Disclosure: Insecure Nonce Generation in WPtouch

If you use the popular WPtouch plugin (5m+ downloads) on your WordPress website, you should update it immediately.

During a routine audit for our WAF, we discovered a very dangerous vulnerability that could potentially allow a user with no administrative privileges, who was logged in (like a subscriber or an author), to upload PHP files to the target server. Someone with bad intentions could upload PHP backdoors or other malicious malware and basically take over the site.

So to make a long story short, if you’re running WPtouch, then update immediately!

Update (11:18am): This disclosure only applies to 3.x versions of WPtouch. Administrators using 2.x and 1.x versions of the plugin will not be affected by the vulnerability.

What are the risks?

First of all, this vulnerability can only be triggered if your website allows guest users to register. If your site falls within this category, a logged-in attacker could potentially take over your website by uploading a backdoor (remote shell) inside your website’s directories, allowing him to do anything he wants with your website.

Technical Details

If you read our last disclosure, you may remember that we mentioned that the WordPress “admin_init” hook should not be used as an authentication method. This bug illustrates another reason that the “admin_init” hook should not be used in this way (though, it does so more subtly).

In the file “core/class-wptouch-pro.php”, the “admin_initialize()” method was called by the “admin_init” hook.

Here is the interesting piece of it:

function admin_initialize() {
    (…)
    // load the rest of the admin scripts when we're looking at the WPtouch Pro page
    if ( $this->admin_is_wptouch_page() ) {
        (…)
    } else {
        $localize_params = array(
            'admin_url'   => get_bloginfo( 'wpurl' ) . '/wp-admin',
            'admin_nonce' => wp_create_nonce( 'wptouch_admin' )
        );
        (…)
        // Set up AJAX requests here
        wp_localize_script( 'wptouch-pro-other-admin', 'WPtouchCustom', $localize_params );
    }
    (…)
}

Notice that the admin nonce is generated and handed to a script in the WordPress queue for every logged-in user who reaches the admin area, not just administrators. You can probably see where we’re going with this.

function handle_upload_file() {
    $this->cleanup_post_and_get();
    header( 'HTTP/1.1 200 OK' );
    $nonce = $this->post['wp_nonce'];
    if ( wp_verify_nonce( $nonce, 'wptouch_admin' ) ) {
        switch ( $this->post['file_type'] ) {
            (…some upload mechanism…)
        }
    }
    die;
}

This same nonce was also the only thing checked before a user was allowed to upload files to the server. Since the script used no other form of identification to authenticate the user or check their privilege to upload files, any user who held the nonce could complete the upload.

All an attacker had to do in order to compromise a vulnerable website was:

  1. Log in and get his nonce via wp-admin
  2. Send an AJAX file upload request containing the leaked nonce and his backdoor

For developers, the key takeaway from all of this should be to never rely on nonces alone to protect sensitive methods. A nonce only proves that the request came from a page WordPress rendered for that user (CSRF protection); it says nothing about whether that user is allowed to perform the action. Always add a capability check such as “current_user_can()” to confirm the user’s right to do something.
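The following is an added illustration of that takeaway, not code from WPtouch or from the original post. It shows the two handlers discussed above rewritten so that the nonce is only handed to users who may upload, and the AJAX endpoint re-checks both the nonce and the capability. The function names, script handle and nonce action (everything prefixed `example_`) are assumed, and the `example-plugin-admin` script is assumed to have been enqueued earlier.

```php
<?php
// Added example (not WPtouch's own code). All example_* names, the
// 'example-plugin-admin' script handle and the 'example_plugin_upload'
// nonce action are assumed for illustration.

// 1. Only hand the nonce to users who are actually allowed to upload.
//    A nonce is a CSRF token, not an authorization token, so the
//    capability check is what decides who may use the endpoint at all.
function example_admin_initialize() {
    if ( ! current_user_can( 'upload_files' ) ) {
        return; // subscribers and other low-privilege roles get no upload nonce
    }
    wp_localize_script(
        'example-plugin-admin',   // assumed: enqueued earlier via wp_enqueue_script()
        'ExamplePluginAdmin',
        array(
            'ajax_url' => admin_url( 'admin-ajax.php' ),
            'nonce'    => wp_create_nonce( 'example_plugin_upload' ),
        )
    );
}
add_action( 'admin_init', 'example_admin_initialize' );

// 2. The AJAX handler verifies both the nonce (CSRF) and the capability
//    (authorization) on every request. A leaked nonce alone is useless
//    to a user who lacks the 'upload_files' capability.
function example_handle_upload_file() {
    // Terminates the request with HTTP 403 if $_REQUEST['wp_nonce'] is
    // missing or does not match the 'example_plugin_upload' action.
    check_ajax_referer( 'example_plugin_upload', 'wp_nonce' );

    // The authorization check that was missing from the vulnerable handler.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    if ( empty( $_FILES['file'] ) ) {
        wp_send_json_error( 'no file supplied', 400 );
    }

    // wp_handle_upload() enforces the site's allowed MIME/extension list
    // (get_allowed_mime_types()), so a .php payload is rejected instead of
    // being written into the uploads directory.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $_FILES['file'], array( 'test_form' => false ) );

    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
add_action( 'wp_ajax_example_upload_file', 'example_handle_upload_file' );
```

Two design points are worth noting. First, the capability check appears in both places: withholding the nonce from low-privilege users removes the leak, but the endpoint must not trust that, since a nonce can still reach an attacker through other channels. Second, the handler is registered only on `wp_ajax_*`, never `wp_ajax_nopriv_*`, so unauthenticated callers never reach it.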

Update as soon as possible!

This vulnerability illustrates, yet again, why attackers will always be able to find some way into your system. Even if you had been adhering to the principle of least privilege, you would still have been vulnerable because of a small error in the code, and since humans write code, there will always be errors that attackers will be able to exploit.

In this case, the great thing is that we disclosed the vulnerability to the WPtouch team and they swiftly put a patch online to correct this issue (version 3.4.3 – WPtouch Changelog). In order to correct this issue on your website, all you have to do is to update the plugin on your administration panel. And like we said before, you should do so ASAP.

Finally, if you’re noticing anything strange with your website, make sure to check out our easy to understand malware symptoms. If you need help, we’re always available to take a look at your website to make sure hackers haven’t taken control of your environment.

For our customers: The good news is that every website that is protected by our Website Firewall – CloudProxy is already protected against this vulnerability, so that means your website is secure.

About Marc-Alexandre Montpas

His passion for code and IT security has no limit. You'll generally find him competing in security capture-the-flag competitions or searching for security vulnerabilities in widespread products for the fun of it. He's also a great fan of heavy-metal music.

  • http://www.rivmedia.co.uk/ Adam H

    Had one site running WPtouch, happened to be one I hadn't logged into for some time as well. Thanks for the heads up.

  • Jozef R

    Hi Marc,

    I would like to ask you, is this vulnerability present also in version < 3?

    I have lots of sites using WP Touch 2.x because of custom design, so it will be pretty difficult and time consuming to update all my sites to the current version.

    Or can version 2.X be patched in some way (commenting out some lines…)?

    Thanks a lot!

    • Marc Montpas

      Hi Jozef. No, this issue only affects websites running version 3.x.

  • Demian Scott

    Hello Marc
    how can I run the exploit with metasploit

  • Anne

    2 questions:
    1. What if you’re already updated? Will that be enough to protect?
    2. Would deleting all site registrants help this situation? Most of mine are auto spam so I’d have no problems giving them the boot :)

    Thanks!

  • Stephan Beal

    The easiest way to fix ALL WP cracks is to make all of the PHP files and wp dirs read-only:

    find wp-dir -exec chmod 0440 {} \;

    or something along those lines. Even my oldest WP installations haven’t been cracked in the 8+ years I’ve been doing that.