WordPress Duplicator 1.2.42 – Remote code execution


 

Authors: synacktiv          Risk: High

CVE: N/A                        0day-id: 0day-1925

Date: 2018-09-19          Update time: 2018-09-19

 

Description

 

Presentation of WordPress Duplicator
“Duplicator creates a package that bundles all the site’s plugins, themes, content, database and WordPress files into a
simple zip file called a package. This package can then be used to easily migrate a WordPress site to any location you wish.
Move on the same server, across servers and pretty much any location a WordPress site can be hosted. WordPress is not
required for installation since the package contains all site files.”1

 

The issue

 

Synacktiv discovered that WordPress Duplicator does not remove sensitive files after the restoration process. Indeed, the
installer.php and installer-backup.php files can be reused after the restoration process to inject malicious PHP code in the
wp-config.php file. Thus, an attacker could abuse these scripts to execute arbitrary code on the server and take it over.
Even though the code injection was fixed in a first release, it is still possible to gain arbitrary PHP code execution. Indeed,
install steps can be bypassed to force the installer script to insert all the backed up data in an arbitrary MySQL database. As
the attacker controls this database, he would be able to change the hash of an administrative user to gain access to the
dashboard. Finally, he could upload a malicious WordPress plugin to execute PHP code.

 

Affected versions

 

The last version at the time of this advisory, 1.2.40, is known to be affected.

 

https://wordpress.org/plugins/duplicator/

 

Workaround

 

Update the WordPress Duplicator plugin to version 1.2.42 and remove the remaining Duplicator files after the restore.

 

Technical description and proof-of-concept

 

Initial vulnerability discovery
Duplicator is a WordPress plugin that can be used to create a complete backup of a WordPress instance and restore it on a
fresh server. The export method generates 2 files:
• A ZIP archive with the complete WordPress files and Duplicator-specific files:
  • A copy of the installer.php script: installer-backup.php
  • A SQL script that will be used to restore the database content: database.sql
• An installer PHP script to restore the archive: installer.php
When the installer.php script completes its process, the following files remain in the directory and have to be manually deleted:


It was found that the installer.php and installer-backup.php scripts allow overwriting the existing configuration files wp-config.php
and .htaccess. Indeed, the script replaces the content of the database connection parameters using string


This updateStandard function is called in step 3 of the installer:


This behavior can be abused to insert malicious PHP code in wp-config.php and backdoor the website.
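A post-restore audit for the two conditions described in this section and in the workaround: Duplicator installer files left in the web root, and DB connection parameters in wp-config.php that carry more than a plain quoted value. This is an added example, not Synacktiv's or Duplicator's code; the `*_archive.zip` name pattern, the sample web root and the `phpinfo()` tamper marker are constructed assumptions.

```python
import os
import re
import tempfile

# Files the advisory says Duplicator leaves behind after a restore.
LEFTOVER_NAMES = {"installer.php", "installer-backup.php", "database.sql"}
# Assumption (not from the advisory): package archives are named *_archive.zip.
ARCHIVE_RE = re.compile(r"_archive\.zip$")
DB_KEYS = ("DB_NAME", "DB_USER", "DB_PASSWORD", "DB_HOST")
# A clean DB parameter: one quoted literal, then nothing but ");" on the line.
CLEAN_DEFINE = re.compile(
    r"^\s*define\(\s*'(?:DB_NAME|DB_USER|DB_PASSWORD|DB_HOST)'\s*,\s*'[^']*'\s*\);\s*$")

def leftover_duplicator_files(webroot):
    """Names of Duplicator installer/package files still in the web root."""
    return sorted(n for n in os.listdir(webroot)
                  if n in LEFTOVER_NAMES or ARCHIVE_RE.search(n))

def suspicious_db_defines(wp_config_text):
    """DB_* define() lines carrying more than a single quoted literal.

    Injected PHP lands on the same line as the rewritten parameter and so
    fails the strict match; values with escaped quotes are flagged as well.
    """
    return [line.strip() for line in wp_config_text.splitlines()
            if "define" in line and any(k in line for k in DB_KEYS)
            and not CLEAN_DEFINE.match(line)]

def build_sample_webroot():
    """Constructed fixture: leftover installer files plus a tampered config."""
    root = tempfile.mkdtemp()
    for name in ("index.php", "installer.php", "installer-backup.php",
                 "20180919_site_archive.zip"):
        open(os.path.join(root, name), "w").close()
    with open(os.path.join(root, "wp-config.php"), "w") as fh:
        fh.write("<?php\n"
                 "define('DB_NAME', 'wordpress');\n"
                 "define('DB_USER', 'wp'); phpinfo(); // constructed tamper\n"
                 "define('DB_PASSWORD', 's3cret');\n"
                 "define('DB_HOST', 'localhost');\n"
                 "define('DB_CHARSET', 'utf8');\n")
    return root

def audit(webroot):
    """Run both checks; any non-empty list means the restore needs cleanup."""
    with open(os.path.join(webroot, "wp-config.php")) as fh:
        config = fh.read()
    return {"leftovers": leftover_duplicator_files(webroot),
            "tampered": suspicious_db_defines(config)}
```

Point `audit()` at a real WordPress document root after a Duplicator migration; every name in `leftovers` should be deleted and every line in `tampered` inspected before the site is exposed.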

 

Proof of concept of the code injection

 

Synacktiv consultants managed to send the following HTTP request to gain arbitrary command execution on the server:


Then, the wp-config.php file contains the malicious injected code:


The next step is to request the configuration file to execute the malicious code, which puts the backdoor content inside a
test.php file. Then, the backdoor can be used:


Posted by James China on Tuesday, September 18, 2018

 

Impact

A successful exploitation allows an unauthenticated attacker to execute arbitrary code on the remote server. Please note that
a successful exploitation is destructive as it breaks the WordPress configuration file and thus, the WordPress instance.


Timeline

Date         Action
2018-07-13   Advisory sent to Duplicator developers.
2018-07-14   First response of Duplicator developers.
2018-07-23   First fix proposed for the code injection.
2018-08-23   Final version of the fix proposed.
2018-08-24   Version 1.2.42 published.
2018-08-29   Advisory published.