Affected Plugin: Duplicator
Affected Versions: <= 1.3.26
CVSS Score: 7.5 (Higher)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Patched Version: 1.3.28
A critical protection update was lately issued for Duplicator, probably the most well-known plugins in the WordPress ecosystem. More than a million WordPress websites were suffering from a vulnerability enabling attackers to download arbitrary documents from victim websites. We desire all Duplicator customers to update to edition 1.3.28 as quickly as possible.
We are detecting energetic exploitation of the vulnerability in the open, and estimate over fifty percent a million sites remain running a vulnerable edition. Built-in firewall defense prevents these assaults for several Wordfence users, both Superior and the ones still on the totally free edition of Wordfence. As constantly, it’s still vital that you perform security updates irrespective of other protections.
Within today’s write-up, we’ll have a brief consider the vulnerable program code, discuss its severity, and reveal information on the ongoing episodes against it.
Document Download Vulnerability Evaluation
The Duplicator plugin helps site administrators migrate and copy WordPress sites. Section of this features involves exporting data source and file content material into transportable archives. When an administrator generates a new copy of these site, Duplicator enables them download the created data files from their WordPress dashboard.
This was implemented being an AJAX request within Duplicator’s admin user interface. The download control keys each trigger a contact to the WordPress AJAX handler with the motion duplicator_download and a file parameter, indicating the positioning of the document to end up being downloaded. When clicked, the requested document is downloaded and an individual doesn’t have to depart or reload their current web page.
open public static function duplicator_download() $file = sanitize_text_industry($_GET['file']); $filepath = DUPLICATOR_SSDIR_PATH.'/'.$file; // Process download if(file_exists($filepath)) // Clean output buffer if (ob_get_degree() !== 0 && @ob_end_clean() === FALSE) @ob_clean(); header('Content-Description: File Move'); header('Content-Type: application/octet-stream'); header('Content-Disposition: attachment; filename="'.basename($filepath).'"'); header('Expires: 0'); header('Cache-Control: must-revalidate'); header('Pragma: public'); header('Content-Size: ' . filesize($filepath)); flush(); // Flush system result buffer try $fp = @fopen($filepath, 'r'); if (false === $fp) throw brand new Exception('Fail to open up the file '.$filepath); while (!feof($fp) && ($information = fread($fp, DUPLICATOR_BUFFER_READ_WRITE_SIZE)) !== Fake) echo $data; @fclose($fp); catch (Exception $e) readfile($filepath); exit; else wp_die('Invalid installer document name!!');
Unfortunately the duplicator_download actions was registered via wp_ajax_nopriv_ and has been accessible to unauthenticated customers. To make things even worse, no validation restricted the filepaths getting downloaded. The
file parameter is exceeded through
sanitize_textual content_field and appended to the plugin continuous DUPLICATOR_SSDIR_PATH, but directory traversal had been still probable. An attacker could accessibility files beyond Duplicator’s intended directory by submitting ideals like
../../../document.php to navigate through the entire server’s document structure.
In add-on to the AJAX activity, exactly the same vulnerability existed in Duplicator’s duplicator_init() function, to create by WordPress’s
perform duplicator_init() if (isset($_GET['motion']) && $_GET['actions'] == 'duplicator_download') $file = sanitize_text_industry($_GET['file']); $filepath = DUPLICATOR_SSDIR_PATH.'/'.$file; // Process download if(file_exists($filepath)) // Clean output buffer if (ob_get_degree() !== 0 && @ob_end_clean() === FALSE) @ob_clean(); header('Content-Description: File Exchange'); header('Content-Type: application/octet-stream'); header('Content-Disposition: attachment; filename="'.basename($filepath).'"'); header('Expires: 0'); header('Cache-Control: must-revalidate'); header('Pragma: public'); header('Content-Duration: ' . filesize($filepath)); flush(); // Flush system result buffer try $fp = @fopen($filepath, 'r'); if (false === $fp) throw brand new Exception('Fail to open up the file '.$filepath); while (!feof($fp) && ($information = fread($fp, DUPLICATOR_BUFFER_READ_WRITE_SIZE)) !== Fake) echo $data; @fclose($fp); catch (Exception $e) readfile($filepath); exit; else wp_die('Invalid installer document name!!'); add_activity('init', 'duplicator_init');
Because it had been hooked into init, this functionality was executed on every WordPress web page load for logged-in customers and unauthenticated visitors as well. This implies an attacker could result in a file download with the addition of query strings to any route on a vulnerable web site, bypassing AJAX-particular monitoring.
