mailing list archives
Re: [NSE] Backdoored wordpress plugins
From: Gutek <ange.gutek () gmail com>
Date: Thu, 23 Jun 2011 23:49:13 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Le 23/06/2011 20:31, Henri Doreau a écrit :
starting a thread here after discussing the subject with Djalal and Paulino.
According to the Wordpress blog three wordpress plugins have been
backdoored recently. Thousands installations might be affected and
it would be very nice to have a detection script for NSE.
Some information about the backdooring code is available at . Code
to execute is sent via the HTTP headers or cookies, making me think
that simply adding entries to http-enum isn't possible for detection.
We have a wordpress plugins detection script, that could run
additional checks if one of these plugin is detected.
http-wp-plugins.nse could also store detected plugins into the
registry, to be read by detection scripts, but that might also bloat
Another option is to write completely autonomous script(s) dedicated
to detect these backdoors. This is how http-malware-host works.
Running Wordpress blogs for years, I must say that one strong point of
this blogging system is its efficiency about updates: Wordpress itself,
and its installed plugins as well. If not automatic, it's just one-clic
and very user friendly even for the most loose admin.
For those unaware of how WP administration works, the "dashboard" (main
admin panel) and a "plugins" page reminds the admin of available
updates. Then, just a clic and...done.
So here is my point: although being critical and massively spread, those
vulnerabilities won't last long.
o Most Worpress blogs should be patched in a short term
o Most WP blogs admins actually often visit their admin panel: it
provides stats, spam and comments management along with other usefull
tasks (ie: they will be quickly aware of the available updates)
That's why I think that modifying a script would mean adding a
capability that would be useless in a few weeks.
Plus, http-wp-plugins takes time to run (it's a dictionnary attack
against more than 14K known plugins to date): this means that in, say,
3-4 weeks this script will take additionnal time with this new test,
useless in 99% cases while ran every time it finds one of those
Such a test against this vulnerability would be, I think, more efficient
(or, at least, quicker) in either its own script or a malware-dedicated
script. Anyway it would take seconds instead of minutes to report.
My 2 cents,
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----
Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/