Few days back we discussed the zero-day vulnerability in the WordPress Easy WP SMTP plugin, little did we know that after a couple of days of the detection we have to address another Zero day WordPress plugin vulnerability. You can even do a search for “Social Warfare Hacked” in order to get more information about it.
Of late, the latest zero-day vulnerability has been unearthed in the WordPress arena, affecting more than 70,000 websites by employing the Social Warfare plugin v 3.5.2 (WordPress Social Sharing Plugin). Well, there you go, another Zero-Day Vulnerability in Social Warfare WordPress Plugin to populate the list.
The heart of the issue is that the Social Warfare plugin features functionality allowing users to clone its settings from another site – However, this functionality was not restricted to administrators or even logged-in users, meaning anyone could take advantage of it.
Therefore, “An attacker is able to input a URL pointing to a crafted configuration document, which overwrites the plugin’s settings on the victim’s site,” according to Wordfence. (threatpost)
Social Warfare Zero-Day WordPress Plugin Vulnerability
This time around the plugin features functionality that facilitates the users to have a replica of its settings from another website. However, this particular functionality was not limited to logged-in users and administrators. A hacker can easily input a URL indicating to a crafted configuration document, which tends to overwrite the victim site’s plugin settings.
With the ability to make changes to the social media plugin’s settings, the hacker can easily perform harmful activities. In all the instances we have tracked so far, the hackers had modified the twitter_id value, as it mainly directs to a front-facing XSS injection point.
About WordPress plugin zero day exploit
We have noticed that a significant amount of exploit attempts have been made from over a hundred different IPs.
Our experts were able to detect three key Pastebin addresses –
Note – This document was removed right away, by Pastebin, at the time of writing this article.
The two Pastebin URLs that were live were alike. Both the URLs have the same type of injection, at the same injection point, having the same obfuscation technique, and above all the way in which the redirection are made are also identical. The sole difference is the redirect target.
It was found that between the two payloads, the following URLs can be seen –
We kept a close check on one domain – setforconfigplease[.]com for quite some time now, lately during the attack against Easy WP SMTP. The other domain – strangefullthiggngs[.]com is the latest addition. The below-mentioned image shows the date of its creation –
Such domains are an essential part of a significant redirect campaign, and most importantly the IP on which they are hosted are identical, i.e. 126.96.36.199. All those visitors who are redirected to these addresses are finally redirected to a sequence of harmful websites. Moreover, their actions are being tracked with the help of cookies.
Victim of Hacking?
You do have an alternate for this; you can just uninstall the plugin. However, if you choose to uninstall the plugin, it will not delete its settings.
And to offer apt protection to your blog, you need to change the admin password and install a web application firewall. If your website is protected by WP hacked help , a new rule will be added to the firewall tailored to offer protection from such attacks. If not, you will have access to the rule once upgrading to Premium.
Zero-Day in Social Warfare Patched
Acting responsibly, the vendor of the plugin released a patch as soon as they became aware of it.
As per the diffset mentioned in the image above, all of the prevailing settings import code was removed from the plugin and was replaced as well. Besides, a fresh code was included which tries to reverse the XSS injections that had been dispensed.
In code added to the function correct_invalid_values(), the plugin now put their best efforts to get rid of injected content from its options values. In case the twitter_id field is having a < symbol or the value’s length is more than 15 bytes; the setting is set to blank string.
Next, in case the string fromcharcode is there in any value, that value is set to an empty string identically. This is regarding the obfuscation method discussed above and used by the hackers responsible for this campaign.
On the afternoon of March 21, 2019, we were made aware of Zero-Day vulnerability affecting websites using the Social Warfare plugin. https://t.co/M0DjCoc6Ho
— Warfare Plugins (@warfareplugins) March 21, 2019
Update: Please make sure your Social Warfare plugins are up-to-date — current version = 3.5.4
— Warfare Plugins (@warfareplugins) April 1, 2019
More About Stored XSS Social Warfare Vulnerability
As if Cross-Site Scripting (XSS) vulnerability was not enough, our tech experts have unearthed another exploitable conduct in the database migration code of Social Warfare. This led to Remote Code Execution (RCE) on version, 3.5.2. Let us dig deep and get to know what is all the fuss about.
Fearing that this exploit may trigger a new wave of exploits, we felt the need to make our readers aware of the scope of these issues and how we protect them.
