lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 11 Aug 2009 01:11:07 -0400
From: laurent gaffie <laurent.gaffie@...il.com>
To: "Fabio N Sarmento [ Gmail ]" <fabior2@...il.com>,
	full-disclosure@...ts.grok.org.uk
Subject: Re: WordPress <= 2.8.3 Remote admin reset password

Mr Fabio,

You dont even understand the bug, so please shut the hell up.






2009/8/11 Fabio N Sarmento [ Gmail ] <fabior2@...il.com>

> if this is an bug, please close Twitter.com, MSN.com and other services,
> because they have the same stupid "Reset password" service.
>
> So please make my day, and create a stupid script to flood with mutiple
> request to reset password.
>
> LOL
>
> 2009/8/10 Jeremy Brown <0xjbrown41@...il.com>
>
> I'm guessing your not a Wordpress administrator, Fabio. Nice find
>> Laurent, as usual.
>>
>> On Mon, Aug 10, 2009 at 10:48 PM, laurent
>> gaffie<laurent.gaffie@...il.com> wrote:
>> > Oh ok.
>> > Then, let's avoid that function.
>> > If it's useless to have a function who validate a reset passwd before
>> > resetting it, let's just avoid it smartass.
>> >
>> >
>> > 2009/8/10 Fabio N Sarmento [ Gmail ] <fabior2@...il.com>
>> >>
>> >> There is no risk on this.
>> >> It's just a little flaw, it doesn't broke anything or put your admin
>> >> access in risk.
>> >>
>> >> :-P to me , this vulnerability is more "BUZZ" then real deal. LOL
>> >>
>> >> 2009/8/10 laurent gaffie <laurent.gaffie@...il.com>
>> >>>
>> >>> Hi there,
>> >>>
>> >>> This wasn't tested on the 2.7* branch.
>> >>> It as been tested on the  2.8.* branch, with php 5.3.0 & php 5.2.9 as
>> an
>> >>> Apache 2.2.12 module, on a linux env.
>> >>>
>> >>>
>> >>> Regards Laurent Gaffié
>> >>>
>> >>>
>> >>>
>> >>> 2009/8/10 Nicolas Valcárcel Scerpella <
>> nicolas.valcarcel@...onical.com>
>> >>>>
>> >>>> I don't see the issue with wp 2.7.1
>> >>>>
>> >>>> On Mon, 10 Aug 2009, laurent gaffie wrote:
>> >>>>
>> >>>> > Errata:
>> >>>> >
>> >>>> > "V. BUSINESS IMPACT
>> >>>> > -------------------------
>> >>>> > An attacker could exploit this vulnerability to compromise the
>> admin
>> >>>> > account
>> >>>> > of any wordpress/wordpress-mu <= 2.8.3"
>> >>>> >
>> >>>> > -->
>> >>>> >
>> >>>> > "V. BUSINESS IMPACT
>> >>>> > -------------------------
>> >>>> > An attacker could exploit this vulnerability to reset the admin
>> >>>> > account of
>> >>>> > any wordpress/wordpress-mu <= 2.8.3"
>> >>>> >
>> >>>> >
>> >>>> > Regards Laurent Gaffié
>> >>>> >
>> >>>> >
>> >>>> > 2009/8/10 laurent gaffie <laurent.gaffie@...il.com>
>> >>>> >
>> >>>> > > =============================================
>> >>>> > > - Release date: August 10th, 2009
>> >>>> > > - Discovered by: Laurent Gaffié
>> >>>> > > - Severity: Medium
>> >>>> > > =============================================
>> >>>> > >
>> >>>> > > I. VULNERABILITY
>> >>>> > > -------------------------
>> >>>> > > WordPress <= 2.8.3 Remote admin reset password
>> >>>> > >
>> >>>> > > II. BACKGROUND
>> >>>> > > -------------------------
>> >>>> > > WordPress is a state-of-the-art publishing platform with a focus
>> on
>> >>>> > > aesthetics, web standards, and usability.
>> >>>> > > WordPress is both free and priceless at the same time.
>> >>>> > > More simply, WordPress is what you use when you want to work with
>> >>>> > > your
>> >>>> > > blogging software, not fight it.
>> >>>> > >
>> >>>> > > III. DESCRIPTION
>> >>>> > > -------------------------
>> >>>> > > The way Wordpress handle a password reset looks like this:
