Wednesday, November 16, 2016


Last week we blogged about the advantages of endpoint security over a cloud firewall solution. We wrote about how cloud WAFs can be bypassed. We also blogged about how it is more challenging for a cloud WAF provider to write complex firewall rules, because cloud WAFs don't know if a user is signed in or what their access level is.

Part of the forensic research we do at Wordfence involves analyzing attack data we receive from sites that use Wordfence. We use a scalable database cluster to perform big data analysis on WordPress attack data. We identified many attacks that were bypassing Cloudflare and being blocked by Wordfence, so we dug a little deeper.

Cloudflare Pro provides a web application firewall that is designed to perform a similar function to the Wordfence WAF; in that sense we are direct competitors. We wanted to evaluate the Cloudflare WAF, and to get access to it you have to buy a paid 'Pro' account at $20/month, or $240 per year. So we bought and paid for the Cloudflare WAF.

The default Cloudflare WAF sensitivity setting is 'Medium'. We increased the sensitivity setting to 'High'. That is the highest sensitivity setting before your users have to get through a CAPTCHA to access your site.

We also enabled every rule we could find in the Cloudflare WAF. That includes 11 rules in the "Cloudflare ruleset" and 20 rules in the "OWASP ModSecurity Core Rule Set". We also put that ruleset on "High" sensitivity, and we enabled the "browser integrity check".

We enabled absolutely everything we could find and put everything on "High" sensitivity.

We then confirmed that we could bypass the Cloudflare Pro WAF with the following attacks, using no special techniques:


Revolution Slider – We gained a remote shell. This went through completely undetected.
MailPoet – We gained a remote shell. Also completely undetected.
Gravity Forms – We gained a remote shell. Also completely undetected.
Timthumb – We gained a remote shell using the .phtml form of the attack. Detected but not blocked.


These results were surprising. We used off-the-shelf hacker scripts without any special modifications. It's well known that RevSlider, Gravity Forms and Timthumb are three of the leading causes of hacked websites; according to one report, 25% of hacked sites are hacked through one of these three WordPress exploits. Cloudflare Pro at $240/year, with a 'High' sensitivity setting and all rules enabled, allows these attacks through.

The free version of Wordfence blocks all of these attacks.

Why do these well-known attacks bypass Cloudflare?

We don't know why Cloudflare allows these attacks through, as surprising as it is, but I'd like to share a few observations. Firstly, Cloudflare is not WordPress specific: they are trying to be a firewall for all web platforms, which is a difficult, perhaps impossible, challenge. Wordfence is WordPress specific, so we are able to tailor our rules to attacks that we know target that platform.

Cloudflare is a 'cloud WAF' and, as we have pointed out previously, because their servers and rules run out on the Internet, they don't have access to authentication and authorization data to make their rule decisions. Wordfence, on the other hand, knows if a user is signed in, what their identity is and what their access level is, so we are able to write more complex and stricter rules.
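To make that difference concrete, here is an added example. It is not code from Wordfence, Cloudflare or the original post; it is a schematic comparison of a wire-only rule (all an edge WAF has to work with) against an endpoint rule that can also consult the requester's session. The Request and User classes, the plugin path, the capability policy and the sample traffic are all constructed for this illustration, and the edge rule is a stand-in that says nothing about how Cloudflare's actual rules are written. It also covers the caveat behind the Timthumb result: a signature that only looks for ".php" misses ".phtml", and a filename check that only looks at the last extension misses "shell.php.jpg".

```python
"""Added example (not Wordfence or Cloudflare code): the same executable
upload judged by a wire-only rule and by a rule that knows who is asking.
Request, User, the paths and the capability policy are constructed here."""
from dataclasses import dataclass, field

# Extensions a typical PHP handler configuration will execute.  A signature
# that only matches ".php" misses the ".phtml" variant used in the Timthumb test.
PHP_EXECUTABLE = {"php", "phtml", "php3", "php4", "php5", "php7", "phar"}


@dataclass
class Request:
    """Constructed stand-in for an inbound HTTP request: all an edge WAF sees."""
    method: str
    path: str
    uploads: list = field(default_factory=list)  # filenames of multipart parts


@dataclass
class User:
    """Constructed stand-in for the session an endpoint WAF can consult."""
    logged_in: bool = False
    capabilities: set = field(default_factory=set)


def is_php_executable(filename):
    """True if any extension segment is one PHP would run.  Every segment is
    checked, not just the last: under Apache's AddHandler "shell.php.jpg"
    still executes as PHP."""
    return any(seg.lower() in PHP_EXECUTABLE for seg in filename.split(".")[1:])


def executable_uploads(req):
    return [f for f in req.uploads if is_php_executable(f)]


def edge_rule(req, sensitivity="medium"):
    """Wire-only rule in the style of a generic cloud WAF (a model, not
    Cloudflare's rules).  With no session data it cannot tell an attacker's
    upload from an administrator's, so it blocks only above some sensitivity
    threshold and otherwise just logs: the "detected but not blocked" outcome."""
    bad = executable_uploads(req)
    if not bad:
        return ("allow", "no executable upload")
    if sensitivity == "high":
        return ("block", "executable upload: " + ", ".join(bad))
    return ("detect", "executable upload logged only: " + ", ".join(bad))


def endpoint_rule(req, user):
    """Endpoint rule with identity.  Constructed policy: an executable upload
    is only legitimate from a signed-in user holding install_plugins, so
    anything else is blocked outright, whichever plugin URL it targets."""
    bad = executable_uploads(req)
    if not bad:
        return ("allow", "no executable upload")
    if user.logged_in and "install_plugins" in user.capabilities:
        return ("allow", "privileged user uploaded: " + ", ".join(bad))
    return ("block", "unauthenticated executable upload: " + ", ".join(bad))


# Constructed sample traffic; the plugin path is hypothetical, not a real endpoint.
ATTACK = Request("POST", "/wp-content/plugins/example-plugin/upload.php",
                 uploads=["shell.phtml"])
BENIGN = Request("POST", "/wp-admin/async-upload.php", uploads=["photo.jpg"])
ANONYMOUS = User()
ADMIN = User(logged_in=True, capabilities={"install_plugins", "upload_files"})


def compare(req, user):
    """All three verdicts for one request, so the effect of the session is visible."""
    return {"edge_medium": edge_rule(req, "medium")[0],
            "edge_high": edge_rule(req, "high")[0],
            "endpoint": endpoint_rule(req, user)[0]}


if __name__ == "__main__":
    for label, req, user in (("attacker", ATTACK, ANONYMOUS),
                             ("admin", ATTACK, ADMIN),
                             ("benign", BENIGN, ANONYMOUS)):
        print(label, compare(req, user))
```

The point of the example is the asymmetry: the edge rule has to choose between blocking every executable upload (and breaking legitimate administrative ones) or merely logging them, while the endpoint rule can block the unauthenticated case unconditionally because it knows the requester has no session.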

Demonstration

We have created a video demonstrating Cloudflare being bypassed by these exploits. In the first test we have a site that is filtering traffic through Cloudflare Pro with all rules enabled and on a 'High' sensitivity setting. In this test we also enable the free version of Wordfence on our target site. This allows us to see the attacks bypassing Cloudflare and being blocked by Wordfence.

In the next test, we remove Wordfence completely from the target site and demonstrate how, without it, the site is exploited by an attacker, completely bypassing the Cloudflare Pro WAF on 'High' sensitivity.


The following is a video demonstration of this attack. In it we use two Linode servers, one as our attacker and another as our 'victim'. We use a Cloudflare Pro account on 'High' sensitivity with all rules enabled. We also download and configure the free version of Wordfence for the first part of the demo, and then remove it.



Why does this matter?

The free version of Wordfence blocks all of these attacks. They are what we consider "the basics" when it comes to WordPress security. If you pay us $99 a year you also get a real-time feed of emerging threats. Cloudflare is selling a web application firewall for $240 per year that allows through the best known and most dangerous WordPress attacks.

That means you can get better protection by using our free product than by using the $240/year Cloudflare Pro WAF. Then, if you choose to upgrade to our paid option, you know you're protected against the newest emerging threats against WordPress.

It's important to us that our customers know this. We feel we would be doing you a disservice if we didn't share this comparative data. If you want to protect your WordPress site from a hack, you need a WordPress-specific firewall that runs on the endpoint and protects you against "the basics" and also against emerging threats.

Conclusion and Technical Notes

We have provided a public GitHub repository that includes tcpflow packet captures from the perspective of the attacker and from the perspective of the victim. The repository also includes the four exploits we used. Note that you will need to edit the exploit files to add your own target hostnames. In the case of Timthumb you will also need to add a server from which timthumb can download an attack shell.

We have not included the vulnerable plugins or theme; however, we are supplying their versions. They are: Gravity Forms 1.8.1, MailPoet 2.6.4, Revslider 2.3.91 and Timthumb version 1.12. You can find these in the WordPress.org repository, in other repositories on GitHub and elsewhere.

If you do download and test one of these vulnerable products and find you're not able to exploit them, you may be using an old version that has a back-ported security fix. So please note that you need to find both a vulnerable 'version' of the product and one that has not had a back-ported security fix applied.

As always, I welcome your comments and questions.

Trademark notice: All product names, logos, and brands are property of their respective owners. All company, product and service names used in this website are for identification purposes only. Use of these names, logos, and brands does not imply endorsement.

The post "Revslider, MailPoet, GravityForms Exploits Bypass Cloudflare WAF" appeared first on Wordfence.

