Posted: October 28th, 2009 | Author: xanda | Filed under: IT Related | Tags: firefox, mozilla, patch, remote code execution, update | No Comments »
Have you update your Firefox? Kindly tell me if you haven’t 😉
Naahh.. Just kidding.. Updates are available now.. Patch.. Patch.. and Patch.. Before its too late
Read more here:
[credit: IMG source]
Posted: August 11th, 2009 | Author: xanda | Filed under: IT Related | Tags: 2.8.3, patch, Remote Admin Reset Password Vulnerability, wordpress | 6 Comments »
[at the time this entry was posted, this is still a 0day]
[level: medium]
For those who subscribe to Milw0rm’s RSS, you might have read about the WordPress <= 2.8.3 Remote Admin Reset Password Vulnerability earlier.
Let take a look at the vulnerable code in wp-login.php:
wp-login.php:
...[snip]....
line 186:
function reset_password($key) {
global $wpdb;
$key = preg_replace('/[^a-z0-9]/i', '', $key);
if ( empty( $key ) )
return new WP_Error('invalid_key', __('Invalid key'));
$user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users WHERE user_activation_key = %s", $key));
if ( empty( $user ) )
return new WP_Error('invalid_key', __('Invalid key'));
...[snip]....
line 276:
$action = isset($_REQUEST['action']) ? $_REQUEST['action'] : 'login';
$errors = new WP_Error();
if ( isset($_GET['key']) )
$action = 'resetpass';
// validate action so as to default to the login screen
if ( !in_array($action, array('logout', 'lostpassword', 'retrievepassword', 'resetpass', 'rp', 'register', 'login')) && false === has_filter('login_form_' . $action) )
$action = 'login';
...[snip]....
line 370:
break;
case 'resetpass' :
case 'rp' :
$errors = reset_password($_GET['key']);
if ( ! is_wp_error($errors) ) {
wp_redirect('wp-login.php?checkemail=newpass');
exit();
}
wp_redirect('wp-login.php?action=lostpassword&error=invalidkey');
exit();
break;
...[snip ]... |
wp-login.php:
...[snip]....
line 186:
function reset_password($key) {
global $wpdb;
$key = preg_replace('/[^a-z0-9]/i', '', $key);
if ( empty( $key ) )
return new WP_Error('invalid_key', __('Invalid key'));
$user = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->users WHERE user_activation_key = %s", $key));
if ( empty( $user ) )
return new WP_Error('invalid_key', __('Invalid key'));
...[snip]....
line 276:
$action = isset($_REQUEST['action']) ? $_REQUEST['action'] : 'login';
$errors = new WP_Error();
if ( isset($_GET['key']) )
$action = 'resetpass';
// validate action so as to default to the login screen
if ( !in_array($action, array('logout', 'lostpassword', 'retrievepassword', 'resetpass', 'rp', 'register', 'login')) && false === has_filter('login_form_' . $action) )
$action = 'login';
...[snip]....
line 370:
break;
case 'resetpass' :
case 'rp' :
$errors = reset_password($_GET['key']);
if ( ! is_wp_error($errors) ) {
wp_redirect('wp-login.php?checkemail=newpass');
exit();
}
wp_redirect('wp-login.php?action=lostpassword&error=invalidkey');
exit();
break;
...[snip ]...
You can abuse the password reset function, and bypass the first step and
then reset the admin password by submiting an array to the $key
variable.
(Laurent Gaffié)
wanna see some PoC?
http://blog.example.com/wp-login.php?action=rp&key[]= |
http://blog.example.com/wp-login.php?action=rp&key[]=
Hehehe.. ok.. now lets patch it.. change the code in line 188 into the following code
if(is_array($key)) {
$key = '';
return new WP_Error('invalid_key', __('Invalid key'));
}
else
$key = preg_replace('/[^a-z0-9]/i', '', $key); |
if(is_array($key)) {
$key = '';
return new WP_Error('invalid_key', __('Invalid key'));
}
else
$key = preg_replace('/[^a-z0-9]/i', '', $key);
Now you are done.
P/S: This is not the official patch from WordPress. So far there is still no patch yet. You can temporarily use this method and please upgrade to the next version of WordPress when the patch is available. If you found that my patch is still vulnerable to this attack, kindly ‘patch’ me in the comment section
Greetz to Laurent Gaffié & Leong Jaan Yeh
Reference:
- http://www.milw0rm.com/exploits/9410
- http://my.php.net/is_array
The information contained within this advisory is supplied “as-is” with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information.