>> >>>> > > You submit your email adress or username via this form
>> >>>> > > /wp-login.php?action=lostpassword ;
>> >>>> > > Wordpress send you a reset confirmation like that via email:
>> >>>> > >
>> >>>> > > "
>> >>>> > > Someone has asked to reset the password for the following site
>> and
>> >>>> > > username.
>> >>>> > > http://DOMAIN_NAME.TLD/wordpress
>> >>>> > > Username: admin
>> >>>> > > To reset your password visit the following address, otherwise
>> just
>> >>>> > > ignore
>> >>>> > > this email and nothing will happen
>> >>>> > >
>> >>>> > >
>> >>>> > >
>> >>>> > >
>> http://DOMAIN_NAME.TLD/wordpress/wp-login.php?action=rp&key=o7naCKN3OoeU2KJMMsag
>> >>>> > > "
>> >>>> > >
>> >>>> > > You click on the link, and then Wordpress reset your admin
>> password,
>> >>>> > > and
>> >>>> > > sends you over another email with your new credentials.
>> >>>> > >
>> >>>> > > Let's see how it works:
>> >>>> > >
>> >>>> > >
>> >>>> > > wp-login.php:
>> >>>> > > ...[snip]....
>> >>>> > > line 186:
>> >>>> > > function reset_password($key) {
>> >>>> > >     global $wpdb;
>> >>>> > >
>> >>>> > >     $key = preg_replace('/[^a-z0-9]/i', '', $key);
>> >>>> > >
>> >>>> > >     if ( empty( $key ) )
>> >>>> > >         return new WP_Error('invalid_key', __('Invalid key'));
>> >>>> > >
>> >>>> > >     $user = $wpdb->get_row($wpdb->prepare("SELECT * FROM
>> >>>> > > $wpdb->users WHERE
>> >>>> > > user_activation_key = %s", $key));
>> >>>> > >     if ( empty( $user ) )
>> >>>> > >         return new WP_Error('invalid_key', __('Invalid key'));
>> >>>> > > ...[snip]....
>> >>>> > > line 276:
>> >>>> > > $action = isset($_REQUEST['action']) ? $_REQUEST['action'] :
>> >>>> > > 'login';
>> >>>> > > $errors = new WP_Error();
>> >>>> > >
>> >>>> > > if ( isset($_GET['key']) )
>> >>>> > >     $action = 'resetpass';
>> >>>> > >
>> >>>> > > // validate action so as to default to the login screen
>> >>>> > > if ( !in_array($action, array('logout', 'lostpassword',
>> >>>> > > 'retrievepassword',
>> >>>> > > 'resetpass', 'rp', 'register', 'login')) && false ===
>> >>>> > > has_filter('login_form_' . $action) )
>> >>>> > >     $action = 'login';
>> >>>> > > ...[snip]....
>> >>>> > >
>> >>>> > > line 370:
>> >>>> > >
>> >>>> > > break;
>> >>>> > >
>> >>>> > > case 'resetpass' :
>> >>>> > > case 'rp' :
>> >>>> > >     $errors = reset_password($_GET['key']);
>> >>>> > >
>> >>>> > >     if ( ! is_wp_error($errors) ) {
>> >>>> > >         wp_redirect('wp-login.php?checkemail=newpass');
>> >>>> > >         exit();
>> >>>> > >     }
>> >>>> > >
>> >>>> > >
>> >>>> > > wp_redirect('wp-login.php?action=lostpassword&error=invalidkey');
>> >>>> > >     exit();
>> >>>> > >
>> >>>> > > break;
>> >>>> > > ...[snip ]...
>> >>>> > >
>> >>>> > > You can abuse the password reset function, and bypass the first
>> step
>> >>>> > > and
>> >>>> > > then reset the admin password by submiting an array to the $key
>> >>>> > > variable.
>> >>>> > >
>> >>>> > >
>> >>>> > > IV. PROOF OF CONCEPT
>> >>>> > > -------------------------
>> >>>> > > A web browser is sufficiant to reproduce this Proof of concept:
>> >>>> > >
>> >>>> > > http://DOMAIN_NAME.TLD/wp-login.php?action=rp&key[]=<http://DOMAIN_NAME.TLD/wp-login.php?action=rp&key%5B%5D=>
>> <http://DOMAIN_NAME.TLD/wp-login.php?action=rp&key%5B%5D=>
>> >>>> > > The password will be reset without any confirmation.
>> >>>> > >
>> >>>> > > V. BUSINESS IMPACT
>> >>>> > > -------------------------
