Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable 博客

订阅

Duplicator WordPress Plugin Vulnerability Exploited in the Wild

Attackers are targeting a recently patched flaw in a popular WordPress plugin with over 1 million active installations.

背景

On February 12, Snap Creek, makers of the popular WordPress plugin Duplicator, released version 1.3.28 and Duplicator Pro version 3.8.7.1 to address a serious vulnerability.

Duplicator is a plugin used by WordPress site administrators to “migrate and copy WordPress sites.” According to statistics from WordPress.org, Duplicator has over 1 million active installations, and according to Snap Creek, it has been downloaded over 15 million times.

分析

According to researchers at Wordfence, an unauthenticated arbitrary file download vulnerability exists in Duplicator versions 1.3.26 and below and Duplicator Pro versions 3.8.7 and below.

The vulnerability exists due to the implementation of a pair of functions, duplicator_download and duplicator_init. The functions can be accessed by unauthenticated users because they were implemented using the wp_ajax_nopriv_ hook. Researchers note that because the functions were “hooked into init,” they would be executed on every WordPress page that’s loaded, whether the user is logged in or not.

Within these functions, the file parameter was sanitized but not validated, so an attacker could use path traversal to access files outside of Duplicator’s specified path.

An unauthenticated, remote attacker could exploit this vulnerability by sending a specially crafted request to a WordPress site using the vulnerable version of the Duplicator plugin. This would allow them to download files outside of the intended directory. An attacker would need some knowledge of the target file structure or attempt to download commonly known files.

These files could include the wp-config.php file, referred to as “one of the most important files” in a WordPress installation. This is because the configuration file contains database credentials and authentication keys and salts. An attacker could use this information to create their own administrator account on the vulnerable site or “inject content or harvest data.”

Wordfence has reportedly blocked over 60,000 attempts to download the wp-config.php file using this vulnerability. They note that of the 60,000 attempts, 50,000 occurred before February 12, prior to Snap Creek releasing a fix for the vulnerability, indicating this was exploited in the wild as a zero-day.

概念验证

At the time this blog post was published, there was no proof of concept (PoC) available for this vulnerability. However, there is enough information available in Wordfence’s blog post along with the indicators of compromise to easily craft a PoC.

解决方案

Snap Creek addressed this vulnerability in Duplicator version 1.3.28 and Duplicator Pro version 3.8.7.1 on February 12. Duplicator and Duplicator Pro users are strongly encouraged to upgrade to versions 1.3.28 and 3.8.7.1 or greater as soon as possible.

Wordfence provided indicators of compromise to identify attacks exploiting this vulnerability. The bulk of the attacks they’ve seen originate from the following IP address:

  • 77.71.115.52

Additionally, review HTTP logs for requests that include the following query strings:

  • action=duplicator_download
  • file=/../wp-config.php

The most reliable indicator is whether the request contains the file parameter, as that is required to exploit this vulnerability.

识别受影响的系统

A list of Tenable plugins to identify this vulnerability will appear here as they’re released.

获取更多信息

加入 Tenable Community 中的 Tenable 安全响应团队

了解有关 Tenable 这款首创 Cyber Exposure 平台的更多信息,全面管理现代攻击面。

获取 30 天免费试用版 Tenable.io Vulnerability Management

相关文章

您可加以利用的网络安全新闻

输入您的电子邮件,绝不要错过 Tenable 专家的及时提醒和安全指导。

Tenable Vulnerability Management

可全面访问基于云的现代化漏洞管理平台,从而以无可比拟的精确度发现并追踪所有资产。

Tenable Vulnerability Management 试用版还包含 Tenable Lumin 和 Tenable Web App Scanning。

Tenable Vulnerability Management

可全面访问基于云的现代化漏洞管理平台,从而以无可比拟的精确度发现并追踪所有资产。 立即购买年度订阅。

100 项资产

选择您的订阅选项:

立即购买

Tenable Vulnerability Management

可全面访问基于云的现代化漏洞管理平台,从而以无可比拟的精确度发现并追踪所有资产。

Tenable Vulnerability Management 试用版还包含 Tenable Lumin 和 Tenable Web App Scanning。

Tenable Vulnerability Management

可全面访问基于云的现代化漏洞管理平台,从而以无可比拟的精确度发现并追踪所有资产。 立即购买年度订阅。

100 项资产

选择您的订阅选项:

立即购买

Tenable Vulnerability Management

可全面访问基于云的现代化漏洞管理平台,从而以无可比拟的精确度发现并追踪所有资产。

Tenable Vulnerability Management 试用版还包含 Tenable Lumin 和 Tenable Web App Scanning。

Tenable Vulnerability Management

可全面访问基于云的现代化漏洞管理平台,从而以无可比拟的精确度发现并追踪所有资产。 立即购买年度订阅。

100 项资产

选择您的订阅选项:

立即购买

试用 Tenable Web App Scanning

您可以通过 Tenable One 风险暴露管理平台完全访问我们专为现代应用程序量身打造的最新 Web 应用程序扫描产品。可安全扫描全部在线资产组合的漏洞,具有高度准确性,而且无需繁重的手动操作或中断关键的 Web 应用程序。立即注册。

Tenable Web App Scanning 试用版还包含 Tenable Vulnerability Management 和 Tenable Lumin。

购买 Tenable Web App Scanning

可全面访问基于云的现代化漏洞管理平台,从而以无可比拟的精确度发现并追踪所有资产。 立即购买年度订阅。

5 个 FQDN

$3,578

立即购买

试用 Tenable Lumin

使用 Tenable Lumin 直观呈现及探索您的风险暴露管理,长期追踪风险降低状况,并比照同行业者进行基准衡量。

Tenable Lumin 试用版还包括 Tenable Vulnerability Management 和 Tenable Web App Scanning。

购买 Tenable Lumin

联系销售代表,了解 Tenable Lumin 如何帮助您获取整个企业的洞见并管理网络安全风险。

免费试用 Tenable Nessus Professional

免费试用 7 天

Tenable Nessus 是当今市场上功能最全面的漏洞扫描器。

新 - Tenable Nessus Expert
不可用

Nessus Expert 添加了更多功能,包括外部攻击面扫描,以及添加域和扫描云基础设施的功能。单击此处试用 Nessus Expert。

填写下面的表格可继续试用 Nessus Pro。

购买 Tenable Nessus Professional

Tenable Nessus 是当今市场上功能最全面的漏洞扫描器。Tenable Nessus Professional 可帮助自动化漏洞扫描流程、节省合规周期的时间,并调动起 IT 团队的积极性。

购买多年期许可,即享优惠价格添加高级支持功能,获取一年 365 天、一天 24 小时的电话、社区和聊天支持。

选择您的许可证

购买多年期许可,即享优惠价格

添加支持和培训

免费试用 Tenable Nessus Expert

免费试用 7 天

Nessus Expert 针对现代攻击面而量身打造,可以查看更多信息,保护企业免遭从 IT 到云中漏洞的攻击。

已经有 Tenable Nessus Professional?
升级到 Nessus Expert,免费试用 7 天。

购买 Tenable Nessus Expert

Nessus Expert 针对现代攻击面而量身打造,可以查看更多信息,保护企业免遭从 IT 到云中漏洞的攻击。

选择您的许可证

购买多年许可证,节省幅度更大。

添加支持和培训