Hackers have abused a zero-day in one of the most popular jQuery plugins to plant web shells and take over vulnerable web servers.
Thousands of plugins for the jQuery framework, one of the most popular of them harbored for at least three years an oversight in code that eluded the security community, despite public availability of tutorials that explained how it could be exploited.
The bug affects the widely used jQuery File Upload widget and allowed an attacker to upload arbitrary files on web servers, including command shells for sending out commands.
Bug enabled by security upgrade eight years ago
Larry Cashdollar, a security researcher with Akamai’s SIRT (Security Intelligence Response Team), found the flaw while analyzing the widget’s code and was able to upload a web shell and run commands on a test server he set up.
Together with Sebastian Tschan, the developer of the plugin, the researcher discovered that the flaw was caused by a change introduced in Apache 2.3.9, which disabled by default the .htaccess files that stored folder-related security settings. Unless specifically enabled by the administrator, .htaccess files are ignored.
One reason for this was to protect the system configuration of the administrator by disabling users from customizing security settings on individual folders. Another one was to improve performance since the server no longer had to check the .htaccess file when accessing a directory.
After Apache 2.3.9, plugins using .htaccess files to impose access restrictions no longer benefited from the custom folder access security configuration. This was also the case with jQuery File Upload, which adds files to a root directory.
Now tracked as CVE-2018-9206, the coding flaw is no longer present in the latest version of jQuery File Upload. Tschan changed the code to allow only image file types GIF, JPG, JPEG, and PNG by default; he provides instructions on how to enable more content without running a security risk.
Flaw propagates to other projects
The popularity of jQuery File Upload caused thousands of derivations of the project, many of them carrying the flawed code. There are over 7,800 variations at the moment, and Cashdollar says that there are cases where the vulnerability exists even if the original code was modified to meet custom needs.
The researcher reached this conclusion after checking some of the forks, where he noticed three common variations. He created a proof-of-concept exploit that tries to find one of the differences and uploads a PHP shell.
“I’ve done some testing against the 1000 forks of the original code and it seems only 36 were not vulnerable. I found these only required a slight tweak to my exploit to get the majority of them working,” Cashdollar notes.
Exploit described in YouTube videos
jQuery File Upload has been vulnerable for eight years, since the Apache 2.3.9 release in 2010. The coding faux pas did not go unnoticed all this time, and the method for exploiting it has been shared for at least three years. for at least three years.
A video from 2015 is currently available on YoutTube with step-by-step instructions on how to find vulnerable websites and how to deface them. More recent videos are available, too.
Public distribution channels are the last ones a cybercriminal would turn to for documentation, which could suggest that the exploitation method has been distributed on hacker forums before 2015.