[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20141028200027.0000768e@unknown>
Date: Tue, 28 Oct 2014 20:00:27 -0400
From: Scott Arciszewski <scott@...iszewski.me>
To: fulldisclosure@...lists.org
Subject: [FD] Go Home WP-API, You're Drunk...
... or more accurately, asleep at the wheel!
_______________________________________________________
_________/ STORY TIME (feel free to skip this if you don't care) \__________
| |
| Recently, I made a quick analysis of all of the public projects listed |
| on HackerOne. https://gist.github.com/sarciszewski/04ee71ad2bcddc9c33b9 |
| |
| If you scroll to the bottom, I listed several projects in the "sweet |
| spot": open source AND a minimum bounty. Outside of the Internet Bug |
| Bounty project, there are only two projects listed: WP-API and Ian Dunn (a |
| WordPress developer who has many projects). |
| |
| In the past three weeks, I have opened a handful of bug reports for other |
| projects using the HackerOne platform, and they all responded immediately. |
| Joola.io, for example, had a fix ready within a day of being notified. |
| Concrete5 asked me to send a pull request to fix the issue I raised. Both |
| projects, in my opinion, deserve further scrutiny and assistance. Srsly. |
| |
| WP-API, however, still has yet to even acknowledge the bug report sitting |
| in the issue tracker for 17 days (and counting). Even when pressed for a |
| simple "We got your report, here's an estimate on when we can get to it," |
| I was met with complete radio silence. I sent one last update to my bug |
| reports asking to respond before 8 PM or I will post on Full Disclosure |
| everything I have found (which, while not exactly the most impressive bugs |
| anyone will see on this list this month, are at least deserving of some |
| sort of response). |
| |
| So here we are. |
|____________________________________________________________________________|
I. WP-API/Key-Auth
https://github.com/WP-API/Key-Auth/blob/f9b74b3e4df667cfb44baba556eafde65fa3aec9/key-auth.php#L50
https://github.com/WP-API/Key-Auth/blob/f9b74b3e4df667cfb44baba556eafde65fa3aec9/key-auth.php#L65
This is pretty much a textbook example of "How Not to Implement Signature
Verification." Let's count the things wrong with it!
1. json_encode() can return FALSE and there is no error checking employed (I
am pretty sure an attacker can trigger this condition easily).
2. md5($arbitrary . $secret) is almost the ideal situation for length-
extension attacks.
hash_hmac('sha256', $arbitrary, $secret) would be considerably safer.
3. Signature not compared in constant time (while timing attacks are not the
most trivial attack to perform, and are noisy as all hell, it's still
problematic for authentication code to not provide this protection).
4. Signatures are compared with a non-strict != operator.
PROTIP: https://eval.in/108854
II. WP-API/OAuth1
https://github.com/WP-API/OAuth1/blob/45197eca2925f5022192903d3639decd0ae1811c/lib/class-wp-json-authentication-oauth1.php#L290
https://github.com/WP-API/OAuth1/blob/45197eca2925f5022192903d3639decd0ae1811c/lib/class-wp-json-authentication-oauth1.php#L562
Same as point 3 from Key-Auth with regard to timing attacks. However, this is
not an isolated incident. Many OAuth1 and OAuth2 libraries have the exact same
problem. In fact, feel free to reuse a solution I submitted to one of these
projects to patch it.
* https://github.com/bshaffer/oauth2-server-php/pull/480
If I were a betting man, I would wager that most OAuth server implementations
fail to take the necessary precautions when handling cryptographic signatures.
Which is sort of funny when you think about the fact that that's their entire
reason for existing.
Point being: I don't blame WP-API for this one, considering how many OAuth1/2
server implementations I've seen with similar weaknesses, and also considering
that there aren't many (any?) botnets spawned from timing attacks. Yet.
#============================================================================#
If the WP-API team would like to still honor their bounty, I encourage them
to instead donate it to the PayPal 14, whom are being sentenced tomorrow.
http://www.gofundme.com/Paypal14
That's all from me. Hopefully someone can kick the right person in the ass to
prompt the maintainers into action to actually respond to reports on HackerOne
for a change.
Download attachment "signature.asc" of type "application/pgp-signature" (835 bytes)
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists