implement Insecure Form Warnings appeared first on Wordfence.

Persistent WordPress User Injection

Our team recently stumbled across an interesting example of malicious code used to add an arbitrary user inside WordPress.

The following code was detected at the bottom of the theme’s functions.php. It uses internal WordPress functions like wp_create_user() and add_role() to create a new user and elevate its role to “administrator:”

The most interesting component of this sample is that the init (initialization) hook called from add_action() triggers the prefix_add_user() every time the Website finishes loading.

Continue reading Persistent WordPress User Injection at Sucuri Blog.

High-Severity Vulnerability Patched in Advanced Access Manager

On August 13, 2020, the Wordfence Threat Intelligence team finished investigating two vulnerabilities in Advanced Access Manager, a WordPress plugin with over 100,000 installations, including a high-severity Authorization Bypass vulnerability that could lead to privilege escalation and site takeover.

We reached out to the plugin’s author the next day, on August 14, 2020, and received a response within a few hours. After providing the full vulnerability disclosure, we received a response on August 15, 2020, that a patch had been released in version 6.6.2.

Wordfence Premium users received a firewall rule protecting against the Authorization Bypass vulnerability on August 14, 2020. Sites still running the free version of Wordfence will receive this rule 30 days later, on September 13, 2020.


Description: Authenticated Authorization Bypass and Privilege Escalation
Affected Plugin: Advanced Access Manager
Plugin Slug: advanced-access-manager
Affected Versions: < 6.6.2
CVE ID: Pending
CVSS Score: 7.5 (High)
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Fully Patched Version: 6.6.2

Advanced Access Manager allows fine-grained access control, and has the capability to assign multiple roles to a single user. If the “Multiple Roles Support” setting is enabled, the plugin is vulnerable to authenticated authorization bypass and, in some cases, privilege escalation.

A low-privileged user could assign themselves or switch to any role with an equal or lesser user level, or any role that did not have an assigned user level. This could be done by sending a POST request to wp-admin/profile.php with typical profile update parameters and appending an aam_user_roles[] parameter set to the role they would like to use.

The reason this worked is that the AAM_Backend_Manager::profileUpdate method that actually assigns these roles is triggered by the profile_update and user_register actions, and failed to use a standard capability check.

    // Hooks registered by AAM_Backend_Manager: both actions route to profileUpdate()
    add_action('profile_update', array($this, 'profileUpdate'), 10, 2);
    add_action('user_register', array($this, 'profileUpdate'), 10, 2);

    public function profileUpdate($id)
    {
        $user = get_user_by('ID', $id);

        // save selected user roles (only when "Multiple Roles Support" is enabled)
        if (AAM::api()->getConfig('core.settings.multiSubject', false)) {
            // the requested roles come straight from the aam_user_roles[] POST parameter
            $roles = filter_input(
                INPUT_POST,
                'aam_user_roles',
                FILTER_DEFAULT,
                FILTER_REQUIRE_ARRAY
            );

            // let's make sure that the list of roles is an array
            $roles = (is_array($roles) ? $roles : array());
            $okroles = array_keys(get_editable_roles()); // computed but never used

            // prepare the final list of roles that needs to be set;
            // get_editable_roles() is the only gate, there is no capability check
            $newRoles = array_intersect($roles, array_keys(get_editable_roles()));

            if (!empty($newRoles)) {
                // remove all current roles and then set new
                $user->set_role('');

                foreach ($newRoles as $role) {
                    $user->add_role($role);
                }
            }
        }
    }

This meant that, if the ‘Multiple Roles Support’ setting was enabled, any user would trigger this method when updating their profile. The profileUpdate function would then check to see if any roles were present in the aam_user_roles[] POST parameter. If roles were present, it then used the WordPress get_editable_roles function to determine whether the user was allowed to add a given role, and if so, granted the user that role without performing any other form of capability check.

By default, get_editable_roles returns all registered roles. However, the Advanced Access Manager plugin added a filter to limit these roles in the AAM_Service_UserLevelFilter::filterRoles method. This method looped through each registered role and determined the role’s user level using the AAM_Core_API::maxLevel method.

    public function filterRoles($roles)
    {
        static $levels = array(); // to speed-up the execution

        foreach ($roles as $id => $role) {
            if (!empty($role['capabilities']) && is_array($role['capabilities'])) {
                if (!isset($levels[$id])) {
                    $levels[$id] = AAM_Core_API::maxLevel($role['capabilities']);
                }

                if (!$this->isUserLevelAllowed(true, $levels[$id])) {
                    unset($roles[$id]);
                }
            }
        }

        return $roles;
    }

AAM_Service_UserLevelFilter::filterRoles then removed any roles with a higher user level than the current user from the list of roles the current user was allowed to choose. By default, this worked reasonably well; all built-in roles have a built-in user-level attribute. Unfortunately, however, the user-level attribute was deprecated in WordPress 3.0.

This meant that if a role did not have a user-level attribute, or had a user-level attribute equal to or lesser than the logged-in user, the logged-in user could assign themselves to that role.

This was a problem in three possible scenarios:

  • Plugins with custom roles. There are several thousand plugins that add custom roles in the WordPress plugin repository, and most of these plugins do not assign a user-level attribute to these roles. For a few real-world examples, a backup plugin could add a role that is allowed to restore arbitrary files, including malicious code or database modifications, or an educational plugin might add an instructor role with the ability to insert unfiltered html and embed malicious JavaScript into the site.
  • Roles without an assigned user level. If a role was created from scratch in Advanced Access Manager, but not assigned a user level, any user with subscriber-level access could switch to that role.
  • Cloned user roles. If a role was cloned from an existing role (for instance, a contributor or author) and assigned additional capabilities, any user in the original role could switch to or assign themselves to the new role.

In any one of these scenarios, a low-privileged attacker could potentially switch to a role that allowed them to either directly take over a site or could be used as part of an exploit chain, depending on which roles were configured.
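To make the three scenarios concrete, here is an added Python model of the level-based filtering that profileUpdate() relied on, written for this article and not taken from the plugin’s PHP. The role table is constructed, and the hardened variant gated on the promote_users capability is my suggestion of a standard capability check, not the fix that shipped in 6.6.2 (which this page does not show).

```python
import re

# Constructed role table (not the plugin's): WordPress built-in roles carry the
# deprecated level_N capabilities; the three custom roles mirror the advisory's
# scenarios and carry either no level_N capability or only the levels cloned
# from their parent role.
ROLES = {
    "subscriber": {"read", "level_0"},
    "contributor": {"read", "edit_posts", "delete_posts", "level_0", "level_1"},
    "author": {"read", "edit_posts", "publish_posts", "upload_files",
               "level_0", "level_1", "level_2"},
    "editor": {"read", "edit_posts", "edit_others_posts", "publish_posts",
               "unfiltered_html"} | {f"level_{n}" for n in range(8)},
    "administrator": {"manage_options", "promote_users", "edit_theme_options",
                      "unfiltered_html"} | {f"level_{n}" for n in range(11)},
    # scenario 1: a plugin-defined role with a dangerous capability and no level
    "backup_manager": {"read", "restore_backups"},
    # scenario 2: a role created from scratch in the plugin, no level assigned
    "site_designer": {"read", "edit_theme_options"},
    # scenario 3: contributor cloned and given unfiltered_html
    "super_contributor": {"read", "edit_posts", "delete_posts", "unfiltered_html",
                          "level_0", "level_1"},
}

_LEVEL = re.compile(r"^level_(\d+)$")


def max_level(capabilities):
    """Model of AAM_Core_API::maxLevel: the highest level_N capability, 0 if none."""
    levels = [0]
    for cap in capabilities:
        m = _LEVEL.match(cap)
        if m:
            levels.append(int(m.group(1)))
    return max(levels)


def editable_roles_by_level(roles, actor_caps):
    """Model of AAM_Service_UserLevelFilter::filterRoles: keep every role whose
    level does not exceed the acting user's level. A role with no level_N
    capability scores 0 and therefore survives for every user, even a subscriber."""
    actor_level = max_level(actor_caps)
    return {name: caps for name, caps in roles.items() if max_level(caps) <= actor_level}


def vulnerable_profile_update(roles, actor_caps, requested):
    """Model of profileUpdate(): array_intersect of the POSTed aam_user_roles[]
    with get_editable_roles(), and nothing else."""
    allowed = editable_roles_by_level(roles, actor_caps)
    return [r for r in requested if r in allowed]


def hardened_profile_update(roles, actor_caps, requested):
    """Hardened variant (assumption, not the plugin's actual patch): gate the whole
    operation on promote_users, the capability WordPress core itself checks
    before changing another user's role."""
    if "promote_users" not in actor_caps:
        return []
    allowed = editable_roles_by_level(roles, actor_caps)
    return [r for r in requested if r in allowed]


def dangerous_roles_reachable(roles, actor_role, dangerous_caps):
    """Audit helper: roles the actor could switch into under the level filter that
    would hand them a listed capability they do not already hold."""
    own = roles[actor_role]
    reachable = editable_roles_by_level(roles, own)
    return sorted(name for name, caps in reachable.items()
                  if name != actor_role and (caps & dangerous_caps) - own)


if __name__ == "__main__":
    wanted = ["backup_manager", "site_designer", "editor"]
    print("subscriber, vulnerable:", vulnerable_profile_update(ROLES, ROLES["subscriber"], wanted))
    print("subscriber, hardened:  ", hardened_profile_update(ROLES, ROLES["subscriber"], wanted))
    print("contributor can reach: ", dangerous_roles_reachable(
        ROLES, "contributor", {"unfiltered_html", "restore_backups", "edit_theme_options"}))
```

The audit helper is the part worth reusing: run it over a real site’s role table to see which custom roles a subscriber or contributor could have reached before the patch.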


Description: Authenticated Information Disclosure
Affected Plugin: Advanced Access Manager
Plugin Slug: advanced-access-manager
Affected Versions: < 6.6.2
CVE ID: Pending
CVSS Score: 4.3 (Medium)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Fully Patched Version: 6.6.2

Advanced Access Manager also allows users to log in via the WordPress REST API. Unfortunately, the plugin’s aam/v1/authenticate and aam/v2/authenticate REST endpoints were set to respond to a successful login with a JSON-encoded copy of all metadata about the user, potentially exposing users’ information to an attacker or low-privileged user. This included items like the user’s hashed password and their capabilities and roles, as well as any custom metadata that might have been added by other plugins. This might include sensitive configuration information, which an attacker could potentially use as part of an exploit chain. For example, an attacker able to assign themselves a custom role using the previous vulnerability could view which capabilities were assigned to them, allowing them to plan the next phase of their attack.

What are Roles and Capabilities?

All WordPress sites need an administrator, a user who has complete control over the site in order to make changes and perform maintenance. Likewise, an eCommerce site would need to allow customers to log in to keep track of their orders, and a news site would likely need to allow its journalists the ability to author posts, and might need an editor. In these cases, “administrator”, “editor”, “author”, and “customer” are roles.

Each of these roles comes with a certain set of capabilities. For example, an administrator would have the manage_options capability that allows them to make changes to a site’s options, but it would be disastrous to allow a customer, or even an author, the same capabilities. Likewise, an author would need the capability to edit_posts, but not edit_others_posts, and a customer or subscriber should not have any of these capabilities.

In many cases, a site owner might need more fine-grained control over which users can perform certain actions, so they might use a plugin like Advanced Access Manager to create custom roles for their users. They could then assign the capabilities they want those users to have, such as allowing a site designer the ability to edit_theme_options without changing other site options.

Additionally, many plugins add specific roles and custom capabilities. For example, while “customer” is not a built-in WordPress role, eCommerce plugins will define a specific “customer” role that has custom capabilities related to viewing their order status and updating their address information, while prohibiting them from making any other changes to the site.

The ability to customize roles and capabilities using plugins is part of the power of using WordPress for a variety of applications, including eCommerce, learning management systems, membership sites, and many others. However, this expanded functionality demands a greater attention to access control and capabilities from site owners.

Timeline

August 13, 2020 – Wordfence Threat Intelligence finishes analyzing vulnerabilities.
August 14, 2020 – We release a Firewall rule to Wordfence Premium users to protect against privilege escalation vulnerability and provide disclosure to the plugin’s author.
August 15, 2020 – A full patch is released.
September 13, 2020 – Firewall rule becomes available to sites using the free version of Wordfence.

Conclusion

In today’s post, we detailed two vulnerabilities in the Advanced Access Manager plugin, including a high-severity vulnerability that could allow lower-level users to escalate their privileges. We strongly recommend updating to the latest version of the Advanced Access Manager plugin, currently version 6.6.2, as soon as possible.

Wordfence Premium users have been protected against this vulnerability since August 14, 2020. Sites still using the free version of Wordfence will receive the firewall rule 30 days later, on September 13, 2020.

If you know a friend or colleague who is using this plugin on their site, please forward this advisory to them to help keep their sites protected.

Special thanks to the plugin’s author, Vasyl Martyniuk, for an excellent and rapid response to our disclosure.

The post High-Severity Vulnerability Patched in Advanced Access Manager appeared first on Wordfence.

Magento Multiversion (1.x/2.x) Backdoor

The Magento 1 EOL date has already passed, however it’s evident that a large number of websites will continue to use it for the foreseeable future. Unfortunately, attackers are also aware that many websites are struggling with their Magento migrations and post compromise tools have been created to support deployment for both Magento 1.x and 2.x versions, making it easier for them to exploit a larger number of sites.

Malicious Forbidden Activity

During a recent investigation, our team came across a tool aptly named Forbidden.

Continue reading Magento Multiversion (1.x/2.x) Backdoor at Sucuri Blog.