>> >>>> > > An attacker could exploit this vulnerability to compromise the
>> admin
>> >>>> > > account of any wordpress/wordpress-mu <= 2.8.3
>> >>>> > >
>> >>>> > > VI. SYSTEMS AFFECTED
>> >>>> > > -------------------------
>> >>>> > > All
>> >>>> > >
>> >>>> > > VII. SOLUTION
>> >>>> > > -------------------------
>> >>>> > > No patch aviable for the moment.
>> >>>> > >
>> >>>> > > VIII. REFERENCES
>> >>>> > > -------------------------
>> >>>> > > http://www.wordpress.org
>> >>>> > >
>> >>>> > > IX. CREDITS
>> >>>> > > -------------------------
>> >>>> > > This vulnerability has been discovered by Laurent Gaffié
>> >>>> > > Laurent.gaffie{remove-this}(at)gmail.com
>> >>>> > > I'd like to shoot some greetz to securityreason.com for them
>> great
>> >>>> > > research on PHP, as for this under-estimated vulnerability
>> >>>> > > discovered by
>> >>>> > > Maksymilian Arciemowicz :
>> >>>> > > http://securityreason.com/achievement_securityalert/38
>> >>>> > >
>> >>>> > > X. REVISION HISTORY
>> >>>> > > -------------------------
>> >>>> > > August 10th, 2009: Initial release
>> >>>> > >
>> >>>> > > XI. LEGAL NOTICES
>> >>>> > > -------------------------
>> >>>> > > The information contained within this advisory is supplied
>> "as-is"
>> >>>> > > with no warranties or guarantees of fitness of use or otherwise.
>> >>>> > > I accept no responsibility for any damage caused by the use or
>> >>>> > > misuse of this information.
>> >>>> > >
>> >>>>
>> >>>> > _______________________________________________
>> >>>> > Full-Disclosure - We believe in it.
>> >>>> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> >>>> > Hosted and sponsored by Secunia - http://secunia.com/
>> >>>>
>> >>>> --
>> >>>> Nicolas Valcárcel
>> >>>> Security Engineer
>> >>>> Custom Engineering Solutions Group
>> >>>> Canonical OEM Services
>> >>>> Mobile: +511 994 293 200
>> >>>> Key fingerprint = 5C4D 0C85 D9C0 98FE 11F9  DD12 524E C3CD EF58 4970
>> >>>> gpg --keyserver keyserver.ubuntu.com --recv-keys 654597FE
>> >>>>
>> >>>> -----BEGIN PGP SIGNATURE-----
>> >>>> Version: GnuPG v1.4.9 (GNU/Linux)
>> >>>>
>> >>>> iQEcBAEBCAAGBQJKgNe5AAoJEFJOw83vWElwLj4H/3dk7RW9WJoUpzI6E5QKdXsF
>> >>>> 7uNeGL8Yho9RZuPEK93IecImLa25Jy7KhzL+P4FfCCyYXVG8hxaUlUQss77PhsjK
>> >>>> VG/YkDChiNJi2tj7jixcdpVy7MLiDxMiHBGNSzI2piBiZb3/toSBvZslSW2yqgIk
>> >>>> OkqbJ7AE5yTu4sulhO29DRYzFUjvZHGKR2akRu/3RlOUHhwVDJw0m2ZO4M3MHz4+
>> >>>> 1x/w7HhzmbMo/kioxJpPsU7f+axVnRMia9dZmvakfhmNdht98qAE/a7UlpT+ft1w
>> >>>> Vua7DRYwOn4o5UYXhBmUL/uCUt3CLeT9Jgu0/bWZ3G3gR1Rw1edS7E5Q7A9wlEY=
>> >>>> =UdOl
>> >>>> -----END PGP SIGNATURE-----
>> >>>>
>> >>>
>> >>>
>> >>> _______________________________________________
>> >>> Full-Disclosure - We believe in it.
>> >>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> >>> Hosted and sponsored by Secunia - http://secunia.com/
>> >>
>> >>
>> >>
>> >> --
>> >>
>> >> If you have questions please let me know.
>> >> Best regards,
>> >> - Fábio - IT Manager
>> >
>> >
>> >
>> > _______________________________________________
>> > Full-Disclosure - We believe in it.
>> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> > Hosted and sponsored by Secunia - http://secunia.com/
>> >
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
>
>
> --
>
> If you have questions please let me know.
> Best regards,
> - Fábio - IT Manager
>



-- 
follow me @twitter ! : http://twitter.com/laurentgaffie

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