On February 17, 2022, UpdraftPlus, a WordPress plugin with over 3 million installations, updated with a security fix for a vulnerability discovered by security researcher Marc Montpas. This vulnerability allowed any logged-in user, including subscriber-level users, to download backups made with the plugin. Backups are a treasure trove of sensitive information, and frequently include configuration files which can be used to access the site database as well as the contents of the database itself.
As with all newly reported vulnerabilities, the Wordfence Threat Intelligence team examined the patch and was able to create a proof of concept. In addition, we released a firewall rule to block any attackers trying to exploit this vulnerability. Wordfence Premium, Care, and Response customers received this rule today, February 17, 2022, while Wordfence Free users will receive this rule after 30 days on March 19, 2022.
This vulnerability was patched in version 1.22.3 of UpdraftPlus, and as such we strongly encourage you to verify that your site is running the most up to date version of the plugin and updating immediately if it is not.
Affected Plugin: UpdraftPlus
Plugin Slug: updraftplus
Plugin Developer: UpdraftPlus.Com
Affected Versions: 1.16.7 – 1.22.2
CVE ID: CVE-2022-0633
CVSS Score: 8.5(High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Researcher/s: Marc Montpass
Fully Patched Version: 1.22.3
UpdraftPlus is a popular back-up plugin for WordPress sites and as such it is expected that the plugin would allow you to download your backups. One of the features that the plugin implemented was the ability to send back-up download links to an email of the site owner’s choice. Unfortunately, this functionality was insecurely implemented making it possible for low-level authenticated users like subscribers to craft a valid link that would allow them to download backup files.
The attack starts with the WordPress heartbeat function. The attacker needs to send a specially crafted heartbeat request containing a data[updraftplus][updraft_credentialtest_nonce] parameter while a backup is running. If they are able to time this request to any time while a backup is running, the response will return the backup nonce required to download that particular backup.
Once the attacker has the backup nonce, they can trigger the maybe_download_backup_from_email function, but in order to do so successfully they’d need to fool a WordPress feature designed to determine the endpoint the request is being sent to:
public function maybe_download_backup_from_email() {
global $pagenow;
if ((!defined(‘DOING_AJAX’) || !DOING_AJAX) && UpdraftPlus_Options::admin_page() === $pagenow && isset($_REQUEST[‘page’]) && ‘updraftplus’ === $_REQUEST[‘page’] && isset($_REQUEST[‘action’]) && ‘updraft_download_backup’ === $_REQUEST[‘action’]) {
$findexes = empty($_REQUEST[‘findex’]) ? array(0) : $_REQUEST[‘findex’];
$timestamp = empty($_REQUEST[‘timestamp’]) ? ” : $_REQUEST[‘timestamp’];
$nonce = empty($_REQUEST[‘nonce’]) ? ” : $_REQUEST[‘nonce’];
$type = empty($_REQUEST[‘type’]) ? ” : $_REQUEST[‘type’];
if (empty($timestamp) || empty($nonce) || empty($type)) wp_die(__(‘The download link is broken, you may have clicked the link from untrusted source’, ‘updraftplus’), ”, array(‘back_link’ => true));
$backup_history = UpdraftPlus_Backup_History::get_history();
if (!isset($backup_history[$timestamp][‘nonce’]) || $backup_history[$timestamp][‘nonce’] !== $nonce) wp_die(__(“The download link is broken or the backup file is no longer available”, ‘updraftplus’), ”, array(‘back_link’ => true));
$this->do_updraft_download_backup($findexes, $type, $timestamp, 2, false, ”);
exit; // we don’t need anything else but an exit
}
}
The issue is the UpdraftPlus_Options::admin_page() === $pagenow check. This requires that the WordPress $pagenow global variable be set to options-general.php. Subscribers are typically not allowed to access this page. However, it is possible to spoof this variable on some server configurations, primarily Apache/modPHP. Similar to a previous vulnerability in WordPress < 5.5.1 also found by this researcher, it’s possible to send a request to e.g. wp-admin/admin-post.php/%0A/wp-admin/options-general.php?page=updraftplus.
While subscribers cannot access options-general.php, they are allowed to access admin-post.php. By sending the request to this endpoint they can fool the $pagenow check into thinking that the request is to options-general.php, while WordPress still sees the request as being to an allowed endpoint of admin-post.php.
Once this check has been passed, the attacker will need to provide the backup nonce as well as a type parameter. Finally, as all backups are indexed by timestamp, the attacker will need to perform a small amount of brute-forcing. Since the initial attack must occur while a backup is ongoing, the attacker will have a decent idea of the range of timestamps likely to be used by the backup, so they can send a number of requests with a timestamp parameter starting some time before the initial heartbeat request and incrementing until they are successfully able to download the backup.
Conclusion
Successfully exploiting this vulnerability would take a skilled attacker with an active account on the target system, as well as a large amount of trial and error. As such it is likely only to be used in targeted attacks. Nonetheless, the consequences of a successful targeted attack are likely to be severe, as they could include leaked passwords and PII, and in some cases site takeover if the attacker is able to obtain database credentials from a configuration file and successfully access the site database.
As such we urge all users running the UpdraftPlus plugin to update to the latest version of the plugin, which is version 1.22.3 as of this writing, as soon as possible, if you have not already done so. While the chances of being exploited are relatively low, the consequences of a successful exploit would be severe.
Wordfence Premium, Care, and Response customers are protected from any exploits targeting this vulnerability by a firewall rule as of February 17, 2022, while Wordfence Free users will receive this protection after 30 days on March 19, 2022.
If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.
Kudos to Marc Montpass for discovering this vulnerability and responsibly reporting it to the UpdraftPlus team.
The post Vulnerability in UpdraftPlus Allowed Subscribers to Download Sensitive Backups appeared first on Wordfence.