On 19 February 2020, Wordfence reported a highly critical vulnerability found in the popular Duplicator plugin for WordPress.
This plugin is useful when users want to migrate and copy WordPress sites. With Duplicator, sysadmins can create a new copy of the site and the generated file can be downloaded from the WP dashboard.
WordPress Duplicator Plugin Zero-day Vulnerability
Exploiting the newly discovered zero-day vulnerability allows attackers to download arbitrary files from the target site. More than 1 million WordPress websites are affected by this security flaw.
When a user creates a copy of a WP site and clicks the download button, the plugin triggers a call to the WordPress AJAX handler with the action duplicator_download and a file parameter.
"Unfortunately the duplicator_download action was registered via wp_ajax_nopriv_ and was accessible to unauthenticated users. To make things worse, no validation limited the filepaths being downloaded. The file parameter is passed through sanitize_text_field and appended to the plugin constant DUPLICATOR_SSDIR_PATH, but directory traversal was still possible. An attacker could access files outside of Duplicator's intended directory by submitting values like ../../../file.php to navigate throughout the server's file structure." - Wordfence
```php
function duplicator_init() {
    if (isset($_GET['action']) && $_GET['action'] == 'duplicator_download') {
        // sanitize_text_field() strips tags and whitespace but leaves "../" intact,
        // so the resulting path is not confined to DUPLICATOR_SSDIR_PATH
        $file     = sanitize_text_field($_GET['file']);
        $filepath = DUPLICATOR_SSDIR_PATH . '/' . $file;

        // Process download
        if (file_exists($filepath)) {
            // Clean output buffer
            if (ob_get_level() !== 0 && @ob_end_clean() === FALSE) {
                @ob_clean();
            }
            header('Content-Description: File Transfer');
            header('Content-Type: application/octet-stream');
            header('Content-Disposition: attachment; filename="' . basename($filepath) . '"');
            header('Expires: 0');
            header('Cache-Control: must-revalidate');
            header('Pragma: public');
            header('Content-Length: ' . filesize($filepath));
            flush(); // Flush system output buffer

            try {
                $fp = @fopen($filepath, 'r');
                if (false === $fp) {
                    throw new Exception('Fail to open the file ' . $filepath);
                }
                while (!feof($fp) && ($data = fread($fp, DUPLICATOR_BUFFER_READ_WRITE_SIZE)) !== FALSE) {
                    echo $data;
                }
                @fclose($fp);
            } catch (Exception $e) {
                readfile($filepath);
            }
            exit;
        } else {
            wp_die('Invalid installer file name!!');
        }
    }
}
add_action('init', 'duplicator_init');
```
Source: Wordfence
What are the signs that this vulnerability is being exploited?
If you see the following query-string parameters in a GET request to your site, it has most likely been targeted:
- action=duplicator_download
- file=/../wp-config.php
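To turn those indicators into something you can run over a web server access log, here is an added example (not code from the original post or from Wordfence): it parses Apache combined-format lines, decodes the query string and flags every duplicator_download request whose file parameter contains a ".." path segment, including percent-encoded variants. The log lines are constructed samples.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [20/Feb/2020:10:01:12 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=/../wp-config.php HTTP/1.1" 200 3110 "-" "curl/7.64.0"
203.0.113.5 - - [20/Feb/2020:10:01:15 +0000] "GET /?action=duplicator_download&file=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 3110 "-" "curl/7.64.0"
198.51.100.7 - - [20/Feb/2020:10:02:01 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=20200220_site_archive.zip HTTP/1.1" 200 524288 "-" "Mozilla/5.0"
198.51.100.9 - - [20/Feb/2020:10:03:44 +0000] "GET /index.php?p=12 HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
"""

# client ip, timestamp, request line and status code; the rest of the line is ignored
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def is_traversal(value: str) -> bool:
    """True if the file parameter, once fully URL-decoded, contains a '..' path segment.

    sanitize_text_field() leaves '../' intact, so this is exactly the input the
    vulnerable handler appends to DUPLICATOR_SSDIR_PATH.
    """
    decoded = value
    for _ in range(3):  # peel off double/triple percent-encoding
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    return any(seg == ".." for seg in decoded.replace("\\", "/").split("/"))


def classify(line: str):
    """Return (ip, verdict, file_param, status) for duplicator_download requests, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = parse_qs(urlsplit(m.group("url")).query, keep_blank_values=True)
    if query.get("action", [""])[0] != "duplicator_download":
        return None
    file_param = query.get("file", [""])[0]  # parse_qs already decoded one layer
    verdict = "EXPLOIT_ATTEMPT" if is_traversal(file_param) else "DOWNLOAD"
    return m.group("ip"), verdict, file_param, m.group("status")


def scan(log_text: str):
    """All duplicator_download requests; a 200 beside EXPLOIT_ATTEMPT means the file was likely served."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for ip, verdict, file_param, status in scan(SAMPLE_LOG):
        print(f"{verdict:15} {ip:13} status={status} file={file_param}")
```

A hit with a 2xx status from a client that never authenticated is the case to escalate; 404s show probing that failed.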