WordPress W3 Total Cache Amazon SNS Push Messages Weak Validation
Posted Nov 11, 2016
Authored by Securify B.V., Sipke Mellema

A vulnerability in the validation of Amazon SNS messages was found in the W3 Total Cache plugin. This issue allows an attacker to perform a variety of actions concerning the server's cache, which may result in a denial of service attack. Version 0.9.4.1 is affected.

tags | exploit, denial of service
MD5 | 530b6c7891343fb9d1140ce5cbda0d8a

------------------------------------------------------------------------
Weak validation of Amazon SNS push messages in W3 Total Cache WordPress
Plugin
------------------------------------------------------------------------
Sipke Mellema, July 2016

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A vulnerability in the validation of Amazon SNS messages was found in
the W3 Total Cache plugin. This issue allows an attacker to perform a
variety of actions concerning the server's cache, which may result in a
Denial of Service attack.

------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160724-0012

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully tested on the W3 Total Cache WordPress
Plugin version 0.9.4.1.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is resolved in W3 Total Cache version 0.9.5.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2016/weak_validation_of_amazon_sns_push_messages_in_w3_total_cache_wordpress_plugin.html

The file /pub/sns.php contains the W3 Total Cache SNS module and is publicly accessible. It listens for push messages from the Amazon SNS service. The validation of these SNS messages is flawed. A message is validated in /lib/SNS/services/MessageValidator/MessageValidator.php::validate. Here, the parameter SigningCertURL is taken from the push message and used as the URL from which the public key is retrieved. The URL is validated by checking whether its host ends with .amazonaws.com.

// Get the cert's URL and ensure it is from AWS
$certUrl = $message->get('SigningCertURL');
$host = parse_url($certUrl, PHP_URL_HOST);
if ('.amazonaws.com' != substr($host, -14)) {
    throw new CertificateFromUnrecognizedSourceException($host . ' did not match .amazonaws.com');
}

The validation of the URL is not sufficient because anyone can obtain a hostname under amazonaws.com. By pointing the SigningCertURL parameter to one's own domain, it's possible to forge signed SNS messages. This makes it possible to execute any action from the /lib/W3/Enterprise/SnsServer.php::_execute method, allowing an attacker to flush the cache or to load files into the cache.

The impact of this attack is low to medium. It's possible to flush the cache and to load files into it, depending on the available PHP extensions. By constantly loading and flushing the cache, a server can be made to respond more slowly to incoming requests. In some cases this may lead to a Denial of Service attack.

I suggest using the regex from the Amazon SNS SDK:
/aws/Aws/Sns/MessageValidator/MessageValidator.php

private function validateUrl(Url $url)
{
    // The host must match the following pattern
    $hostPattern = '/^sns\.[a-zA-Z0-9\-]{3,}\.amazonaws\.com(\.cn)?$/';
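
The following is an added example, not code from the plugin, the SDK or this advisory. It runs the suffix check quoted above and a stricter check built on the suggested regex over a set of sample URLs, so the difference is visible per input. The function names are hypothetical, and the HTTPS, .pem and no-userinfo/port requirements are assumptions of this example that go beyond the regex suggested here.

```php
<?php
// Added example. weakCertUrlCheck/strictCertUrlCheck are hypothetical names.

// The check quoted from W3 Total Cache 0.9.4.1: host suffix only.
function weakCertUrlCheck(string $certUrl): bool
{
    $host = (string) parse_url($certUrl, PHP_URL_HOST);
    return substr($host, -14) === '.amazonaws.com';
}

// Stricter check: the host must be an SNS endpoint (regex from the advisory).
// Assumptions of this example: HTTPS only, path ends in .pem,
// no userinfo and no explicit port in the URL.
function strictCertUrlCheck(string $certUrl): bool
{
    $parts = parse_url($certUrl);
    if ($parts === false || !isset($parts['scheme'], $parts['host'], $parts['path'])) {
        return false;
    }
    if (isset($parts['user']) || isset($parts['pass']) || isset($parts['port'])) {
        return false;
    }
    $hostPattern = '/^sns\.[a-zA-Z0-9\-]{3,}\.amazonaws\.com(\.cn)?$/';
    return strtolower($parts['scheme']) === 'https'
        && preg_match($hostPattern, $parts['host']) === 1
        && substr($parts['path'], -4) === '.pem';
}

// Constructed sample URLs, except the second one, which is the
// SigningCertURL value used in this advisory's proof of concept.
$samples = [
    'https://sns.us-west-2.amazonaws.com/SimpleNotificationService-EXAMPLE.pem',
    'http://ec2-52-40-123-111.us-west-2.compute.amazonaws.com/foo.cert',
    'http://sns.us-west-2.amazonaws.com/cert.pem',
    'https://sns.us-west-2.amazonaws.com/cert.txt',
    'https://sns.us-west-2.amazonaws.com.attacker.example/cert.pem',
    'https://sns.us-west-2.amazonaws.com@attacker.example/cert.pem',
];

// Columns: result of the weak check, result of the strict check, URL.
foreach ($samples as $url) {
    printf(
        "%-5s %-5s %s\n",
        weakCertUrlCheck($url) ? 'pass' : 'fail',
        strictCertUrlCheck($url) ? 'pass' : 'fail',
        $url
    );
}
```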

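A different property in the validation was noted. It seems that the string being signed is not the full message sent by the client. Replay attacks might be possible. This has not been further investigated.

------------------------------------------------------------------------
Proof of Concept
------------------------------------------------------------------------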

This request was tested on PHP Version 7.0.9-1.

A POST request to /wp-content/plugins/w3-total-cache/pub/sns.php with the following body results in the action apc_compile_file being executed.

{"Type":"Notification","Signature":"IulYAhFLEwx1ecyyk0mWqsdYxYY/x+84GyD6c0T4YTJrUzIhDRkajQkgsq9HDDJmGv5TiqeTUfatfxv6xmNNiXc4
95ktc2txPxjPZkDn2d1Sr3qXc9rqyH/NvoHFa2Uwq0gQLzeSTtwmjPZx3JilP6rba4zy/EicIPALNNnmP4A=","SigningCertURL":"http://ec2-52-40-123-111.us-west-2.compute.amazonaws.com/foo.cert","Message":"{\"action\":{\"action\":\"apc_compile_file\",\"filename\":\"Testfile\"}}"}

The mentioned Amazon domain is not publicly accessible. Reproduction steps are:
1. Register an Amazon AWS account
2. Create a public/private key pair
3. Put the public key on the AWS domain
4. Create a POST message like the one above with the SigningCertURL parameter pointing to your public key and the Signature parameter containing a valid signature for your message, generated with your own private key, using the logic from /lib/SNS/services/MessageValidator/Message.php::getStringToSign.

------------------------------------------------------------------------
Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
goal is to contribute to the security of popular, widely used OSS
projects in a fun and educational way.
