Think Like a Hacker Episode 124

Episode 124: PrintNightmare 0Day Exploit Accidentally Leaked Online

Security researchers accidentally leaked zero-day exploit code for a new Windows bug, now called PrintNightmare, while easily exploitable vulnerabilities in the ProfilePress plugin, previously called WP User Avatar, were patched quickly. An unprotected cloud database containing over 814 million DreamHost user records was found online. Google Chrome is getting a HTTPS-only feature in an upcoming version, and two bugs, one of which is a zero-day, are leading to attackers fighting over control of internet-connected Western Digital My Book Live devices.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:15 Researchers accidentally release exploit code for PrintNightmare, CISA Advisory
4:42 Easily Exploitable Critical Vulnerabilities Patched in ProfilePress Plugin
7:48 Cloud Database Exposes 800M+ WordPress Users’ Records
9:45 Google Chrome will get an HTTPS-Only Mode for secure browsing
12:18 Hackers exploited 0-day, not 2018 bug, to mass-wipe My Book Live devices

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

Episode 124 Transcript

Ram:
Welcome to Think Like A Hacker, the podcast about WordPress, security, and innovation. I am Ram Gall, threat analyst at Wordfence. And with me is Director of Marketing, Kathy Zant. So it seems like this week we’ve got one of those endless scream situations again.

Kathy:
We do. What’s going on?

Ram:
So there’s this PrintNightmare, zero-day exploit, that allows domain takeover of any Windows Server running the Print Spooler service, which is a lot of them. It’s unpatched so far. It’s a zero day.

Kathy:
Oh my gosh. So, is this what network engineers are going to be doing over a holiday weekend, is turning off Print Spooler on all of their Windows Servers?

Ram:
Yeah. There’s no patch available for it yet. The only thing you can do is turn off the Print Spooler service, and it allows both remote code execution and local privilege escalation, which again between them mean that you can basically take over the domain controller. And once you have that, you basically have the entire Windows network.

Kathy:
So not just the server, you can take over the entire Windows network? Now, there was an interesting story of how this vulnerability became public. What happened here?

Ram:
So, this is interesting. It looks like two different security companies in China were both researching Print Spooler vulnerabilities. And one of them basically found a vulnerability in the Print Spooler, let Microsoft know responsibly, which is the right thing to do. And Microsoft patched it a few days back. And meanwhile, the other security company saw it and went, “oh, Hey, we’ve been working on that too. Here’s our proof of concept for that exploit.” And it turns out-

Kathy:
And they posted that on GitHub, right?

Ram:
Yeah. Only it wasn’t that exploit. It was a different exploit in the same thing and it wasn’t patched. And they deleted it as soon as they figured out what had happened. But by then the internet never forgets.

Kathy:
It doesn’t, does it? It got, what? Cloned, forked and cached all over the internet.

Ram:
Yep.

Kathy:
And what are they calling this? PrintNightmare?

Ram:
It is PrintNightmare. And you know how we’ve talked some pretty big numbers. We’ve had like the Exchange Server thing, which was-

Kathy:
Yeah that was huge.

Ram:
This is bigger.

Kathy:
Bigger, yeah. Well, there’s more Windows Servers than there are Exchange Servers. So this is pretty much everywhere. Is this on Windows like desktop machines as well?

Ram:
The Print Spooler runs on Windows desktop machines. I don’t want to speculate and say outright that it’s invulnerable, but you know it’s the same service. It’s just that Windows desktop machines are probably not exposed to the internet at large and probably don’t have the same degree of permissions. They’re not as useful to take over as a natural Windows Server. The good news is that Windows Servers, you don’t usually need to print things off of a server unless it’s a print server. Usually you can just print off of the desktop. In some cases it might be disabled already on Windows Server. And the good news is that it’s a pretty simple group policy change. You can just push this to everything real quick, if you’re a domain administrator. So it’s not hard to turn this off. It’s just that, I really hope that everyone who needs to know this knows this and is fixing it right now.

Kathy:
Right. Right. Yeah. So Rapid7 was one of the researchers that had confirmed that these public exploits work against fully patched Windows Server 2019 builds. And that this vulnerable service is enabled by default on Windows Server. So you need to be aware if you’re running any kind of Windows Server on your network at home, anywhere Windows server is default running, you’re going to need to go turn off Print Spooler because the proof of concept is out there. This will be under attack. And so this is important that you pay attention. Alarm bells are indeed ringing. So yeah, important.

Ram:
Yeah. The vast majority of enterprise controllers, all domain controllers, even those that are fully patched are vulnerable to remote code execution by an authenticated attacker. So that does mean that they need like an “in” into the network. Given the number of ransomware attacks these days, one can basically assume… you don’t necessarily have to assume breach, but assume that an attacker has a foothold.

