SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (Forum/Board/Portal)  >   WordPress Vendors:   wordpress.org
WordPress SQL Truncation and Password Generation Flaw Lets Remote Users Determine the Administrator's Password
SecurityTracker Alert ID:  1020869
SecurityTracker URL:  http://securitytracker.com/id/1020869
CVE Reference:   CVE-2008-4106, CVE-2008-4107   (Links to External Site)
Updated:  Sep 25 2008
Original Entry Date:  Sep 15 2008
Impact:   Disclosure of authentication information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 2.6.1 and prior versions
Description:   A vulnerability was reported in WordPress. A remote user can determine the administrator's password.

The user registration feature does not properly validate user-supplied input. A remote user can supply a specially crafted parameter value to cause the system to reset the administrator's password to a randomly generated value.

The system uses mt_rand() to create passwords and password reset tokens. As a result, a user can predict generated passwords in certain cases.

Because of the validation flaw and password generation flaw, a remote user may be able to obtain the newly reset administrative password.

Wordpress systems that are configured to allow open registration are affected.

The vendor was notified on August 17, 2008.

Stefan Esser of SektionEins GmbH reported this vulnerability.

The original advisory is available at:

http://www.sektioneins.de/advisories/SE-2008-05.txt

Impact:   A remote user can determine the administrator's password.
Solution:   The vendor has issued a fix (2.6.2).

The vendor's advisory is available at:

http://wordpress.org/development/2008/09/wordpress-262/

Vendor URL:  wordpress.org/development/2008/09/wordpress-262/ (Links to External Site)
Cause:   Access control error, Input validation error
Underlying OS:   Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Date:  Fri, 12 Sep 2008 01:39:16 +0200
Subject:  Advisory 05/2008: Wordpress user_login Column SQL Truncation Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                          SektionEins GmbH
                         www.sektioneins.de

                      -= Security  Advisory =-


     Advisory: Wordpress user_login Column SQL Truncation Vulnerability
 Release Date: 2008/09/12
Last Modified: 2008/09/12
       Author: Stefan Esser [stefan.esser[at]sektioneins.de]

  Application: Wordpress <= 2.6.1
     Severity: MySQL column truncation allows resetting the passwords of
               wordpress users to random strings. Combined with weaknesses
               in PHP's PRNG this allows determining the admin password.
         Risk: High
Vendor Status: Vendor has released Wordpress 2.6.2 which fixes this issue
    Reference: http://www.sektioneins.de/advisories/SE-2008-05.txt
               http://www.suspekt.org/2008/08/18/mysql-and-sql-column-truncation-vulnerabilities/
               http://www.suspekt.org/2008/08/17/mt_srand-and-not-so-random-numbers/


Overview:

   Quote from http://www.wordpress.org
   "WordPress is a state-of-the-art publishing platform with a focus 
    on aesthetics, web standards, and usability. WordPress is both 
    free and priceless at the same time."

   During research on MySQL Column Truncation Vulnerabilities it was
   discovered that the user registration system of Wordpress is not
   protected against this kind of attack. Further research then
   discovered that this vulnerability can be used to reset the passwords
   of users to a random string when user registration is activated 
   in the blog.

   In addition to this it was discovered that Wordpress uses mt_rand()
   to create passwords and reset tokens, which is not secure enough 
   for cryptographic secrets. The use of mt_rand() allows predicting
   the randomly generated passwords when the PRNG is freshly seeded
   and output of the PRNG is leaked to the user.

   Combined this means on servers reusing PHP processes for multiple
   requests (mod_php, fastcgi) it is possible to determine the internal
   generated random tokens and passwords, which might lead to a blog
   (and maybe server) compromise.


Details:

   The term SQL column truncation vulnerability and the problems that 
   might arise from this kind of vulnerability is explained in the
   blog post "mysql and sql column truncation vulnerabilities" which is
   available here:

   http://www.suspekt.org/2008/08/18/mysql-and-sql-column-truncation-vulnerabilities/

   The problems arising from using mt_(s)rand for cryptographic secrets
   and possible attacks against PHP's PRNG and PHP applications using it
   are explained by the blog post "mt_(s)rand and not so random numbers" 
   which is available here:

   http://www.suspekt.org/2008/08/17/mt_srand-and-not-so-random-numbers/

   In Wordpress the situation is that when open registration is activated
   an attacker can register the username 'admin' + 55 times ' ' + 'x' to
   register a new user that will end up as 'admin' + 55 times ' ' in the
   database.

   Because of the relaxation on string comparison that ignores trailing
   whitespace characters this might disturb how Wordpress uses the user
   table. An analysis revealed that a problem occurs in the password
   reset. It is however possible that other areas of Wordpress can also
   be exploited through the same vector.

   When the password reset is triggered with the email address of the fake
   admin Wordpress will generate a random password reset token, will write
   it into the database as current password reset token for the fake admin
   AND ALSO for the real admin. The password reset token is then sent to
   the fake admin.

   When the password reset token is used Wordpress will reset the password
   of the first user that token is valid for, which is the real admin user.
   It will auto generate a random password and send it to the real admin.
   At this point the real admin has his password changed to something
   random that is only known to the email he gets until he reads it.

   Using a fresh PHP process for the password reset in combination with the
   Keep-Alive attack that is described in the previously mentioned blog
   posting, it is however possible for an attacker to lookup the 32 bit seed
   used for seeding the random number generator and determine the randomly
   generated password for it.

   The seed lookup can be performed by a pre-generated table that is around
   60 GB in size, which takes a day to generate (depending on your hardware)
   but allows resetting admin passwords in seconds.

   Wordpress has fixed these vulnerabilities by consolidating space characters
   in the user name prior to registration and by changing from plain mt_rand()
   usage to some better random number generator that is not easily predicted
   from the outside.


Proof of Concept:

   SektionEins GmbH is not going to release a proof of concept 
   exploit for this vulnerability.


Disclosure Timeline:

   17. Aug 2008 - Sent notification to Wordpress about the vulnerability
   21. Aug 2008 - Received confirmation that notification was received but
                  waited in the spam folder for manual review
   22. Aug 2008 - Notification that the column truncation is now fixed in SVN
                  and that discussion how to fix the mt_rand() problem is running
   22. Aug 2008 - Sent recommendation how to fix the mt_rand() issue as
                  PHP pseudo code
   25. Aug 2008 - Received and commented about PHP code to fix the issue
   27. Aug 2008 - Notification that the mt_rand() problem is now fixed in SVN
   30. Aug 2008 - Discussion about a possible release date that allows fixing
                  some other problems contained in Wordpress 2.6.1
   09. Sep 2008 - The Wordpress Development Team releases Wordpress 2.6.2
                  early in response to a description of a possible attack that
                  appeared on milw0rm and was most probably reversed from
                  the SVN commits
   12. Sep 2008 - Public Disclosure


Recommendation:

   It is recommended to upgrade to the latest version of Wordpress
   which might also fixes additional vulnerabilities or bugs reported 
   by third parties,

   Grab your copy at:
   
   http://www.wordpress.org


CVE Information:

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   not assigned a name to this vulnerability yet.


GPG-Key:

   pub  1024D/15ABDA78 2004-10-17 Stefan Esser <stefan.esser@sektioneins.de>
   Key fingerprint = 7806 58C8 CFA8 CE4A 1C2C  57DD 4AE1 795E 15AB DA78


Copyright 2008 SektionEins GmbH. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)

iEYEARECAAYFAkjJzEAACgkQSuF5XhWr2nhllwCfRBe4vOtgbb494BvUJcPh/IZV
vHMAn3FxK5bbd7I3v69Vc+t4LcgaVWvQ
=TCpu
-----END PGP SIGNATURE-----

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC