lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20080425160235.GG24814@tern.cl.cam.ac.uk>
Date: Fri, 25 Apr 2008 17:02:35 +0100
From: "Steven J. Murdoch" <fulldisc+Steven.Murdoch@...cam.ac.uk>
To: full-disclosure@...ts.grok.org.uk
Subject: Wordpress 2.5 Cookie Integrity Protection
	Vulnerability

Wordpress 2.5 Cookie Integrity Protection Vulnerability

Original release date: 2008-04-25
Last revised: 2008-04-25
Latest version: http://www.cl.cam.ac.uk/users/sjm217/advisories/wordpress-cookie-integrity.txt
CVE ID: CVE-2008-1930
Source: Steven J. Murdoch <http://www.cl.cam.ac.uk/users/sjm217/>


Systems Affected:

 Wordpress 2.5


Overview:

 An attacker, who is able to register a specially crafted username on
 a Wordpress 2.5 installation, is able to generate authentication
 cookies for other chosen accounts.

 This vulnerability exists because it is possible to modify
 authentication cookies without invalidating the cryptographic
 integrity protection.

 If a Wordpress blog is configured to freely permit account creation,
 a remote attacker can gain Wordpress-administrator access and then
 elevate this to arbitrary code execution as the web server user.

 The vulnerability is fixed in Wordpress 2.5.1

I. Description

 Since version 2.5, Wordpress authenticates logged-in users through a
 cryptographically protected cookie, based on papers by Fu et al [1]
 and Liu et al [2]. This measure was introduced partly in response to
 vulnerability CVE-2007-6013 [3,4].

 The new cookies are of the form:
  
  "wordpress_".COOKIEHASH = USERNAME . "|" . EXPIRY_TIME . "|" . MAC 

 Where:
  
  COOKIEHASH:  MD5 hash of the site URL (to maintain cookie uniqueness)
  USERNAME:    The username for the authenticated user
  EXPIRY_TIME: When cookie should expire, in seconds since start of epoch
  MAC:         HMAC-MD5(USERNAME . EXPIRY_TIME) under a key derived
               from a secret and USERNAME . EXPIRY_TIME.

 The flaw in this scheme is that USERNAME and EXPIRY_TIME are not
 delimited in the MAC calculation. Hence the cookie may be modified,
 without altering MAC, provided that the concatenation of USERNAME and
 EXPIRY_TIME remains unchanged.

 This class of vulnerability, the cryptographic splicing attack, was
 commented on by Fu et al [1], but Wordpress does not employ their
 recommended defence.

 An attacker wishing to exploit this vulnerability would therefore
 create an unprivileged account with its username starting with
 "admin". The cookie returned on logging into this account can then be
 manipulated so as to be valid for the administrator account.

II. Impact

 A remote attacker, who can create an account with specially crafted
 username, is able to gain administrator level access to the Wordpress
 installation. Through standard techniques, this can be escalated to
 arbitrary PHP code execution as the web server system user.

III. Solution

 Upgrade to Wordpress 2.5.1

 Workarounds:

 - De-select "Anyone can register" in the Membership section of
   General Settings to disable account creation.

References:

  [1] Dos and Don'ts of Client Authentication on the Web,
      Kevin Fu, Emil Sit, Kendra Smith, Nick Feamster
      http://pdos.csail.mit.edu/papers/webauth:tr.pdf
  [2] A Secure Cookie Protocol,
      Alex X. Liu, Jason M. Kovacs, Chin-Tser Huang, Mohamed G. Gouda
      http://www.cse.msu.edu/~alexliu/publications/Cookie/cookie.pdf
  [3] Wordpress Cookie Authentication Vulnerability: CVE-2007-6013
      Steven J. Murdoch,
      http://www.cl.cam.ac.uk/users/sjm217/advisories/wordpress-cookie-auth.txt
  [4] http://trac.wordpress.org/ticket/5367

Timeline:

 2008-04-22: security@...dpress.com notified
             Confirmation of receipt received
 2008-04-25: Wordpress 2.5.1 released incorporating patch
             Vulnerability notice published

-- 
w: http://www.cl.cam.ac.uk/users/sjm217/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