Wordpress Exploit

nux · 19 October, 2009, 18:26 PM

The latest version of Wordpress is exploitable by what seems to be an 0day exploit. There is no patch on wordpress.org. Here's the actual exploit:
pastebin - collaborative debugging tool

It looks like it's an issue in wp-trackback.php

Temporarily disabling trackbacks should be a work around for now. Nothing has been testing though....

nux · 19 October, 2009, 18:32 PM

Update: I just tested it on my server and it hurts. Dirty exploit:

top - 13:29:56 up 36 days, 1:06, 12 users, load average: 45.95, 13.40, 4.66

I'm working on a workaround...and

<Files ~ "wp-trackback.php">
Order allow,deny
Deny from all
</Files>

Add that to your apache config file to disallow wp-trackback.php on every site hosted on the server.

A nasty workaround, but will help until a real fix is out.

nux · 19 October, 2009, 18:56 PM

I made a post about it on my blog:
New 0-Day Wordpress Exploit | Steve Fortuna

Keldorn · 19 October, 2009, 19:03 PM

Imagine if they change to this.

PHP Code:


			
for($n = 0; $n <= 10000000; $n++){

//fputs attack  stuff

}

It will loop 10 million times. Imagine if they put usleep(); at a Quarter second to prevent crashing your server, then hitting page over and over for oh about 7 days. You will have a page with 2,419,200 tackback comment on it saying "lol", now imagine having to delete that shit to clean up. Priceless. xD
Hopefully wordpress has some of mechasim to block repeated trackbacks from the same IP...

nux · 19 October, 2009, 19:13 PM

I have come up with a fix for this exploit. It's posted on my blog, linked above.

garfish · 19 October, 2009, 19:23 PM

thanks guys. i'm adding the code. dyou have any idea when will wp fix be release?

Keldorn · 19 October, 2009, 19:38 PM

Quote:

Originally Posted by nux

I have come up with a fix for this exploit. It's posted on my blog, linked above.

What is $charset and does check if it greater then 50 characters stop the attack?

nux · 19 October, 2009, 19:44 PM

the problem is in this function: PHP: mb_convert_encoding - Manual

what the exploit does is tell the server that there's thousands of charsets to convert it to the fix limits the input on the charset value to 50 chars. I tested on my server and it works. 50 might be too much anyways, but it stops the exploit

Keldorn · 19 October, 2009, 19:51 PM

okay, I think I understand. So wp-trackback accept a Character encoding with a var called $_POST['charset'],
with this code they generate thousands of things saying "UTF-8"
$charset = str_pad($charset,140000,"UTF-8,");

for a payload to mb_convert_encoding, which will loop over then thousands of times. Running up the load on the server.
So I guess checking if $charset is less then 50 might work and is probably too much anways. Must character encodign name will around 10 char right?
Looks good..

Keldorn.