Twenty Year Anniversary

WordPress All-In-One Security / Firewall 4.1.2 CAPTCHA Bypass

WordPress All-In-One Security / Firewall 4.1.2 CAPTCHA Bypass
Posted Aug 1, 2016
Authored by Securify B.V., Sipke Mellema

WordPress All-In-On Security and Firewall plugin version 4.1.2 suffers from multiple CAPTCHA bypass vulnerabilities.

tags | exploit, vulnerability, bypass
MD5 | eadcee9144c7f7cbaad656157117c8dc

WordPress All-In-One Security / Firewall 4.1.2 CAPTCHA Bypass

Change Mirror Download
------------------------------------------------------------------------
Multiple vulnerabilities in All In One WP Security & Firewall plugin
login CAPTCHA
------------------------------------------------------------------------
Sipke Mellema, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
The login CAPTCHA provided by the All In One WP Security & Firewall
plugin can be circumvented in multiple ways, allowing an attacker to
automate login attempts when the CAPTCHA is enabled.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160719-0001

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
These issues were successfully tested on the All In One WP Security &
Firewall WordPress Plugin version 4.1.2.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
The first two findings are resolved in the All In One WP Security &
Firewall plugin version 4.1.3.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/multiple_vulnerabilities_in_all_in_one_wp_security___firewall_plugin_login_captcha.html

Details finding 1: Complete bypass of CAPTCHA answer validation

When the login CAPTCHA is enabled, the plugin will check if the user provided a CAPTCHA answer. If so, the answer will be checked for validity. However, the code does not account for the case where no CAPTCHA answer is provided. If no answer is sent, the login will continue as normal, even though the CAPTCHA setting is enabled.

The vulnerable code is located in wp-security-user-login.php:

//Check if captcha enabled
if ($aio_wp_security->configs->get_value('aiowps_enable_login_captcha') == '1')
{
if (array_key_exists('aiowps-captcha-answer', $_POST)) //If the login form with captcha was submitted then do some processing
{
[.. captcha logic ..]
}
[.. missing else statement ..]
}

Details finding 2: CAPTCHA answer forgery


The CAPTCHA answers leak the secret key used to create valid answers. By extracting the secret keys it's possible to forge valid CAPTCHA answers.

The vulnerable code is located at /classes/wp-security-captcha.php:

//Let's encode correct answer
$captcha_secret_string = $aio_wp_security->configs->get_value('aiowps_captcha_secret_key');
$current_time = time();
$enc_result = base64_encode($current_time.$captcha_secret_string.$result);
$equation_string .= '<input type="hidden" name="aiowps-captcha-string-info" id="aiowps-captcha-string-info" value="'.$enc_result.'" />';
$equation_string .= '<input type="hidden" name="aiowps-captcha-temp-string" id="aiowps-captcha-temp-string" value="'.$current_time.'" />';
$equation_string .= '<input type="text" size="2" id="aiowps-captcha-answer" name="aiowps-captcha-answer" value="" />';
return $equation_string;

The CAPTCHA form adds three fields to the login form:
aiowps-captcha-string-info - A timestamp, a secret CAPTCHA key and the valid answer, base64 encoded
aiowps-captcha-temp-string - The timestamp
aiowps-captcha-answer - Answer to be filled in by the user
For validating the correct answer, aiowps-captcha-string-info is checked against the timestamp provided by the user, combined with the answer provided by the user and the secret CAPTCHA key (base64 encoded).

By decoding the value for aiowps-captcha-string-info, a user can extract the secret key and create valid answers.
Details finding 3: CAPTCHA answer replay attack


The CAPTCHA mechanism (which is described above) is created in such a way that the CAPTCHA answer never expires. A valid answer can be re-used, allowing automated login attempts.
Details finding 4: Easy automatable CAPTCHA solving


Math questions created by the login CAPTCHA are not obfuscated in any way. The math questions (such as "five + 2") can easily be parsed by a program to generate valid answers.
Proofs of concepts

1. Enable the login CAPTCHA and remove the aiowps-captcha-answer parameter from the POST request. The login will succeed as normal.

2. Base64 decode the hidden field aiowps-captcha-string-info to obtain the CAPTCHA secret and a valid answer.

3. Send two login attempt with the same (valid) aiowps-captcha-string-info, aiowps-captcha-temp-string and aiowps-captcha-answer parameters. The login attempt will be accepted.

4. A programmer can use the array from the number_word_mapping method to evaluate the questions created by the CAPTCHA.



------------------------------------------------------------------------
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

December 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    11 Files
  • 2
    Dec 2nd
    1 Files
  • 3
    Dec 3rd
    18 Files
  • 4
    Dec 4th
    40 Files
  • 5
    Dec 5th
    16 Files
  • 6
    Dec 6th
    50 Files
  • 7
    Dec 7th
    12 Files
  • 8
    Dec 8th
    1 Files
  • 9
    Dec 9th
    1 Files
  • 10
    Dec 10th
    15 Files
  • 11
    Dec 11th
    30 Files
  • 12
    Dec 12th
    25 Files
  • 13
    Dec 13th
    14 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close