Twenty Year Anniversary

WordPress iThemes Security Insecure Backup / Logfile Generation

WordPress iThemes Security Insecure Backup / Logfile Generation
Posted Apr 21, 2016
Authored by Nicolas Chatelain

WordPress iThemes Security suffers from insecure backup and logfile generation vulnerabilities.

tags | exploit, vulnerability
MD5 | 0a72248fec890cb6ef88cbe6f6554721

WordPress iThemes Security Insecure Backup / Logfile Generation

Change Mirror Download
--------------------------------------
ISSUE 1:

Wordpress iThemes Security (Better WP Security) Insecure Backup/Logfile Generation (access rights)
==================================================================================================


Description
===========

A vulnerability has been found in iThemes Security backup function that may allow attackers to gain access to backup/log files.


By default, when using the "database backup on filesystem" feature, iThemes Security saves the backup files in a world-readable directory :

wp-content/uploads/ithemes-security/backups

The .htaccess file is generated during the plugin initial setup/update, only if the wp-content/uploads/ithemes-security/backups exists (or wp-content/uploads/ithemes-security/logs). Note that it does *NOT* exists by default.

When running a backup, the ITSEC_Backup class creates the directory but *without* any .htaccess file inside.
The same thing happens with log saving.

If the webserver has directory listing enabled, then anybody can download the complete database backup or view the log files.


**Access Vector**: remote

**Security Risk**: high

**Vulnerability**: CWE-219

**CVSS Base Score**: 7.5

---------------
Vulnerable code
---------------

The vulnerable code is located in core/modules/backup/class-itsec-backup.php, line 246 :

if ( ! is_dir( $itsec_globals['ithemes_backup_dir'] ) ) {
@mkdir( trailingslashit( $itsec_globals['ithemes_dir'] ) . 'backups' );
}

And in core/class-itsec-logger.php, line 31 :

//Make sure the logs directory was created
if ( ! is_dir( $itsec_globals['ithemes_log_dir'] ) ) {
@mkdir( trailingslashit( $itsec_globals['ithemes_dir'] ) . 'logs' );
}

The application creates the backup/log directory, but *not* the .htaccess/index file inside.

--------
Solution
--------

Add a default index file file inside the backup folder when creating the directory or store the backups outside of the web root.

Update iThemes Security to version >= 5.3.1

Timeline (dd/mm/yyyy)
=====================

* 26/02/2016 : Initial contact with iThemes.
* 26/02/2016 : iThemes confirms the vulnerabilities.
* 29/02/2016 : iThemes publishes a new version (5.3.1) of iThemes Security that fixes the vulnerabilities.

Credits
=======

* Nicolas CHATELAIN, Sysdream (n.chatelain -at- sysdream -dot- com)



--
SYSDREAM Labs <labs@sysdream.com>

GPG :
47D1 E124 C43E F992 2A2E
1551 8EB4 8CD9 D5B2 59A1

* Website: https://sysdream.com/
* Twitter: @sysdream


--------------------------------------
ISSUE 2:

Wordpress iThemes Security (Better WP Security) Insecure Backup/Logfile Generation (predicatable filename)
==========================================================================================================


Description
===========

When using the "database backup/logging on filesystem" feature, iThemes security generates a weak filename allowing attackers to obtain the backup/log file if they know when the backup/log file was generated (timestamp).

**Access Vector**: remote

**Security Risk**: medium

**Vulnerability**: CWE-330

**CVSS Base Score**: 7.5


---------------
Vulnerable code
---------------

The vulnerable code is located at core/modules/backup/class-itsec-backup.php, line 244 :

$file = 'backup-' . substr( sanitize_title( get_bloginfo( 'name' ) ), 0, 20 ) . '-' . $current_time . '-' . ITSEC_Lib::get_random( mt_rand( 5, 10 ) );

In core/class-itsec-logger.php, line :

$itsec_globals['settings']['log_info'] = substr( sanitize_title( get_bloginfo( 'name' ) ), 0, 20 ) . '-' . ITSEC_Lib::get_random( mt_rand( 0, 10 ) );


In core/class-itsec-lib.php, function get_random, line 415:

public static function get_random( $length, $base32 = false, $special_chars = false ) {

if ( true === $base32 ) {

$string = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';

} else {

$string = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';

if ( true === $special_chars ) {

$string .= '_)(*&^%$#@!~`:;<>,.?/{}[]|';

}

}

return substr( str_shuffle( $string ), mt_rand( 0, strlen( $string ) - $length ), $length );

}


The str_shuffle should *never* be used for generating secure strings as it uses the PHP rand() function and just shuffles the characters' position.

--------
Solution
--------

Make sure to generate non-predictable strings, using cryptographically secure generators.
Update iThemes Security to version >= 5.3.1

Affected versions
=================

* iThemes Security <= 5.3.0

Timeline (dd/mm/yyyy)
=====================

* 26/02/2016 : Initial contact with iThemes.
* 26/02/2016 : iThemes confirms the vulnerabilities.
* 29/02/2016 : iThemes publishes a new version (5.3.1) of iThemes Security that fixes the vulnerabilities.

Credits
=======

* Nicolas CHATELAIN, Sysdream (n.chatelain -at- sysdream -dot- com)



--
SYSDREAM Labs <labs@sysdream.com>

GPG :
47D1 E124 C43E F992 2A2E
1551 8EB4 8CD9 D5B2 59A1

* Website: https://sysdream.com/
* Twitter: @sysdream

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

October 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    26 Files
  • 2
    Oct 2nd
    15 Files
  • 3
    Oct 3rd
    15 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    15 Files
  • 6
    Oct 6th
    2 Files
  • 7
    Oct 7th
    3 Files
  • 8
    Oct 8th
    23 Files
  • 9
    Oct 9th
    16 Files
  • 10
    Oct 10th
    15 Files
  • 11
    Oct 11th
    19 Files
  • 12
    Oct 12th
    16 Files
  • 13
    Oct 13th
    2 Files
  • 14
    Oct 14th
    2 Files
  • 15
    Oct 15th
    15 Files
  • 16
    Oct 16th
    20 Files
  • 17
    Oct 17th
    19 Files
  • 18
    Oct 18th
    21 Files
  • 19
    Oct 19th
    16 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    19 Files
  • 23
    Oct 23rd
    24 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close