Daniel Timofte
Security Research Engineer

ThemeREX Addons WordPress Plugin Remote Code Execution: The Technical Bits

February 20, 2020 by Daniel Timofte

On February 18th, Wordfence published a blog post regarding a critical zero-day vulnerability in the “ThemeREX Addons” WordPress Plugin, which is currently being exploited in the wild. The vulnerability affects an estimated 44,000 sites. This blog post aims to shed some light on the technical aspects of the flaw.

The above-mentioned plugin comes bundled with several ThemeREX-produced premium and free themes, including “Topper – All-in-One Elementor Blog”, the target of our analysis. At this time, a CVE identifier has not yet been assigned.

After installation, the plugin stores its contents in the [WP_INSTALL_DIR]/wp-content/plugins/trx_addons/ directory. The file of interest is includes/plugin.rest-api.php, where the affected code resides.

A REST API endpoint is registered under the trx_addons/v2 namespace, with the trx_addons_rest_get_sc_layout function as its callback.

[Figure 1]

This means that whenever a GET or POST request is made on the /wp-json/trx_addons/v2/get/sc_layout path, the callback function gets called.

Upon execution, the function stores the request’s parameters in the $params array, then uses the sc parameter as a function name, which is invoked a few lines below.

[Figure 2]

Note that no check is performed on the request initiator or the parameter names, allowing anyone to invoke arbitrary PHP functions.

According to line 57, the dynamically called function ($sc) is then passed an array with the request’s parameters as its call argument. This implies that the functions available to the attacker are limited to those accepting an array as an argument. Let’s have a look at how the endpoint behaves when the crafted argument is set to ‘print_r’.

[Figure 3]

The function is invoked as expected, printing an array of request parameters. Due to the nature of the call, command execution functions that accept strings cannot be used; luckily, WordPress contains several functions with an identical signature, such as wp_insert_user, the very choice of the attackers (according to Wordfence), which adds a new WordPress user. Moreover, the function receives an associative array, allowing the attacker to specify the username, password, and rights for the newly created account. A typical attack may look as follows:

[Figure 4]

The response contains the return value for the call, in our case, the new user id, indicating a successful attack.

[Figure 5]

Those using intrusion prevention systems (IPS), such as Suricata, may refer to the following rule to detect and prevent the attack.

drop http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ATI ThemeREX Addons RCE wp_insert_user attempted"; content:"/trx_addons/"; http_uri; fast_pattern; content:"/wp-json/trx_addons/v2/get/sc_layout"; http_uri; pcre:"/sc\x22\s*:\s*\x22wp_insert_user/P"; sid:1000001; rev:1;)
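For offline review of captured or logged requests, the following added example (not part of the original post, and not Ixia or ThemeREX code) extracts the sc value from calls to the endpoint, whether it arrives in the query string, a form body or a JSON body, and grades it. The record layout, the WATCHLIST name and the sample records are assumptions constructed for illustration.

```python
import json
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/wp-json/trx_addons/v2/get/sc_layout"  # path given in the post
WATCHLIST = {"wp_insert_user", "print_r"}          # functions named in the post

def sc_values(req):
    """Yield (location, value) for each `sc` parameter of one request record."""
    parts = urlsplit(req["uri"])
    if parts.path.rstrip("/") != ENDPOINT:
        return                                     # not the affected route
    for value in parse_qs(parts.query).get("sc", []):
        yield "query", value
    body = req.get("body") or ""
    ctype = (req.get("content_type") or "").lower()
    if "json" in ctype:
        try:
            doc = json.loads(body)
        except ValueError:
            return                                 # unparsable body: nothing to extract
        if isinstance(doc, dict) and isinstance(doc.get("sc"), str):
            yield "json", doc["sc"]
    elif "x-www-form-urlencoded" in ctype:
        for value in parse_qs(body).get("sc", []):
            yield "form", value

def triage(requests):
    """Return (src, location, sc value, level) for every call to the endpoint."""
    findings = []
    for req in requests:
        for where, value in sc_values(req):
            # PHP resolves function names case-insensitively, so compare lower-cased.
            level = "alert" if value.strip().lower() in WATCHLIST else "review"
            findings.append((req["src"], where, value, level))
    return findings

# Constructed sample records (documentation IP ranges, hypothetical layout name).
SAMPLE = [
    {"src": "203.0.113.7", "uri": ENDPOINT,
     "content_type": "application/json", "body": '{"sc": "wp_insert_user"}'},
    {"src": "203.0.113.9", "uri": ENDPOINT + "?sc=print_r",
     "content_type": "", "body": ""},
    {"src": "198.51.100.4", "uri": "/wp-json/wp/v2/posts?sc=wp_insert_user",
     "content_type": "", "body": ""},
    {"src": "192.0.2.10", "uri": ENDPOINT + "?sc=example_layout",
     "content_type": "", "body": ""},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Any "review" result is an sc value outside the watchlist and should be compared against the function names the site legitimately uses.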

We have developed a strike for the vulnerability that will be available starting with the next BreakingPoint ATI Strikepack. 

LEVERAGE SUBSCRIPTION SERVICE TO STAY AHEAD OF ATTACKS

Ixia's Application and Threat Intelligence (ATI) Subscription provides bi-weekly updates of the latest application protocols and vulnerabilities for use with Ixia test platforms. The ATI Research Center continuously monitors threats as they appear in the wild. Customers of our BreakingPoint product have access to strikes for different MTA vulnerabilities, allowing them to test their currently deployed security controls’ ability to detect or block such attacks.