Adrian Hada
ATI Security Researcher
Blog

Missing Updates and Site Misconfiguration Can Lead to Exposed Backups

September 25, 2018 by Adrian Hada

Keeping track of the latest and greatest threats in the wild is one of our main concerns here at the Application and Threat Intelligence Research Center. In that respect, something along the lines of “missing updates” and “site misconfiguration” might not seem to be something new on the threat scene. This is an investigation that started out, like many others, from a malware sample we were analyzing and helped us to, once more, demonstrate how these two old-but-gold problems of the security world can lead to sensitive data exposure.

While analyzing the detonation of a malicious Microsoft Word document spreading the Emotet banking trojan, one of the malicious payload URLs caught my attention. 

1

The URLs point to a subfolder in an installation of the Wordpress framework. Searching for the folder name, I found that it was the backup folder for a Wordpress plugin named “All-in-One WP Migration”. The plugin, as the title suggests, allows the user to easily backup their instance of Wordpress and, if needed, restore to the same server or migrate to a completely new server. As expected, backing up server data requires that Wordpress be able to write to the folder so it’s no surprise that a malware creator would choose to host malware inside that folder exactly.

With a little bit of searching, I reached the conclusion that, at some point, the plugin had been vulnerable to an authenticated arbitrary file upload/remote code execution vulnerability in version 2.0.2 as well as unauthenticated download of Wordpress data. Either one could have been abused by the malware creator on websites that were missing updates. As a result, I decided to search for more websites with said component and see whether either of them allows me to view the backup folder contents to detect more malware. 

Using Google, I was not able to identify more such websites but, instead, found something completely different and unexpected – one of the indexing views showed me the website’s backup files. 

2

The black squares are there to offer whatever limited protection to the people holding this website – although we tried to contact them where contact info was available, some of them still hold such vulnerable content on the website.

The “.wpress” file is an export file in the plugin’s proprietary export format. I did not attempt to download it, as it is filled with the user’s personal data, instead opted to create a fresh installation of Wordpress and the plugin on a test server and check whether the file contents are encrypted. Unfortunately, they are not:

3

Technically, a malicious actor could download this backup file then proceed to recover data from the server. In the screenshot I’ve blacked out the hash of my admin user password – an attacker would be able to use this info to do a brute-force attack to crack the said hash offline and then access the website using the admin credentials. This is a serious vulnerability and I attempted to access the backup folder in the manner I attempted above. However, I was met with a blank page:

4

Investigating some more, I found that the folder structure created by the plugin when a backup is generated on the local server tries to prevent index views of the folder:

5

The .htaccess and web.config files are special directive files used by Apache and Microsoft IIS, respectively, to allow special configuration for the folder. In this case, they both disable the default “Index of” page that is created for the folder if an index does not exist and, furthermore, redirect to a fake index.php file that renders the blank page. All in all, the plugin developers have taken the necessary measures to stop this – so what happened that allowed me to view the contents of the folders in the first place?

There are three different scenarios that I identified:

  • One is the lack of updates on the vulnerable servers – even though the plugin developers have taken steps to block this view since 2012, some websites seem to be using extremely old plugin versions that do not have these safeguards in place
  • The second one is the possibility of website misconfiguration – for example, in Apache, the directive to disable the “Index of” view is “Options -Indexes”. However, a mistake by the site admin might disable the processing of the .htaccess files or disallow option setting on subfolders – rendering this safeguard useless
  • The third would be caused by __MACOSX resource forks which rename the .htacces and web.config files to _.htaccess and _web.config, rendering them unusable for the web folder such as in the screenshot below

6

As can be seen, the issue is not necessarily on the developer’s part and they have taken precautions against making these files available for download. Had their customers updated the plugins to the latest, non-vulnerable, versions, or correctly configured their web servers, these files would not have reached the wild.

I contacted ServMask, the company responsible for the backup plugin, and presented the problem. They confirmed the measures taken and that encryption is not done in the basic plugin, but they do offer an extension with the option of AES-256 encryption. Their response, below:

7

At the beginning of September, I contacted the developers and all the websites where I could locate such backup files and had contact information, notifying them that we plan to release a blogpost on this matter at the end of the month. Given that three weeks have passed, and we’ve received no response from anyone but the developers, we’re releasing this investigation into the wild as a case study of how important information can be leaked. We’ve decided against naming the exact websites involved to avoid making their security posture any weaker. However, given the recent publicity around the Wordpress Duplicator plugin remote code execution vulnerability, it’s possible that attackers will start to look more and more into backup plugins. We hope that people become aware of these issues and take the necessary steps to ensure their security and the security of all those who might be attacked using a hacked website.

As always, the Application and Threat Intelligence Research Center continues to monitor threats and malicious actors as they develop. Customers of Ixia’s BreakingPoint and ThreatARMOR benefit directly from these efforts. We hope that the rest of our blog readership does as well.

Leverage Subscription Service to Stay Ahead of Attacks

The Ixia BreakingPoint Application and Threat Intelligence (ATI) Subscription provides bi-weekly updates of the latest application protocols and attacks for use with Ixia platforms.