Joomla Media Manager Attacks in the Wild

If you are using Joomla and didn’t update your site recently, you better stop doing whatever you are doing, and update it now. There is a very serious vulnerability in Joomla’s Media Manager component (included by default), that can allow malicious files to be uploaded to your site.

The only two safe versions of Joomla are 3.1.5 and 2.5.14. If you are not using either of them, you are at risk.


Read More

W3 Total Cache and WP Super Cache Vulnerability Being Targeted in the Wild

As if on queue, almost 7 days since we released the post about the latest W3TC and WP Super Cache remote command execution vulnerability, we have started to see attacks spring up across our network.

In our post you might remember this:

<!–mfunc echo PHP_VERSION; –><!–/mfunc–>

In this example we explained how it was a very simple approach to displaying the version of PHP on your server. There were a lot of questions following that saying, well what’s so harmful in that. Etc… With little help from us the attackers go on to show us what they can do.

Taking a Look at the Attacks

In this section I’ll show you three of the various attacks we’re seeing. In each you can see how they abuse the mfunc vulnerability, one in a more traditional approach of injecting a backdoor and other in a more creative way that allows them to abuse HTTP headers. In either case they all seem to be getting passed via comments, and we give an example of that below. This is obviously for educational purposes only.

Read More

Game of Coins: The Uprise of Bitcoin Mining

Research by Daniel Cid. Authored by Dre Armeda.


One thing you can’t take away from some of the attackers we deal with everyday is their creativity. From time to time we write about new trends we’re seeing, and this post is no different. We’re seeing a new tactic recently, and it may be affecting your pockets, even if you’re not into the latest trend of using digital currency.

Game of Coins

Digital currency you say?

I sure did! Bitcoin to be exact.

Read More

Update WP Super Cache and W3TC Immediately – Remote Code Execution Vulnerability Disclosed

Shame on us for not catching this a month ago when it was first reported, but it seems that two of the biggest caching plugins in WordPress have what we would classify a very serious vulnerability – remote code execution (RCE), a.k.a., arbitrary code execution:

…arbitrary code execution is used to describe an attacker’s ability to execute any commands of the attacker’s choice on a target machine or in a target process. – Wikipedia

It appears that a user by the name of kisscsaby first disclosed the issue a month ago via the WordPress forums. As of 5 days ago both plugin authors have pushed new versions of their plugins disabling the vulnerable functions by default. The real concern however is the seriousness of the vulnerability and the shear volume of users between both plugins.

There are a few posts, released within the past few hours that do a great job of explaining what the issue was and what was being exploited. You can find some good after action thoughts on Frank Goosens’ blog and on Acunetix’s blog as well.

Why Such a Big Deal?


Read More

Mass WordPress Brute Force Attacks? – Myth or Reality

We are seeing in the media some noise about a large distributed brute force attacks against all hosts targeting WordPress sites. According to reports, they are seeing a large botnet with more than 90,000 servers attempting to log in by cycling different usernames and passwords against the WordPress access points: /wp-login.php and /wp-admin.

This got us thinking, well we block a lot of attacks why not look at the logs to see what they tell us. So we did.

The Data

Looking back, we can see in our historical database the following:

2012/Dec: 678,519 login attempts blocked

2013/Jan: 1,252,308 login attempts blocked (40k per day)

2013/Feb: 1,034,323 login attempts blocked (36k per day)

2013/Mar: 950,389 login attempts blocked (31k per day)

2013/Apr: 774,104 for the first 10 days – 77,410 per day


Read More

WordPress Plugin: Easy Digital Downloads – Security Flaw Discovered and Patched

Last night we were contacted by Adam Pickering about a security flaw discovered in Easy Digital Downloads (EDD), a free WordPress eCommerce plugin that allows you to sell digital downloads. If you use EDD and haven’t done so already, please make sure to upgrade to Version 1.4.4.2 immediately!

The plugin author, Pippin Williamson received word about the flaw within hours of it being validated, and had a patched version up on the WordPress Plugin Directory within the hour.

