Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: [NSE] Backdoored wordpress plugins
From: Paulino Calderon <paulino () calderonpale com>
Date: Thu, 23 Jun 2011 21:05:02 -0700

On 06/23/2011 02:49 PM, Gutek wrote:
Hash: SHA1

Le 23/06/2011 20:31, Henri Doreau a écrit :

starting a thread here after discussing the subject with Djalal and Paulino.

According to the Wordpress blog[1] three wordpress plugins have been
backdoored recently. Thousands installations might be affected[2] and
it would be very nice to have a detection script for NSE.

Some information about the backdooring code is available at [3]. Code
to execute is sent via the HTTP headers or cookies, making me think
that simply adding entries to http-enum isn't possible for detection.

We have a wordpress plugins detection script, that could run
additional checks if one of these plugin is detected.
http-wp-plugins.nse could also store detected plugins into the
registry, to be read by detection scripts, but that might also bloat

Another option is to write completely autonomous script(s) dedicated
to detect these backdoors. This is how http-malware-host works.


[1] http://wordpress.org/news/2011/06/passwords-reset
[2] http://wpmu.org/wordpress-security-exploit-found-upgrade-wptouch-addthis-and-w3-total-cache
[3] http://adamharley.co.uk/2011/06/wordpress-plugin-backdoors

Running Wordpress blogs for years, I must say that one strong point of
this blogging system is its efficiency about updates: Wordpress itself,
and its installed plugins as well. If not automatic, it's just one-clic
and very user friendly even for the most loose admin.
For those unaware of how WP administration works, the "dashboard" (main
admin panel) and a "plugins" page reminds the admin of available
updates. Then, just a clic and...done.

So here is my point: although being critical and massively spread, those
vulnerabilities won't last long.
o Most Worpress blogs should be patched in a short term
o Most WP blogs admins actually often visit their admin panel: it
provides stats, spam and comments management along with other usefull
tasks (ie: they will be quickly aware of the available updates)

That's why I think that modifying a script would mean adding a
capability that would be useless in a few weeks.
Plus, http-wp-plugins takes time to run (it's a dictionnary attack
against more than 14K known plugins to date): this means that in, say,
3-4 weeks this script will take additionnal time with this new test,
useless in 99% cases while ran every time it finds one of those
maybe-affected plugins.

Such a test against this vulnerability would be, I think, more efficient
(or, at least, quicker) in either its own script or a malware-dedicated
script. Anyway it would take seconds instead of minutes to report.

My 2 cents,

Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/

Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/
Well, Windows Update actually pops up and nags users and people still don't apply updates so I wouldn't be surprised if installations are left vulnerable for some time ;).

Even if we don't end up doing a script to specifically check for this vuln, I feel like we need to add these signatures to the http-wp-plugins db now.


Paulino Calderón Pale
Web: http://calderonpale.com
Twitter: http://www.twitter.com/paulinocaIderon

Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]