Both of the vulnerable cases have already been patched by Duplicator 1.3.28. The AJAX motion has been up-to-date to correctly validate filenames, and today requires a complementing ID and hash to permit the document download. The duplicator_init() perform has been removed completely.
Attackers Stealing Data source Credentials
Arbitrary document download vulnerabilities could be a critical problem whatever the vulnerable web site’s system, but such assaults against WordPress websites largely target one document: wp-config.php.
Depending on the website, wp-config.php may contain any quantity of custom program code, but attackers focus on it to gain access to a web site’s data source credentials. With one of these credentials, an attacker can straight access the victim web site’s data source if it allows remote control connections. This access may be used by an attacker to generate their very own Administrator account and additional compromise the web site, or just to inject articles or harvest information.
Sites with nearby databases still have result in for problem, however. On shared enviroment environments, it’s easy for one consumer on a shared server to gain access to the neighborhood database of another web site on a single server. This certainly limitations the attack surface area of the vulnerable web site, but continues to be a severe concern.
At the time of the writing, Wordfence provides blocked a lot more than 60,000 attempts to download wp-config.php files with this particular vulnerability. About 50,000 of the events occurred before Duplicator patched the flaw, causeing this to be a zero-time vulnerability.
Nearly most of these attacks were issued from exactly the same Ip:
18.104.22.168. This IP factors to a webserver situated in Bulgaria, possessed by Varna Information Center EOOD. A small number of sites are hosted with this server, suggesting the attacker could possibly be proxying their episodes by way of a compromised website. We've associated this Ip with other malicious exercise against WordPress lately, and analysis into its action is ongoing.
Indicators Of Compromise (IOCs)
The following Indicators of Compromise (IOCs) may be used to determine if your website might have been attacked.
- Visitors logged from the risk actor’s Ip is highly recommended suspicious:
- Attacks in this marketing campaign are issued via Obtain requests with the next query strings:
- Note: Because this vulnerability could be exploited via WP AJAX, it’s feasible to exploit via Write-up request. In cases like this, it’s easy for the
actions parameter to be passed within the POST body rather than the query string. This can prevent the action=duplicator_download string from appearing within HTTP logs. Thebe approved as a query string, however, and is really a reliable indicator.
file parameter must
- February 10th, 2020 – First assaults against Duplicator vulnerability. Wordfence customers already safe because of built-in firewall safety.
- February 12th, 2020 – Duplicator releases edition 1.3.28 to patch the flaw.
Duplicator’s massive install bottom, combined with the simple exploiting this vulnerability, can make this flaw a noteworthy focus on for hackers. It’s crucial that Duplicator’s users revise their plugins to the most recent available version as quickly as possible to remove this danger. All Wordfence customers are safeguarded from these episodes, but don’t forget to up-date despite this. Also, because of the character of Duplicator’s efficiency, it’s likely that it’s no more required on your own site. For those who have no intent of deploying it to migrate or clone your website in the immediate upcoming, it is possible to delete the plugin without get worried. It can continually be reinstalled afterwards if needed.
If you believe your website was attacked via this vulnerability, it’s critical that you alter your data source credentials and WordPress salts instantly. If you’re concerned an attacker could have gained unauthorized usage of your website, consider having our specialist analysts perform Site Security Audit to make sure your safety is intact.
The post Active Attack on Recently Patched Duplicator Plugin Vulnerability Affects Over 1 Million Sites appeared first on Wordfence.