what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

wordpress-cookie-auth.txt

wordpress-cookie-auth.txt
Posted Nov 26, 2007
Authored by Steven J. Murdoch | Site cl.cam.ac.uk

Wordpress versions 1.5 through 2.3.1 suffer from a cookie authentication vulnerability.

tags | advisory
SHA-256 | dcf620597516557871bd390192f9dd05e32ea32acc9591a2243559cb230b97ad

wordpress-cookie-auth.txt

Change Mirror Download
Wordpress Cookie Authentication Vulnerability

Original release date: 2007-11-19
Last revised: 2007-11-19
Latest version: http://www.cl.cam.ac.uk/users/sjm217/advisories/wordpress-cookie-auth.txt
CVE ID: <pending>
Source: Steven J. Murdoch <http://www.cl.cam.ac.uk/users/sjm217/>


Systems Affected:

Wordpress 1.5 -- 2.3.1 (including current version, as of 2007-11-19)


Overview:

With read-only access to the Wordpress database, it is possible to
generate a valid login cookie for any account, without resorting to a
brute force attack. This allows a limited SQL injection vulnerability
to be escalated into administrator access.

This vulnerability is known to be actively exploited, hence the
expedited public release.


I. Description

For authentication, the Wordpress user database stores the MD5 hash
of login passwords. A client is permitted access if they can present a
password whose hash matches the stored one.

$ mysql -u wordpress -p wordpress
Enter password: ********

mysql> SELECT ID, user_login, user_pass FROM wp_users;
+----+-------------+----------------------------------+
| ID | user_login | user_pass |
+----+-------------+----------------------------------+
| 1 | admin | 4cee2c84f6de6d89a4db4f2894d14e38 |
...

Of course, entering your password after each action that requires
authorization would be exceptionally tedious. So, after logging in,
Wordpress presents the client with two cookies:

wordpressuser_6092254072ca971c70b3ff302411aa5f=admin
wordpresspass_6092254072ca971c70b3ff302411aa5f=813cadd8658c4776afbe5de8f304a684

The cookie names contains the MD5 hash (6092...1a5f) of the blog URL.
The value of wordpressuser_... is the login name, and the value of
wordpresspass is the double-MD5 hash of the user password.

Wordpress will permit access to a given user account if the
wordpressuserpass_... cookie matches the hash of the specified user's
wp_users.user_pass database entry.

In other words, the database contains MD5(password) and the cookie
contains MD5(MD5(password)). It is thus trivial to convert a database
entry into an authentication cookie.

At this point the vulnerability should be clear. If an attacker can
gain read access to the wp_user table, for example due to a publicly
visible backup or SQL injection vulnerability, a valid cookie can be
generated for any account.

This applies even if the user's password is sufficiently complex to
resist brute force and rainbow table attacks. While it should be
computationally infeasible to go backwards from MD5(password) to
password, the attacker needs only to go forwards.

The exploitation steps are therefore:
1) Find the hash of the blog URL: Either just look at the URL, or
create an account to get a user cookie
2) Read the user_pass entry from wp_users table: Look for
backups, perform SQL injection, etc...
3) Set the following cookies:
wordpressuser_<MD5(url)>=admin
wordpresspass_<MD5(url)>=MD5(user_pass)
4) You have admin access to the blog


II. Impact

A remote attacker, with read access to the password database can gain
administrator rights. This may be used in conjunction with an SQL
injection attack, or after locating a database backup.

An attacker who has alternatively compromised the database of one
Wordpress blog can also gain access to any other whose users have the
same password on both.


III. Solution

No vendor patch is available.
No timeline for a vendor patch has been announced.

Workarounds:

- Protect the Wordpress database, and do not allow backups to be
released.
- Keep your Wordpress installation up to date. This should reduce the
risk that your database will be compromised.
- Do not share passwords across different sites.
- If you suspect a database to be compromised, change all passwords
to different ones. It is not adequate to change the passwords to
the same ones, since Wordpress does not "salt" [1] the password
database.
- Remove write permissions on the Wordpress files for the system
account that the webserver runs as. This will disable the theme
editor, but make it more difficult to escalate Wordpress
administrator access into the capability to execute arbitrary code
- Configure the webserver to not execute files in any directory
writable by the webserver system account (e.g. the upload
directory).

Potential fixes:

The problem occurs because it is easy to go from the password hash
in the database to a cookie (i.e the application of MD5 is the wrong
way around). The simplest fix is to store MD5(MD5(password)) in the
database, and make the cookie MD5(password). This still makes it
infeasible to retrieve the password from a cookie, but means that it
is also infeasible to generate a valid cookie from the database
entry.

However, there are other vulnerabilities in the Wordpress cookie and
password handling, which should be resolved too:

- Passwords are unsalted [2], leaving them open to brute force, rainbow
table and other attacks [3].
- It is impossible to revoke a cookie without changing the user's
password.
- Cookies do not contain an expiry time, so are always valid (until
the user's password changes)
- There ought to be an option to limit cookies to a particular
IP address or range.


References:

[1] http://en.wikipedia.org/wiki/Salt_(cryptography)
[2] http://trac.wordpress.org/ticket/2394
[3] http://www.lightbluetouchpaper.org/2007/11/16/google-as-a-password-cracker/


Timeline:

2007-10-29: security@wordpress.org notified; no response
2007-11-02: security@wordpress.org notified;
Confirmation of active exploitation requested by Wordpress
2007-11-02: Confirmation sent; no response
2007-11-19: Advisory released to full-disclosure and BugTraq

--
w: http://www.cl.cam.ac.uk/users/sjm217/
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close