SecurityTracker.com
Category:   Application (Generic)  >   WordPress
Vendors:   wordpress.org
WordPress Cookie Authentication Flaw Lets Remote Users Access Accounts in Certain Cases
SecurityTracker Alert ID:  1018980
SecurityTracker URL:  http://securitytracker.com/id/1018980
CVE Reference:   CVE-2007-6013
Updated:  Feb 17 2008
Original Entry Date:  Nov 19 2007
Impact:   User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 2.3.1 and prior versions
Description:   A vulnerability was reported in WordPress. A remote user can access arbitrary user accounts in certain cases.

A remote user with read-only access to the WordPress database wp_users table can generate a valid authentication cookie for arbitrary users on the target application.

This vulnerability is being actively exploited.

The vendor was notified on October 29, 2007, without response.

The original advisory is available at:

http://www.cl.cam.ac.uk/users/sjm217/advisories/wordpress-cookie-auth.txt

Steven J. Murdoch reported this vulnerability.

Impact:   A remote user with read-only access to the Wordpress database can generate a valid authentication cookie for arbitrary users on the target application.
Solution:   The vendor has issued a source code fix.
Vendor URL:  www.wordpress.org/
Cause:   Authentication error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Wordpress Cookie Authentication Vulnerability



Wordpress Cookie Authentication Vulnerability

Original release date: 2007-11-19
Last revised: 2007-11-19
Latest version: http://www.cl.cam.ac.uk/users/sjm217/advisories/wordpress-cookie-auth.txt
CVE ID: <pending>
Source: Steven J. Murdoch <http://www.cl.cam.ac.uk/users/sjm217/>


Systems Affected:

 Wordpress 1.5 -- 2.3.1 (including current version, as of 2007-11-19)


Overview:

 With read-only access to the Wordpress database, it is possible to
 generate a valid login cookie for any account, without resorting to a
 brute force attack. This allows a limited SQL injection vulnerability
 to be escalated into administrator access.

 This vulnerability is known to be actively exploited, hence the
 expedited public release.


I. Description

 For authentication, the Wordpress user database stores the MD5 hash
 of login passwords. A client is permitted access if they can present a
 password whose hash matches the stored one.

 $ mysql -u wordpress -p wordpress
   Enter password: ********

   mysql> SELECT ID, user_login, user_pass FROM wp_users;
   +----+-------------+----------------------------------+
   | ID | user_login  | user_pass                        |
   +----+-------------+----------------------------------+
   |  1 | admin       | 4cee2c84f6de6d89a4db4f2894d14e38 |
   ...

 Of course, entering your password after each action that requires
 authorization would be exceptionally tedious. So, after logging in,
 Wordpress presents the client with two cookies:

  wordpressuser_6092254072ca971c70b3ff302411aa5f=admin
  wordpresspass_6092254072ca971c70b3ff302411aa5f=813cadd8658c4776afbe5de8f304a684

 The cookie names contain the MD5 hash (6092...1a5f) of the blog URL.
 The value of wordpressuser_... is the login name, and the value of
 wordpresspass is the double-MD5 hash of the user password.

 Wordpress will permit access to a given user account if the
 wordpresspass_... cookie matches the hash of the specified user's
 wp_users.user_pass database entry.

 In other words, the database contains MD5(password) and the cookie
 contains MD5(MD5(password)). It is thus trivial to convert a database
 entry into an authentication cookie.

 At this point the vulnerability should be clear. If an attacker can
 gain read access to the wp_user table, for example due to a publicly
 visible backup or SQL injection vulnerability, a valid cookie can be
 generated for any account.

 This applies even if the user's password is sufficiently complex to
 resist brute force and rainbow table attacks. While it should be
 computationally infeasible to go backwards from MD5(password) to
 password, the attacker needs only to go forwards.

 The exploitation steps are therefore:
  1) Find the hash of the blog URL: Either just look at the URL, or
     create an account to get a user cookie
  2) Read the user_pass entry from wp_users table: Look for
     backups, perform SQL injection, etc...
  3) Set the following cookies:
      wordpressuser_<MD5(url)>=admin
      wordpresspass_<MD5(url)>=MD5(user_pass)
  4) You have admin access to the blog


II. Impact

 A remote attacker, with read access to the password database can gain
 administrator rights. This may be used in conjunction with an SQL
 injection attack, or after locating a database backup.

 An attacker who has alternatively compromised the database of one
 Wordpress blog can also gain access to any other whose users have the
 same password on both.


III. Solution

 No vendor patch is available.
 No timeline for a vendor patch has been announced.

 Workarounds:

 - Protect the Wordpress database, and do not allow backups to be
   released.
 - Keep your Wordpress installation up to date. This should reduce the
   risk that your database will be compromised.
 - Do not share passwords across different sites.
 - If you suspect a database to be compromised, change all passwords
   to different ones. It is not adequate to change the passwords to
   the same ones, since Wordpress does not "salt" [1] the password
   database.
 - Remove write permissions on the Wordpress files for the system
   account that the webserver runs as. This will disable the theme
   editor, but make it more difficult to escalate Wordpress
   administrator access into the capability to execute arbitrary code
 - Configure the webserver to not execute files in any directory
   writable by the webserver system account (e.g. the upload
   directory).

 Potential fixes:

  The problem occurs because it is easy to go from the password hash
  in the database to a cookie (i.e. the application of MD5 is the wrong
  way around). The simplest fix is to store MD5(MD5(password)) in the
  database, and make the cookie MD5(password). This still makes it
  infeasible to retrieve the password from a cookie, but means that it
  is also infeasible to generate a valid cookie from the database
  entry.

  However, there are other vulnerabilities in the Wordpress cookie and
  password handling, which should be resolved too:

  - Passwords are unsalted [2], leaving them open to brute force, rainbow
    table and other attacks [3].
  - It is impossible to revoke a cookie without changing the user's
    password.
  - Cookies do not contain an expiry time, so are always valid (until
    the user's password changes)
  - There ought to be an option to limit cookies to a particular
    IP address or range.


References:

  [1] http://en.wikipedia.org/wiki/Salt_(cryptography)
  [2] http://trac.wordpress.org/ticket/2394
  [3] http://www.lightbluetouchpaper.org/2007/11/16/google-as-a-password-cracker/


Timeline:

 2007-10-29: security@wordpress.org notified; no response
 2007-11-02: security@wordpress.org notified;
             Confirmation of active exploitation requested by Wordpress
 2007-11-02: Confirmation sent; no response
 2007-11-19: Advisory released to full-disclosure and BugTraq

-- 
w: http://www.cl.cam.ac.uk/users/sjm217/
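To make the advisory's "wrong way around" argument concrete, here is an added Python model (not WordPress's own code and not part of the advisory above) of the original cookie scheme from section I beside the corrected ordering proposed in section III. The password, blog URL and function names are constructed for illustration; the model shows that, given only the wp_users.user_pass value, one further MD5 passes the original check but not the corrected one.

```python
import hashlib
import hmac


def md5_hex(data: str) -> str:
    """MD5 hex digest of a string, as WordPress 2.3.1 and earlier used it."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def cookie_names(blog_url: str) -> tuple[str, str]:
    """Both cookie names carry the MD5 of the blog URL (section I)."""
    tag = md5_hex(blog_url)
    return f"wordpressuser_{tag}", f"wordpresspass_{tag}"


# --- Original scheme (WordPress 1.5 - 2.3.1, per section I) ---
def orig_db_entry(password: str) -> str:
    return md5_hex(password)                 # wp_users.user_pass = MD5(pw)

def orig_cookie(password: str) -> str:
    return md5_hex(md5_hex(password))        # wordpresspass_... = MD5(MD5(pw))

def orig_verify(db_entry: str, cookie: str) -> bool:
    # Server accepts if cookie == MD5(user_pass); the DB row alone suffices.
    return hmac.compare_digest(cookie, md5_hex(db_entry))


# --- Proposed fix (section III): swap which side gets the double hash ---
def fixed_db_entry(password: str) -> str:
    return md5_hex(md5_hex(password))        # wp_users.user_pass = MD5(MD5(pw))

def fixed_cookie(password: str) -> str:
    return md5_hex(password)                 # cookie = MD5(pw), needs the password

def fixed_verify(db_entry: str, cookie: str) -> bool:
    # Server accepts if MD5(cookie) == user_pass; MD5 is one-way, so the
    # stored value cannot be turned "forwards" into an accepted cookie.
    return hmac.compare_digest(db_entry, md5_hex(cookie))


def forward_from_db(db_entry: str) -> str:
    """All a read-only leak of user_pass permits: one more MD5 application."""
    return md5_hex(db_entry)


def leak_yields_session(verify, db_entry: str) -> bool:
    """Does a leaked wp_users row by itself pass this scheme's cookie check?"""
    return verify(db_entry, forward_from_db(db_entry))
```

The corrected ordering closes only the cookie-forgery path; the unsalted hashes, missing expiry and lack of revocation listed under "Potential fixes" remain.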


Copyright 2019, SecurityGlobal.net LLC