Nmap Development mailing list archives

Re: [NSE] Backdoored wordpress plugins


From: Gutek <ange.gutek () gmail com>
Date: Thu, 23 Jun 2011 23:49:13 +0200


On 23/06/2011 20:31, Henri Doreau wrote:
> Hello,
>
> starting a thread here after discussing the subject with Djalal and Paulino.
>
> According to the Wordpress blog[1] three wordpress plugins have been
> backdoored recently. Thousands of installations might be affected[2] and
> it would be very nice to have a detection script for NSE.
>
> Some information about the backdooring code is available at [3]. Code
> to execute is sent via the HTTP headers or cookies, making me think
> that simply adding entries to http-enum isn't possible for detection.
>
> We have a wordpress plugins detection script, that could run
> additional checks if one of these plugins is detected.
> http-wp-plugins.nse could also store detected plugins into the
> registry, to be read by detection scripts, but that might also bloat
> it...
>
> Another option is to write completely autonomous script(s) dedicated
> to detecting these backdoors. This is how http-malware-host works.
>
> Regards.
>
>
> [1] http://wordpress.org/news/2011/06/passwords-reset
> [2] http://wpmu.org/wordpress-security-exploit-found-upgrade-wptouch-addthis-and-w3-total-cache
> [3] http://adamharley.co.uk/2011/06/wordpress-plugin-backdoors

Running Wordpress blogs for years, I must say that one strong point of
this blogging system is its efficiency about updates: Wordpress itself,
and its installed plugins as well. If not automatic, it's just one-click
and very user friendly even for the most loose admin.
For those unaware of how WP administration works, the "dashboard" (main
admin panel) and a "plugins" page remind the admin of available
updates. Then, just a click and...done.

So here is my point: although being critical and massively spread, those
vulnerabilities won't last long.
o Most Wordpress blogs should be patched in a short term
o Most WP blog admins actually often visit their admin panel: it
provides stats, spam and comments management along with other useful
tasks (i.e. they will be quickly aware of the available updates)

That's why I think that modifying a script would mean adding a
capability that would be useless in a few weeks.
Plus, http-wp-plugins takes time to run (it's a dictionary attack
against more than 14K known plugins to date): this means that in, say,
3-4 weeks this script will take additional time with this new test,
useless in 99% of cases while run every time it finds one of those
maybe-affected plugins.

Such a test against this vulnerability would be, I think, more efficient
(or, at least, quicker) in either its own script or a malware-dedicated
script. Anyway it would take seconds instead of minutes to report.

My 2 cents,

A.G.
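The registry hand-off Henri mentions (http-wp-plugins stores what it finds, a second script reads it instead of re-running the dictionary) can be sketched as a small NSE script. This is an added example written for this archive page; it is not code from the thread and not part of Nmap. It assumes that the enumerating script has stored plugin slugs in host.registry["wp-plugins"] (that key name is an assumption, since the thread only proposes the idea), it uses the three plugin slugs named in the URL of reference [2] as its watch list, and it reports the "Stable tag" from each plugin's readme.txt for manual comparison rather than claiming any affected version range, which the page does not give.

```lua
-- Added example, not from the nmap-dev thread and not shipped with Nmap.
-- Reads plugin slugs stored by an enumerating script (ASSUMED key:
-- host.registry["wp-plugins"]) and re-checks only the plugins named in
-- reference [2], instead of walking the full 14K-entry dictionary again.

local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local table = require "table"

description = [[
Re-checks WordPress plugins already enumerated by http-wp-plugins by
reading them from the per-host registry, so the extra test costs one
HTTP request per watched plugin rather than a second dictionary run.
]]

author = "example (added for illustration)"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"safe", "discovery"}

-- Make NSE run http-wp-plugins first so its results are in the registry.
dependencies = {"http-wp-plugins"}

portrule = shortport.http

-- Plugin slugs taken from the URL of the thread's reference [2].
-- No version ranges are asserted; a hit only means "installed, verify".
local WATCHED = {
  ["wptouch"] = true,
  ["addthis"] = true,
  ["w3-total-cache"] = true,
}

-- Pick the watched plugins out of whatever the enumerating script stored.
-- Kept separate from action() so the selection logic is easy to read.
local function select_watched(found)
  local hits = {}
  for _, slug in ipairs(found or {}) do
    if WATCHED[slug] then
      hits[#hits + 1] = slug
    end
  end
  table.sort(hits)
  return hits
end

-- Extract the "Stable tag:" line WordPress readme.txt files carry.
local function stable_tag(body)
  return string.match(body or "", "Stable tag:%s*([%w%.%-]+)")
end

action = function(host, port)
  -- ASSUMPTION: key under which the enumerating script stored its findings.
  local found = host.registry["wp-plugins"]
  if not found then
    stdnse.debug1("no wp-plugins entry in the host registry; nothing to check")
    return nil
  end

  local hits = select_watched(found)
  if #hits == 0 then
    return nil
  end

  local out = stdnse.output_table()
  for _, slug in ipairs(hits) do
    -- One request per watched plugin: fetch its readme and report the version
    -- string so the admin can compare it with the advisory by hand.
    local path = "/wp-content/plugins/" .. slug .. "/readme.txt"
    local resp = http.get(host, port, path)
    local version = "unknown"
    if resp and resp.status == 200 then
      version = stable_tag(resp.body) or version
    end
    out[slug] = "installed (readme stable tag: " .. version ..
                "); compare with the advisory and update"
  end
  return out
end
```

Because of the `dependencies` line, NSE orders this script after http-wp-plugins; if that script has not been changed to populate the registry, the action returns nothing and the scan output is unaffected, which is the behaviour Gutek asks for once the affected plugins are no longer interesting.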
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/