[UNIX] Wordpress Cookie Integrity Protection Vulnerability



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Wordpress Cookie Integrity Protection Vulnerability
------------------------------------------------------------------------


SUMMARY

An attacker, who is able to register a specially crafted username on a
Wordpress 2.5 installation, is able to generate authentication cookies for
other chosen accounts.

This vulnerability exists because it is possible to modify authentication
cookies without invalidating the cryptographic integrity protection.

If a Wordpress blog is configured to freely permit account creation, a
remote attacker can gain Wordpress-administrator access and then elevate
this to arbitrary code execution as the web server user.

The vulnerability is fixed in Wordpress 2.5.1.

DETAILS

Vulnerable Systems:
* Wordpress version 2.5

Immune Systems:
* Wordpress version 2.51

Since version 2.5, Wordpress authenticates logged-in users through a
cryptographically protected cookie, based on papers by Fu et al [1] and
Liu et al [2]. This measure was introduced partly in response to
vulnerability CVE-2007-6013 [3,4].

The new cookies are of the form:
"wordpress_".COOKIEHASH = USERNAME . "|" . EXPIRY_TIME . "|" . MAC

Where:
COOKIEHASH: MD5 hash of the site URL (to maintain cookie uniqueness)
USERNAME: The username for the authenticated user
EXPIRY_TIME: When cookie should expire, in seconds since start of epoch
MAC: HMAC-MD5(USERNAME . EXPIRY_TIME) under a key derived from a secret
and USERNAME . EXPIRY_TIME.

The flaw in this scheme is that USERNAME and EXPIRY_TIME are not delimited
in the MAC calculation. Hence the cookie may be modified, without altering
MAC, provided that the concatenation of USERNAME and EXPIRY_TIME remains
unchanged.

This class of vulnerability, the cryptographic splicing attack, was
commented on by Fu et al [1], but Wordpress does not employ their
recommended defence.

An attacker wishing to exploit this vulnerability would therefore create
an unprivileged account with its username starting with "admin". The
cookie returned on logging into this account can then be manipulated so as
to be valid for the administrator account.

Impact:
A remote attacker, who can create an account with specially crafted
username, is able to gain administrator level access to the Wordpress
installation. Through standard techniques, this can be escalated to
arbitrary PHP code execution as the web server system user.

Solution:
Upgrade to Wordpress 2.5.1

Workarounds:
- De-select "Anyone can register" in the Membership section of General
Settings to disable account creation.

References:
[1] Dos and Don'ts of Client Authentication on the Web, Kevin Fu, Emil
Sit, Kendra Smith, Nick Feamster
<http://pdos.csail.mit.edu/papers/webauth:tr.pdf>
http://pdos.csail.mit.edu/papers/webauth:tr.pdf

[2] A Secure Cookie Protocol, Alex X. Liu, Jason M. Kovacs, Chin-Tser
Huang, Mohamed G. Gouda
<http://www.cse.msu.edu/~alexliu/publications/Cookie/cookie.pdf>
http://www.cse.msu.edu/~alexliu/publications/Cookie/cookie.pdf

[3] Wordpress Cookie Authentication Vulnerability: CVE-2007-6013 Steven J.
Murdoch,
<http://www.cl.cam.ac.uk/users/sjm217/advisories/wordpress-cookie-auth.txt> http://www.cl.cam.ac.uk/users/sjm217/advisories/wordpress-cookie-auth.txt

[4] <http://trac.wordpress.org/ticket/5367>
http://trac.wordpress.org/ticket/5367

Timeline:
2008-04-22: security@xxxxxxxxxxxxx notified - Confirmation of receipt
received
2008-04-25: Wordpress 2.5.1 released incorporating patch - Vulnerability
notice published

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1930>
CVE-2008-1930


ADDITIONAL INFORMATION

The information has been provided by
<mailto:bugtraq+Steven.Murdoch@xxxxxxxxxxxx> Steven J. Murdoch.
The original article can be found at:
<http://www.cl.cam.ac.uk/users/sjm217/advisories/wordpress-cookie-integrity.txt> http://www.cl.cam.ac.uk/users/sjm217/advisories/wordpress-cookie-integrity.txt



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.



Relevant Pages