-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 SektionEins GmbH www.sektioneins.de -= Security Advisory =- Advisory: Wordpress user_login Column SQL Truncation Vulnerability Release Date: 2008/09/12 Last Modified: 2008/09/12 Author: Stefan Esser [stefan.esser[at]sektioneins.de] Application: Wordpress <= 2.6.1 Severity: MySQL column truncation allows resetting the passwords of wordpress users to random strings. Combined with weaknesses in PHP's PRNG this allows determining the admin password. Risk: High Vendor Status: Vendor has released Wordpress 2.6.2 which fixes this issue Reference: http://www.sektioneins.de/advisories/SE-2008-05.txt http://www.suspekt.org/2008/08/18/mysql-and-sql-column-truncation-vulnerabilities/ http://www.suspekt.org/2008/08/17/mt_srand-and-not-so-random-numbers/ Overview: Quote from http://www.wordpress.org "WordPress is a state-of-the-art publishing platform with a focus on aesthetics, web standards, and usability. WordPress is both free and priceless at the same time." During research on MySQL Column Truncation Vulnerabilities it was discovered that the user registration system of Wordpress is not protected against this kind of attack. Further research then discovered that this vulnerability can be used to reset the passwords of users to a random string when user registration is activated in the blog. In addition to this it was discovered that Wordpress uses mt_rand() to create passwords and reset tokens, which is not secure enough for cryptographic secrets. The use of mt_rand() allows predicting the randomly generated passwords when the PRNG is freshly seeded and output of the PRNG is leaked to the user. Combined this means on servers reusing PHP processes for multiple requests (mod_php, fastcgi) it is possible to determine the internal generated random tokens and passwords, which might lead to a blog (and maybe server) compromise. Details: The term SQL column truncation vulnerability and the problems that might arise from this kind of vulnerability is explained in the blog post "mysql and sql column truncation vulnerabilities" which is available here: http://www.suspekt.org/2008/08/18/mysql-and-sql-column-truncation-vulnerabilities/ The problems arising from using mt_(s)rand for cryptographic secrets and possible attacks against PHP's PRNG and PHP applications using it are explained by the blog post "mt_(s)rand and not so random numbers" which is available here: http://www.suspekt.org/2008/08/17/mt_srand-and-not-so-random-numbers/ In Wordpress the situation is that when open registration is activated an attacker can register the username 'admin' + 55 times ' ' + 'x' to register a new user that will end up as 'admin' + 55 times ' ' in the database. Because of the relaxation on string comparison that ignores trailing whitespace characters this might disturb how Wordpress uses the user table. An analysis revealed that a problem occurs in the password reset. It is however possible that other areas of Wordpress can also be exploited through the same vector. When the password reset is triggered with the email address of the fake admin Wordpress will generate a random password reset token, will write it into the database as current password reset token for the fake admin AND ALSO for the real admin. The password reset token is then sent to the fake admin. When the password reset token is used Wordpress will reset the password of the first user that token is valid for, which is the real admin user. It will auto generate a random password and send it to the real admin. At this point the real admin has his password changed to something random that is only known to the email he gets until he reads it. Using a fresh PHP process for the password reset in combination with the Keep-Alive attack that is described in the previously mentioned blog posting, it is however possible for an attacker to lookup the 32 bit seed used for seeding the random number generator and determine the randomly generated password for it. The seed lookup can be performed by a pre-generated table that is around 60 GB in size, which takes a day to generate (depending on your hardware) but allows resetting admin passwords in seconds. Wordpress has fixed these vulnerabilities by consolidating space characters in the user name prior to registration and by changing from plain mt_rand() usage to some better random number generator that is not easily predicted from the outside. Proof of Concept: SektionEins GmbH is not going to release a proof of concept exploit for this vulnerability. Disclosure Timeline: 17. Aug 2008 - Sent notification to Wordpress about the vulnerability 21. Aug 2008 - Received confirmation that notification was received but waited in the spam folder for manual review 22. Aug 2008 - Notification that the column truncation is now fixed in SVN and that discussion how to fix the mt_rand() problem is running 22. Aug 2008 - Sent recommendation how to fix the mt_rand() issue as PHP pseudo code 25. Aug 2008 - Received and commented about PHP code to fix the issue 27. Aug 2008 - Notification that the mt_rand() problem is now fixed in SVN 30. Aug 2008 - Discussion about a possible release date that allows fixing some other problems contained in Wordpress 2.6.1 09. Sep 2008 - The Wordpress Development Team releases Wordpress 2.6.2 early in response to a description of a possible attack that appeared on milw0rm and was most probably reversed from the SVN commits 12. Sep 2008 - Public Disclosure Recommendation: It is recommended to upgrade to the latest version of Wordpress which might also fixes additional vulnerabilities or bugs reported by third parties, Grab your copy at: http://www.wordpress.org CVE Information: The Common Vulnerabilities and Exposures project (cve.mitre.org) has not assigned a name to this vulnerability yet. GPG-Key: pub 1024D/15ABDA78 2004-10-17 Stefan Esser <stefan.esser@xxxxxxxxxxxxxx> Key fingerprint = 7806 58C8 CFA8 CE4A 1C2C 57DD 4AE1 795E 15AB DA78 Copyright 2008 SektionEins GmbH. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) iEYEARECAAYFAkjJzEAACgkQSuF5XhWr2nhllwCfRBe4vOtgbb494BvUJcPh/IZV vHMAn3FxK5bbd7I3v69Vc+t4LcgaVWvQ =TCpu -----END PGP SIGNATURE-----