Episode 87: Vulnerabilities Affect Discount Rules for WooCommerce Plugin, ModSecurity & Windows

Vulnerabilities were recently patched in the Discount Rules for WooCommerce plugin installed on over 40,000 WordPress sites. Developers from OWASP Core Rule Set said ModSecurity v3 is exposed to denial of service exploits, though the maintainers of ModSecurity reject that claim.

A severe vulnerability called Zerologon in Windows Netlogon was patched in August; this bug could be exploited to attack enterprise servers. And a security researcher also discovered that the Windows TCPIP Finger command can also function as a file downloader and a makeshift command and control server.

Last weekend, nearly 2,000 Magento stores were compromised in the largest hacking campaign since 2015.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:13 High-Severity vulnerabilities patched in Discount Rules for WooCommerce
2:26 ModSecurity maintainers contest denial-of-service vulnerability claims
4:43 Netlogon cryptographic weakness has critical impact on enterprise servers
6:30 Windows 10 ‘Finger’ command can be abused to download or steal files
7:29 Magento online stores hacked in largest campaign to date

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

Episode 87 Transcript

Scott Miller:

Hey everyone. It’s Scott from Wordfence, you’re listening to Think Like a Hacker, the weekly podcast about WordPress security and innovation. Let’s jump into this week’s stories.

Our first story of the week takes a look at several vulnerabilities found in the Discount Rules for WooCommerce plugin. On August 20th, our Threat Intel team here at Wordfence was made aware of multiple vulnerabilities that had recently been patched in the Discount Rules for WooCommerce plugin, which is installed on over 40,000 sites. We initially released a firewall rule to protect against these vulnerabilities on that same day. During our investigation, we also discovered multiple other unpatched vulnerabilities, and released a firewall rule to protect against these issues the next day, on August 21st. We then, reached out to the Flycart team on the same day and received a reply almost immediately. They were aware of one of the additional issues that we had found and released an interim patch the next day, on the 22nd, followed by a more comprehensive patch on September 2nd. They then addressed the last of the issues on September 9th.

The Discount Rules for WooCommerce plugin works alongside the WooCommerce e-commerce plugin to create custom rules for discounts such as a two-for-one special discount. So, their initial patch added a check to prevent switching between the V1 and V2 code bases which, at the time, were both accessible. At this point, sites using the V1 code were still vulnerable. Once the plugin was set to use the V1 code base, a number of AJAX actions became available providing similar functionality to the patched actions in V2.

Ultimately, the end result is that attackers were able to send a post request and inject malicious JavaScript into one of the fields of a discount rule, which would be done simply by adding it to the data parameter. Following that, the next time an administrator viewed or edited discount rules the malicious JavaScript would then be executed in their browser and could ultimately lead to a site takeover by adding a backdoor plugin, or theme file, or potentially adding malicious administrator among other malicious actions.

Sites still running the free version of Wordfence will receive these rules after 30 days on September 19th and September 20th. If you’re using the discount rules for WooCommerce plugin, be sure you’re updated to the latest version.

In our second story of the week, ModSecurity maintainers contest denial of service vulnerability claims. You likely know ModSecurity as the popular firewall that’s designed to stop attacks against applications by monitoring HTTP traffic in real-time. This project is open source and maintained by Trustwave’s SpiderLabs. Now, the ModSecurity firewall works off of WAF rules, and admins can create their own rules, or deploy one of many existing libraries to block malicious attacks and attempts on the server.

A recent discovery suggests that ModSecurity opened itself up to denial of service vulnerabilities. And, as a response, a Trustwave spokesperson said that while changes were made to the ModSecurity engine, they did not introduce a security vulnerability. The Trustwave spokesperson stated that there was a change in regular expression matching in ModSecurity 3.x that provided additional functionality, and that is not considered a vulnerability for a few reasons, such as an attacker would need to know that a rule using a potentially problematic regular expression was in place. Also, the attacker would need to know the basic nature of the regular expression itself in order to exploit any resource issues. And while those resource issues may cause a slow down, they have not been able to replicate.

Christian Folini, the co-lead of the OWASP Core Rule Set development team, challenged this response saying, “As ModSecurity is only the engine. You need rules to expose the vulnerability. And, also, to blame the problem on the rules does not make much sense in this architecture.” He mentioned that it’s like stating that the server would be secure if nobody was hooked in on the internet. The co-lead of the OWASP development team has insisted that ModSecurity maintainers fast track a release to include mitigations to the alleged vulnerability.

SpiderLabs, as a response, is maintaining the changes made, have not introduced any security flaws. The OWASP development team has since said that it would roll out its own changes to mitigate the issues saying that it will release a patch, so users can fix this themselves, as well as providing work arounds for users being stuck on the old and insecure ModSecurity 3.0.4.

In our next story, the Zerologon vulnerability in Netlogon could allow attackers access to Windows Domain Controller Netlogon is an authentication protocol that will verify users and services by way of secure channel between a machine and a domain controller. This Windows service is a background process, and is important for authentication on networks. Microsoft patched a severe vulnerability described as a privilege escalation vulnerability in their August patch, which could be exploited by attackers to take over enterprise servers. And this was due to cryptographic weaknesses in Netlogon. The vulnerability was discovered by Secura’s Tom Tervoort.

So, if you’re not familiar, the Netlogon remote protocol is used to alter account credentials within a domain. And can also be used to establish user domain control relationships. Secura’s technical paper, which examined this vulnerability, mentions that all an attacker needs is access to a network to establish a link to a domain controller using MS-NRPC. So, the paper then mentions that no credentials are required to perform an attack. The vulnerability itself in the newest encryption was caused by incorrect use of an AES operational mode and allows attackers to, “spoof the identity of any computer account, and set an empty password for that account in the domain.”

Microsoft notes that the flaw is going to be addressed in a two-stage rollout due to the scope of the vulnerability. And it looks like it might be awhile before it’s fully patched. At the moment, domain controllers need to be patched as soon as possible. And Secura has released a tool on GitHub, which allows administrators to see if a domain controller is vulnerable.

In our next story this week, the Windows 10 Finger command can be abused to steal files. So, sticking with Windows finger.exe is a command in Windows that allows you to grab information about users on remote computers, running the finger service or daemon. The communication is carried out via the name/finger network communication protocol.

John Page, a security researcher, found that the Microsoft Windows TCPIP Finger command can also allow access to download files, as well as function as a command and control server that can ultimately allow an attacker to send commands and retrieve data. According to Page, the C2 commands can be disguised as Finger queries sent to retrieve files and pull data all without Windows Defender intervening or alerting a user of the activity. One thing to be sure of is that you are blocking port 79, which is used by the Finger protocol.

In our last story of the day Magento online stores are hacked in the largest campaign to date. Over 2,000 stores were hacked over the weekend in, what researchers called, the largest campaign ever. So, this was a Magecart scheme where hackers compromised sites and used malicious scripts that stole payment information, which shoppers were inputting during checkout. Now, most of the compromised sites were running on version 1 of Magento’s online store software. The, now, depreciated Magento version 1 software was seen as a target as early as last year when Adobe, who owns Magento, put out an alert, telling users running version 1 to update to the version 2 branch. Mastercard, and Visa, both echoed those warnings to update to branch two over the spring. Over the past year or so, the number of Magento version 1 users have dropped from over 200,000 to less than 100,000 recently.

Attackers seemingly waited for version 1 to be depreciated, or for the end of life of the software before exploiting the vulnerabilities. At this point, Adobe would no longer be patching their bugs. The Magento version 1 zero-day vulnerability has been seen posted on underground hacking forums last month. And it confirms that attackers had been waiting for the end of life to come. It was also noted that some high-traffic sites are still running on version 1, and relying on their firewall, now, to keep the sites protected, which is mentioned to be a risky strategy. If you’re still running Magento version 1, it’s recommended to update to version 2 as soon as possible to mitigate risk.

That’s all for this week on Think Like a Hacker. I hope the news found you well. Check us out on Tuesday at noon Eastern time on YouTube for Wordfence Live, where we always discuss best security practices, and how to keep your sites safe. In the meantime, be sure you’re subscribed to our mailing list. It’s in the footer of the wordfence.com homepage. Until next time, have a great weekend, and thanks for listening. We’ll catch you soon.

Follow me on Twitter @wfscottmiller. You can find Wordfence on Twitter, Facebook, Instagram. You can also find us on YouTube, where we have our weekly Wordfence Live on Tuesdays at noon Eastern, 9:00 AM Pacific.