Kathy:
Sure. Definitely. And CISA, it looks like they have an alert out warning anyone to disable Windows Print Spooler as well. And we’ll have a link to that in the show notes. So even if you are not managing a Windows Server, this might be one of those times that you call your friends that you used to work with that are running Windows Servers and let them know because this is like an all hands on deck, get the alarm bells ringing out there type of problem that could have wide ranging effects.

Ram:
Yep. Meanwhile, this is the second time we’ve mentioned this plugin in, I want to say, a couple of months.

Kathy:
Yeah. ProfilePress?

Ram:
Yeah. That was the one that used to be WP User Avatar, right? And there was kind of an uproar, right?

Kathy:
There was a little bit of an uproar. Recently WP User Avatar had 400,000 installations and they changed their name to ProfilePress and basically changed it into a fully functional membership type of plugin. Rather than just a user avatar plugin. So they introduced a ton of new features. People who were using WP User Avatar were like, wait a minute, this is not the functionality I had in mind, when they updated and found that they had somewhat of a different plugin installed. So when you’re introducing new functionality into a plugin, there’s a propensity for introducing bugs. Some of those may be security bugs. What did we find when we took a look, Ram?

Ram:
Well, I am really glad that Chloe decided to look at it pretty much as soon as she heard about all the new functionality, because, woo boy, she found some stuff.

Kathy:
She did.

Ram:
So this is kind of sad and at the same time hilarious, but literally every membership plugin in the repo has, at some point in its history, had this exact bug. Basically where anything that basically allows users to have custom roles or something, you can tell it that you want to become an administrator. And it’ll just make you an administrator if you pass it the right keys and values. And for some vulnerabilities, it’s just been at registration. For others it’s been from the profile update page. With this it was both. The good news is that it was introduced when it became ProfilePress so it’s only versions 3.0 to 3.1.3 that are vulnerable.

Kathy:
Okay. And Chloe contacted them and they responded she said, within minutes. They responded quickly and got a patch back to Chloe so that she could double check it and make sure that it dealt with some of these vulnerabilities very, very quickly. So everything is patched. Because of the severity of the vulnerabilities we determined that it would probably be best to ensure that firewall rules went out to everyone, including those using the free version of Wordfence. So those all went out by June 26, and we published shortly thereafter. So you can take a look on our blog and find out more details about these vulnerabilities patched in ProfilePress if you’re one of the 400,000 people using this.

Ram:
There were some file uploads, too.

Kathy:
File uploads. Oh those are always fun because that basically is just like ownership. Because any file upload vulnerability is going to be an upload of a shell that basically gives you access to anything on that server or that particular installation of that website, correct?

Ram:
Yep. Two privilege escalations and two arbitrary file uploads. And that’s just a lot.

Kathy:
That is a lot. Okay. Speaking of a lot, it looks like DreamHost had a lot of user records that were exposed. What happened with this cloud database?

Ram:
Well, security researcher Jeremiah Fowler found an unprotected trove online with no password protection containing 814 million DreamHost records dating back to 2018. It was 86 gigabytes of stuff containing their users’ WordPress configurations, including login URLs, first and last names, email addresses, usernames, roles, host IPs, which actually doesn’t sound like that big of a deal, but if you’re using a cloud-based WAF and you have the host IP, then you can bypass that cloud-based WAF a lot of the time. Which is why having multiple layers is so important.

Kathy:
Yes, definitely. So you can have a cloud-based WAF if you want, but it’s always good to have an endpoint WAF. Layer that security like a seven-layer cake. Protect your website. Now this only seems to have affected DreamHost’s DreamPress users, not all of their users. So if you were using DreamPress, their specific managed WordPress installation, those are the customers that were affected here.

Ram:
Indeed. And they say it appears to date back to 2018, but they don’t actually know how long it’s been exposed. Just the data in there is from 2018.

Kathy:
Right. And they have no way of knowing how many people may have accessed it, or for how long. Maybe it was known for a long time that this was a publicly available database in hacker circles or whatever. So no way of knowing. You just have to assume that if it was public, that someone malicious may have found it.

Ram:
Yeah. And I mean, realistically, we always say that assume that your username is public knowledge.

Kathy:
Right. Right. Exactly. Because it very may well be. So Google Chrome, no Chrome zero days today?

Ram:
No Chrome zero days. We’ve got a two week streak.

Kathy:
Oh wow. Wow. Keep that streak going. But it looks like Google Chrome has a security update that looks to be rolling out by the end of August. What is this going to entail?

