Episode 91 Think Like a Hacker

Episode 91: How Hackers Can Use CSRF Vulnerabilities and Spearphishing to Wreak Havoc on WordPress

On this week’s episode of Think Like a Hacker, we chat about the cross-site request forgery (CSRF) vulnerability found in the Child Theme Creator by Orbisius and how attackers could use a vulnerability like this with spearphishing to wreak havoc, much like the phishing campaigns now being found on the Canva design platform.

With WordPress adding application passwords for REST API authentication, we discuss the benefits coming with this capability in WordPress version 5.6.

We also consider the ramifications of the critical, wormable RCE bug patched by Microsoft, and how attackers are actively attacking the recent zerologon vulnerability that was patched in August.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:42 High Severity Vulnerability Patched in Child Theme Creator by Orbisius
5:29 WordPress 5.6 to Introduce Application Passwords for REST API Authentication
7:48 October Patch Tuesday: Microsoft Patches Critical, Wormable RCE Bug, attackers exploiting zerologon vulnerability
12:03 Canva design platform actively abused in credentials phishing

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

Episode 91 Transcript

Kathy Zant:
Hi and welcome to Think Like a Hacker, the podcast about WordPress, security and innovation. We’re switching things up with the podcast just a bit. I am Kathy Zant, Director of Marketing here at Wordfence, and I’ve got a special guest.

Ram Gall:
Hi, I’m Ram Gall. I am a QA Engineer and Threat Analyst. You might have seen me on Wordfence Live on Tuesdays.

Kathy:
Ram is one of the stars of Wordfence Live, and he definitely brings not only the education to Wordfence Live, but the entertainment factor as well, and I enjoy watching you every week, Ram.

Ram:
I try, I try.

Kathy:
And you do a good job.

Ram:
Aw.

Ram:
So what do we got for today?

Kathy:
Well, we’ve got a few interesting stories. First, it looks like Chloe found a high severity vulnerability that was patched in the Child Theme Creator by Orbisius. And you did some QA on this, didn’t you?

Ram:
Oh yeah. I remember this one. I tested the firewall rule for this one and I mean, it’s kind of a doozy.

Kathy:
Is it?

Ram:
Yeah, it is a Cross-Site Request Forgery vulnerability. Maybe we should go into what that means a little bit.

Kathy:
Yeah. I remember that being something that an attacker would use, but they have to trick someone into performing an action in order for it to work. Is that correct?

Ram:
Yeah. Yeah. Imagine that you’ve got a button on your site that when you click it, it makes someone else an administrator. Now, let’s say an attacker knows exactly what kind of requests that button does, they’re not an administrator so if they press it, it can’t do anything. But if they basically copy what that request would do and send it to you in an email, for instance, and get you to click that request, you’re the one doing it. So you could make them an administrator without knowing what you’re doing exactly, if they disguise the link well enough.

Kathy:
Interesting.

Ram:
And we use something called a nonce, or a number used once, to protect against this kind of attack. So what happened in this case is that the theme creator didn’t have that check in place. So an attacker could send a crafted link, or get a victim who is an administrator to click on a link that would send a specialized form, or have JavaScript send a specialized request, and they could basically edit the theme file on a site or inject a new file on the site containing whatever they wanted: a backdoor, a web shell, anything like that. And at that point, I mean, they would basically own the site.

Kathy:
Right. So this would probably be used in a very targeted attack where an attacker says, “There’s Sally’s cat blog. We like to pick on Sally. There’s Sally’s cat blog, I want ownership of that so I’m going to mess with Sally and get her to click this.” Is that right?

Ram:
Yeah. And I mean, it is a targeted attack. It’s not the kind of thing that you could easily do as like a bulk exploit attempt. It’s not like the File Manager vulnerability we talked about a while back, but that doesn’t make it any less severe. If this kind of vulnerability is present, and let’s say you have a company with multiple administrators or multiple people with administrative access, an attacker is just going to keep trying until they get one of them to click it.

