Hello @jarrodwhitley0518
Thank you for your concern.
Disclaimer: I wrote every line of code in that file.
First of all, “escapeshellarg” is not dangerous. It is used to escape a string to be used as a shell argument. You can read more about it here: https://php.net/manual/en/function.escapeshellarg.php.
However, there is another function in that file that is actually considered dangerous: exec. Below are the details of how I am using this function, and how unlikely it is to be used to attack your website.
—
All the code in that file is used to power one single feature in the plugin called “WordPress Integrity Diff Utility” that’s disabled by default. The button that allows you to enable it contains a warning with an explanation of the consequences of turning this tool on. The code is used to enable the execution of the Unix “diff” command to allow an admin to inspect corrupt WordPress files found during a malware scan.
The plugin first checks if the “diff” command exists by executing this:
command -v diff 1>/dev/null
This command doesn’t accept any user input, so it is 100% safe.
Then, for every corrupt file, it executes this command:
diff -u -- FOO BAR 2> /dev/null
Where “FOO” and “BAR” are two files generated like this:
$a = tempnam(sys_get_temp_dir(), SUCURISCAN . '-integrity-');
$b = tempnam(sys_get_temp_dir(), SUCURISCAN . '-integrity-');
The user cannot tamper with these file paths, so it is 100% safe.
Possible Attack Vectors
Here is a step-by-step of how to attack your website with this code:
- The hacker tricks you (or any other admin user) into enabling the “WordPress Integrity Diff Utility”
- The hacker adds, modifies, or deletes —using a different exploit— one of the WordPress core files
- The hacker injects malicious code into WordPress’ official GitHub or Subversion repository
- The hacker tricks you into clicking the corrupt file from the “WordPress Integrity” page in the Sucuri plugin
- The plugin creates safe temporary files, as explained above, using PHP “tempnam” function
- The plugin downloads the malicious file from WordPress’ GitHub or Subversion repository into “FOO”
- The plugin copies the —possibly infected— file (created in step #2) into “BAR”
- The hacker replaces the “diff” binary with a malicious program, without alerting your hosting provider
- The rogue “diff” program takes “FOO” and “BAR” and spits malformed text
- The plugin prints the malformed text into the Sucuri Dashboard page
- The malformed text, somehow, bypasses all WordPress HTML escape functions
- The admin user who’s currently in the page gets pwned!
All of this is necessary in order to use the “command.lib.php” file maliciously. As you can see, some of these steps are very difficult to accomplish, and at some points it doesn’t make sense to continue because, for example, if the hacker is able to compromise WordPress’ official GitHub/Subversion repository, why would they bother with your website? They can do more harm by continuing the attack against Automattic instead.
In the unlikely scenario where the hacker has a grudge against you, they need to trick You, WordPress, and your Hosting Provider multiple times in order to use, maliciously, the code that I wrote inside that file.
It is almost impossible for this attack vector to happen.
I appreciate you taking the time to audit the Sucuri plugin’s code.
Please let me know if you have other concerns.
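The safe pattern this reply describes, written out end to end as an added example (it is not the plugin's own code from command.lib.php): the “command -v” existence check, tempnam paths wrapped in escapeshellarg, and HTML escaping of diff's output before it is rendered. The function names, the “example-integrity-” prefix and the sample file contents are my own and assume a Unix host with “diff” in PATH.

```php
<?php
// Added example, not the Sucuri plugin's code. Assumes a Unix host with "diff" in PATH.

/** Return true only if a "diff" binary is reachable; the command takes no user input. */
function diffAvailable(): bool
{
    exec('command -v diff 1>/dev/null', $out, $status);
    return $status === 0;
}

/**
 * Diff two strings through the external "diff" command.
 * The paths come from tempnam() (the user cannot choose them) and are still
 * wrapped in escapeshellarg(), so an odd-looking path cannot break out of its
 * argument. "--" ends option parsing so a path can never be read as a flag.
 */
function safeDiff(string $expected, string $actual): ?string
{
    if (!diffAvailable()) {
        return null;
    }
    $a = tempnam(sys_get_temp_dir(), 'example-integrity-');
    $b = tempnam(sys_get_temp_dir(), 'example-integrity-');
    file_put_contents($a, $expected);
    file_put_contents($b, $actual);

    $cmd = 'diff -u -- ' . escapeshellarg($a) . ' ' . escapeshellarg($b) . ' 2>/dev/null';
    exec($cmd, $lines); // diff exits 1 when the files differ; that is expected here

    unlink($a);
    unlink($b);
    return implode("\n", $lines);
}

/** Escape before rendering so whatever the external tool printed stays inert in HTML. */
function renderDiff(string $diff): string
{
    return '<pre>' . htmlspecialchars($diff, ENT_QUOTES, 'UTF-8') . '</pre>';
}

// Constructed sample: the "official" file next to a modified copy containing markup.
$official = "<?php\n// original line\n";
$modified = "<?php\n// original line\n<b>injected</b>\n";
$diff = safeDiff($official, $modified);
echo $diff === null ? "diff is not available on this host\n" : renderDiff($diff) . "\n";
```

The added line shows up in the rendered output as `&lt;b&gt;injected&lt;/b&gt;`, which is the escaping step the attack chain above would have to get past.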