Read More

Ruby on Rails Vulnerability Leads to Remote Command Execution on Servers

As always, the year is kicking off with a bang. This is a public service announcement to get the word out on a very serious vulnerability found, and patched, on the Ruby on Rails application. It’s estimated that there are some 250k + websites using the application so it’s important the word gets out.

On January 8th a very serious vulnerability was released for the Ruby on Rails application. A number of proof of concepts (PoC) on how to exploit, demonstrating the seriousness have been posted on several forums and blogs. One of the better ones is on Ronin blog. The issues comes down to the parameter parsing component of the application, it contains a weakness that allows an attacker to bypass authentication systems, inject and execute arbitrary code and perform denial of service (DoS) attacks on any Ruby application.

It’s important to note that this vulnerability has since been patched and it’s imperative that if you’re using the Ruby on Rails application you update immediately.

The one attack vector that stands out from the rest is the arbitrary injection and execution of code at the server level. This means that the threat goes beyond your application and has the potential to penetrate further into your infrastructure and / or impact any neighboring applications that may not be built on Ruby on Rails. Instead of drafting the reasons this is so serious I’ll reference another good post that articulates and summarizes the issue well, on Code Climate:

Threat Agents: Anyone who is able to make HTTPs request to your Rails application.
Exploitability: Easy — Proof of concepts in the wild require only the URL of the application to attack a Ruby code payload.
Prevalence: Widespread — All Rails versions prior to those released on Tuesday are vulnerable.
Detectability: Easy — No special knowledge of the application is required to test it for the vulnerability, making it simple to perform automated spray-and-pray scans.
Technical Impacts: Severe — Attackers can execute Ruby (and therefore shell) code at the privilege level of the application process, potentially leading to host takeover.
Business Impacts: Severe — All of your data could be stolen and your server resources could be used for malicious purposes. Consider the reputation damage from these impacts.

W3 Total Cache Implementation Vulnerability

Just in time for Christmas, it was announced on the full disclosure list a security (configuration/implementation) bug on W3 Total cache (W3TC), one of the most popular WordPress plugins.

The issue is connected to the way W3TC stores the database cache (in a public accessible directory). It can be used to retrieve password hashes and other database information.

By default the plugin will store the caches inside /wp-content/w3tc/dbcache/ and if you have directory listing enabled, anyone can browse to yoursite.com/wp-content/w3tc/dbcache/ and download them. The second issue is that even if you don’t have directory listing enabled, it is still possible to guess those directories/files in order to extract the database cache queries and results.

Read More

PSA: December Zero Day’s Announced – MySQL, FreeSSH, Free FTPD

So it looks like we’re closing out the year in style in 2012. This weekend a number of new, very serious, zero-day vulnerabilities were released for a number of very popular applications – MySQL, FreeSSH, Free FTPD.

MySQL

FTPD

>FreeSSHD

Of the three, the most concerning is obviously MySQL. If you listen to any of our security presentations you know that your application is but one piece of the puzzle, and you environment is a critical component of that puzzle too.

MySQL is integral to any LAMP based application – LAMP = Linux, Apache, MySQL, PHP – this includes many open source content management systems (CMS) like WordPress, Joomla, Drupal, Magento, osCommerce and many more. This is exceptionally dangerous to those environments in which MySQL is being published (i.e., not bound to itself or it’s port open) to the world and applies to VPS and Shared environments alike.

SFTP/FTP Password Exposure via sftp-config.json

Have you heard of the file sftp-config.json? You haven’t? Neither did we until a few weeks ago.

It is used by some SFTP/FTP clients (Sublime SFTP is one) to pre-configure SFTP/FTP connections to remote sites and it contains some useful information in there (not encrypted):

“type”: “ftp”,
..
“host”: “FTP HOST”,
“user”: “FTP USER”,
“password”: “FTP PASS”,
“port”: “21″,

Which makes a lot easier to connect and manage remote servers. However, with extra flexibility comes some serious security issues if not used properly.

Read More