The dangers of the PHP cast type and remote management plug-in

Type casts in PHP are very similar to those in C: precede the variables to be converted with the target type enclosed in parentheses.

The allowed casts are:

(int), (integer)-Convert to integral type

(bool), (Boolean)-Convert to Boolean

(float), (double), (real)-Convert to floating-point type

(string)-Convert to String

(array)-Convert array

(object)-Convert to Object

Note spaces and tabs are allowed in parentheses

You can also cast with Settype (mixed var, string type).

Remote management plug-ins are a very popular tool for WordPress site administrators, which allows users to perform the same operations on multiple sites at the same time, such as updating to the latest release or installing Plug-ins. However, in order to implement these operations, the client plug-in needs to give the remote user a great privilege. Therefore, it is important to ensure that communication between the Management Server and the client plug-in is secure and cannot be forged by the attacker. This article will talk about some of the available plug-ins, using their vulnerabilities, attackers can even completely endanger the site running these plug-ins.

MANAGEWP, INFINITEWP, and CMS commander

These three services have the same client-side plug-in base code (which is initially MANAGEWP implemented and then adjusted by the other two), so they all have signatures that bypass vulnerabilities and cause remote code execution.

The Management Server registers a client-side plug-in's private key to compute the message authentication code for each message, rather than requiring the user to provide the administrator credentials [Mac, which we normally see as the MAC address of the hardware, which is authentication code]. A message digest is generated when a message is passed using a message digest algorithm that uses a shared key. The Mac is then appended to the message and sent, and the receiver computes the received message using a shared secret key, generates MAC2, and then compares it to MAC1. The message digest is used to verify the authenticity and integrity of the message [learned cryptography students should know], is a good way to ensure communication security, but the three services in the implementation of the client plug-in flaw caused a serious vulnerability.

An incoming message that is certified by helper.class.php is as follows:

$signature is the "sent" with the "message if" MD5 ($data. $this->get_random_signat Ure ()) = = $signature) {//valid message}

Using a non strict equals means that the type "spoofing" [type conversion] occurs before the comparison. The output of the MD5 () function is always a string, but if the $signature is an integer, then the type conversion that occurs when the comparison is made can easily forge a matching Mac. For example, if the real Mac starts with "0" or the beginning of a non-numeric character, then 0 can match, and if it is "1xxx", then integer 1 can match, one analogy. [This is actually a feature of PHP, of course, other languages will also have, when a string and a number is not strictly equal to the comparison, if the first character is a number will be converted to the corresponding integer for comparison, if the character is not 0-9, it will be as 0, Php.net: If you compare a number to a string or a string that involves numeric content, the string is converted to a numeric value and compared to a numeric value.

string conversion to numeric value:

When a string is taken as a numeric value, the result and type are as follows:

If the string does not contain '. ', ' e ' or ' e ' and its numeric value is within the range of the integral type (as defined by Php_int_max), the string is evaluated as an integer. All other cases are evaluated as float.

The beginning part of the string determines its value. If the string starts with a valid numeric value, the value is used. Otherwise, its value is 0 (0). The legal value consists of an optional positive sign followed by one or more digits (possibly a decimal number) followed by an optional exponential portion. The exponent portion is composed of an ' e ' or ' e ' followed by one or more digits.

$signature is the "MAC sent with the" message

$data is part of the message

if (MD5 ($data. $this->get_random_signature ()) = = $signature) {

Valid message}

Unfortunately, an attacker could provide an integer as a signature. In init.php, incoming requests will be decoded using Base64_decode () and then deserialize their results. The use of unserialize () means that you can control the type of input data, and a spoofed serialization message is as follows:

A:4:{s:9: "Signature"; I:0;s:2: "id"; I:100000;s:6: "Action"; s:16: "Execute_php_code"; s:6: "Params"; A:2:{s:8: " Username "; s:5:" admin "; s:4:" Code "; s:25:" Exec (' touch/tmp/owned '); ";}}

This message uses integer 0 as the signature, and then executes arbitrary PHP code using the Execute_php_code provided by the plug-in.

$signature = 0; $data is the action concatenated with the message ID $data = ' Execute_php_code '. 100000; if (MD5 ($data. $this->get_random_signature ()) = = $signature) {//valid message if the output of//MD5 () doesn ' t star T with a digit}

This fake example may not be used directly, first, the key value of the ID needs to be greater than the previous legal message [use the increased message ID to prevent replay attacks, today both request forgery and replay, which reminds me of CSRF, Cross station request forgery, is there a man-in-the-middle attack? Second, there are integers for matching signatures, and these two points require brute force cracking to break through.

For i from 100,000 to 100,500:for J from 0 to 9:submit request with ID I and signature j

The pseudocode above attempts to send a false message with a large ID and 10 separate digital fingerprint matches for each ID [previously, for a string, as long as a number can be compared to match, here from 0-9 because every situation can be encountered.]

This flaw can be repaired by using the strict equality operator [= =] and by checking the incoming fingerprint. These plug-in services are fixed by using strict equality operators [php.net Description: A===b, the values of A and B are equal and the types are equal; A==b to determine whether the values are equal after the type conversion occurs].

There are other problems, but they have not yet taken action. First of all, this approach is weak [the key is appended to the $data and then hashed], should be used hmac[hash-based message authentication Code, with a key and a message for input, generate a digest of messages as output]. Second, action-only actions and message IDs are used to create signatures. This means that an active network attacker can change the parameters in the message and the signature is still valid [such as changing the Execute_php_code message to execute arbitrary code]. For protection, the MAC should contain the entire message.

[Note that the message digest based on MD5 is a fallback that can be used by these plug-ins openssl_verify (); ***2014-04 published OpenSSL 1.0.F Heartbleed vulnerabilities known as century-level vulnerabilities * * * *

Worpit

Worpit is another remote administration service, but it uses a client plug-in built from scratch, and it also has a forced type conversion vulnerability that allows attackers to log on with administrator privileges.

The plug-in introduces a remote administrator login method, using only Woprit delivery system configurable temporary token values. This plugin checks whether the token value provided in the request matches the value stored in the database.

if ($_get[' token ']!= $oWpHelper->gettransient (' Worpit_login_token ')) {die (' worpiterror:invalid token ');}

The token is removed from the database used once. This means that most of the time there is no token in the database. Therefore, the call to the Gettransient () method may return false. Non-strict comparisons are, which means that any "Falsey value, such as String 0, will be treated as a valid token." An example URL is logged in as an administrator:

This token is removed from the database once used, which means that most of the time there is no token in the database. Therefore, calls to the Gettransient () method are likely to return false. Non-rigorous comparisons are also used, which means that any value equivalent to false, such as String 0, will be treated as an effective token, as an example of an admin login: Http://victim/?worpit_api=1&m=login&token =0

At this point, the attacker has control over the site, he has the right to install malicious plug-ins or modify existing plug-ins.

The fix here is to use!== and perform other checks and retrieve from the database.

Conclusion:

Be sure to remember to check that the user entered the expected type and use a strict comparison in a function that is important for security, such as checking the authentication token.