Message-ID: <005c01cdf676$89f45f40$9b7a6fd5@pc>
Date: Sat, 19 Jan 2013 20:53:24 +0200
From: "MustLive" <mustlive@...security.com.ua>
To: <full-disclosure@...ts.grok.org.uk>, <submissions@...ketstormsecurity.org>
Subject: Re: Wordpress Pingback Port Scanner
Hi Chris!
It's good that you've drawn attention to the possibility of port scanning and
made nice software for abusing this WP feature.
But I want to remind you about another vulnerability in XML-RPC, which I
disclosed in 2012. The most important hole in WordPress XML-RPC is Brute
Force (http://securityvulns.ru/docs27916.html,
http://lists.grok.org.uk/pipermail/full-disclosure/2012-March/086271.html).
I wrote about it using the example of WordPress, but it concerns every web
application with XML-RPC support. All versions of WP are vulnerable to BF, but
since WordPress 2.6 XML-RPC was turned on by default.
And when WordPress developers turned it on in WordPress 3.5, they returned
the hole back to the masses. Earlier, for WP 2.6 - 3.4.2, only those web sites
which had turned it on were vulnerable; since WP 3.5 all web sites
would be vulnerable again.
The interesting part with Brute Force attacks via XML-RPC, and the same with
the Atom Publishing Protocol (to which WP 2.3 - 3.4.2 are vulnerable; I also
disclosed this hole in 2012: http://securityvulns.ru/docs27917.html,
http://lists.grok.org.uk/pipermail/full-disclosure/2012-March/086328.html),
as I wrote at my site, is that it has better reliability than brute forcing via
the login form. Because unlike the login form (for which there are plugins to
protect against BF), no plugins can protect against attacks via XML-RPC and
AtomPub.
WP developers removed AtomPub from the core (made it a plugin), so they
"removed" this BF hole from the core, but at the same time they enabled the BF
hole via XML-RPC (plus added port scanning functionality). Such a wise decision :-).
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
From: FireFart_(at)_gmail.com <FireFart_(at)_gmail.com>
Date: 18.12.2012
Subject: Wordpress Pingback Port Scanner
> Hi folks,
> Wordpress 3.5 has its XML-RPC Interface enabled by default. See here for
> more information:
> http://www.ethicalhack3r.co.uk/security/introduction-to-the-wordpress-xml-rpc-api/
> http://codex.wordpress.org/Version_3.5#Settings
>
> I read through the article and took a look at the Pingback API since it is
> publicly available on many Wordpress installations.
> The cool thing is: you can do a port scan using the Pingback API
> You can even scan the server itself or discover some hosts on the internal
> Network this server is on.
> So I wrote this little Ruby Script to utilize this "feature":
>
> https://github.com/FireFart/WordpressPingbackPortScanner
>
> You can even use multiple Wordpress XML-RPC Interfaces to scan a single
> host so this can be some kind of distributed port scanning.
>
> Chris
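Added example (not code from either message, nor from WordPress): detection logic for the XML-RPC brute-force pattern MustLive describes, run over constructed combined-format access-log lines. It assumes the default /xmlrpc.php endpoint and that the server writes Apache/nginx "combined" logs.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(  # Apache/nginx "combined" format (assumed; adjust for others)
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
XMLRPC_PATH = "/xmlrpc.php"  # WordPress default endpoint

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def find_xmlrpc_bruteforce(lines, threshold=20, window_s=60):
    """Return {ip: peak_count} for clients that sent at least `threshold` POSTs
    to xmlrpc.php inside any `window_s`-second sliding window.
    Status codes are ignored on purpose: an XML-RPC login failure comes back as
    HTTP 200 with an XML fault body, so unlike wp-login.php the response code
    does not separate failed from successful login attempts."""
    recent = defaultdict(deque)  # ip -> timestamps of its recent xmlrpc POSTs
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or rec["path"].split("?", 1)[0] != XMLRPC_PATH:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()  # drop attempts that fell out of the window
        if len(q) >= threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged

# Constructed sample: 25 xmlrpc.php POSTs from one client in 25 seconds, plus one
# client whose single POST looks like a legitimate pingback/remote-publish call.
SAMPLE_LOG = [
    f'203.0.113.7 - - [19/Jan/2013:20:53:{i:02d} +0200] "POST /xmlrpc.php HTTP/1.1" '
    f'200 370 "-" "python-requests/1.0"'
    for i in range(25)
] + [
    '198.51.100.4 - - [19/Jan/2013:20:53:10 +0200] "POST /xmlrpc.php HTTP/1.1" 200 220 "-" "WordPress/3.5"',
    '198.51.100.4 - - [19/Jan/2013:20:53:12 +0200] "GET /?p=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]
```

Running `find_xmlrpc_bruteforce(SAMPLE_LOG)` flags only 203.0.113.7; the threshold and window should be tuned against the site's normal pingback and remote-publishing volume before alerting on it.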
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/