Kathy:
Yeah. This plugin though, it kind of falls into this category of utility plugins. It’s not necessary for the functionality of the front end of the site. So utility plugins, I kind of think of these as like File Manager that recently had a vulnerability, the Duplicator plugin, which had a vulnerability. These things are not necessary for the site’s front-end functionality, but yet people seem to leave these on their sites fairly frequently. I mean, this particular one has an install base of 30,000. Are these people just leaving this on their site, and what would be your recommendation for that?

Ram:
I mean, it does sound like people are just leaving it on the site. And I mean, how many times do you really need to create a new child theme? Maybe once for every theme that you’re going to install and decide to keep, which might be like two or three themes at most, ever.

Kathy:
Right.

Ram:
If you’re actually going to the trouble of creating a child theme, you’re investing work in that theme. So at that point you’ve more or less decided to keep that theme. So, I mean, once you created the child theme, you don’t really need the plugin anymore. We recommend not just deactivating these plugins, but actually removing them from your site.

Kathy:
Right. Because the File Manager plugin, if you deactivated it and it was still resident on your site, you’re still vulnerable, right?

Ram:
Yeah. Yeah. That was the problem with the File Manager plugin. It didn’t matter if it was deactivated or not, because it didn’t actually need to load up in WordPress to be vulnerable. Attackers could just access this one file sitting there in the plugin directory.

Kathy:
And create a lot of havoc, right?

Ram:
Exactly.

Kathy:
Yeah. Interesting. Okay. So if you are using the Child Theme Creator by Orbisius and it is on your site and you’re not using it actively, maybe you’d like to delete it, at the very least you should have it updated.

Kathy:
Looks like we have another story about WordPress 5.6 which is upcoming, is going to introduce application passwords for the REST API. What do you think about this, Ram?

Ram:
I think it’s probably a very good thing. So, okay, the REST API kind of started as a replacement for XML-RPC, which we all know has its own set of problems. Basically, it’s a way for other applications, other programs to communicate with various plugins on the WordPress side, which is well and good as long as it’s properly secured.

Kathy:
Sure.

Ram:
Having application passwords, with 5.5, they actually reduced a requirement for any REST API endpoints. Basically, anything that tries to access using the WordPress REST API needs to have some kind of authentication check in place saying, “Yes, I checked to make sure that this person is allowed.” You can still just have it return true in all cases if you do want to make a public endpoint, but it is definitely going to help improve best practices on that. But adding passwords to it is going to make it way easier to establish secure ways for other programs to interact with WordPress, and that’s a really good thing.

Kathy:
Yeah. So this is probably going to make application developers say, mailing list providers, or different applications that can be leveraged to provide functionality to a site or getting information in and out of WordPress, it’s going to give them a level of security where they can add additional functionality and ensure that that is secured. So I think that this ultimately is going to add to the usefulness of WordPress and integrations with other software.

Ram:
Definitely. Yeah. I mean, we use the WordPress REST API for Wordfence Central. We had to develop a pretty rock-solid authentication system using some fairly heavy cryptography, but…

Kathy:
Yeah.

Ram:
Yeah. This would have made that a lot easier, but I think we’re still keeping our high-security version, so.

Kathy:
Yeah. Yeah. So this’ll be interesting to see. I’m not sure when WordPress 5.6 is coming, but 5.5 just came out, what? In August, so I’m guessing probably by first part of the year. So this is definitely something cool to watch.

And Ram, you found a cool story about October Patch Tuesday, and what’s going on with Microsoft. You found a wormable RCE bug?

Ram:
Yeah. So first of all, I should probably define a couple of things. Wormable is kind of a problem because it means that if an attacker infects one system, they can then get that system to attack other systems and just sort of spread on its own without human intervention. And RCE is remote code execution, which once an attacker has that, it basically means that, well, they own it. At the very least, whatever the user they’re attacking can do, which in this case, since it’s the IP stack, it runs at the kernel level so, pretty much everything.

Kathy:
Yeah. So this is really dangerous in enterprise situations where you have a whole room full of Windows servers that are on the same network?

Ram:
Yeah. It’s actually a lot like the old school “ping of death” attack. You’ve opened up a command prompt and run ping against a site to see if it’s up, right?

Kathy:
Sure.

Ram:
So that uses a special kind of packet called an ICMP packet, and it used to be possible to basically make a malformed version of that packet and send it to a server and crash it. And we called that the ping of death. This is kind of like an IPv6 variant on that, but with a bit more potential capability. So, I mean, the good news is that no one’s actually achieved remote code execution as far as we know yet, but that’s just for the time being. For now, most exploits just result in a blue screen of death so this could still be used for denial of service. There’s more good news, and that’s that a lot of firewalls seem to block ICMPv6 packets by default so it’s not necessarily going to be easy to exploit by an attacker that’s not already inside your network.

Kathy:
When we were talking before you said something about how if it’s going to be exploited, you’re going to see a lot of servers just going down so it’s not really useful for an attacker who wants to maintain persistence in a network, right?

Ram:
Not yet. Not until they get full RCE. Once they do then it might not actually leave any traces, so.

Kathy:
Fascinating. So definitely something to patch and something to watch because I’m sure not everyone’s going to patch. Why is it that we don’t get everyone patching when Patch Tuesday happens?

Ram:
I don’t know. Remember, what was it, Zerologon?

Kathy:
Yeah.

Ram:
Yeah. The thing you talked about a couple of weeks ago, apparently there’s already access to Fortune 500 company networks being sold on the dark web because of that vulnerability.

Kathy:
Wow. Just that one vulnerability is exposing companies. Wow. Yeah. Yikes. And didn’t you mention that Linux has a pretty intense vulnerability too?

Ram:
Well, it has a cool name at least, which is “bleedingtooth.” It does mean that the attacker has to be close by a vulnerable computer, but pretty much any Linux computer with Bluetooth enabled running before the current version of the Linux Kernel. I’ve seen some disagreement on the minimum version that’s affected. I’ve seen anywhere from 3.6 to 5.8. So it seems likely that at least some older versions are affected before the second to latest version, but the long and short of it is that if you have a Bluetooth device nearby a Linux computer with Bluetooth enabled, you can attain zero-click remote code execution via the Bluetooth BlueZ stack. Again, that means that someone can own your computer in kernel mode, so yeah.

Kathy:
Wow. So update all of the things, pretty scary vulnerabilities there.

Kathy:
Did you see this article about Canva being used for phishing?

Ram:
Yeah. I just read that yesterday. And wow, I had no idea you could do all that with a graphics design platform.

Kathy:
Did you test it out yet?

Ram:
I have not. If you get any emails from Microsoft, make sure to click them.

Kathy:
Tricky, aren’t you? Yeah. I don’t trust any emails from Microsoft or anyone basically. Especially financial institutions after hanging out with you and Chloe.

Ram:
Hey, I haven’t hacked you yet.

Kathy:
No, you haven’t, yet. Most of the phishing campaigns that we receive are from our Director of Information Security who likes to keep us on our toes. Doesn’t she?

Ram:
Yeah. Hey, we actually passed the last few ones. No one clicked on any of those phishing links.

Kathy:
Yeah. Yeah.

Ram:
So, and that’s-

Kathy:
Yeah, we’re getting good.

Ram:
Yeah. It’s really important to train all your users as to the dangers of phishing so that they don’t actually click on suspicious links because so many corporate vulnerabilities start this way. There’s zerologon and all that stuff and there’s technical flaws but usually attackers get their foot in the door via something called spearphishing.

Kathy:
What is spearphishing exactly?

Ram:
Basically where an attacker does research on your company, in particular, finds someone who might be susceptible to clicking on a link and entering in or sharing confidential information. Then crafts a message that looks like it would be from their boss or their co-worker asking for this quarter’s financials or sending them an infected file that claims to be this quarter’s financials.

Kathy:
So very, very targeted. So with the vulnerability we were talking about before, the CSRF vulnerability with the Child Theme Creator, that could be used in a spear phishing attempt to really do some damage on a website, right?

Ram:
Oh yeah. I mean the spear phishing is probably the best way to get CSRF executed.

Kathy:
Gotcha. Yeah. A lot of people, when we talk about different types of vulnerabilities, always think, well, CSRF means that somebody’s got to do something, so no big deal, right?

Ram:
Hackers are really good at getting people to do things.

Kathy:
They are. It’s really more of a manipulative psychological game than it is the actual vulnerability itself because the weakest link in security is always the human, isn’t it?

Ram:
Well, I mean, I know that I’ve definitely made some cybersecurity mistakes. I’ve gotten hacked a bunch of times in the past, so.

Kathy:
Yeah. Yeah. I think we all have.

So with this Canva design platform, it is being used in credentials phishing. So Canva’s hosting for images and whatnot, it is being used to create landing pages that are then used to redirect phishing victims to fake log-in forms. So I guess the biggest advice is to always verify domains. If you’re going to a financial institution, always type in that domain name, never click on a link in an email because these types of attacks are happening everywhere. And if you think that, “Well, it’s on Canva so then it’s got to be safe.” Well-

Ram:
Maybe not.

Kathy:
… this research is definitely showing that it is not.

Kathy:
And what would you recommend, Ram, for a company that has a number of employees that have access to sensitive information or to even their WordPress website? Should those companies be testing their employees like we do to ensure that they can identify a phishing campaign? Because my Gmail inbox, I never see any phishing. I mean, I don’t even look at the spam folder anymore, but they’re really good at filtering it. So I’m not being tested there.

Ram:
I do think it’s important to test employees, train them to recognize signs of suspicious emails, even if they seem to be coming from someone else in the company. Because some of the test emails we’ve gotten actually looked like spear phishing campaigns, like sharing a report from some platform that we use or that kind of thing. Someone I work with granting me access to something or…

Kathy:
Yeah, and that always sounds really juicy. You want to click that, right?

Ram:
Exactly. And I mean, there’s the old advice that you can hover over links to see where they actually lead but with shortened URLs, that’s kind of hard. Though they do have services that can expand shortened URLs and figure out where they go to but there’s also redirect chains where a URL might redirect to another site, which redirects to another site, and it’s kind of hard to keep track of where it ends.

Kathy:
Yeah, definitely. So it’s just better to basically mistrust every link in an email.

Ram:
If you get an email that seems suspicious from someone you work with, maybe contact them via Slack or Messenger or give them a call and see if they actually sent that to you.

Kathy:
Good points. Very good points. Well, that’s all we got today for Think Like a Hacker, Episode 91. What do you think, Ram, was this fun for you?

Ram:
Yeah, this was tons of fun, and it’s always fun thinking like a hacker.

Kathy:
It is. So let’s do this again next week. If you are wanting an alert when Think Like a Hacker is posted, you can go to Wordfence.com/podcast, or you can subscribe on one of your podcasting apps on your phone. Keep in touch with us. We’re going to give you all of the latest news in WordPress security and innovation so that you can stay on top of things easily and just kind of walk around your neighborhood, drive to work, whatever you’re doing, drive to the coffee shop, and we’ll keep you updated. So talk to you again next week, right Ram?

Ram:
Yep. See y’all last… Next week. Not last week, next week.

Kathy:
2020 is really just kind of messing with time.

Ram:
It is, I’ll see you all next last week.

Kathy:
That’s what it’ll be. See you next time. Thanks.

Follow Ram on Twitter @ramuelgall or Kathy @kathyzant. You can find Wordfence on Twitter, Facebook, Instagram. You can also find us on YouTube, where we have our weekly Wordfence Live on Tuesdays at noon Eastern, 9:00 AM Pacific. Next Tuesday on Wordfence Live, we’ll be talking about how to find and exploit WordPress vulnerabilities.
