-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SektionEins GmbH
www.sektioneins.de
-= Security Advisory =-
Advisory: Wordpress user_login Column SQL Truncation Vulnerability
Release Date: 2008/09/12
Last Modified: 2008/09/12
Author: Stefan Esser [stefan.esser[at]sektioneins.de]
Application: Wordpress <= 2.6.1
Severity: MySQL column truncation allows resetting the passwords of
wordpress users to random strings. Combined with weaknesses
in PHP's PRNG this allows determining the admin password.
Risk: High
Vendor Status: Vendor has released Wordpress 2.6.2 which fixes this issue
Reference: http://www.sektioneins.de/advisories/SE-2008-05.txt
http://www.suspekt.org/2008/08/18/mysql-and-sql-column-truncation-vulnerabilities/
http://www.suspekt.org/2008/08/17/mt_srand-and-not-so-random-numbers/
Overview:
Quote from http://www.wordpress.org
"WordPress is a state-of-the-art publishing platform with a focus
on aesthetics, web standards, and usability. WordPress is both
free and priceless at the same time."
During research on MySQL Column Truncation Vulnerabilities it was
discovered that the user registration system of Wordpress is not
protected against this kind of attack. Further research then
discovered that this vulnerability can be used to reset the passwords
of users to a random string when user registration is activated
in the blog.
In addition to this it was discovered that Wordpress uses mt_rand()
to create passwords and reset tokens, which is not secure enough
for cryptographic secrets. The use of mt_rand() allows predicting
the randomly generated passwords when the PRNG is freshly seeded
and output of the PRNG is leaked to the user.
Combined this means on servers reusing PHP processes for multiple
requests (mod_php, fastcgi) it is possible to determine the internal
generated random tokens and passwords, which might lead to a blog
(and maybe server) compromise.
Details:
The term SQL column truncation vulnerability and the problems that
might arise from this kind of vulnerability is explained in the
blog post "mysql and sql column truncation vulnerabilities" which is
available here:
http://www.suspekt.org/2008/08/18/mysql-and-sql-column-truncation-vulnerabilities/
The problems arising from using mt_(s)rand for cryptographic secrets
and possible attacks against PHP's PRNG and PHP applications using it
are explained by the blog post "mt_(s)rand and not so random numbers"
which is available here:
http://www.suspekt.org/2008/08/17/mt_srand-and-not-so-random-numbers/
In Wordpress the situation is that when open registration is activated
an attacker can register the username 'admin' + 55 times ' ' + 'x' to
register a new user that will end up as 'admin' + 55 times ' ' in the
database.
Because of the relaxation on string comparison that ignores trailing
whitespace characters this might disturb how Wordpress uses the user
table. An analysis revealed that a problem occurs in the password
reset. It is however possible that other areas of Wordpress can also
be exploited through the same vector.
When the password reset is triggered with the email address of the fake
admin Wordpress will generate a random password reset token, will write
it into the database as current password reset token for the fake admin
AND ALSO for the real admin. The password reset token is then sent to
the fake admin.
When the password reset token is used Wordpress will reset the password
of the first user that token is valid for, which is the real admin user.
It will auto generate a random password and send it to the real admin.
At this point the real admin has his password changed to something
random that is only known to the email he gets until he reads it.
Using a fresh PHP process for the password reset in combination with the
Keep-Alive attack that is described in the previously mentioned blog
posting, it is however possible for an attacker to lookup the 32 bit seed
used for seeding the random number generator and determine the randomly
generated password for it.
The seed lookup can be performed by a pre-generated table that is around
60 GB in size, which takes a day to generate (depending on your hardware)
but allows resetting admin passwords in seconds.
Wordpress has fixed these vulnerabilities by consolidating space characters
in the user name prior to registration and by changing from plain mt_rand()
usage to some better random number generator that is not easily predicted
from the outside.
Proof of Concept:
SektionEins GmbH is not going to release a proof of concept
exploit for this vulnerability.
Disclosure Timeline:
Recommendation:
It is recommended to upgrade to the latest version of Wordpress
which might also fixes additional vulnerabilities or bugs reported
by third parties,
Grab your copy at:
CVE Information:
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
not assigned a name to this vulnerability yet.
GPG-Key:
pub 1024D/15ABDA78 2004-10-17 Stefan Esser <[email protected]>
Key fingerprint = 7806 58C8 CFA8 CE4A 1C2C 57DD 4AE1 795E 15AB DA78
Copyright 2008 SektionEins GmbH. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
iEYEARECAAYFAkjJzEAACgkQSuF5XhWr2nhllwCfRBe4vOtgbb494BvUJcPh/IZV
vHMAn3FxK5bbd7I3v69Vc+t4LcgaVWvQ
=TCpu
-----END PGP SIGNATURE-----