In the coming few weeks, a friend of mine and I will be running a set of seminars on infosec in preparation for Cactus Con, the last of which will basically be hands-on vulnerability training. I was charged with setting up the world’s most vulnerable WordPress install, which was almost as easy as installing WordPress itself. I decided that while I was setting up a WordPress install you could beat up, I might as well make a blog post about it, since most of the plugins that were vulnerable seemed to have been downloaded tens, if not hundreds, of thousands of times!
(As a side note, this is all for research purposes, and I’m just trying to live my life, not hack the FBI)
Slider Revolution
This is a paid Envato plugin that is included in practically every theme you buy from Themeforest. It makes the obnoxious sliders on almost every site a little bit easier to make obnoxious. The attack was done the same way most attacks on WordPress installs are done: by including some variables in the URL to grab something you’re not supposed to be able to grab. If you knew the site was running Slider Revolution, all you had to do was go to your shiny address bar and type this in:
The wp-config file is one of the most important files in WordPress: it holds the database credentials and FTP credentials, which means that if an attacker gets this file, you’re hosed. This is a Local File Inclusion (LFI) attack and can be executed by hackers through a simple script that pings the site with GET requests for that particular URL. This was discovered back in September, but it is now February and I am still getting calls from people who have had their site compromised using this vulnerability. Envato is having a really hard time patching this bug.
More information about this vulnerability here
UpdraftPlus
UpdraftPlus is a backup solution for your WordPress site that takes your site and migrates it to the cloud; it’s pretty popular (Downloads: 1,812,770) and actually super convenient. On February 3rd, it was discovered that you can add an admin_action to the URL, resulting in the plugin printing out the ‘updraftplus-credentialtest-nonce’ nonce, which in turn lets the attacker print out the phpinfo() page, which includes everything defined in wp-config.php (database credentials… again).
This will give you the updraftplus-credentialtest-nonce (a nonce is literally a “number used once”; it is a method of protecting yourself from malicious attackers, generated in the code to verify that you are who you say you are), and from there you can use the generated nonce to grab the credentials stored in the AJAX handler and away you go!
More Information about this vulnerability here
Fancybox for WordPress
I have a few sites that use Fancybox and also a few sites that got malware recently. Correlation = causation? Apparently so. This was just reported today, so I thought I’d mention it. It all started with this forum post
I was going to discuss how to actually inject malware into Fancybox, but I’m going to gloss over it, because apparently Fancybox isn’t interested in patching their plugin. To put it simply, it’s the same URL variable attack that you’ve been seeing.
The update action will allow you to do a quick and easy injection of code into Fancybox; this has been used for malware attacks in the past few days. (Edit: It seems that in the past two hours they have actually updated the plugin so it’s secure, so I might come back and finish writing out the attack.)
Please note that fancybox.js is not Fancybox for WordPress; they’re totally different.
More information for this here
Easy Media Gallery
Easy Media Gallery is such a gorgeous plugin; I use it a lot, and so do a lot of other people. It has had a whole host of vulnerabilities these past couple of years, most due to its administrative functions being open to literally everyone. The lack of nonces (which we discussed earlier) allows any user to execute those functions and escalate themselves to admin. The AJAX function opens itself up to attack, but it’s just one of many that can be used as an attack vector for a cross-site scripting attack.
This was first reported here, and there’s also a nice proof-of-concept script. I think this is patched, but given the history of this plugin, it’ll be a matter of months before yet another vulnerability is discovered.
WP Ultimate CSV Importer
I grabbed this one because I absolutely hate these types of plugins. I can’t think of anything better to go after than a plugin that’s going to be mucking around in your database directly. Essentially, anyone under the sun can run the export script and pull the entirety of your WordPress database with a simple POST to the export.php script, asking for all of your users.
is the URL you’ll want to request from and you’ll just pass a POST request for the following:
It’ll return all the users and their hashed passwords. This was patched unsuccessfully once, but it has been patched in the most recent version.
More info about this vulnerability here
All-In-One WP Security Plugin
I think out of all the WordPress vulnerabilities, SQL injections remain my favorite because they’re so common. It’s only recently that contact forms have begun sanitizing queries; Contact Form 7 was for the longest time the biggest pain in my rear because you could easily drop the database with the Name field. This one is a little trickier, but I thought it was ironic because it’s a security plugin, so I’d include it. Essentially, the All In One Security plugin did not sanitize queries at all, which allowed the attacker to do a SQL injection through a GET request.
The orderby variable was not sanitized, which allows you to inject directly into the database as long as you remember to convert your ASCII to HTML codes, which is a given.
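The reason an unsanitized orderby is so nasty is that $wpdb->prepare() can only bind values, not column names, so the usual fix does not apply. Below is an added example (not the All In One plugin’s own code) of the pattern beside a whitelisted version; the table name, column set and function names are placeholders.

```php
<?php
// Added example, not plugin code. Table and columns are placeholders.

// BEFORE: the raw GET value is dropped straight into ORDER BY.
// prepare() cannot help here because identifiers cannot be bound,
// so whatever the visitor sends becomes part of the SQL statement.
function aios_example_list_events_vulnerable() {
    global $wpdb;
    $orderby = isset($_GET['orderby']) ? $_GET['orderby'] : 'id';
    $sql = "SELECT * FROM {$wpdb->prefix}example_events ORDER BY $orderby";
    return $wpdb->get_results($sql);
}

// AFTER: the parameter only ever selects from a closed list of
// column names; anything else falls back to the default column.
function aios_example_safe_orderby($requested) {
    $allowed   = array('id', 'event_type', 'ip', 'created');
    $requested = sanitize_key($requested);   // lowercase, [a-z0-9_-] only
    return in_array($requested, $allowed, true) ? $requested : 'id';
}

function aios_example_list_events_fixed() {
    global $wpdb;
    $orderby = aios_example_safe_orderby(isset($_GET['orderby']) ? $_GET['orderby'] : 'id');
    // Direction is likewise reduced to one of two literals.
    $order = (isset($_GET['order']) && strtoupper($_GET['order']) === 'DESC') ? 'DESC' : 'ASC';
    // $orderby and $order now come from fixed sets, so interpolating them
    // is safe; the LIMIT is user data and still goes through prepare().
    $limit = isset($_GET['limit']) ? (int) $_GET['limit'] : 50;
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}example_events ORDER BY $orderby $order LIMIT %d",
        $limit
    );
    return $wpdb->get_results($sql);
}
```

Encoding tricks on the attacker’s side do not matter to the fixed version, because the decoded value is compared against the list and discarded if it is not an exact match.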
More info about this here
WordPress Download Manager
Another issue with anyone in the world being able to execute a sensitive function from within WordPress; this one’s developer is actually what made me think to include it. He’s hilarious.
Okay, so let’s talk about the vulnerability instead (but seriously, his responses to the one-star reviews bring me life). There is a wpdm_ajax_call_exec() function, and within that function they allow the POST to execute, which means that any user can do whatever they want within the context of the ajax_call_exec function. This would allow us to generate the nonce required to execute higher admin functions. Once the nonce is generated, the attacker can do whatever he wants. The one Sucuri mentioned was uploading a payload into the admin directory and executing it. Let’s walk through this super quick.
Homelab.it did a nice proof-of-concept script (and video) using this exploit to add a user to WordPress, so using this handy-dandy exploit script you just run it against the target site:
python wp_download_manager_274_add_admin.py -t http://targetsite.com
and now you’re an admin on the target site!
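The UpdraftPlus nonce leak, the Easy Media Gallery missing-nonce bugs and the Download Manager wpdm_ajax_call_exec() issue above all come from the same shape of code: an AJAX handler that runs for anyone and hands out, or acts on, privileged operations without asking who is calling. Here is an added example (not code from any of those plugins) of that shape beside the hardened form; the hook name, nonce action and option key are placeholders.

```php
<?php
// Added example, not plugin code. Names below are placeholders.

// BEFORE: registered for logged-in AND anonymous visitors, and it does
// whatever the request asks without checking who is asking.
add_action('wp_ajax_example_admin_op', 'example_admin_op_vulnerable');
add_action('wp_ajax_nopriv_example_admin_op', 'example_admin_op_vulnerable');
function example_admin_op_vulnerable() {
    $op = isset($_POST['op']) ? $_POST['op'] : '';
    if ($op === 'get_nonce') {
        // Hands a nonce for a privileged action to anyone who asks.
        wp_send_json_success(array('nonce' => wp_create_nonce('example_admin_op')));
    }
    if ($op === 'set_option') {
        // No nonce check, no capability check, no sanitizing.
        update_option('example_setting', $_POST['value']);
        wp_send_json_success();
    }
    wp_send_json_error('unknown op');
}

// AFTER: only the logged-in hook exists, the request must carry a nonce
// issued to this user for this action, and the user must hold the
// capability the operation needs. The nonce is emitted in the admin
// page markup (wp_nonce_field), never served by the AJAX endpoint.
add_action('wp_ajax_example_admin_op_fixed', 'example_admin_op_fixed');
function example_admin_op_fixed() {
    // Ends the request with HTTP 403 if the nonce is missing or invalid.
    check_ajax_referer('example_admin_op', 'security');
    if (!current_user_can('manage_options')) {
        wp_send_json_error('insufficient privileges', 403);
    }
    $op = isset($_POST['op']) ? sanitize_key($_POST['op']) : '';
    if ($op === 'set_option') {
        $value = isset($_POST['value']) ? sanitize_text_field(wp_unslash($_POST['value'])) : '';
        update_option('example_setting', $value);
        wp_send_json_success();
    }
    wp_send_json_error('unknown op', 400);
}

// The settings page that talks to the fixed handler embeds the nonce here.
function example_admin_page_form() {
    echo '<form method="post">';
    wp_nonce_field('example_admin_op', 'security');
    echo '</form>';
}
```

A nonce alone is not authorization, which is why the fixed handler checks current_user_can() as well: a subscriber who can load the page still gets a valid nonce for their own session.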
What can I do to prevent my site from being hacked?
I did all this research for a workshop on h4xx0rs, but honestly, keeping your plugins up to date, making sure your plugin developers respond to vulnerability reports and following some security resources is all you need. Plugins make great attack vectors because anyone can make them!
Definitely keep an eye on Sucuri’s blog and Twitter; I see their representatives crawling all over WordPress forums for the latest problems that anyone running a WordPress install might encounter.
This WordPress Vulnerability Database is definitely one I have in my RSS feed reader to keep on top of things.
WordPress is hella insecure; literally, people laugh at me when I tell them a major part of my job is making sure my clients don’t get hacked. WordPress and security have never been in the same sentence together, so it’s up to us as administrators of this monstrosity of a CMS to constantly be alert.
Edit: All of these bugs had been patched before I posted this article; it is illegal to report 0-days without giving the software creator/manufacturer notice and time to patch before reporting. In all of the “Read More” links you can either see which version is patched, so you can make sure the plugin on your install is patched, or when they expect to release it.