Before, we go ahead and explore the scary issues, some good news. Remote Code Execution vulnerability was removed in the same patch as the Cross Site Scripting flaw, 3.5.3. In the event you have updated Social Warfare, rest assured you don’t have to worry much about this additional flaw.
Besides, the firewall rule released by us last week for XSS issue tends to block Remote Code Execution as well. Therefore, the customers of wp hacked help are still on the safer side even if they haven’t updated yet.
Cross-site scripting (XSS) is a widespread vulnerability that allows an attacker to inject malicious content into a site. This forces a victim’s browser to execute code as the page is loaded and perform actions in the browser on behalf of the website.
In the case of Stored XSS as seen with the Social Warfare vulnerability, the payload gets stored in the site’s database and retrieved with every page request. If left unpatched, it can be very dangerous, as it gives an attacker almost complete control of the browser environment.
What is Remote Code Execution Vulnerability
RCE (Remote Code Vulnerability) is a vulnerability where a hacker executes code remotely using the system vulnerabilities. Owing to RCE, a susceptible web application along with the web server can be completely compromised. It pays to be aware of the fact that, almost every programming language is known to have code evaluate functions.
More about Remote Code Execution
A code evaluation can take place when the user input inside functions is permitted that evaluate the code in the respective programming language. This can be done of one’s own free will, for instance – the hacker may want to access the mathematical functions of the programming language to create a calculator. Usually, it is not advised to do so. In fact, it is prohibited to use code evaluation.
Example of Code Evaluation Exploitation
You wish to have variable names generated dynamically for each user and store its registration date. This is how it is done in PHP –
eval("\$$user = '$regdate');
As the username is usually user-controlled input, a hacker can generate a name such as –
x = 'y';phpinfo();//
The final php code end up looking like this –
$x = 'y';phpinfo();// = '2016';
As shown, the variable is now termed as X and also has the value Y. Once the hacker successfully assigns that value to the variable, he initiates a new command using a semicolon.
At this stage, he can comment out the remaining string, so he doesn’t get syntax errors. As and when he executes this code, the output of phpinfo can be seen on the page. You should bear in mind that this is feasible not only in PHP but in various other languages with functions responsible for evaluating the input.
What is Stored Remote Code Evaluation
Unlike the above-discussed instance, this particular method is not dependent on any particular language function, but on the fact that the files are parsed via the interpreter of the language. For instance – the inclusion of a configuration file in a web application.
Ideally using input user files, executed by the interpreter, is not advisable as it can cause undesired behavior. Such an exploit method is often witnessed along with an upload functionality that lacks apt checks on both the types of files and extensions.
Examples of Stored Code Evaluation Exploitation
You must have developed a web application offering a control panel for each user. The control panel must be having some particular settings like – the language variable, that is set on the basis of a parameter and then stored in the configuration file. An anticipated input will be something like this –
Inside the configuration file, the above will then be reflected as $lan = ‘de’. However, the hacker has the authority to make changes to the language parameter like –
The above will result in the below-mentioned code inside the file –
$lan = 'de';phpinfo()//';
The execution of the above will be done when the configuration file is included in the web application, basically letting the hacker execute any command he desires.
Impact of Remote Code Evaluation
A hacker who has the proficiency of executing this flaw is capable of running commands with the privileges of programming language or web server.
How to Prevent Remote Code Evaluation
Keep in mind to avoid using user input inside the evaluated code. The best option is not to use functions like eval. It is believed to be a bad practice and should be avoided at every cost. Besides, you should keep a check that a user should never be allowed to edit the content of files that may be parsed by the respective languages.
Vulnerability Classification and Severity Table
How can you protect against remote code execution attack
- The most practical way is to deal with this issue is to patch up the vulnerabilities found on all the computers over the network, mainly the ones used by the administrators.
- Owing to this, it is imperative to keep your computers updated with the latest patches. This can be done by keeping a check on Microsoft’s Patch Tuesday fixes regularly. Security updates are released by Microsoft, every month, to patch threatening vulnerabilities concerning remote code execution issue.
- If you are using unsupported operating systems like Windows XP, then it is a wise decision to upgrade your operating system. This way you will ensure that the hackers do not target your system.
What Should You Do?
Deactivating the Social Warfare plugin until a patch is available will prevent these attacks, though at the loss of the plugin’s functionality.
Our team is actively tracking attacks against this flaw, and will produce more details as soon as we feel is responsible. In the meantime, please consider sharing this public service announcement to other WordPress users who may not know of these new risk factors.