26 Feb 2019

Hackers Are Probably Already Exploiting This Authenticated Option Update Vulnerability Just Fixed in Freemius

On Sunday we had probing on our website for usage of the plugin WP Security Audit Log, which has 80,000+ installs according to wordpress.org, from what looked to be hackers. Considering that plugin is known to be vulnerable, we didn’t look further into what was going on, which was a mistake, but one that other monitoring we do allowed us to rectify today.

As part of our daily monitoring of subversion log messages from the WordPress Plugin Directory for mentions of security fixes, we found that 10 plugins had mentions of security fixes yesterday, which is way out of line with what we normally see and hinted that there might be a common issue between the plugins. As we started trying to figure out what was going on, we noticed that many of them were updating a third-party library, Freemius, which is described as a “[m]onetization, analytics, and marketing automation platform”. In looking into that we noticed that Freemius was citing WP Security Audit Log as using their library. Looking at the changes made in one of those plugins, we saw the possibility that a major vulnerability had been fixed. Further checking confirmed that an authenticated option update vulnerability was fixed, which would allow anyone with access to a WordPress account to take over a website. That is a type of vulnerability hackers have tried to exploit widely in the past, so there are likely to be plenty of attempts due to this.

Update: We have now reviewed the 1,000 most popular plugins and found that quite a few use this library and, as listed below, plenty of them have yet to get a fixed version released.

The release page for Freemius on GitHub currently has no information on what changes were made in version 2.2.4, but two days ago the person who released it made a change described as “[debug] [security] [fix] [major] Restrict the options update to admin…s and only to the SDK’s options (starting with ‘fs_’).” What would be interesting to know is whether the exploitation started before the fix was released or the fix caused the exploitation.

Update: Freemius has now admitted that they became aware of the vulnerability due to exploitation attempts.

The vulnerability isn’t too hard to understand. The library makes the function _set_db_option() available through WordPress’ AJAX functionality to anyone logged in to WordPress:

self::add_ajax_action_static( 'set_db_option', array( 'Freemius', '_set_db_option' ) );

Before the change made two days ago, that function looked like this:

static function _set_db_option() {
	$option_name  = fs_request_get( 'option_name' );
	$option_value = fs_request_get( 'option_value' );
 
	if ( ! empty( $option_value ) ) {
		update_option( $option_name, $option_value );
	}
 
	self::shoot_ajax_success();
}

That updates a WordPress option (setting) named by user input to a value also supplied by user input. What hackers have been doing with that for years is setting things so that new WordPress accounts can be created (though in this case someone would already need an account to exploit this) and that those accounts are Administrator accounts, which have complete control of the website.

That function has now been changed to this:

static function _set_db_option() {
	check_admin_referer( 'fs_set_db_option' );
 
	$option_name = fs_request_get( 'option_name' );
 
	if ( ! is_super_admin() ||
		 ! fs_starts_with( $option_name, 'fs_' )
	) {
		self::shoot_ajax_failure();
	}
 
	$option_value = fs_request_get( 'option_value' );
 
	if ( ! empty( $option_value ) ) {
		update_option( $option_name, $option_value );
	}
 
	self::shoot_ajax_success();
}

The changes restrict who can access the function (only Administrators), check for a valid nonce to prevent cross-site request forgery (CSRF), and limit the options that can be updated to ones that start with “fs_”.

If you are using a plugin that contains this library and you allow untrusted individuals to have WordPress accounts, you need to update the plugin to a version that includes the fixed Freemius library right away or deactivate the plugin.

This is a vulnerability that would have been caught by our security reviews, which are available as part of our main service and as a separate service, since we specifically check for this type of issue due to the likelihood of exploitation. If you are concerned about the security of the plugins you use, getting a review done is a good way to avoid this.

Plugins Impacted

We will keep updating this list, and if you see a plugin we are missing, please leave a comment below.

Update: You can now check if plugins are using a vulnerable version of Freemius using our Plugin Security Checker.

(We have notified the developers of the unfixed plugins that have an accessible contact method.)

(Updated March 8, 2019)

Proof of Concept

The following proof of concept will turn on user registration when logged in to WordPress.

Make sure to replace “[path to WordPress]” with the location of WordPress.

http://[path to WordPress]/wp-admin/admin-ajax.php?action=fs_set_db_option&option_name=users_can_register&option_value=1
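Since the vulnerable request carries the option name and value in the query string, a defender can scan web-server access logs for fs_set_db_option calls that target anything outside the SDK’s own “fs_” options, which is exactly what the fix now rejects. The Python below is an added example, not code from the post or from Freemius; the log lines, IP addresses and the SENSITIVE_OPTIONS list are constructed for this example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Options commonly targeted through arbitrary option-update bugs; the post
# names users_can_register, default_role is an assumed companion for this example.
SENSITIVE_OPTIONS = {"users_can_register", "default_role"}

# Constructed access-log lines in common log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [24/Feb/2019:03:14:07 +0000] "GET /wp-admin/admin-ajax.php?action=fs_set_db_option&option_name=users_can_register&option_value=1 HTTP/1.1" 200 38
203.0.113.5 - - [24/Feb/2019:03:14:09 +0000] "GET /wp-admin/admin-ajax.php?action=fs_set_db_option&option_name=default_role&option_value=administrator HTTP/1.1" 200 38
198.51.100.7 - - [24/Feb/2019:09:01:00 +0000] "POST /wp-admin/admin-ajax.php?action=fs_set_db_option&option_name=fs_accounts&option_value=x HTTP/1.1" 200 38
198.51.100.9 - - [24/Feb/2019:10:20:11 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 12
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) '
)


def classify(line):
    """Return a finding for a fs_set_db_option request that names a non-SDK
    option, or None when the line is not suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return None
    qs = parse_qs(urlsplit(m.group("target")).query)
    if qs.get("action", [""])[0] != "fs_set_db_option":
        return None
    name = qs.get("option_name", [""])[0]
    # The fixed library only allows option names starting with "fs_"; on a
    # vulnerable version any other name would have been written to wp_options.
    if name.startswith("fs_"):
        return None
    return {
        "ip": m.group("ip"),
        "timestamp": m.group("ts"),
        "option_name": name,
        "option_value": qs.get("option_value", [""])[0],
        "severity": "high" if name in SENSITIVE_OPTIONS else "medium",
    }


def scan(log_text):
    """Run classify() over every line and keep only the findings."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Parameters sent in a POST body never reach the access log, so a hit here is evidence of an attempt but a clean scan is not proof of none; checking wp_options for an unexpected users_can_register value covers that gap.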