19 Aug

iThemes Security Fails to Protect Against Likely Exploited Arbitrary File Upload Vulnerability

One of the things we have been doing recently to improve the security of WordPress websites is tracking down vulnerabilities in plugins that appear to be known and being exploited by hackers but have been missed by WordPress security companies. Through that we recently spotted an arbitrary file upload vulnerability in the plugin Attachment Manager, which a hacker may have been exploiting since at least June of last year. While trying to find the best way to contact the developer about the issue we noticed that they are listed as being one of the of the developers of the iThemes Security plugin. While that might say a lot about the current state of WordPress security plugins, the developer did fix the vulnerability the same day we reported to them, despite the plugin not having been last updated 7 years ago before that, which is much better than the average response from developers when notified of vulnerabilities in their plugins.

We hadn’t really looked to closely at the iThemes Security plugin in the past, but a couple of things we noticed in passing earlier this year didn’t point to it being from trustworthy company since the plugin had a button that when clicked would claim the website had been “Secured” despite nothing else happening and they are using the non-existent threat of brute force attacks to collect the email address of the plugin’s users .

After noticing the connection between the vulnerable plugin and the iThemes Security plugin we took a closer look and noticed a seeming contradiction between what iThemes claimed to be threats to WordPress and the security the plugin provides.

On the plugin’s page in the Plugin Directory they state the threats against WordPress websites as:

WordPress sites can be an easy target for attacks because of plugin vulnerabilities, weak passwords and obsolete software.

They also describe protecting websites by:

Take the guesswork out of WordPress security. iThemes Security offers 30+ ways to lock down WordPress in an easy-to-use WordPress security plugin.

In looking over the plugin’s feature we didn’t notice anything that would actually stop plugin vulnerabilities from being exploited, which they mentioned as one of three major sources of attacks. We will come back to that in second, but for the other two issues it doesn’t seem like the plugin is the right solution for them either. For weak password WordPress out of the box handles things quite well and if you want further protection can use a plugin that is specifically focused on further restricting users’ ability to create weak passwords. For obsolete software we are not quite sure what that is supposed to refer to, since obsolete software isn’t necessarily vulnerable, so maybe they are referring to vulnerabilities in such software, for which they don’t seem to provide any protection against either.

To see what protection iThemes security might actually provide against a plugin vulnerability we thought a good test would be try exploiting the vulnerability that had been in the Attachment Manager plugin. Seeing as arbitrary file upload vulnerabilities are highly likely to be exploited and since the vulnerability likely was already being exploited by hackers.

To test this we created a fresh install of WordPress 4.6, installed the latest version of iThemes Security, 5.6.1, and the most recent version of Attachment Manager that was vulnerable, 2.1.1. We then enable the various features in the iThemes Security plugin. Finally we try exploiting the vulnerability using the proof of concept included with our report on the vulnerability. The result was that the file was successfully uploaded, so iThemes security provided no protection against it.

The only feature that would have an impact on the hacker then using the file that has been uploaded is the “Change Content Directory”, which renames the wp-content directory to something else, since the file is uploaded in to that directory. But as is noted on page for that feature can be easily worked around:

Some older and less intelligent bots hard coded this directory in order to look for vulnerable files. Modern bots are intelligent enough to locate this folder programmatically, thus changing the Content Directory is no longer a recommended security step.

Once a hacker exploited this type of vulnerability to place a malicious .php file they generally have complete access to the website, so among other things they would have the ability to modify the iThemes Security plugin to prevent it from providing any indication that hack had occurred (that would be true of any WordPress security plugin, which it doesn’t seem that people consider when thinking about the protection they can actually provide).