Ram:
So it looks like Google is going to add an HTTPS-only mode to protect your web traffic from eavesdropping. And that basically means that… there’s already plugins or extensions you can use to do this. But it will at least attempt to upgrade all connections to HTTPS. Now that is going to be dependent on the site you’re visiting having a certificate and being able to support that connection. Otherwise, it hasn’t been confirmed, but I don’t see any way this wouldn’t throw up a roadblock page if you’re trying to connect to a site that doesn’t have a certificate, if this is enabled.

Kathy:
Right. Right. So this doesn’t get you off the hook of having a secure certificate. Obviously Google has inspired all of us to add an SSL certificate to our website because it improves your search engine performance. So if you want to be found, it’s important to have that. But now with this new HTTPS-only mode… and Google, also Chrome has been showing “insecure” as a little alert up in the address bar of sites that did not have a certificate installed. So I imagine that the warning is going to be even more dire should someone be visiting a site that doesn’t have an SSL certificate.

Ram:
I very much suspect that this will effectively make having a TLS certificate mandatory if you want people to view your site with Chrome. At least if this is enabled. Though, I don’t know if it will be enabled by default for a while, but it does seem like that’s the direction it’s heading of having a TLS certificate or non-technical users at least will not be able to visit your site at all.

Kathy:
Right. Okay. Interesting. So we’ll have a link to the article on Bleeping Computer in the show notes and there they have some specific instructions that can show you how you can test this now, so you can prepare for this to roll out end of August with Chrome 93. So you’ll want to test your site, make sure everything looks okay when this does roll.

Ram:
Indeed. In August, right?

Kathy:
Yeah. It says August 31st is when Chrome 93 is expected to be reaching stable status. So we’ll probably see it somewhere around then.

Ram:
Cool. For this next one, I actually have one of these or at least this line of product. So I had to double check it’s the Western Digital My Book devices or My Book Live devices.

Kathy:
Okay. It’s just a hard drive?

Ram:
Yeah. It’s basically a little network-attached hard drive. You plug it into your router with an ethernet cable and it gives you like a few terabytes of storage that you can access from anywhere on your network. It’s actually pretty cool. It turns out that I have the slightly later model that wasn’t impacted, which is why all my stuff is not gone.

Kathy:
Oh, nice. It looks like there was a bug, a security bug in 2018 that was patched. But a lot of people weren’t patching their My Book Lives?

Ram:
Yeah. I mean, this is a device that’s been around for a while. I think I got mine in like 2013 or something, and mine’s the newer revision. But it looks like there were two vulnerabilities in question, kind of like with that Print Spooler PrintNightmare thing. So there was one from 2018 and then there’s a zero day that attackers are also using to reset these devices. What we’re actually seeing is attackers password protecting the endpoints in question. It looks like more than one group of attackers that might be fighting over these devices and trying to use them for their botnets.

Kathy:
Oh, interesting. Wow. So if you are using one of these devices, what should someone do?

Ram:
Disconnect it from your network for the time being.

Kathy:
Gotcha. Okay. Because this is a zero day, this doesn’t have a patch?

Ram:
For the time being. Yeah.

Kathy:
Wow. Okay. Interesting. So, yeah, definitely if you are using one of these Western Digital My Book devices, it should not get to play on the internet or your home network. It just needs to go to sleep for a while, I guess. Keep it safe. Okay.

Ram:
Keep it secret.

Kathy:
Keep it secret. Keep it safe. Obscurity.

Ram:
Security through obscurity.

Kathy:
Yes, indeed. Okay. So, well that’s it for our July 2nd edition of Think Like A Hacker. We are going to take next week off because it is a holiday week here in the United States. So we will be celebrating all of the things, bombs going off. Not bombs.

Ram:
Fireworks!

Kathy:
Fireworks going off.

Ram:
Mostly illegal fireworks starting forest fires.

Kathy:
Yeah, yeah. It’s a little crazy here, but we will be celebrating and also just spending time with family and friends. So we hope that if you are celebrating that you have a safe 4th of July. And if you’re not, wherever you are in the world, we hope that it is a nice, peaceful first week of July. And we will talk to you again week after next. Thanks for listening.

Ram:
Bye.

Kathy:
Bye.

You can find Wordfence on Twitter, Facebook, Instagram. You can also find us on YouTube, where we have our weekly Wordfence Live on Tuesdays at noon Eastern, 9:00 AM Pacific.

2 Comments
  • Dreamhost posted an update https://www.dreamhost.com/blog/dreamhost-database-event/

    • Thanks for sharing that update, Mike.