Zero-Day Vulnerability in ThemeREX Addons Now Patched

Screen-Shot-2020-02-28-at-10.41.16-AM.png
https://www.wordfence.com/wp-content/uploads/2020/03/registrationmagic.png

On February 18th, we were alerted to a vulnerability present in ThemeREX Addons, a WordPress plugin installed on approximately 44,000 sites. We took immediate action to release a firewall rule to protect Wordfence Premium users. As this vulnerability was being actively attacked, we also publicly notified the community of the vulnerability to help protect users from being compromised.

As an update to that notification, we’re happy to share that ThemeREX has released updates for all of their themes that included the vulnerable ThemeREX Addons plugin. In today’s post we provide the technical details of the vulnerability along with the steps you need to take to ensure your site is running an updated version of the plugin.

Description: Remote Code Execution
Affected Plugin: ThemeREX Addons
Plugin Slug: trx_addons
Affected Versions: Various.
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Patched Versions: See “The Fix” below.

Deeper Analysis of the Problem

As previously noted, the ThemeREX Addons plugin was designed as a companion plugin to a variety of ThemeREX themes. It provides several theme enhancing features and widgets to extend functionality of these themes.

The vulnerable code was present within the ~/includes/plugin.rest-api.php file, where there were a few issues. In order to provide compatibility with the Gutenberg plugin, the ThemeREX Addons plugin registered a REST-API endpoint (/trx_addons/v2/get/sc_layout)that would call the trx_addons_rest_get_sc_layout function anytime the endpoint was invoked.

// Register endpoints
if ( !function_exists( 'trx_addons_rest_register_endpoints' ) ) {
   add_action( 'rest_api_init', 'trx_addons_rest_register_endpoints');
   function trx_addons_rest_register_endpoints() {
      // Return layouts for the Gutenberg blocks
      register_rest_route( 'trx_addons/v2', '/get/sc_layout', array(
         'methods' => 'GET,POST',
         'callback' => 'trx_addons_rest_get_sc_layout',
         ));
      }
}

// Return layout
if ( !function_exists( 'trx_addons_rest_get_sc_layout' ) && class_exists( 'WP_REST_Request' ) ) {
   function trx_addons_rest_get_sc_layout(WP_REST_Request $request) {

There were no capability checks on this endpoint that would block users that were not administrators or currently signed in, so any user had the ability to call the endpoint regardless of capability. In addition, there was no nonce check to verify the authenticity of the source. Access control and cross-site request forgery (CSRF) protection aside, the core of the problem was within the functionality of the code itself.

A few lines later, we see the functionality to get parameters from widgets, presumably widgets that worked with the Gutenberg plugin. This is where the core of the remote code execution vulnerability was present. There were no restrictions on the PHP functions that could be used or the parameters that were provided as input. Instead, we see a simple if (function_exists($sc)) allowing for any PHP function to be called and executed.

       // Get params from widget
      $params = $request->get_params();
      if (!empty($params['sc'])) {
         $sc = str_replace('trx_sc_', 'trx_addons_sc_', $params['sc']);
         if (function_exists($sc)) {
            $response['data'] = $sc($params);
         } else {
            $response['data'] = '<div class="sc_error">' . esc_html(sprintf(__("Unknown block %s", 'trx_addons'), $params['sc'])) . '</div>';
         }
      }
   
      return new WP_REST_Response($response);
   }
}

This ultimately allowed for WordPress functions like wp_insert_user to be executed allowing attackers the ability to inject administrative user accounts and take over sites.

The Fix

In order to resolve the security issue, ThemeREX opted to completely remove the affected ~/plugin.rest-api.php file from the plugin considering it was no longer required for its functionality, as the Gutenberg plugin has been fully integrated as part WordPress core.

The following is a list of all affected ThemeREX themes and their patched versions, along with the vulnerable versions of the ThemeREX Addons plugin and the corresponding newly patched versions, courtesy of ThemeREX:

