17 Sep

Sucuri Doesn’t Understand the Recently Disclosed Vulnerability Created by Duplicator (or Security in General)

The reputation of security companies is often very different than the reality. One company that seems to have a good reputation is Sucuri. That is despite everything we have seen over many years indicating they really lack even a basic understanding of security (we wish that were a gross exaggeration). We once again were reminded of that by something that popped up in the monitoring we do to keep track of vulnerabilities in WordPress plugins, which involved a repost of a recent Sucuri blog post.

The Sucuri blog post is titled “Outdated Duplicator Plugin RCE Abused”.

As usual Sucuri is behind in becoming aware of a security issue being exploited as we discussed the exploitation a week before, right after it started. That is contrary to what you would believe from the testimonial they show on their homepage which claims:

Another thing we like is that Sucuri knows about security issues before they become a problem – in advance.

While a week late, the post is written by someone who doesn’t appear to understand the vulnerability at all as they write this:

It’s hard to tell why the wp-config.php files are removed or voided, breaking the site. We can only speculate that it was a failed attempt to tamper with it. In several related cases, there was also a variety of backdoors present on the attacked server.

That doesn’t make sense in that they clearly successfully tampered with it if they have been “removed or voided”. What makes this so odd is the vulnerability specifically involves voiding the wp-config.php, as you replace intended information in the file with malicious code.

You only have to get to the second paragraph of the report from Synacktiv on the vulnerability, which Sucuri linked to, to find the first mention of that:

Indeed, the installer.php and installer-backup.php files can be reused after the restoration process to inject malicious PHP code in the wp-config.php file. Thus, an attacker could abuse these scripts to execute arbitrary code on the server and take it over.

At the end of the report it states:

Please note that a successful exploitation is destructive as it breaks the WordPress configuration file and thus, the WordPress instance.

Even with our dim view of the security industry and Sucuri, it is stunning that they put out a post without understanding what they are talking about at all. This seems like the sort of thing that should be a huge black eye for them, but it unfortunately won’t. They can’t even blame an intern on this as the bio of the writer of the post starts this way:

Peter has been working in Information Security for over 12 years, currently as a Senior Malware Researcher at Sucuri.

How bad must the non-“senior” malware researchers at the company be?

The next paragraph is not quite as bad, but still pretty bad:

Whether these backdoors are added by attackers abusing this vulnerability, or through different infection vectors needs to be confirmed. The only fix in case of a broken site is to recreate the wp-config.php file with the correct DB login credentials.

Why haven’t they confirmed that? Determining how websites are hacked is a basic part of a hack cleanup, so to not have gotten around to that is an indication of something being very wrong (from past experience it looks like the closest they usually come to trying to determine how websites are hacked is by looking for a correlation between the websites instead of doing things properly by reviewing logs and other relevant data).

Making things more problematic they describe the vulnerability as having been fixed in version 1.2.42, but as we discussed before part of the issue still issue still using default settings in Duplicator in that version. Considering that they don’t have any understanding of how the vulnerability they are discussing worked, it seems odd that they could have possibly determined if it was fixed.

They end their post with an ad (we removed the link from that):

If you believe your website has been compromised by this attack, we can help. Stay safe.

If your website has been hacked you really would help by avoiding Sucuri, we have repeatedly been brought in over at our main business to re-clean websites where they didn’t do things right, which shouldn’t be surprising considering lack of expertise seen in just the blog we were discussing.