Analysis of PHP type coercion and security flaws in remote management plug-ins (PHP skills)

Source: Internet
Author: User
Tags: numeric value, managewp

Remote management plug-ins are popular among WordPress site administrators because they let a user perform the same operation on many sites at once, such as updating to the latest release or installing plug-ins. To do so, the client plug-in has to grant the remote user considerable privileges, so it is essential that communication between the management server and the client plug-in is secure and cannot be forged by an attacker. This article analyzes several available plug-ins whose weaknesses let an attacker fully compromise the sites running them.

ManageWP, InfiniteWP, and CMS Commander

These three services share the same client-side plug-in base code (originally implemented by ManageWP and then adapted by the other two), so all three had a signature-bypass vulnerability leading to remote code execution.

Rather than requiring the user to supply administrator credentials, the management server registers a private key with the client plug-in and uses it to compute a message authentication code (MAC; not the hardware MAC address we normally see, but an authentication code) for each message. When a message is sent, a digest is generated with a message digest algorithm that uses the shared key, and this MAC is appended to the message. The receiver computes a second MAC over the received message with the same shared key and compares the two. A message digest used this way verifies both the authenticity and the integrity of a message (as anyone who has studied cryptography knows), and it is a sound way to secure communication, but flaws in how the three services' client plug-ins implement it cause serious vulnerabilities.

The incoming message is authenticated in helper.class.php as follows:

// $signature is sent with the message
if (md5($data . $this->get_random_signature()) == $signature) {
    // valid message
}

Using a non-strict equality operator means that type juggling (type conversion) takes place before the comparison. The output of md5() is always a string, but if $signature is an integer, the type conversion that happens during the comparison makes it easy to forge a matching MAC. For example, if the real MAC starts with "0" or with a non-numeric character, the integer 0 matches it; if it starts with "1", the integer 1 matches, and so on. (This is a feature of PHP, and other languages behave similarly: when a string and a number are compared non-strictly, a leading digit is converted to the corresponding integer for the comparison, and a string that does not start with 0-9 is treated as 0. The php.net manual states: if you compare a number with a string, or with a string that contains numeric content, the string is converted to a number and the comparison is performed numerically.)

String conversion to numeric values:

When a string is evaluated in a numeric context, the resulting value and type are determined as follows:

If the string does not contain '.', 'e' or 'E' and its numeric value fits within integer range (as defined by PHP_INT_MAX), it is evaluated as an integer. In all other cases it is evaluated as a float.

The value is given by the initial portion of the string. If the string starts with valid numeric data, this is the value used. Otherwise, the value is 0 (zero). Valid numeric data is an optional sign, followed by one or more digits (optionally containing a decimal point), followed by an optional exponent. The exponent is an 'e' or 'E' followed by one or more digits.

<?php
var_dump(0 == "a");        // 0 == 0 -> true
var_dump("1" == "01");     // 1 == 1 -> true
var_dump("10" == "1e1");   // 10 == 10 -> true
var_dump(100 == "1e2");    // 100 == 100 -> true
var_dump('abcdefg' == 0);  // true
var_dump('1abcdef' == 1);  // true
var_dump('2abcdef' == 2);  // true
?>

Unfortunately, an attacker can supply an integer as the signature. In init.php, incoming requests are decoded with base64_decode() and the result is then unserialized. The use of unserialize() means that the attacker controls the types of the input data. A forged serialized message looks like this:

a:4:{s:9:"signature";i:0;s:2:"id";i:100000;s:6:"action";s:16:"execute_php_code";s:6:"params";a:2:{s:8:"username";s:5:"admin";s:4:"code";s:25:"exec('touch /tmp/owned');";}}

This message uses the integer 0 as the signature and then executes arbitrary PHP code through the execute_php_code action provided by the plug-in.

$signature = 0;
// $data is the action concatenated with the message id
$data = 'execute_php_code' . 100000;
if (md5($data . $this->get_random_signature()) == $signature) {
    // valid message if the output of
    // md5() doesn't start with a digit
}

This forged message cannot be used directly. First, the id value must be greater than that of the previous legitimate message (the increasing message ID is there to prevent replay attacks; here request forgery and replay are combined, which is reminiscent of CSRF, cross-site request forgery, and raises the question of a man-in-the-middle attack). Second, the integer signature must actually match. Both points require brute force to overcome.

for i from 100000 to 100500:
    for j from 0 to 9:
        submit request with id i and signature j

The pseudocode above sends forged messages with large IDs and, for each ID, tries the ten single-digit signatures (as explained earlier, a digest compared loosely with an integer matches one of 0-9 in every case).

This flaw can be fixed by using the strict equality operator (===) and by validating the incoming fingerprint. These plug-in services were fixed by switching to the strict equality operator (php.net: $a === $b is true when $a and $b are equal and of the same type; $a == $b is true when their values are equal after type juggling).

There are other problems, but they have not yet been addressed. First, the construction is weak (the key is appended to $data and then hashed); an HMAC (hash-based message authentication code, which takes a key and a message as input and produces a digest as output) should be used instead. Second, only the action and the message ID are used to create the signature. This means that an active network attacker can change the parameters in the message while the signature remains valid (for example, by altering an execute_php_code message to execute arbitrary code). To protect against this, the MAC should cover the entire message.
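The three weaknesses just described (loose ==, key appended to the data instead of an HMAC, and a MAC that covers only the action and ID) side by side with a hardened verifier, as an added example. This is not the plug-ins' code: SHARED_SECRET, verifyLoose(), verifyStrict() and countForgeable() are names chosen for this illustration, and the secret and messages are constructed.

```php
<?php
// Added example; this is not the plug-ins' code. verifyLoose(), verifyStrict(),
// countForgeable() and SHARED_SECRET are names chosen for this illustration.
declare(strict_types=1);

// Constructed shared secret standing in for $this->get_random_signature().
const SHARED_SECRET = 'constructed-secret-not-a-real-key';

// The flawed check described above: key appended to the data, md5(), loose ==.
function verifyLoose(string $data, $signature): bool
{
    return md5($data . SHARED_SECRET) == $signature;
}

// Hardened check: the signature must already be a string, the MAC is an HMAC over
// the whole serialized message, and the comparison is strict and constant-time.
function verifyStrict(string $message, $signature): bool
{
    if (!is_string($signature)) {
        return false;
    }
    $expected = hash_hmac('sha256', $message, SHARED_SECRET);
    return hash_equals($expected, $signature);
}

// How many of $n consecutive message IDs would accept some integer 0..9 as the MAC?
// On PHP < 8 every 32-character hex digest loosely equals exactly one of 0..9. PHP 8's
// stricter string/number comparison leaves only fully numeric digests (for example
// "0e" followed by digits only) forgeable this way, so the count drops to almost zero.
function countForgeable(int $n): int
{
    $forgeable = 0;
    for ($id = 100000; $id < 100000 + $n; $id++) {
        $data = 'execute_php_code' . $id;
        for ($j = 0; $j <= 9; $j++) {
            if (verifyLoose($data, $j)) {
                $forgeable++;
                break;
            }
        }
    }
    return $forgeable;
}

// A constructed forged message: unserialize() lets the sender choose the type of
// "signature", here the integer 0. allowed_classes=false blocks object injection.
$forged = unserialize('a:2:{s:9:"signature";i:0;s:2:"id";i:100000;}', ['allowed_classes' => false]);
printf("signature arrives as type %s\n", gettype($forged['signature']));

$n = 500;
printf("PHP %s: %d of %d messages accept an integer 0-9 as MAC under ==\n",
    PHP_VERSION, countForgeable($n), $n);

// The hardened verifier refuses the integer and binds every field of the message.
$message  = serialize(['id' => 100000, 'action' => 'execute_php_code', 'params' => []]);
$goodSig  = hash_hmac('sha256', $message, SHARED_SECRET);
$tampered = serialize(['id' => 100000, 'action' => 'execute_php_code', 'params' => ['x']]);

printf("genuine signature:   %s\n", verifyStrict($message, $goodSig) ? 'accepted' : 'rejected');
printf("integer signature:   %s\n", verifyStrict($message, $forged['signature']) ? 'accepted' : 'rejected');
printf("tampered parameters: %s\n", verifyStrict($tampered, $goodSig) ? 'accepted' : 'rejected');
```

Run it with the PHP CLI (php example.php). The is_string() guard in verifyStrict() is not redundant with hash_equals(): hash_equals() refuses non-string arguments, but failing closed before it is called keeps the type check explicit and independent of the PHP version. Note that the forgeable count depends on the PHP major version, since PHP 8 changed how a number compares with a non-numeric string.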

(Note that the MD5 message digest is a fallback; these plug-ins use openssl_verify() where it is available. ***The Heartbleed vulnerability in OpenSSL 1.0.1f, published in April 2014, is known as a once-in-a-century vulnerability.***)

Worpit

Worpit is another remote management service. Its client plug-in was built from scratch, but it too has a type coercion vulnerability, one that allows an attacker to log in with administrator privileges.

The plug-in provides a remote administrator login method that relies solely on a temporary token value configurable through Worpit's delivery system. The plug-in checks whether the token supplied in the request matches the value stored in the database.

if ($_GET['token'] != $oWpHelper->getTransient('worpit_login_token')) {
    die('WorpitError: invalid token');
}

The token is removed from the database once it has been used, which means that most of the time there is no token in the database. Therefore the call to getTransient() will usually return false. Because a non-strict comparison is used, any value equivalent to false, such as the string "0", is treated as a valid token. An example URL that logs in as administrator:

http://victim/?worpit_api=1&m=login&token=0

At that point the attacker controls the site and can install a malicious plug-in or modify an existing one.

The fix here is to use !== and to perform additional checks on the value retrieved from the database.
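The token check above beside a hardened version, as an added example that is not Worpit's code. TransientStore is a constructed in-memory stand-in for the WordPress transient store (get_transient() returns false when nothing is stored, which is what the flaw hinges on); loginAllowedLoose() and loginAllowedStrict() are names chosen for this illustration.

```php
<?php
// Added example, not Worpit's code. TransientStore stands in for WordPress transients
// (get_transient()/delete_transient()); loginAllowedLoose() and loginAllowedStrict()
// are names chosen for this illustration.
declare(strict_types=1);

final class TransientStore
{
    private $items = [];

    public function set(string $key, string $value): void
    {
        $this->items[$key] = $value;
    }

    // Like get_transient(): returns false when nothing is stored under $key.
    public function get(string $key)
    {
        return $this->items[$key] ?? false;
    }

    public function delete(string $key): void
    {
        unset($this->items[$key]);
    }
}

// The flawed pattern: loose != against a value that is usually false.
function loginAllowedLoose(TransientStore $store, $token): bool
{
    if ($token != $store->get('worpit_login_token')) {
        return false; // the plug-in calls die('WorpitError: invalid token') here
    }
    return true;
}

// Hardened: a missing or empty token is never valid, only strings are compared,
// the comparison is strict and constant-time, and the token is consumed before use.
function loginAllowedStrict(TransientStore $store, $token): bool
{
    $stored = $store->get('worpit_login_token');
    if (!is_string($stored) || $stored === '' || !is_string($token)) {
        return false;
    }
    $store->delete('worpit_login_token');   // single use, even if the check below fails
    return hash_equals($stored, $token);
}

// Walkthrough. The store starts empty, the usual state since tokens are deleted after use.
$store = new TransientStore();
parse_str('worpit_api=1&m=login&token=0', $query);   // constructed from the URL above
$token = $query['token'];                             // the string "0"

printf("empty store, token \"0\", loose check:  %s\n", loginAllowedLoose($store, $token) ? 'login allowed' : 'refused');
printf("empty store, token \"0\", strict check: %s\n", loginAllowedStrict($store, $token) ? 'login allowed' : 'refused');

// With a real token issued, the strict check accepts it exactly once.
$issued = bin2hex(random_bytes(16));
$store->set('worpit_login_token', $issued);
printf("wrong token, strict check:  %s\n", loginAllowedStrict($store, 'not-the-token') ? 'login allowed' : 'refused');
$store->set('worpit_login_token', $issued);
printf("issued token, first use:    %s\n", loginAllowedStrict($store, $issued) ? 'login allowed' : 'refused');
printf("issued token, second use:   %s\n", loginAllowedStrict($store, $issued) ? 'login allowed' : 'refused');
```

The loose check passes for "0" because != converts both operands to boolean when one side is false, and the string "0" is falsy in PHP on every version. The hardened function deletes the transient before comparing so that a failed attempt also burns the token, which keeps it single-use under concurrent requests.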

Conclusion:

Always check that user input is of the expected type, and use strict comparisons in security-critical functions such as authentication token checks.