Theme NamePatched Theme VersionThemeREX Addons Vulnerable Versions ThemeREX Addons Patched Version
Ozeum – Museum1.0.21.70.31.70.3.1
Chit Club – Board Games1.0.11.70.31.70.3.1
Yottis – Simple Portfolio1.0.11.6.671.6.67.1
Helion – Agency & Portfolio Theme1.0.31.6.661.6.66.1
Amuli1.0.21.6.661.6.66.1
Nelson – Barbershop + Tattoo Salon1.1.20011.6.651.6.65.1
Hallelujah – Church1.0.11.6.651.6.65.1
Right Way4.0.11.6.651.6.65.1
Prider – Pride Fest1.0.21.6.651.6.65.1
Mystik – Esoterics1.0.11.6.62.31.6.62.3.1
Skydiving and Flying Company1.0.11.6.62.31.6.62.4
DroneX – Aerial Photography Services1.1.20011.6.62.11.6.62.1.1
Samadhi – Buddhist1.0.11.6.61.21.6.61.2.1
TanTum – Rent a car, Rent a bike, Rent a scooter Multiskin theme1.0.21.6.61.31.6.61.3.1
Scientia – Public Library1.0.11.6.61.21.6.61.2.1
Blabber1.5.20091.6.61.21.6.61.2.1
Impacto Patronus Multi-landing1.1.20011.6.61.11.6.61.1.1
Rare Radio1.0.11.6.611.6.61.1
Piqes – Creative Startup & Agency WordPress Theme1.0.11.6.601.6.60.1
Kratz – Digital Agency1.0.21.6.59.31.6.59.4
Pixefy1.0.11.6.59.21.6.59.3
Netmix – Broadband & Telecom1.0.21.6.59.1.11.6.59.1.2
Kids Care3.0.51.6.591.6.59.1
Briny – Diving WordPress Theme 1.2.20001.6.58.21.6.58.3
Tornados1.1.20011.6.57.31.6.57.4
Gridiron1.0.21.6.57.41.6.57.5
Yungen – Digital/Marketing Agency1.0.11.6.57.21.6.57.2.1
FC United – Football1.0.71.6.57.31.6.57.3.1
Bugster – Pests Control1.0.21.6.57.21.6.57.3
Rumble – Single Fighter Boxer, News, Gym, Store.1.0.41.6.571.6.57.1
Tacticool – Shooting Range WordPress Theme1.0.11.6.561.6.56.1
Coinpress – Cryptocurrency Magazine & Blog WordPress Theme1.0.21.6.55.41.6.55.5
Vihara – Ashram, Buddhist1.1.20011.6.55.71.6.55.8
Katelyn – Gutenberg WordPress Blog Theme1.0.41.6.55.31.6.55.5
Heaven 11 – Multiskin Property Theme1.0.21.6.55.11.6.55.2
Especio – Food Gutenberg Theme1.0.11.6.541.6.54.1
Partiso_ElectionCampaign1.1.20021.6.53.11.6.53.2
Kargo – Freight Transport1.1.20041.6.53.31.6.53.4
Maxify – Startup Blog1.0.41.6.53.21.6.53.3
Lingvico – Language Learning School1.0.31.6.53.11.6.53.3
Aldo – Gutenberg WordPress Blog Theme1.0.21.6.53.21.6.53.3
Vixus – Startup / Mobile Application1.0.41.6.52.21.6.52.3
WellSpring _ Water Filter Systems1.0.31.6.52.11.6.52.3
Nazareth – Church1.0.51.6.52.11.6.52.2
Tediss – Soft Play Area, Cafe & Child Care Center1.0.31.6.531.6.53.1
Yolox – Startup Magazine & Blog WordPress Theme1.0.31.6.51.31.6.51.4
Meals and Wheels – Food Truck1.0.31.6.51.31.6.51.4
Rosalinda – Vegetarian & Health Coach1.0.31.6.51.11.6.51.2
Vapester1.1.20011.6.501.6.50.1
Modern Housewife – Housewife and Family Blog1.0.21.6.501.6.50.1
ChainPress1.0.31.6.50.11.6.50.2
Justitia – Multiskin Lawyer Theme1.0.31.6.51.11.6.51.2
Hobo_Digital Nomad Blog1.0.31.6.501.6.50.1
Rhodos – Creative Corporate WordPress Theme1.3.20011.6.50.11.6.50.2
Buzz Stone – Magazine & Blog1.0.31.6.501.6.50.1
Corredo_Sport Event1.1.20031.0.49.101.6.49.10
SaveJulia Personal Fundraising Campaign1.0.31.6.49.81.6.49.9
BonkoZoo_Zoo1.0.31.6.49.61.6.49.7
Renewal – Plastic Surgeon Clinic1.0.31.6.49.6.21.6.49.6.3
Gloss_blog1.0.11.6.49.51.6.49.6
Plumbing – Repair, Building & Construction WordPress Theme3.0.11.6.58.21.6.58.2.1
Topper Theme and SkinsVarious1.6.61.21.6.61.3

How to Update to the Latest Version of ThemeREX Addons

It is important to note that you may not be notified that there is a new version available for update in the WordPress dashboard like most other plugins. If the plugin page doesn’t allow you to update, please follow this guide.

