[UNIX]Wordpress user_login Column SQL Truncation Vulnerability
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 4 Oct 2008 18:19:38 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Wordpress user_login Column SQL Truncation Vulnerability
------------------------------------------------------------------------
SUMMARY
MySQL column truncation allows resetting the passwords of wordpress users
to random strings. Combined with weaknesses in PHP's PRNG this allows
determining the admin password.
DETAILS
Vulnerable Systems:
* Wordpress version 2.6.1
Immune Systems:
* Wordpress version 2.6.2
"WordPress is a state-of-the-art publishing platform with a focus on
aesthetics, web standards, and usability. WordPress is both free and
priceless at the same time."
During research on MySQL Column Truncation Vulnerabilities it was
discovered that the user registration system of Wordpress is not protected
against this kind of attack. Further research then discovered that this
vulnerability can be used to reset the passwords of users to a random
string when user registration is activated in the blog.
In addition to this it was discovered that Wordpress uses mt_rand() to
create passwords and reset tokens, which is not secure enough for
cryptographic secrets. The use of mt_rand() allows predicting the randomly
generated passwords when the PRNG is freshly seeded and output of the PRNG
is leaked to the user.
Combined this means on servers reusing PHP processes for multiple requests
(mod_php, fastcgi) it is possible to determine the internal generated
random tokens and passwords, which might lead to a blog (and maybe server)
compromise.
Details:
The term SQL column truncation vulnerability and the problems that might
arise from this kind of vulnerability is explained in the blog post "mysql
and sql column truncation vulnerabilities" which is available here:
<http://www.suspekt.org/2008/08/18/mysql-and-sql-column-truncation-vulnerabilities/> http://www.suspekt.org/2008/08/18/mysql-and-sql-column-truncation-vulnerabilities/
The problems arising from using mt_(s)rand for cryptographic secrets and
possible attacks against PHP's PRNG and PHP applications using it are
explained by the blog post "mt_(s)rand and not so random numbers" which is
available here:
<http://www.suspekt.org/2008/08/17/mt_srand-and-not-so-random-numbers/>
http://www.suspekt.org/2008/08/17/mt_srand-and-not-so-random-numbers/
In Wordpress the situation is that when open registration is activated an
attacker can register the username 'admin' + 55 times ' ' + 'x' to
register a new user that will end up as 'admin' + 55 times ' ' in the
database.
Because of the relaxation on string comparison that ignores trailing
whitespace characters this might disturb how Wordpress uses the user
table. An analysis revealed that a problem occurs in the password reset.
It is however possible that other areas of Wordpress can also be exploited
through the same vector.
When the password reset is triggered with the email address of the fake
admin Wordpress will generate a random password reset token, will write it
into the database as current password reset token for the fake admin AND
ALSO for the real admin. The password reset token is then sent to the fake
admin.
When the password reset token is used Wordpress will reset the password of
the first user that token is valid for, which is the real admin user. It
will auto generate a random password and send it to the real admin. At
this point the real admin has his password changed to something random
that is only known to the email he gets until he reads it.
Using a fresh PHP process for the password reset in combination with the
Keep-Alive attack that is described in the previously mentioned blog
posting, it is however possible for an attacker to lookup the 32 bit seed
used for seeding the random number generator and determine the randomly
generated password for it.
The seed lookup can be performed by a pre-generated table that is around
60 GB in size, which takes a day to generate (depending on your hardware)
but allows resetting admin passwords in seconds.
Wordpress has fixed these vulnerabilities by consolidating space
characters in the user name prior to registration and by changing from
plain mt_rand() usage to some better random number generator that is not
easily predicted from the outside.
Disclosure Timeline:
17. Aug 2008 - Sent notification to Wordpress about the vulnerability
21. Aug 2008 - Received confirmation that notification was received but
waited in the spam folder for manual review
22. Aug 2008 - Notification that the column truncation is now fixed in SVN
and that discussion how to fix the mt_rand() problem is running
22. Aug 2008 - Sent recommendation how to fix the mt_rand() issue as PHP
pseudo code
25. Aug 2008 - Received and commented about PHP code to fix the issue
27. Aug 2008 - Notification that the mt_rand() problem is now fixed in SVN
30. Aug 2008 - Discussion about a possible release date that allows fixing
some other problems contained in Wordpress 2.6.1
09. Sep 2008 - The Wordpress Development Team releases Wordpress 2.6.2
early in response to a description of a possible attack that appeared on
milw0rm and was most probably reversed from the SVN commits
12. Sep 2008 - Public Disclosure
ADDITIONAL INFORMATION
The information has been provided by <mailto:stefan.esser@xxxxxxxxxxxxxx>
Stefan Esser.
The original article can be found at:
<http://www.sektioneins.de/advisories/SE-2008-05.txt>
http://www.sektioneins.de/advisories/SE-2008-05.txt
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Prev by Date: [NT]Trend Micro OfficeScan "cgiRecvFile.exe" Buffer Overflow
- Next by Date: [NT]Landesk QIP Server Service Heal Packet Buffer OverflowVulnerability
- Previous by thread: [NT]Trend Micro OfficeScan "cgiRecvFile.exe" Buffer Overflow
- Next by thread: [NT]Landesk QIP Server Service Heal Packet Buffer OverflowVulnerability
- Index(es):
Relevant Pages
|
