Active exploits are targeting a recently patched flaw in the popular WordPress plugin Duplicator, which has more than 1 million active installations. So far, researchers have seen 60,000 attempts to harvest sensitive information from victims.
Researchers at Wordfence who discovered the in-the-wild attacks said in a post Thursday that 50,000 of those attacks occurred before Duplicator creator Snap Creek released a fix for the bug last week on Feb. 12 – so it was also exploited in the wild as a zero-day.
Duplicator is essentially a simple backup and site migration utility. It gives WordPress site administrators the ability to migrate, copy, move or clone a site. WordPress says that Duplicator has been downloaded more than 15 million times and is in active use for over one million sites.
Unfortunately, Duplicator prior to version 1.3.28 and Duplicator Pro prior to version 22.214.171.124 contain an unauthenticated arbitrary file download vulnerability. According to a writeup from Tenable, “an unauthenticated, remote attacker could exploit this vulnerability by sending a specially crafted request to a WordPress site using the vulnerable version of the Duplicator plugin.”
This would allow attackers to then download files outside of the intended directory. The only caveat is that an attacker would need “some knowledge of the target file structure or attempt to download commonly known files,” wrote Satnam Narang, researcher with Tenable.
Narang said that two functions, duplicator_download and duplicator_init, are vulnerable in unpatched versions, because they were implemented using the wp_ajax_nopriv_ hook. In practice this means that they would be executed on every WordPress page that’s loaded, whether the user is logged in or not.
“Within these functions, the file parameter was sanitized but not validated, so an attacker could use path traversal to access files outside of Duplicator’s specified path,” explained Narang. “These files could include the wp-config.php file.”
This is the WordPress site configuration file, which, he pointed out, contains database credentials and authentication keys and salts.
According to Wordfence, the 60,000 exploitation attempts that it saw within its customer telemetry were all efforts to download the wp-config.php file.
“Depending on the site, wp-config.php can contain any amount of custom code, but attackers target it to access a site’s database credentials,” according to a blog posted this week. “With these credentials, an attacker can directly access the victim site’s database if it allows remote connections. This access can be used by an attacker to create their own administrator account and further compromise the site, or simply to inject content or harvest data.”
That said, even websites that keep their databases configured only for local access can be attacked, the firm said — if those databases are situated in a shared hosting environment.
“It’s possible for one user on a shared server to access the local database of another site on the same server,” according to Wordfence.
Nearly all of the attacks that researchers saw came from the same IP address: 126.96.36.199. This corresponds with a data center in Bulgaria, owned by Varna Data Center EOOD. The attacks are issued via GET requests using the query strings “action=duplicator_download” and “file=/../wp-config.php.”
“A handful of websites are hosted on this server, suggesting the attacker could be proxying their attacks through a compromised website,” the firm added.
Further, Wordfence added that the same IP address has been linked to other malicious activity against WordPress recently, so researchers are monitoring the situation.
“Duplicator’s massive install base, combined with the ease of exploiting this vulnerability, makes this flaw a noteworthy target for hackers,” according to Wordfence. “It’s crucial that Duplicator’s users update their plugins to the latest available version as soon as possible to remove this risk.”
As noted, Snap Creek addressed the bug in Duplicator version 1.3.28 and Duplicator Pro version 188.8.131.52 on February 12. Duplicator and Duplicator Pro users are strongly encouraged to upgrade to versions 1.3.28 and 184.108.40.206 or greater as soon as possible.
“An organization’s ‘front door’ is their website and a target for criminals as they attempt to gain access to install malicious code and malware for all who visit their website,” said James McQuiggan, security awareness advocate at KnowBe4, via email. “The security for the website should be extremely robust with a well documented and repeatable change control program, including regular patching. Organizations using plugins need to verify all updates and test them to reduce the risk of infecting users who visit their website.”
Don’t miss Threatpost’s complete RSA Conference 2020 reporting next week: Please visit our special coverage section, available here.