  1. Update the ThemeREX theme you have installed on your site. You can do this through the Dashboard > Updates or Appearance > Themes sections of your WordPress administrative area, if you have the ThemeREX Updater plugin installed. If you do not have the ThemeREX Updater plugin installed, you will need to download the most up-to-date version of the theme and do a manual update.
  2. Once you have updated your ThemeREX theme, you will need to deactivate and uninstall the vulnerable version of the ThemeREX Addons plugin.
  3. You’ll be prompted to install the ThemeREX Addons plugin. Follow the prompts to re-install the patched version of ThemeREX Addons. The prompt should look like this:

    Zero-Day Vulnerability in ThemeREX Addons Now Patched 5

    Prompt to install ThemeREX Addons.

  4. Once you have re-installed the plugin you should have a patched version. Please check your theme above and compare the fixed version to the version that is now installed on your site from the plugins page:

    Zero-Day Vulnerability in ThemeREX Addons Now Patched 6

    A Patched Version of ThemeREX Addons.

If you would like to verify that your site is no longer running the vulnerable code, please navigate to your hosting account file manager, or connect via FTP/SFTP/SSH, and navigate to the ~/wp-content/plugins/trx_addons/includes/ folder. If the file /plugin.rest-api.php is not present then you can rest assured that you are not running the vulnerable code on your site.

If you do see this file still, we recommend reaching out to the ThemeREX team directly through their support forum as there may have been an issue with your update.

Insight on Attacks

We have blocked over 267,000 exploit attempts during the past 2 weeks since we were initially alerted to the vulnerability’s presence. The good news, however, is that the vast majority of the attempts we have blocked appear to have been discovery attempts from attackers unsuccessfully trying to find sites running the ThemeREX Addons plugin or attackers simply trying to uncover the workings of the vulnerability. Unsuccessful exploit attempts have looked like this:

example.com/wp-json/trx_addons/v2/get/sc_layout?sc=sdw1dd1

Successful exploit attempts have looked like this and cause the creation of a new administrative level user account on a vulnerable site:

example.com/wp-json/trx_addons/v2/get/sc_layout?sc=wp_insert_user&role=administrator&user_login=TEST&user_pass=TEST

We ensured our disclosure on February 18th included minimal details to prevent attackers from exploiting this vulnerability while still alerting users to a critical issue requiring their immediate attention.

Now that patches have been released, we feel comfortable in disclosing the details of this vulnerability. However, as with most full disclosures we expect to see an increase in effective exploit attempts, therefore we urge users to update to the latest version available as soon as possible.

PoC Walkthrough

Disclosure Timeline

February 18th, 2020 – Wordfence notified of active exploitation of vulnerability. Wordfence releases a firewall rule immediately to Wordfence Premium users and notifies the ThemeREX plugin team. We publish a post to inform users that they need to remove the plugin until a patch is released.
February 19th, 2020 – Irvin McDowell at ThemeREX responds and acknowledges the security issues and confirms they are working on a fix.
February 20th, 2020 – Notification that all themes on ThemeForest have been updated to include patched copies of ThemeREX Addons.
March 9th, 2020 – Final ThemeREX theme updated to include a patched copy of ThemeREX Addons
March 9th, 2020 – Full disclosure provided.
March 19th, 2020 – Wordfence free users receive firewall rule.

Conclusion

In today’s post, we provided the technical details of the vulnerability found in the ThemeREX Addons plugin. This flaw has been patched in all ThemeREX themes that were running vulnerable versions of this plugin and we recommend that users update to the latest version available immediately. Sites running Wordfence Premium have been protected from attacks against this vulnerability since February 18th. Sites running the free version of Wordfence will receive the firewall rule update on March 19th, 2020.

Special thanks to Irvin McDowell, the CIO of ThemeREX, for working with us and providing details as needed and to the whole team at ThemeREX for working quickly to get this resolved. Also, thank you to Ramuel Gall, Sean Murphy and Matt Rusnak from the Wordfence team for assistance analyzing the vulnerability and for quickly releasing a firewall rule to Wordfence users. And again, thank you to Tobias Westphal and Arne Breitsprecher for reporting this vulnerability to Wordfence.

The post Zero-Day Vulnerability in ThemeREX Addons Now Patched appeared first on Wordfence.

 


This *post* was originally posted *here*

Share this page
Share on facebook
Share on google
Share on twitter
Share on linkedin
Share on email
How to Choose WordPress Hosting

Pixallus WordPress Hosting. Simplified. Enjoy blazing fast WordPress website loading speeds and 99.9% uptime. Whether you’re a freelancer, small business, or a large organization, we

Read More »
Episode 86: War of the Hackers

https://www.wordfence.com/wp-content/uploads/2020/09/News_1200x628-1-1024×536.png Millions of attacks have been targeting the recent File Manager plugin zero-day vulnerability discovered last week. Two attackers are vying for control over sites

Read More »
sendinblue