RevSlider Plugin Exploit: The Imperceptible Earthquake That Shook WP kingdom
A closer look at the RevSlider(Slider Revolution) plugin vulnerability, that affected OVER 6 million sites, making them appear like a script kiddie’s Christmas candy present.
This is what we will be looking at:
- What is WP RevSlider plugin?
- What was the exploit affecting RevSlider Plugin all about?
- How were malicious attackers exploiting the identified exploit?
- Was there remediation put in place?
- Am I still vulnerable to that exploit?
- Could you offer me a few recommendations to keep in mind?
#1. What is WP RevSlider Plugin?
WP RevSlider or simply Slider Revolution plugin is a revolutionary WordPress(WP) plugin that enables you(the user) to easily add sliders, carousels, hero headers, special effects, and content modules to your WordPress site.
#2. The Slider Revolution Exploit: What was it all about?
Exploit: Local file inclusion(LFI).Exploit Author: Claudio VivianiDate Reported: 2014–07–24Affected version of the plugin:Slider Revolution Responsive <= 4.1.4Description:WordPress Slider Revolution Responsive(RevSlider)<= 4.1.4 suffered from Arbitrary File Download vulnerability. This meant that a malicious attacker could access, review, download and or upload a local file on the server.Remediation:If you still have this version or a lower one, you're advised to Update it to the latest version to fix the latest vulnerabilities (known and unknown to public threats).(Bonus)Add below code to .htaccess file . Refer to Scoring a Clean “A” Security Score in Your Website for more details. Here's the code:#wp-config.php protection via .htaccess file
#copy paste below code into your .htaccess file:
<files wp-config.php>
order allow, deny
deny from all
</files>Referenceshttps://www.homelab.it/index.php/2014/07/28/wordpress-slider-revolution-arbitrary-file-download/https://www.exploit-db.com/exploits/36957
#3. How did this (RevSlider Plugin) exploit work?
POC: Diving inside the attackers mind.
Scenario: If an attacker didn’t have one website which he/she was a hundred per cent sure has the vulnerable plugin, below are the steps they’d follow to find and exploit websites remotely:
(i) Find sites that are utilizing the vulnerable Slider Revolution plugin.
(ii) Use specific parameters to download the wp-config.php file.
- WP-Config file: This is one of the core WordPress files usually located within the root folder of a given website. It contains sensitive info such as MySQL settings, Secret keys, Database(DB) table prefix and ABSPATH(a PHP constant defined by WordPress in its core) used during WordPress installation. Below is a sample:
(iii) Use gathered info from step two above to further attacks.
(i) How to Find the vulnerable sites:
Use the below search string (dork query) to find exploitable sites:
inurl:/wp-content/plugins/revslider/
(ii) How to Download the wp-config.php file:
Assuming you’ve followed the previous step of finding your target and found results similar to the ones in the below sample:
.. now it’s time to download the wp-config.php file. Use the below parameters :
wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
The new full URL should now look something similar to this:
http://your-target.com/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
Now hit enter and save the config file via the pop up save window. From there, one can view and edit the vulnerable site’s database in plain text.
(iii) Use the Information to Further Attacks?
NO, use the information as a POC and report it to the affected site owners so that they can be able to update the plugin and or clean the entire site to avoid current and further compromise on the site.
#4. Was there remediation put in place?
Yes, but there was one issue, ThemePunch (Slider revolution owners) released the patch silently without any public announcement, meaning that only the sites that had officially purchased the plugin could get an auto-update fix.
Hmm, but what about the users using nulled plugins and those who bought the plugin from marketplaces like CodeCanyon? How long would it take for them to get a patch?
The simple answer is, long enough for attackers to toy with your site. The plugin had over 6.5 million active installs at the time, a number indicating just how many sites were affected in just a short period.
#5. Am I still Vulnerable to The Exploit?
- No, if you have the latest version of Slider Revolution.
- Yes, if you have Slider Revolution <= 4.1.4
If you’re in the Yes category, make sure you update the plugin to the latest version, which is currently at version 6.5.8 at the time of writing.
#6. What would you recommend to avoid being a victim?
Below are some of the recommendations I’d suggest :
- Make sure you periodically check if you have the latest plugin versions and templates.
- Install web application firewalls.
- Scan for already installed malware/ backdoors.
- Be cautious when installing plugins (avoid nulled ones if possible), and make sure you uninstall suspicious plugins.
- Update user passwords and delete suspicious accounts.
- Disable directory listing.
- Follow proper guidelines to harden you site. You can start by reading this infosec Guidelines by the Mozilla foundation.
- Be an observer of what’s going on ( latest threats &c).
Found this interesting? Share with your friends or show some love by buying me some coffee. I’ll appreciate it so much: https://www.buymeacoffee.com/stevemats. Thanks.