Message-ID: <5301DD52.3030605@dxw.com>
Date: Mon, 17 Feb 2014 09:58:42 +0000
From: Harry Metcalfe <harry@....com>
CC: full-disclosure@...ts.grok.org.uk
Subject: Re: DoS via tables corruption in WordPress
Hi MustLive,
I have read both of those carefully (the websecurity one, via Google
Translate) and watched the video.
I agree that someone who came across a WordPress site with crashed
tables might get an installer screen. That would be bad. But it is also
very unlikely to occur often. The nearest I can see to an actual attack
is that you could DoS a MySQL server, or WordPress itself, in the hope
that you might cause table corruption that would let you re-install,
thus seizing control. Again, though I suppose this is possible, it seems
fanciful.
I still can see no explanation, replication steps or proof of concept
code that would allow me to confirm that the attack shown in the video
-- denial of service via database unavailability on an arbitrary
WordPress site, irrespective of configuration -- is possible.
Obviously, the YouTube video by itself is not proof of anything.
Harry
On 12/02/2014 16:46, MustLive wrote:
> Hi Harry!
>
> The links to my advisories and the article about the attack via table
> corruption in MySQL, and the link to the proof video, were in my first
> letter. The links are also in the description of the video, which I
> posted on YouTube on Saturday.
>
> Aris didn't mention those links in his letter (he didn't quote the
> original letter), and I was trying not to repeat the same links all the
> time.
>
> So these links can be found on the list. But if you want, here they
> are, to make things a bit easier.
>
> Link to my 2009 post, where I described my concept of the attack using
> WordPress as the example
> (http://perishablepress.com/important-security-fix-for-wordpress/comment-page-5/#comment-71666);
> I also posted the same advisory on my site. Also read my answers to the
> questions there in the comments.
>
> Link to my 2012 article "Attack via tables corruption in MySQL"
> (http://websecurity.com.ua/articles/attack-via-tables-corruption-in-mysql/).
>
> Link to the video of my WordPress DoS exploit
> (http://www.youtube.com/watch?v=kwv5ni_qxXs), a proof of this
> vulnerability in WP and of the attack described in the article.
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
> ----- Original Message ----- From: "Harry Metcalfe" <harry@....com>
> To: "MustLive" <mustlive@...security.com.ua>
> Cc: <full-disclosure@...ts.grok.org.uk>
> Sent: Wednesday, February 12, 2014 4:51 PM
> Subject: Re: [Full-disclosure] DoS via tables corruption in WordPress
>
>
>> Hi MustLive,
>>
>> Just to make things a bit easier, would you mind replying with links for
>> the perishablepress.com article, the 2009 advisory and the 2012 article?
>>
>> Many thanks!
>>
>> Harry
>>
>>
>> On 12/02/2014 14:44, MustLive wrote:
>>> Hello Aris!
>>>
>>> First of all, I wrote all the required information in my post in May
>>> 2009 at perishablepress.com, and I answered all the questions
>>> (including lame and sceptical ones) concerning the attack on
>>> WordPress, which I proposed to the owner of that site as an
>>> explanation of why his site was hacked that time (via engine
>>> reinstall). And since I had developed the concept of this attack back
>>> in 2007 (for IPB, because I have a forum on this engine) and made
>>> advisories for WordPress and IPB concerning the possibility of attacks
>>> via table corruption, in 2012 I wrote a detailed article, "Attack via
>>> tables corruption in MySQL"
>>> (http://websecurity.com.ua/articles/attack-via-tables-corruption-in-mysql/),
>>> which I published on my site and on the WASC mailing list.
>>>
>>> So all aspects of the attacks were described and all questions were
>>> answered by me many years ago. Those who didn't read that information
>>> should read it; those who have questions should read my 2009 advisory
>>> and 2012 article - AND THEY WILL HAVE NO QUESTIONS. And for those who
>>> are sceptical about database corruption attacks - who think it's not
>>> possible to make a reliable attack with a 100% chance of conducting
>>> the attack on a real web site - for those I made an exploit and a
>>> video of its use on a web site on the Internet. So unbelievers should
>>> watch the video and believe.
>>>
>>>> I have yet to determine if that was an accident or an attack.
>>>
>>> I'm sure that your case is an accident, not an attack, since
>>> everyone, from when I proposed this attack in 2009 until now, didn't
>>> believe in the possibility of this attack and considered it
>>> "conceptual". I.e. it was "luck" for the attackers to hack
>>> perishablepress.com using table corruption that particular day, and
>>> it'll never happen again to anybody, as the sceptics thought. My
>>> video should change their mind.
>>>
>>> First of all, it's a hard attack, and I didn't release my exploit (and
>>> will not release it in the near future), and I'm not aware of anyone's
>>> exploit in public in the 5 years since my 2009 advisory. So you have
>>> the exact combination of hardware and software (MySQL and WordPress)
>>> that makes your site vulnerable to this attack. Most web sites on
>>> WordPress can sleep tight until some day an attacker tests their site
>>> for "crashability" and makes them vulnerable to this attack.
>>>
>>> For all the nuances of attacking tables in MySQL, read my article to
>>> understand your case and create a scenario of a possible attack on
>>> your site to trigger a table crash, which leads to DoS. Concerning
>>> your case, I'll write more information to you privately. You need to
>>> find out the exact way of crashing tables at the site to prevent the
>>> "accident" from turning into an "attack".
>>>
>>> Note that the WP developers later in 2009, after reading that
>>> publication of mine and thinking for 7 months, made a fix for this DoS
>>> in WP 2.9. But they made the table repair manual, not automated, so it
>>> can't be considered a fix, since tables can be crashed and the site
>>> will be DoSed until the admin finds it and manually repairs the
>>> tables. So the WP developers made a lame fix for this DoS attack, as I
>>> wrote in my 2012 advisory, and WP is still vulnerable (and I also
>>> described a DoS vulnerability in the protection functionality against
>>> this DoS attack).
>>>
>>>> If Mustlive has any real and concrete information (URL, exploit code),
>>>> please share with us.
>>>
>>> All real and concrete information is in my 2009 advisory and 2012
>>> article, with the addition of my 2014 video (I was planning to make it
>>> in 2012, but found time only this month). So reading and watching them
>>> will help. For now I'll not release any exploits (no need to create a
>>> risk, neither for that lame site in my video nor for all other
>>> WordPress sites, since the WP developers haven't fixed the hole
>>> properly), but I'll do it in the future.
>>>
>>> Best wishes & regards,
>>> MustLive
>>> Administrator of Websecurity web site
>>> http://websecurity.com.ua
>>>
>>> ----- Original Message ----- From: "Aris Adamantiadis"
>>> <aris@...adc0de.be>
>>> To: "Andrew Nacin" <nacin@...dpress.org>; "MustLive"
>>> <mustlive@...security.com.ua>
>>> Cc: <full-disclosure@...ts.grok.org.uk>
>>> Sent: Tuesday, February 11, 2014 3:46 PM
>>> Subject: Re: [Full-disclosure] DoS via tables corruption in WordPress
>>>
>>>
>>>
>>> On 11/02/14 09:34, Andrew Nacin wrote:
>>>> Aris mentions he experienced corruption in his own WordPress setup.
>>>> It's most likely the options table simply crashed, not as a result of
>>>> any particular exploit. This is, after all, why MySQL has a REPAIR
>>>> command (and why we have a script for users to use).
>>>>
>>> This happened again last night. The MySQL corruption was caused by an
>>> OOM random kill (thanks Linux) that chose the mysql daemon as a victim.
>>> The cause of the OOM was either WordPress or Piwik, probably made
>>> possible through Apache misconfiguration (too many children). I have
>>> yet to determine if that was an accident or an attack.
>>>
>>> If Mustlive has any real and concrete information (URL, exploit code),
>>> please share with us.
>>>
>>> Aris
>>>
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
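Added example, not from any message in this thread and not MustLive's exploit or WordPress/MySQL code: a triage helper for the failure mode Aris describes (mysqld killed by the OOM killer, MyISAM tables left "marked as crashed", WordPress unusable until someone runs a repair). It parses constructed `mysql -N` tab-separated output of CHECK TABLE and of an information_schema engine query, lists the crashed tables, and emits the REPAIR TABLE statements plus an ALTER TABLE ... ENGINE=InnoDB for every remaining MyISAM table. The schema name `wp`, the table names and the sample rows are constructed; the InnoDB conversion is an editor's recommendation, not something the thread proposes.

```python
from __future__ import annotations

# Constructed sample: what `mysql -N -e "CHECK TABLE wp_options, wp_posts, wp_users" wp`
# prints (columns: Table, Op, Msg_type, Msg_text). Not real output from anyone's site.
CHECK_OUTPUT = """\
wp.wp_options\tcheck\twarning\tTable is marked as crashed
wp.wp_options\tcheck\terror\tCorrupt
wp.wp_posts\tcheck\tstatus\tOK
wp.wp_users\tcheck\tstatus\tOK
"""

# Constructed sample: `mysql -N -e "SELECT TABLE_NAME, ENGINE FROM information_schema.TABLES
# WHERE TABLE_SCHEMA='wp'"`. Engines chosen to show both cases.
ENGINE_OUTPUT = """\
wp_options\tMyISAM
wp_posts\tMyISAM
wp_users\tInnoDB
"""


def parse_check(output: str) -> dict[str, list[tuple[str, str]]]:
    """Group CHECK TABLE rows by table name as (msg_type, msg_text) pairs."""
    rows: dict[str, list[tuple[str, str]]] = {}
    for line in output.splitlines():
        if not line.strip():
            continue
        table, _op, msg_type, msg_text = line.split("\t", 3)
        name = table.split(".")[-1]  # drop the "schema." prefix
        rows.setdefault(name, []).append((msg_type.lower(), msg_text))
    return rows


def parse_engines(output: str) -> dict[str, str]:
    """Map table name -> storage engine from the information_schema query."""
    engines: dict[str, str] = {}
    for line in output.splitlines():
        if line.strip():
            name, engine = line.split("\t", 1)
            engines[name] = engine
    return engines


def crashed_tables(check_rows: dict[str, list[tuple[str, str]]]) -> list[str]:
    """A table counts as crashed if any warning/error row says 'crashed' or 'Corrupt';
    a lone 'status OK' row means healthy."""
    bad: list[str] = []
    for name, msgs in check_rows.items():
        for msg_type, text in msgs:
            low = text.lower()
            if msg_type in ("error", "warning") and ("crashed" in low or low == "corrupt"):
                bad.append(name)
                break
    return bad


def repair_plan(check_output: str, engine_output: str) -> list[str]:
    """SQL an operator would run, in order: repair what is crashed now, then move
    MyISAM tables to InnoDB so the next unclean shutdown is recovered by the engine's
    redo log instead of by the admin noticing the install screen."""
    crashed = crashed_tables(parse_check(check_output))
    engines = parse_engines(engine_output)
    plan = [f"REPAIR TABLE `{t}`;" for t in crashed]
    plan += [f"ALTER TABLE `{t}` ENGINE=InnoDB;" for t, e in engines.items() if e.lower() == "myisam"]
    return plan


if __name__ == "__main__":
    for stmt in repair_plan(CHECK_OUTPUT, ENGINE_OUTPUT):
        print(stmt)
```

REPAIR TABLE only applies to MyISAM (and a few other non-transactional engines), which is why an unclean shutdown leaves those tables needing a manual repair at all; that is the gap behind the WP 2.9 "manual, not automated" fix discussed above. Two operational facts about the systems themselves, not claims from the thread: the WP 2.9 repair path is enabled by `define('WP_ALLOW_REPAIR', true);` in wp-config.php and is then reachable at wp-admin/maint/repair.php (remove the define afterwards, since the page is unauthenticated by design), and for the OOM-kill trigger Aris hit, a systemd unit for mysqld can set `OOMScoreAdjust=-1000` so the kernel picks a different victim first.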