WordPress plugin: fancy-product-designer-rest-api <= 1.4.5 - user authentication backdoor

## Abstract

This plugin registers all required routes and methods for the Fancy Product Designer Admin. So you can manage your Fancy Product Designer with the Admin hosted on https://admin.fancyproductdesigner.com. [1]

A filter hooked to WP’s “authenticate” hook, which is not required for the plugin to work, exposes a secondary, site-wide password that can be used to acquire full control over a WordPress site.

## Privilege Escalation: REST API password -> Site Administrator

The following code exists in the main plugin file in versions prior to 1.4.6:

	public function authenticate( $input_user, $username, $password ) {

		$user = get_user_by( 'login',  $username );

		// If the login name is invalid, short circuit.
		if ( ! $user ) {
			return $input_user;
		}

		// The single, site-wide REST API password is checked against the
		// submitted password for *any* existing user: if it matches, that user
		// is returned as authenticated, regardless of the user's own password.
		$hashed_password = get_option( 'fpd_rest_auth_password_hashed', false );
		if ( $hashed_password && wp_check_password( $password, $hashed_password, $user->ID ) ) {
			return $user;
		}

		// By default, return what we've been passed.
		return $input_user;

	}

This function is hooked to WP’s “authenticate” hook via a filter:

	add_filter( 'authenticate', array( &$this, 'authenticate' ), 10, 3 );

This unfortunately means that any attacker who knows or guesses the REST API password can authenticate as any valid user, regardless of that user’s password, resulting in privilege escalation. We’ve seen attackers exploiting this (guessing trivial REST API passwords and logging in to WP-Admin when the admin account is present, despite a strong password being set on the admin account), and it’s repeatable using the following method:

  • Install and activate the plugin on a fresh, empty WP site.
  • Run: wp option set 'fpd_rest_auth_password_hashed' '$P$B7cdIdjNH6djsrt8TA3MmHT1A/rGi./'
  • Log in with any username and the password ‘abc123’ and you’re logged in regardless of the actual password of the user.

## Solutions/workarounds

Remove the add_filter line from the plugin which hooks to the authenticate hook - it’s not required for operation of the plugin. Alternatively, simply upgrade to 1.4.6, which removes the filter.
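For sites that cannot upgrade immediately, the same workaround can be applied without editing the plugin file (which an update would overwrite) by detaching the callback from the hook at runtime. This is an added example, not code from the plugin or the advisory; it assumes WordPress 4.7+ (hooks stored as `WP_Hook` objects) and that the callback is an object method named `authenticate` defined in a file under the `fancy-product-designer-rest-api` plugin directory, as shown above.

```php
<?php
/**
 * Plugin Name: Detach FPD REST API 'authenticate' filter (mitigation)
 * Description: Place in wp-content/mu-plugins/ until the plugin is upgraded to 1.4.6.
 * Example mitigation code, not part of the plugin or the advisory.
 */

// mu-plugins load before regular plugins, so wait until the plugin has had every
// chance to register its filter (constructor, plugins_loaded or init) before acting.
add_action( 'init', 'fpd_mitigation_detach_authenticate_filter', PHP_INT_MAX );

function fpd_mitigation_detach_authenticate_filter() {
	global $wp_filter;

	if ( empty( $wp_filter['authenticate'] ) ) {
		return;
	}

	// WP_Hook keeps callbacks grouped by priority; the plugin used priority 10,
	// but we scan all priorities in case that changes.
	foreach ( $wp_filter['authenticate']->callbacks as $priority => $callbacks ) {
		foreach ( $callbacks as $callback ) {
			$fn = $callback['function'];

			// We only care about object methods named 'authenticate'.
			if ( ! is_array( $fn ) || ! is_object( $fn[0] ) || 'authenticate' !== $fn[1] ) {
				continue;
			}

			// Restrict removal to classes defined inside this plugin's directory so
			// other plugins' (legitimate) authenticate callbacks are left alone.
			$file = ( new ReflectionClass( $fn[0] ) )->getFileName();
			if ( false === $file || false === strpos( $file, 'fancy-product-designer-rest-api' ) ) {
				continue;
			}

			// Same object instance and priority, so remove_filter() matches the registration.
			remove_filter( 'authenticate', $fn, $priority );
		}
	}
}
```

With the filter detached, the REST API password stored in `fpd_rest_auth_password_hashed` no longer grants login as any user; `wp option get fpd_rest_auth_password_hashed` shows whether such a password is set on the site at all.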

## Disclosure Timeline

  • 2019-04-24: Vendor contacted.
  • 2019-04-25: Patch applied in SVN, imminent 1.4.6 release.
  • 2019-04-27: Public disclosure.

## References

  1. https://wordpress.org/plugins/fancy-product-designer-rest-api/
  2. https://plugins.trac.wordpress.org/changeset/2073960/fancy-product-designer-rest-api

fwaggle
