Moderate
CVE-2020-11738
Description
The Snap Creek Duplicator plugin before 1.3.28 for WordPress (and Duplicator Pro before 3.8.7.1) allows Directory Traversal via ../ in the file parameter to duplicator_download or duplicator_init.
Ratings
- Attacker Value: Medium
- Exploitability: Very High
Technical Analysis
This plugin is recorded as having over 1 million installations via WordPress – https://wordpress.org/plugins/duplicator/
It has a free and a pro version, with both being impacted.
Other reporting suggests that there are around 170,000 active installations, with ~150,000 of these not on the latest version.
The vulnerability allows arbitrary file read of any file on disk in the context of the web application. This kind of attack can lead to further compromise depending on its setup and configuration. Using this level of access can lead to database credentials being compromised, which in turn can lead to further exploitation.
This exploit has been seen in active campaigns as reported by Wordfence – https://www.wordfence.com/blog/2020/02/active-attack-on-recently-patched-duplicator-plugin-vulnerability-affects-over-1-million-sites/
IOCs shared by Wordfence and replicated here for ease of discovery.
Indicators Of Compromise (IOCs)
The following Indicators of Compromise (IOCs) can be used to determine if your site may have been attacked.
Traffic logged from the threat actor’s IP address should be considered suspicious:
- 77.71.115.52
Attacks in this campaign are issued via GET requests with the following query strings:
- action=duplicator_download
- file=/../wp-config.php
Note: Because this vulnerability can be exploited via WP AJAX, it’s possible to exploit via POST request. In this case, it’s possible for the action parameter to be passed in the POST body instead of the query string. This will prevent the action=duplicator_download string from appearing in HTTP logs. The file parameter must be passed as a query string, however, and is a reliable indicator:
- file=/../wp-config.php
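To turn the IOCs above into something that can be run over an access log, here is an added detection example (not code from the assessment, Wordfence or the Duplicator project). It parses combined-format web server log lines, flags any request whose `file` query parameter contains a traversal sequence, and rates the hit "high" when a Duplicator action (`duplicator_download` or `duplicator_init`) is visible in the query string and "medium" when the request hits `admin-ajax.php` with no visible action, which is the POST-body case the note describes. The IP list is the one from this page; the log lines are constructed samples, and the log format regex assumes Apache/nginx combined format.

```python
"""Scan access-log lines for CVE-2020-11738 (Duplicator traversal) attempts."""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, unquote, urlsplit

# Indicators reproduced from the Wordfence IOCs on this page.
DUPLICATOR_ACTIONS = {"duplicator_download", "duplicator_init"}
KNOWN_ATTACKER_IPS = {"77.71.115.52"}

# Combined log format; only the fields the check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)


@dataclass
class Finding:
    ip: str
    timestamp: str
    method: str
    status: int          # 200 suggests the file was served; 403/404 suggests it was blocked
    confidence: str      # "high" when a Duplicator action is visible, "medium" otherwise
    known_ip: bool       # source matches the campaign IP from the IOC list
    reason: str


def _has_traversal(value: str) -> bool:
    # parse_qs decoded once already; decode again to catch double-encoded "%252e%252e%252f"
    v = unquote(value).replace("\\", "/")
    return "../" in v or v.endswith("..")


def check_line(line: str):
    """Return a Finding for a suspicious request, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    qs = parse_qs(parts.query, keep_blank_values=True)
    # The file= parameter must be in the query string, so it is the reliable indicator.
    if not any(_has_traversal(v) for v in qs.get("file", [])):
        return None
    actions = set(qs.get("action", [])) & DUPLICATOR_ACTIONS
    if actions:
        confidence = "high"
        reason = "traversal in file= with action=" + ",".join(sorted(actions))
    elif parts.path.endswith("/admin-ajax.php"):
        # action may have been moved into the POST body, as the IOC note describes
        confidence = "medium"
        reason = "traversal in file= on admin-ajax.php; action not in query string"
    else:
        return None
    return Finding(
        ip=m["ip"], timestamp=m["ts"], method=m["method"], status=int(m["status"]),
        confidence=confidence, known_ip=m["ip"] in KNOWN_ATTACKER_IPS, reason=reason,
    )


def scan(lines):
    return [f for f in (check_line(ln) for ln in lines) if f is not None]


# Constructed sample log lines (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = [
    '77.71.115.52 - - [12/Feb/2020:08:15:02 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=/../wp-config.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Feb/2020:08:16:40 +0000] "POST /wp-admin/admin-ajax.php?file=%2F..%2Fwp-config.php HTTP/1.1" 200 3120 "-" "curl/7.68.0"',
    '203.0.113.9 - - [12/Feb/2020:08:17:11 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=installer.php HTTP/1.1" 200 51200 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Feb/2020:08:18:00 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_init&file=..%2F..%2Fwp-config.php HTTP/1.1" 403 199 "-" "python-requests/2.22"',
    '192.0.2.44 - - [12/Feb/2020:08:19:30 +0000] "GET /index.php?s=duplicator HTTP/1.1" 200 8100 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.confidence}] {f.ip} {f.method} status={f.status} "
              f"known_ip={f.known_ip} :: {f.reason}")
```

The third sample line (a legitimate `duplicator_download` of an installer package) is deliberately not flagged: the action alone is normal plugin traffic, and only the traversal in `file=` distinguishes an attack. A 200 on a flagged line is the one to treat as a likely read of wp-config.php and rotate the database credentials it contains.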
General Information
Vendors
- snapcreek
Products
- duplicator
Exploited in the Wild
Technical Analysis
I had not seen any PoC code listed for this, but it is incredibly simple to exploit based on the published details.
File read is still only in the context of the web server, so it's typically not going to be root.