Thursday, December 11, 2014

W3 Total Cache's W3TotalFail Vulnerability That Leads to Full Deface

CVE-2014-9414


     In this post, I will be talking about a critical vulnerability that affects W3 Total Cache, the most popular Wordpress plugin in the world. W3 Total Cache is used by most of the major companies, as it provides a vital service that every Wordpress website needs.

Overview on W3 Total Cache:
"W3 Total Cache improves the user experience of your site by increasing server performance, reducing the download times and providing transparent content delivery network (CDN) integration."
-source: https://wordpress.org/plugins/w3-total-cache/

     After I downloaded the plugin (v0.9.4) onto my testing Wordpress site, I started testing it, and in less than 15 minutes I noticed that there is a CSRF token called “_wp_nonce”, so I started checking it for bugs. I noticed that the CSRF token is not being validated, and that no additional method is used to prevent CSRF issues. So by deleting its value from the request, a successful CSRF attack can be performed.
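As an added illustration (this is not W3 Total Cache's code), here is a hypothetical WordPress settings handler in the shape the post describes, with the nonce field present in the form but never checked, beside the corrected version that uses WordPress's own check_admin_referer() / wp_verify_nonce(); all hypo_* names, the option key and the nonce action string are assumptions, and the field name is WordPress's default _wpnonce.

```php
<?php
// Added example (not W3 Total Cache's code). Hypothetical settings handler
// for a WordPress plugin, showing the missing-check pattern and its fix.

// VULNERABLE pattern: the form ships a nonce field, but the handler never
// verifies it, so a request with the nonce removed or left blank is still
// accepted. Any page an authenticated admin visits can submit this form.
function hypo_save_settings_vulnerable() {
    if ( ! isset( $_POST['redirect_url'] ) ) {
        return false;
    }
    update_option( 'hypo_redirect_url', $_POST['redirect_url'] );
    return true;
}

// FIXED pattern: capability check plus nonce verification.
// check_admin_referer() calls wp_die() when the nonce is missing or invalid,
// so a forged request never reaches update_option().
function hypo_save_settings_fixed() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return false;
    }
    // First argument is the action the nonce was generated for with
    // wp_nonce_field(); second is the name of the hidden form field.
    check_admin_referer( 'hypo_save_settings', '_wpnonce' );
    if ( ! isset( $_POST['redirect_url'] ) ) {
        return false;
    }
    update_option( 'hypo_redirect_url', esc_url_raw( wp_unslash( $_POST['redirect_url'] ) ) );
    return true;
}

// The matching form: wp_nonce_field() emits the hidden _wpnonce input (and
// _wp_http_referer) that check_admin_referer() validates on submission.
function hypo_render_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'hypo_save_settings', '_wpnonce' );
    echo '<input type="hidden" name="action" value="hypo_save_settings">';
    echo '<input type="url" name="redirect_url" value="' . esc_attr( get_option( 'hypo_redirect_url', '' ) ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}

// Alternative when the handler should fail quietly instead of wp_die():
// if ( ! wp_verify_nonce( $_POST['_wpnonce'] ?? '', 'hypo_save_settings' ) ) { return false; }
add_action( 'admin_post_hypo_save_settings', 'hypo_save_settings_fixed' );
```

The key point is that generating a nonce does nothing on its own; the server-side check is what stops a cross-site request, and a missing or empty field must be rejected, not ignored.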

     Then I started verifying the issue, and I was able to reproduce it in all of the plugin's requests.
     After that, I started building scenarios on how the CSRF issue could be used to do the biggest damage and have the highest impact on W3 Total Cache users.
     One of the features that W3 Total Cache provides is the ability to redirect user-agents that contain a phrase listed in the plugin's settings to a specified link. The feature exists so administrators can redirect users to a mobile version of the site, for example. It's a nice feature, but it's also a great feature to use in exploiting the bug and defacing websites.

     I did some research to gather the common phrases that appear in most user-agents. The results showed that the following phrases are used in more than 97% of all user-agents, and in 100% of the user-agents I checked.


     Then, I started writing an exploit for the issue. Any authenticated Wordpress user who loads the exploit will set up a policy that redirects all user-agents containing the previous phrases to a malicious page. Because the phrases exist in more than 97% of all user-agents, everyone will be redirected to the attacker's page once the exploit is used.

POC: http://packetstormsecurity.com/files/129512/W3-Total-Cache-0.9.4-Cross-Site-Request-Forgery.html

Demo Video:
 


The following screenshot shows the response before & after using the exploit:



Steps to Reproduce:
1- An attacker posts a comment that contains a link to the exploit on the Wordpress site of a victim that uses W3 Total Cache.
2- The victim opens the comments section and clicks on the link.
3- The exploit is loaded while the victim is authenticated with administration privileges.
4- Anyone who opens the victim's website will be redirected to the attacker's deface page.


     I quickly contacted W3-Edge, the company responsible for W3 Total Cache. The main developer of the project, Frederick Townes, contacted me asking for details regarding the vulnerability in v0.9.4, and replied that the fix would be released soon (the patch has now been released).

Recommendations:
* Update to the latest version of W3 Total Cache (v0.9.4 is vulnerable, and all versions released before it might be vulnerable as well).

Summary:
* W3 Total Cache v0.9.4 is vulnerable to a critical CSRF vulnerability that may lead to a full deface of sites using the vulnerable plugin. Versions before 0.9.4 might be affected too.
* The exploit can be built by researching the phrases that are used in most user-agents.
* This issue is not difficult to exploit and can be used to cause different impacts on Wordpress users who are running a vulnerable version of W3 Total Cache.
* The W3TotalFail vulnerability is easy to exploit; any malicious user with a little experience can use it to cause major damage and defaces.

Final Thoughts:
     I didn't expect that I would find a critical issue like that so easily in a popular plugin such as W3 Total Cache. If that's the condition of the most used Wordpress plugin, I guess there are many vulnerabilities in Wordpress plugins that might be publicly exploited in the black-hat community. Wordpress itself is secure, but plugins have the biggest impact on Wordpress security. Users should be careful about which plugins they use, and how much effort they put into securing them.

     Some companies don't care about their security, and are not professional in handling a security vulnerability. W3-Edge was one of them in my opinion. When I reported the issue on October 7th, I expected that the W3-Edge team would patch the issue quickly, but instead, their responses were not kind at all, and they were not cooperating with me. I really did not appreciate that from them.

 If you need any help securing your web-application or service, you can contact me by E-Mail, or Twitter.

Best Regards,
Mazin Ahmed