Security issue in the TTC Tripwire WordPress plugin

September 1st, 2008 by Michael Hampton

The TTC Tripwire plugin for WordPress intends to notify users of files which have recently been modified. An issue exists where an attacker can trivially bypass this plugin’s check and modify a file without the plugin’s user being notified.

Discussion

This plugin checks the file modification times of all files in a given directory and displays to the user those files whose modification times are within the last n days, where n is selectable by the user. However, the modification time (mtime) is trivial to change using the utime system call (SetFileTime on Windows) or wrappers for this call such as touch. The inode change time (ctime) is more reliable as it cannot be changed to arbitrary values (except on Windows, which uses “creation time” and which can be changed by the user).

While hashes and digital signatures would be more robust in detecting unauthorized changes to files, any warning is preferable to none when an attacker means to make subtle changes to a Web site that will go unnoticed, as happened recently when malicious attackers modified various WordPress web sites to add backlinks to the attackers’ own web sites for commercial gain.

Users of this plugin may falsely believe that files have not changed when they in fact have been altered.

Workaround

Change the occurrences of filemtime in lines 75 and 78 of ttc-tripwire/ttc-tripwire.php to filectime.

Use of Windows as a web server operating system is not recommended. Move to a Unix-based server (e.g. Linux, Mac OS X) if possible.
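To show why the workaround matters, here is an added Python example (not part of the original advisory or of the plugin) that implements both the plugin's mtime-window check and the filectime-based workaround over a directory, plus a heuristic that flags files whose ctime has run ahead of their mtime. The demo() scenario, file names and 7-day window are constructed for illustration; the ctime behaviour it relies on is the Unix one the advisory describes, so on Windows the ctime checks carry no extra information.

```python
import os
import tempfile
import time

DAY = 86400

def _stats(root):
    """Yield (relative path, stat result) for every file under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            yield os.path.relpath(path, root), os.stat(path)

def recently_changed(root, days, use_ctime=True, now=None):
    """Files whose timestamp falls within the last `days` days.

    use_ctime=True mirrors the workaround (filectime); False mirrors the plugin's
    original filemtime check. On Windows st_ctime is creation time, so the ctime
    variant only helps on Unix-like systems, as the advisory notes.
    """
    cutoff = (time.time() if now is None else now) - days * DAY
    return {rel for rel, st in _stats(root)
            if (st.st_ctime if use_ctime else st.st_mtime) >= cutoff}

def backdated_files(root, tolerance=2):
    """Files whose ctime is newer than their mtime by more than `tolerance` seconds.

    A content write updates both stamps together, so an mtime lagging behind ctime
    means something later touched only the inode: utime()/touch resetting mtime does
    this, but so do chmod, chown and rename, so treat a hit as a lead, not proof.
    """
    return {rel for rel, st in _stats(root) if st.st_ctime - st.st_mtime > tolerance}

def demo():
    """Constructed scenario: a file written now whose mtime is then pushed 30 days back."""
    root = tempfile.mkdtemp()
    path = os.path.join(root, "hello.php")
    with open(path, "w") as fh:
        fh.write("<?php // constructed sample content\n")
    old = time.time() - 30 * DAY
    os.utime(path, (old, old))  # the mtime reset the advisory describes; ctime is untouched
    return {
        "mtime_hits": recently_changed(root, 7, use_ctime=False),
        "ctime_hits": recently_changed(root, 7, use_ctime=True),
        "backdated": backdated_files(root),
    }
```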

Exploit

One would think something so trivial would not need a demonstration, but based on the plugin author’s response, apparently it does. This demonstration code has been wrapped into a WordPress plugin. The plugin modifies the “Hello Dolly” plugin which ships with WordPress, altering the lyrics that it displays, and preserving the file modification time. Upon activation, the Hello Dolly plugin will be modified, and the TTC Tripwire plugin will not report that it has been modified. The demonstration plugin works on most shared web hosting providers.

(Use of a WordPress plugin is only one of many ways in which an attacker might change files on a web server; it is the method used here solely for the convenience of users who may wish to prove this issue to themselves.)

Vendor Response

The author of the plugin publicly posted details of the issue, which had been disclosed to her privately, and has stated her intention not to fix the plugin.

Not content with merely mishandling the issue from start to finish, the plugin author was also very unfriendly about the whole situation, as the comments she posted on her own blog illustrate. An example follows:

I asked you first thing this morning to leave a comment here, state your case and offer up something better. I encourage public comment.

In truth this person discourages public comment.

You didn’t have to threaten; I encouraged you to go public several hours ago, which you chose not to do. I even offered to link to a better plugin or whatever you had to offer.

I don’t know what this means; I wrote no threats.

Please, we would all love for you to update Bad Behavior and write a better tripwire program. I write plugins to do what I need that has not yet been done. It is not my main interest. I would much rather just download what I need and not have to write everything myself.

So quit your bloody whining and do something constructive.

What whining?

And this author edited this particular comment to be more hostile than it originally was. At first it merely read: “I write in the hope that people will extend them and improve them. It is my hope that if you can do a better job you will in fact do so and release a better version of my plugin to the public.”

Miscellaneous

I may be using this situation as an example of what not to do when I make a presentation on WordPress security at WordCamp New York next month. Tickets are still available but they’re going fast.


4 Responses to “Security issue in the TTC Tripwire WordPress plugin”

  1. Leslie Says

    She said “Truth is if people can get far enough into your webserver to change the file time stamps it is out of this plugin’s league anyhow.”

    I think that pretty much says it all. Too bad she is sullying the name “TripWire” with the silly little plugin that she freely admits can be hacked by any script kiddie.

    How do they get the file onto your site? My WordPress installation was hacked a few months ago with some nastiness added to the footer. The logs showed an FTP into my site from the UK. How did they get in? Did they hammer on my password for however long it took to guess a fairly random 8-character string? Or is there a keylogger on one of my work computers? (A good argument for telling the boss to sit on his hands while I do a little maintenance, eh?)

    In the same time frame my server logs show people trying to find the nasty on the main site. (WP is in a user directory.)

    I’m on the verge of flat out banning all of Russia, Latvia, Poland and China from my phpbb3 site.

    Ok, got to stop whining and try BB.

    Have a great one!

  2. Tom Wright Says

    Even if it is a matter of atime not being an option for Windows, it would be fairly trivial to use an if switch to degrade to mtime for it :-)

  3. Greg Says

    A cross-platform way for her to verify files without diff:

    The always available to PHP md5() command.

    I’d post it over there but I don’t want to go through the rigmarole of registration just to suggest one thing.
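Greg's md5() suggestion worked through as an added Python example (not code from the original post or from the plugin): it builds a digest manifest of a directory and diffs it against a baseline, which catches a modified file even when its timestamps are put back. The directory layout, file names and contents in demo() are constructed; the default digest is sha256 rather than md5, but any hashlib algorithm name can be passed.

```python
import hashlib
import os
import tempfile

def hash_manifest(root, algo="sha256"):
    """Map each file under root (relative path) to the hex digest of its content."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            h = hashlib.new(algo)
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            manifest[os.path.relpath(path, root)] = h.hexdigest()
    return manifest

def compare_manifests(baseline, current):
    """Return (added, removed, modified) relative paths between two manifests.

    Unlike a timestamp window this is independent of mtime/ctime, so a
    change is still reported when the file's timestamps have been restored.
    """
    added = set(current) - set(baseline)
    removed = set(baseline) - set(current)
    modified = {p for p in baseline.keys() & current.keys() if baseline[p] != current[p]}
    return added, removed, modified

def demo():
    """Constructed scenario: baseline a plugin directory, then alter one file
    with its original timestamps put back and drop in a new file."""
    root = tempfile.mkdtemp()
    target = os.path.join(root, "hello.php")
    with open(target, "w") as fh:
        fh.write("<?php // original constructed content\n")
    with open(os.path.join(root, "readme.txt"), "w") as fh:
        fh.write("constructed readme\n")
    baseline = hash_manifest(root)
    st = os.stat(target)
    with open(target, "w") as fh:
        fh.write("<?php // altered constructed content\n")
    os.utime(target, (st.st_atime, st.st_mtime))  # mtime as before; content differs
    with open(os.path.join(root, "extra.php"), "w") as fh:
        fh.write("<?php // constructed new file\n")
    return compare_manifests(baseline, hash_manifest(root))
```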

  1. Verify the md5 of WordPress to detect compromises