[Honeypot Alert] Wordpress Wp Symposium 14.11 - Unauthenticated Shell Upload Exploit Attempt

Screen Shot 2014-12-30 at 9.28.53 AMOur web honeypots picked up some exploit attempts for the recently released vulnerability in the WP Symposium Plugin. WP Symposium is described as:

WP Symposium is a plugin for WordPress, that will turn a WordPress site into a Social Network. And you can choose which features you want to activate, and customise them to achieve your social network features.

Uses of WP Symposium are limited only by your imagination, but some examples of how people are already using it include:

  • Social networks for those who live or work together (colleges, clubs, etc…).
  • Internal "intranet"s for a business or company.
  • Dating sites, including those for niche groups of people.
  • A social network supporting products and services.
  • A social network for particular hobbies/interests (music, films, etc…).

Wordpress WP Symposium 14.11 Shell Upload Vulnerability

WP Symposium allows user to upload different types of files and it has a preconfigured list of allowed extensions:

Screen Shot 2014-12-30 at 10.58.55 AM

These restrictions are applied to the /wp-symposium/server/file_upload_form.php page, however there are other pages that are not protected such as:

  • /wp-symposium/server/php/index.php
  • /wp-symposium/server/php/UploadHandler.php
  • /wp-symposium/mobile-files/server/php/index.php
  • /wp-symposium/mobile-files/server/php/UploadHandler.php

Exploit-DB has a vulnerability entry with Proof of Concept Python exploit code:

Screen Shot 2014-12-30 at 11.07.13 AM

Honeypot Exploit Attempt

Here is an example exploit attempt that was captured by ModSecurity WAF:

--f29bb312-A--
[24/Dec/2014:20:05:21 --0600] VJtw4cCo8AoAADHxgygAAAAF 192.99.195.96 50576 XXX.XXX.XXX.XXX 80
--f29bb312-B--
POST /wp-content/plugins/wp-symposium/server/php/index.php HTTP/1.1
Host: honeypot
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------259392320121592
Content-Length: 92562--f29bb312-I--
uploader%5fuid=1&uploader%5fdir=%2e%2fsymposium&uploader%5furl=http%3a%2f%2fhoneypot%2fwp%2dcontent%2fplugins%2fwp%2dsymposium%2fserver%2fphp%2f--f29bb312-J--
4,91960,"_privacy.php","<Unknown ContentType>"
Total,91960

The attacker attempted to upload a PHP file called "_privacy.php". This file has various PHP backdoor code which allows the attacker to send HTTP commands through request variables. It also contains a version of the WSO webshell:

Screen Shot 2014-12-30 at 12.22.19 PM

Action Items

Update WP Symposium

If you can not update, then you need to manually update the UploadHandler.php script. Update the following line from this -

// Defines which files (based on their names) are accepted for upload:
'accept_file_types' => '/.+$/i',

To this -

// Defines which files (based on their names) are accepted for upload:
'accept_file_types' => '/.(mp4|doc|docx|ppt|pptx|xls|xlsx|txt|pdf|gif|jpe?g|png)$/i',

Use a Web Application Firewall (WAF)

Both of Trustwave's WAF products (TW WAF and ModSecurity) can protect your sites from PHP file uploads.

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.