Rodrigo is a Senior Security Analyst and one of the leads on the Remediation / Support team. His diet consists of web-based malware in the morning, backdoors in the afternoon and security research in the evening. You can find him on Twitter: @ipaxdc.

Malware Cleanup to Arbitrary File Upload in Gravity Forms

During our regular cleanup process we came across a reinfection case that caught our attention.

This particular environment didn’t have anything special or fancy: it was an up-to-date WordPress installation with 3 out-of-date plugins, which is pretty typical.

After running through our processes and cleaning the environment, we kept coming back to a reinfection; the attacker kept uploading malicious files to the server.

[Screenshot: file-modified]

This got us very curious and so we had to dig a little deeper.

The malicious files were being uploaded to ‘/wp-content/uploads/gravity_forms’ and ‘/wp-content/uploads’ on Feb 21st, but how?

While forensics is not a default offering and the client was not using our Website Firewall (which would have prevented the reinfection), we do love a good challenge, so why not investigate when a case is as curious as this one? Fortunately, we had access to the logs and were able to find some interesting requests to those particular files.

With that in mind, we started looking for different variations of “_input_” and found a lot of requests to those files.

[Screenshot: file-requests]

We went back a few days in the logs to find what preceded those requests and where they could have come from.

[Screenshot: file-source]

In analyzing the log files, we came across these requests to “?gf_page=upload”; that sounds interesting, doesn’t it?

We searched for that string in the file system and found an instance within the WordPress plugin Gravity Forms (outdated version 1.8.19).
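As an added example that is not part of the original post, the following PHP script runs the same two log searches described above over access-log lines: requests to the “?gf_page=upload” handler, and requests for PHP files under wp-content/uploads whose names follow the “_input_” pattern. The log lines are constructed for illustration, and classify_log_line() / scan_log() are this example’s own names.

```php
<?php
// Added example, not code from the original post: flag the two indicators
// described above in Apache combined-format access-log lines:
//   1) requests to the Gravity Forms upload handler (?gf_page=upload)
//   2) requests for a PHP file under wp-content/uploads whose name follows the
//      <unique_id>_input_<field_id>_<name> pattern
// The sample log lines at the bottom are constructed for this example.

function classify_log_line(string $line): ?string {
    // Pull the request line: "METHOD /path?query HTTP/x.y"
    if (!preg_match('/"(GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
        return null;
    }
    [$method, $path] = [$m[1], $m[2]];

    if (preg_match('/[?&]gf_page=upload\b/', $path)) {
        return "gf_page=upload request ($method)";
    }
    if (preg_match('#/wp-content/uploads/.*_input_\d+_[^/]*\.php(\?|$)#i', $path)) {
        return 'PHP file with the _input_ temp-name pattern requested';
    }
    return null;
}

// Returns one entry per suspicious line: line number, source IP and reason.
function scan_log(array $lines): array {
    $hits = [];
    foreach ($lines as $i => $line) {
        $reason = classify_log_line($line);
        if ($reason !== null) {
            $ip = strtok($line, ' ');   // first field of the combined format
            $hits[] = ['line' => $i + 1, 'ip' => $ip, 'reason' => $reason];
        }
    }
    return $hits;
}

// Constructed sample: a normal page hit, the upload handler being called, the
// dropped PHP file being requested, and a benign image that happens to carry
// "_input_" in its name (must not be flagged).
$sample = [
    '203.0.113.5 - - [21/Feb/2015:10:02:11 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [21/Feb/2015:10:02:14 +0000] "POST /?gf_page=upload HTTP/1.1" 200 57 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [21/Feb/2015:10:02:20 +0000] "GET /wp-content/uploads/gravity_forms/_input_1_test.php HTTP/1.1" 200 13 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [21/Feb/2015:10:05:02 +0000] "GET /wp-content/uploads/2015/02/_input_1_logo.jpg HTTP/1.1" 200 8831 "-" "Mozilla/5.0"',
];

foreach (scan_log($sample) as $hit) {
    printf("line %d from %s: %s\n", $hit['line'], $hit['ip'], $hit['reason']);
}
```

Pipe a real access log into scan_log() line by line; a successful (200) request for a .php file under the uploads tree is the strongest of the two signals, since that directory should never serve scripts.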

Gravity Forms is a WordPress plugin used originally for contact forms, but in a more general sense, it allows site owners to create forms to collect information. Gravity Forms can be used for contact forms, WordPress post creation, calculators, employment applications and more.

Written in PHP, Gravity Forms uses many WordPress built-in functions and features to power its form builder. It also uses the same MySQL database system as WordPress, but stores all forms and entries in its own tables.

Gravity Forms is open source and GPL licensed. All of the code included is unencrypted, and easy to modify. We’ve added in tons of hooks and filters to be able to customize Gravity Forms to your heart’s content.

Upon further investigation, we found “?gf_page=upload” inside common.php at line 3635.

[Screenshot: gf_page]

It was very interesting, though not in a good way: there was no sanitization of that request.

For testing purposes, I requested “?gf_page=upload” to see what would happen and, interestingly enough, we got this:

[Screenshot: failed-upload]

That led us to search for where the message was being produced.

[Screenshot: failed-upload-from]

From checking upload.php, we see that $_REQUEST["form_id"] has to be set, otherwise the upload fails.
Keep in mind that at this point we had already bypassed any protections that could prevent unauthorized users from accessing that resource.

I set the value of form_id to 1 and made another request from a crafted upload form; this time the error was a little different.

[Screenshot: file-type-not-allowed]

As I tried sending a test.php, we hit a function, file_name_has_disallowed_extension(), that prevented such a file from being uploaded, but we’re stubborn, so let’s not give up.

Checking the declaration of those functions in common.php showed why this happened.

There’s a list of disallowed extensions in get_disallowed_file_extensions() that file_name_has_disallowed_extension() checks against, and php is on it.

[Screenshot: file-allowed-extensions]

It basically means that we can’t upload .php files, right? Wrong, and let’s see why.

Inside includes/upload.php, we see that we have total control over the filename being uploaded as well as how the file is saved on the server. Lines 54 and 55 give us that power through simple HTTP request parameters.

We also see that if $field is empty, the execution dies (lines 59 and 60), so we set field_id to 1.

[Screenshot: file-upload-filename]

After changing the filename from test.php to test.jpg, we got a very interesting response.

[Screenshot: file-upload-success]

The file was uploaded to the server, but its name is _input_1_, so we can’t do much with it.
It turns out that this is how the temp_filename is created:

[Screenshot: file-tmp-filename]

Breaking that down, we have the following:

$form_unique_id: we didn't set any value here, so it is empty
_input_: hardcoded
$field_id: we set this to 1, as mentioned above
_: hardcoded
$file_name: we control this data, so we can set a .php name here

Our $tmp_file_name is ready to go and we finally got what we were looking for! :)

[Screenshot: file-success-php]
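To make the root cause concrete, here is an added PHP model of the naming flaw walked through above (the extension check runs on one name while a different, unchecked request value ends up in the stored filename) beside a hardened version that validates the name actually written to disk. This is example code, not Gravity Forms’ own; the function names, the $request keys ('unique_id', 'field_id', 'name') and the extension list are stand-ins for the plugin’s internals.

```php
<?php
// Added example, not Gravity Forms' code: a minimal model of the naming flaw
// described above, beside a hardened version. Function names, the $request
// keys ('unique_id', 'field_id', 'name') and the extension list are this
// example's own stand-ins for the plugin's internals.

const BLOCKED_EXTENSIONS = ['php', 'phtml', 'phar']; // illustrative, not the plugin's list

function has_disallowed_extension(string $name): bool {
    // Compare the final extension only, case-insensitively, ignoring a trailing dot
    $ext = strtolower(pathinfo(rtrim($name, '. '), PATHINFO_EXTENSION));
    return in_array($ext, BLOCKED_EXTENSIONS, true);
}

// Flawed shape: the extension check runs on the uploaded file's own name, while
// the name written to disk is assembled from a *different*, unchecked request value.
function build_tmp_name_flawed(array $request, string $uploaded_name): ?string {
    if (has_disallowed_extension($uploaded_name)) {
        return null;                                   // "file type not allowed"
    }
    $form_unique_id = $request['unique_id'] ?? '';     // empty when the client omits it
    $field_id       = $request['field_id'] ?? '';
    $file_name      = $request['name'] ?? $uploaded_name;
    return $form_unique_id . '_input_' . $field_id . '_' . $file_name;
}

// Hardened shape: validate the name that will actually be stored, reduce it to a
// safe basename, and mint the unique id server-side instead of trusting the client.
function build_tmp_name_hardened(array $request, string $uploaded_name): ?string {
    $field_id = (int) ($request['field_id'] ?? 0);
    if ($field_id <= 0) {
        return null;
    }
    $file_name = basename((string) ($request['name'] ?? $uploaded_name));
    $file_name = (string) preg_replace('/[^A-Za-z0-9._-]/', '_', $file_name);
    if ($file_name === '' || has_disallowed_extension($uploaded_name)
        || has_disallowed_extension($file_name)) {
        return null;
    }
    $form_unique_id = bin2hex(random_bytes(8));        // never taken from the request
    return $form_unique_id . '_input_' . $field_id . '_' . $file_name;
}

// Mirrors the post: the upload is named test.jpg, the separately supplied
// save-name ends in .php, and no unique id is sent.
$request = ['form_id' => '1', 'field_id' => '1', 'name' => 'test.php'];
var_dump(build_tmp_name_flawed($request, 'test.jpg'));   // the .php save-name passes through
var_dump(build_tmp_name_hardened($request, 'test.jpg')); // rejected: stored name is checked too
```

A denylist of extensions is fragile on its own, so in practice it is paired with an allowlist of the types a form actually expects and with the web server configured not to execute scripts under wp-content/uploads.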

Conclusion

From checking the changelog for Gravity Forms, we see that the security fix was applied in version 1.8.20; please update as soon as possible: http://www.gravityhelp.com/gravity-forms-v1-8-20-released/

Gravity Forms v1.8.20 is now available via automatic update and the customer downloads page. This is an important security and maintenance release.
We recommend all users update as soon as possible. It is important to always keep WordPress, plugins and themes up to date as a matter of best practice.

  • Fixed a security issue with the file upload field.

Versions 1.8.19 and lower might be affected by this vulnerability.

We always say that keeping all software updated is one of the most important steps you can take towards reducing the risk of infection, and this post is a good example of why.

This is a dangerous vulnerability; you should update all of your websites using this plugin as soon as possible. If for any reason you cannot, we highly recommend you have a look at our Website Firewall (WAF) product. It’s designed to help you stay ahead of vulnerabilities like the one described here, and many more.
