Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: WordPress <= 2.8.3 Remote admin reset password

From: laurent gaffie <laurent.gaffie () gmail com>
Date: Mon, 10 Aug 2009 22:48:16 -0400
Oh ok.
Then, let's avoid that function.
If it's useless to have a function who validate a reset passwd before
resetting it, let's just avoid it smartass.


2009/8/10 Fabio N Sarmento [ Gmail ] <fabior2 () gmail com>

There is no risk on this.

It's just a little flaw, it doesn't broke anything or put your admin access
in risk.

:-P to me , this vulnerability is more "BUZZ" then real deal. LOL


2009/8/10 laurent gaffie <laurent.gaffie () gmail com>


Hi there,

This wasn't tested on the 2.7* branch.
It as been tested on the  2.8.* branch, with php 5.3.0 & php 5.2.9 as an
Apache 2.2.12 module, on a linux env.


Regards Laurent Gaffié



2009/8/10 Nicolas Valcárcel Scerpella <nicolas.valcarcel () canonical com>


I don't see the issue with wp 2.7.1

On Mon, 10 Aug 2009, laurent gaffie wrote:


Errata:

"V. BUSINESS IMPACT
-------------------------
An attacker could exploit this vulnerability to compromise the admin

account

of any wordpress/wordpress-mu <= 2.8.3"

-->

"V. BUSINESS IMPACT
-------------------------
An attacker could exploit this vulnerability to reset the admin account

of

any wordpress/wordpress-mu <= 2.8.3"


Regards Laurent Gaffié


2009/8/10 laurent gaffie <laurent.gaffie () gmail com>


=============================================
- Release date: August 10th, 2009
- Discovered by: Laurent Gaffié
- Severity: Medium
=============================================

I. VULNERABILITY
-------------------------
WordPress <= 2.8.3 Remote admin reset password

II. BACKGROUND
-------------------------
WordPress is a state-of-the-art publishing platform with a focus on
aesthetics, web standards, and usability.
WordPress is both free and priceless at the same time.
More simply, WordPress is what you use when you want to work with

your

blogging software, not fight it.

III. DESCRIPTION
-------------------------
The way Wordpress handle a password reset looks like this:
You submit your email adress or username via this form
/wp-login.php?action=lostpassword ;
Wordpress send you a reset confirmation like that via email:

"
Someone has asked to reset the password for the following site and
username.
http://DOMAIN_NAME.TLD/wordpress
Username: admin
To reset your password visit the following address, otherwise just

ignore

this email and nothing will happen




http://DOMAIN_NAME.TLD/wordpress/wp-login.php?action=rp&key=o7naCKN3OoeU2KJMMsag

"

You click on the link, and then Wordpress reset your admin password,

and

sends you over another email with your new credentials.

Let's see how it works:


wp-login.php:
...[snip]....
line 186:
function reset_password($key) {
    global $wpdb;

    $key = preg_replace('/[^a-z0-9]/i', '', $key);

    if ( empty( $key ) )
        return new WP_Error('invalid_key', __('Invalid key'));

    $user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users

WHERE

user_activation_key = %s", $key));
    if ( empty( $user ) )
        return new WP_Error('invalid_key', __('Invalid key'));
...[snip]....
line 276:
$action = isset($_REQUEST['action']) ? $_REQUEST['action'] : 'login';
$errors = new WP_Error();

if ( isset($_GET['key']) )
    $action = 'resetpass';

// validate action so as to default to the login screen
if ( !in_array($action, array('logout', 'lostpassword',

'retrievepassword',

'resetpass', 'rp', 'register', 'login')) && false ===
has_filter('login_form_' . $action) )
    $action = 'login';
...[snip]....

line 370:

break;

case 'resetpass' :
case 'rp' :
    $errors = reset_password($_GET['key']);

    if ( ! is_wp_error($errors) ) {
        wp_redirect('wp-login.php?checkemail=newpass');
        exit();
    }

    wp_redirect('wp-login.php?action=lostpassword&error=invalidkey');
    exit();

break;
...[snip ]...

You can abuse the password reset function, and bypass the first step

and

then reset the admin password by submiting an array to the $key

variable.



IV. PROOF OF CONCEPT
-------------------------
A web browser is sufficiant to reproduce this Proof of concept:
http://DOMAIN_NAME.TLD/wp-login.php?action=rp&key[]=<http://DOMAIN_NAME.TLD/wp-login.php?action=rp&key%5B%5D=>

<http://DOMAIN_NAME.TLD/wp-login.php?action=rp&key%5B%5D=>

The password will be reset without any confirmation.

V. BUSINESS IMPACT
-------------------------
An attacker could exploit this vulnerability to compromise the admin
account of any wordpress/wordpress-mu <= 2.8.3

VI. SYSTEMS AFFECTED
-------------------------
All

VII. SOLUTION
-------------------------
No patch aviable for the moment.

VIII. REFERENCES
-------------------------
http://www.wordpress.org

IX. CREDITS
-------------------------
This vulnerability has been discovered by Laurent Gaffié
Laurent.gaffie{remove-this}(at)gmail.com
I'd like to shoot some greetz to securityreason.com for them great
research on PHP, as for this under-estimated vulnerability discovered

by

Maksymilian Arciemowicz :
http://securityreason.com/achievement_securityalert/38

X. REVISION HISTORY
-------------------------
August 10th, 2009: Initial release

XI. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or
misuse of this information.




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


--
Nicolas Valcárcel
Security Engineer
Custom Engineering Solutions Group
Canonical OEM Services
Mobile: +511 994 293 200
Key fingerprint = 5C4D 0C85 D9C0 98FE 11F9  DD12 524E C3CD EF58 4970
gpg --keyserver keyserver.ubuntu.com --recv-keys 654597FE

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQEcBAEBCAAGBQJKgNe5AAoJEFJOw83vWElwLj4H/3dk7RW9WJoUpzI6E5QKdXsF
7uNeGL8Yho9RZuPEK93IecImLa25Jy7KhzL+P4FfCCyYXVG8hxaUlUQss77PhsjK
VG/YkDChiNJi2tj7jixcdpVy7MLiDxMiHBGNSzI2piBiZb3/toSBvZslSW2yqgIk
OkqbJ7AE5yTu4sulhO29DRYzFUjvZHGKR2akRu/3RlOUHhwVDJw0m2ZO4M3MHz4+
1x/w7HhzmbMo/kioxJpPsU7f+axVnRMia9dZmvakfhmNdht98qAE/a7UlpT+ft1w
Vua7DRYwOn4o5UYXhBmUL/uCUt3CLeT9Jgu0/bWZ3G3gR1Rw1edS7E5Q7A9wlEY=
=UdOl
-----END PGP SIGNATURE-----




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/





--

If you have questions please let me know.
Best regards,
- Fábio - IT Manager


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: