A WordPress plugin vulnerability found in WP Live Chat could allow an attacker to upload arbitrary malicious files to vulnerable systems, according to researchers.
WP Live Chat is a WordPress plugin that adds a small pop-up chat support window so site owners can interact with visiting customers. A previously discovered critical arbitrary file upload flaw (CVE-2018-12426) had been patched in the plugin, but researchers said on Monday that they were able to bypass that fix in a proof-of-concept attack.
“The implemented protections as part of the patch for CVE-2018-12426 did not fully resolve the issue and the plugin remained vulnerable to unauthenticated arbitrary file uploads,” said Alert Logic in a Monday post. “The bypass was achieved using a non-blacklisted executable file extension in conjunction with a whitelisted file extension.”
File upload vulnerabilities in WordPress are prevalent and easy for attackers to exploit. A recent Wordfence report found that file upload flaws are the third most common vulnerability type for WordPress. In these flaws, a plugin lets an attacker upload a file containing malicious code directly to the server, which then executes it.
In July 2018, the researchers discovered the initial vulnerability in the WP Live Chat plugin, affecting versions before 8.0.07. The plugin was patched in version 8.0.07, but the researchers recently found that the patch could be bypassed in version 8.0.11.
The new bypass (CVE-2019-11185) stems from a flaw in the plugin's validation functions, which are meant to check that an uploaded file is not malicious.
The upload feature has a function used to validate file extensions. It relies on two lists: a blacklist of disallowed extensions and a whitelist of valid ones. When a file is uploaded, its name is checked against both lists to decide whether it is safe; the check looks only at the file name, not at the file's contents.
However, “each of these validation steps can now be investigated and bypassed in turn, providing an attacker with the means to get malicious code onto the server despite the various validations in place,” said researchers.
Researchers found that files with the “.phtml” extension bypass the blacklist check, because the blacklist written by the plugin developers omitted that particular extension. Blacklists that miss executable extensions (typically “.phtml”, but also “.php5”, “.pht”, “.asa” and others) are a common cause of unrestricted file upload vulnerabilities.
The “.phtml” extension “appears to have been intended as a means of differentiating files that contain both PHP and HTML templating from those that are purely PHP…. Regardless, from the perspective of the parser it is no different from a normal PHP file, and as such will execute the contained code,” researchers said.
The next validation step the file faces is the whitelist check, which is meant to ensure that the file name carries a valid extension.
Researchers said they were also able to bypass the whitelist validation, because it passed as long as a whitelisted extension appeared anywhere in the filename rather than only as the final extension. Testing with one such valid extension, .gif, they found that a ‘.gif.phtml’ file was deemed acceptable by both the blacklist and whitelist functions.
That means a remote, unauthenticated attacker could craft an executable file containing malicious code and, by using this double extension, get it past both the blacklist and whitelist checks; because the final extension is .phtml, the server then runs it as PHP.
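To make the two-step check and its failure concrete, the following PHP is an added illustration and is not code from WP Live Chat or from Alert Logic's write-up. It is a hypothetical reconstruction of the behaviour described above (a blacklist that omits “.phtml”, and a whitelist step that matches an allowed extension anywhere in the name), placed beside a stricter check that accepts only an exact, single, final extension from an allowlist. The list contents and function names are assumptions made for the example.

```php
<?php
// Added illustration, not code from WP Live Chat or Alert Logic. A hypothetical
// reconstruction of the two-list extension check described in the article
// (blacklist missing ".phtml", whitelist matched anywhere in the name), beside
// a stricter check that accepts only an exact, single, final extension.

// Hypothetical blacklist: ".phtml", ".php5" and ".pht" are deliberately absent,
// mirroring the gap the researchers found.
const WEAK_BLACKLIST = ['php', 'php3', 'php4', 'phps', 'exe', 'sh', 'pl', 'cgi'];

// Hypothetical allowlist of upload types the site intends to accept.
const ALLOWLIST = ['gif', 'jpg', 'jpeg', 'png', 'pdf', 'txt'];

/**
 * Weak check modelled on the described behaviour.
 *  1. Blacklist step: reject if the final extension is on the blacklist.
 *  2. Whitelist step: accept if any allowed extension appears ANYWHERE in the name.
 * "shell.gif.phtml" survives both steps: ".phtml" is not blacklisted and
 * ".gif" is present as a substring.
 */
function weak_is_allowed(string $filename): bool
{
    $lower = strtolower($filename);
    $ext   = pathinfo($lower, PATHINFO_EXTENSION);
    if (in_array($ext, WEAK_BLACKLIST, true)) {
        return false;
    }
    foreach (ALLOWLIST as $ok) {
        if (strpos($lower, '.' . $ok) !== false) {   // substring match, not the final extension
            return true;
        }
    }
    return false;
}

/**
 * Stricter check: allowlist only, evaluated against the FINAL extension, exact
 * match after lowercasing, and a name with exactly one dot so that double
 * extensions such as "x.gif.phtml" or "x.php.gif" cannot pass. It still says
 * nothing about the file's contents or about whether the upload directory is
 * configured to execute scripts; those need separate controls.
 */
function strict_is_allowed(string $filename): bool
{
    $base = basename($filename);              // strip any directory part
    if (substr_count($base, '.') !== 1) {
        return false;                         // refuse double extensions and bare names
    }
    [$name, $ext] = explode('.', $base, 2);
    $ext = strtolower($ext);
    if ($name === '' || !preg_match('/^[a-z0-9]+$/', $ext)) {
        return false;                         // empty stem or odd characters in the extension
    }
    return in_array($ext, ALLOWLIST, true);
}

// Constructed sample names with the expected verdicts [weak, strict].
$samples = [
    'logo.gif'        => [true,  true],
    'shell.php'       => [false, false],  // caught by the blacklist
    'shell.phtml'     => [false, false],  // escapes the blacklist but carries no allowed extension
    'shell.gif.phtml' => [true,  false],  // the bypass described in the article
    'shell.php.gif'   => [true,  false],  // double extension the other way round
    'Shell.GIF.PHTML' => [true,  false],  // case does not help the weak check
];

foreach ($samples as $file => [$expWeak, $expStrict]) {
    $weak   = weak_is_allowed($file);
    $strict = strict_is_allowed($file);
    printf("%-18s weak=%-5s strict=%-5s %s\n",
        $file,
        var_export($weak, true),
        var_export($strict, true),
        ($weak === $expWeak && $strict === $expStrict) ? 'as expected' : 'MISMATCH');
}
```

Run it with `php` on the command line and every row should report “as expected”. In a real WordPress plugin the right move is usually not to maintain extension lists at all but to hand the upload to core's `wp_handle_upload()`, which applies `wp_check_filetype_and_ext()` (content sniffing plus the site's configured allowed types) rather than a filename substring match. Even a correct filename check is only one layer: the uploads directory should also be configured so that the web server never executes scripts placed there.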
“Using this vector an attacker could upload ransomware and encrypt the host, or establish persistence and begin to move laterally inside the rest of the infrastructure so that they can exfiltrate data or user details,” Jonny Milliken, manager of threat research on Alert Logic’s Threat Intelligence team, told Threatpost. “Another option is for attackers to upload malicious payloads there and then use the compromised host as a staging post for the files. Then successful attacks on other people by the attackers can download the malicious file from this legitimate host. This is a common tactic for attackers to successfully evade security vendors who operate predominantly on reputation and watchlist indicators.”
Researchers, who said they have not seen evidence of the flaw being actively exploited, first reported the vulnerability to the vendor on April 5. The patch was released on April 12.
“The vendor in question is commended for being responsive and open to resolving the bug quickly,” researchers said.
Other vulnerabilities have recently been found in WordPress plugins including Social Warfare, Yellow Pencil Visual Theme Customizer and Yuzo Related Posts. According to an Imperva report, almost all (98 percent) of WordPress vulnerabilities are related to plugins, which extend the functionality and features of a website or blog.