Date: Wed, 12 Feb 2014 14:51:05 +0000
From: Harry Metcalfe <harry@....com>
To: MustLive <mustlive@...security.com.ua>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: DoS via tables corruption in WordPress

Hi MustLive,

Just to make things a bit easier, would you mind replying with links for 
the perishablepress.com article, the 2009 advisory and the 2012 article?

Many thanks!

Harry


On 12/02/2014 14:44, MustLive wrote:
> Hello Aris!
>
> First of all, I wrote all required information in my post in May 2009 at
> perishablepress.com. And I answered on all questions (including lame ones
> and scepsis) concerning attack on WordPress, which I proposed to owner of
> that site as explanation why his site was hacked that time (via engine
> reinstall). And since I developed conception of this attack yet in 2007 (for
> IPB, because I have forum on this engine) and made advisories for WordPress
> and IPB concerning possibility of attacks via table corruption, so in 2012 I
> made detailed article "Attack via tables corruption in MySQL"
> (http://websecurity.com.ua/articles/attack-via-tables-corruption-in-mysql/),
> which I published at my site and in WASC mailing list.
>
> So all aspects of attacks were described and all questions were answered by
> me many years ago. Those who didn't read that information should read it,
> those who have questions should read my 2009's advisory and 2012's article -
> AND THEY WILL HAVE NO QUESTIONS. And for those who have scepsis about
> database corruption attacks - that it's not possible to make reliable attack
> with 100% chance to conduct attack on real web site - for those I made
> exploit and video of its use on web site in Internet. So unbelievers should
> watch video and believe.
>
>> I have yet to determine if that was an accident or an attack.
>
> I'm sure that your case is an accident, not an attack. Since everyone after
> I proposed this attack from 2009 and till now didn't believe in possibility
> of this attack and considered it as "conceptual". I.e. that was "luck" for
> attackers to hack perishablepress.com with using of tables corruption that
> particular day and it'll not happen again for nobody as skeptics thought. My
> video should change their mind.
>
> First of all it's hard attack and I didn't release my exploit (and will not
> release it in near future) and not aware about anyone's exploit in the
> public for 5 years after my 2009's advisory. So you have exact combination
> of hardware and software (MySQL and WordPress) that makes your site
> vulnerable to this attack. Most of web sites on WordPress can sleep tight
> until some day an attacker will test their site on "crashability" and make
> them vulnerable to this attack.
>
> For all nuances of attacking on tables in MySQL read my article to
> understand your case and create scenario of possible attack on your site to
> trigger table crash, which leads to DoS. Concerning your case I'll write
> more information to you privately. It's needed to you to find out the exact
> way of crashing tables at site to prevent "accident" turn into "attack".
>
> Note, that WP developers later in 2009, after reading that my publication
> and thinking for 7 months, made a fix for this DoS in WP 2.9. But they made
> not automated tables repair, but manual, so it can't be considered as a fix,
> since tables can be crashed and site will be DoSed - until admin will find
> it and manually repair the tables. So WP developers made lame fix for this
> DoS attack, as I wrote in my 2012 advisory and WP is still vulnerable (and
> also I described DoS vulnerability in protection functionality against this
> DoS attack).
>
>> If Mustlive has any real and concrete information (URL, exploit code),
>> please share with us.
>
> All real and concrete information is in my 2009's advisory and 2012's
> article. With addition of my 2014's video (I was planning to make it in
> 2012, but found time only this month). So reading and watching of them will
> help. For now I'll not release any exploits (don't need to create a risk not
> for that lame site in my video, nor for all other WordPress sites, since WP
> developers haven't fixed hole properly), but I'll do it in the future.
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
> ----- Original Message -----
> From: "Aris Adamantiadis" <aris@...adc0de.be>
> To: "Andrew Nacin" <nacin@...dpress.org>; "MustLive"
> <mustlive@...security.com.ua>
> Cc: <full-disclosure@...ts.grok.org.uk>
> Sent: Tuesday, February 11, 2014 3:46 PM
> Subject: Re: [Full-disclosure] DoS via tables corruption in WordPress
>
>
>
> On 11/02/14 09:34, Andrew Nacin wrote:
>> Aris mentions he experienced corruption in his own WordPress setup. It's
>> most likely the options table simply crashed, not as a result of any
>> particular exploit. This is, after all, why MySQL has a REPAIR command
>> (and why we have a script for users to use).
>>
> This happened again last night. The mysql corruption was caused by an
> OOM random kill (thanks linux) that chose mysql daemon as a victim. The
> cause of the OOM was either wordpress or piwik, probably made possible
> through apache misconfiguration (too many children). I have yet to
> determine if that was an accident or an attack.
>
> If Mustlive has any real and concrete information (URL, exploit code),
> please share with us.
>
> Aris
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
