4 Mar, 2020

Massive Exploitation of New Bug in WordPress Duplicator Plugin

A critical vulnerability in Duplicator has been uncovered on WordPress sites that use it. Read on to learn how it is being used for credential-grabbing attacks.
Last month we released a post that showed several ways an attacker can dump WordPress database credentials. That gives an attacker a key piece for infecting the WordPress database or grabbing information from it.

The popular Duplicator plugin, from Snap Creek, allows easy cloning or backup of a WordPress site.
A critical vulnerability in Duplicator has exposed WordPress sites that use it to credential-grabbing attacks. With over a million active installations of the plugin, this is a widespread problem. The publisher, Snap Creek, has issued a security update, which became available on February 12, 2020, and everyone with Duplicator installed should update it as quickly as possible.
How the Duplicator vulnerability works
The issue is a path traversal bug that allows an arbitrary file download. With this type of bug, a suitably constructed URL can specify a path that walks up to the Web directory's parent. It gives the attacker access to WordPress configurations and other files. Specifically, it allows access to wp-config.php, which contains the database credentials and security keys.

No login is required in the vulnerable versions, and file paths aren't validated. The bug could allow access anywhere in the file system, if the account running WordPress has the necessary rights. Access to all files is necessary when copying a site, but the functionality is supposed to be limited to administrators.

The file wp-config.php is one of the most critical points in WordPress security. It holds sensitive information, including the database password, in plaintext. If it's exposed, the site's security is compromised. Path traversal is the most common type of vulnerability exploited to gain access to the file.

By itself, the bug doesn't necessarily give an outsider access to the database, but a malware infection can get directly at the database. Attackers who have the credentials for an installation will focus on exploiting it, even if it takes them a little more work. If the site uses shared hosting, an attacker could exploit the bug by compromising another account on the same host, or even by opening an account of their own.

The URI for exploiting the vulnerability has this path:

/wp-admin/admin-ajax.php?action=duplicator_download&file=/../wp-config.php

For additional website protection against attacks of this type, you can set up your website firewall to block the servers known to be issuing this attack. They currently include 121 IP addresses. We are not posting them here, but if you would like to get them, please contact us at support@quttera.com. ThreatSign customers with the Quttera website firewall enabled do not need to take any action; you are protected, since we have updated the global rule set and keep updating it in real time.

Here is the attack map:
Checking if you have been attacked
Active exploitation of the vulnerability had begun before Snap Creek released the patch. All the discovered attacks went after the wp-config.php file. A large proportion of them came from one location in Bulgaria.

It isn't clear what use the attackers made of the stolen credentials. Sites with compromised databases could have altered content that isn't apparent from a visual inspection. Visitors could receive malicious JavaScript or be redirected to another site.

How can you find out if your wp-config file has been compromised? Check the access logs in your Apache, Nginx, or other Web server. If you find the string "duplicator_download&file=/../wp-config.php", someone has attempted to exploit the vulnerability, and your website firewall didn't stop the attempt from reaching the server.

This doesn't mean the attack was successful. However, if your site includes the Duplicator plugin and you find this string, you should make sure your site is safe. After upgrading to the current version of the plugin, change the password for the database. Update the wp-config.php file to match. Run a security scan of your site to make sure it hasn't been infected.
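The log check described above can be automated. The following script is an added example, not Quttera's code or anything from the Duplicator project; it parses Apache/Nginx combined-format access-log lines (the sample lines and IP addresses are constructed), flags requests that hit duplicator_download with a ".." traversal in the file parameter even when the payload is URL-encoded or double-encoded, and counts attempts per source IP so you can feed them to a firewall block list.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (Apache "combined" format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Mar/2020:10:15:01 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=/../wp-config.php HTTP/1.1" 200 3122 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Mar/2020:10:15:02 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=%2F..%2Fwp-config.php HTTP/1.1" 200 3122 "-" "curl/7.64.0"
198.51.100.7 - - [04/Mar/2020:10:16:40 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [04/Mar/2020:10:17:03 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=%252F..%252Fwp-config.php HTTP/1.1" 403 512 "-" "python-requests/2.22.0"
192.0.2.10 - - [04/Mar/2020:10:18:11 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=installer.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Fields needed from a combined-format line: client IP, timestamp, request URI, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)
# A ".." segment at the start of the value or after a separator is the traversal marker.
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')

def parse_line(line):
    """Return the fields of one access-log line, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_duplicator_traversal(uri):
    """True when the request targets duplicator_download with '..' in the file parameter."""
    qs = parse_qs(urlsplit(uri).query)  # parse_qs strips one layer of %-encoding
    if 'duplicator_download' not in qs.get('action', []):
        return False
    for value in qs.get('file', []):
        value = unquote(value).replace('\\', '/')  # second decode catches %252F-style double encoding
        if TRAVERSAL_RE.search(value):
            return True
    return False

def find_attempts(log_text):
    """Return one record per exploitation attempt; 'served' marks replies the server answered 200."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_duplicator_traversal(rec['uri']):
            rec['served'] = rec['status'] == '200'  # a reason to rotate credentials, not proof of theft
            hits.append(rec)
    return hits

def attempts_by_ip(hits):
    """Count attempts per source IP, ready for a firewall block list."""
    counts = {}
    for rec in hits:
        counts[rec['ip']] = counts.get(rec['ip'], 0) + 1
    return counts
```

On the constructed sample, three of the five lines are flagged (the plain, encoded and double-encoded wp-config.php requests), while the request for installer.php without a traversal is left alone.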

Detecting a WordPress database malware infection is difficult. Expert analysis is necessary, and it may not catch all problems. Monitoring the site is the best way to detect any persistent threats that have been installed in the database. Quttera WAF will detect and block many threats of this type.

If your site has been blacklisted even though you aren't doing anything shady, that's a strong hint that it's been compromised. Users will get browser warnings, and you need to fix the problem as quickly as possible to minimize business disruption. Quttera ThreatSign will detect blacklisting and help you remove the problem from your website.
Protection from the Duplicator bug and similar attacks
As already mentioned, the first step in protecting your site from this vulnerability is to update the Duplicator plugin to the latest version. That will stop the vulnerability cold.

Every plugin in your installation, even a reputable one like Duplicator, adds to your site's attack surface. Limit the active plugins on your site to those you need and use. Deactivate or delete the rest. Keep all the ones you use up to date. Keep an eye out for plugins that stop getting updates. If one disappears from the WordPress.org plugin directory, consider replacing it with something in better standing.

If you're using a vulnerable version of Duplicator, or if you have in the past, you should consider changing your database password on general principles. You may have to contact your hosting provider to do this, depending on what access privileges you have. Do this only after updating Duplicator.

Path traversal vulnerabilities are a common problem in plugins. Sometimes the crooks find out first and launch zero-day attacks. Patching can't stop bugs that are exploited before the publisher knows about them.

Run WordPress from an account with limited privileges. A WordPress site running as root exposes the entire filesystem to attackers taking advantage of a path traversal bug.

Limiting access to the database makes exploitation of credentials harder. If your database is on the same network as the WordPress installation, you can disallow outside access. If it's a remote database, you can limit access to the IP addresses you run WordPress on.

If you had the Quttera Web Application Firewall (WAF), you would have an extra layer of website security against the Duplicator vulnerability and others of its kind. It guards against requests with behavioral patterns suggesting attempts to breach the system, as well as identifying known threats.
All Quttera customers using WAF were protected from the Duplicator attack. You can have this protection and improve your WordPress security against known and unknown threats, simply by signing up for Quttera ThreatSign.