
Thread: Wordpress Exploit

  1. #1
    nux, Moderator

    Wordpress Exploit

    The latest version of Wordpress is exploitable by what seems to be an 0day exploit. There is no patch on wordpress.org. Here's the actual exploit:
    pastebin - collaborative debugging tool

    It looks like it's an issue in wp-trackback.php

    Temporarily disabling trackbacks should be a workaround for now. Nothing has been tested though....

  2. Thanked by:

    Snak3 (20 October, 2009)

  3. #2
    nux, Moderator
    Update: I just tested it on my server and it hurts. Dirty exploit:

    top - 13:29:56 up 36 days, 1:06, 12 users, load average: 45.95, 13.40, 4.66

    I'm working on a workaround...and

    <Files ~ "wp-trackback.php">
    Order allow,deny
    Deny from all
    </Files>


    Add that to your apache config file to disallow wp-trackback.php on every site hosted on the server.

    A nasty workaround, but will help until a real fix is out.

  4. #3
    nux, Moderator
    I made a post about it on my blog:
    New 0-Day Wordpress Exploit | Steve Fortuna

  5. #4
    Keldorn, Net Builder
    Imagine if they change to this.

    PHP Code:
    for ($n = 0; $n <= 10000000; $n++) {
        // fputs attack stuff
    }

    It will loop 10 million times. Imagine if they put usleep(); at a quarter second to prevent crashing your server, then hit the page over and over for, oh, about 7 days. You will have a page with 2,419,200 trackback comments on it saying "lol"; now imagine having to delete that shit to clean up. Priceless. xD
    Hopefully wordpress has some mechanism to block repeated trackbacks from the same IP...

  6. #5
    nux, Moderator
    I have come up with a fix for this exploit. It's posted on my blog, linked above.

  7. #6
    garfish, I'm Not Sure.
    Thanks guys. I'm adding the code. Do you have any idea when the WP fix will be released?

  8. #7
    Keldorn, Net Builder
    Quote Originally Posted by nux View Post
    I have come up with a fix for this exploit. It's posted on my blog, linked above.
    What is $charset, and does checking if it is greater than 50 characters stop the attack?

  9. #8
    nux, Moderator
    the problem is in this function: PHP: mb_convert_encoding - Manual

    What the exploit does is tell the server that there are thousands of charsets to convert to. The fix limits the input on the charset value to 50 chars. I tested it on my server and it works. 50 might be too much anyway, but it stops the exploit.

  10. #9
    Keldorn, Net Builder
    Okay, I think I understand. So wp-trackback accepts a character encoding with a var called $_POST['charset'], and with this code they generate thousands of things saying "UTF-8":
    $charset = str_pad($charset,140000,"UTF-8,");

    for a payload to mb_convert_encoding, which will loop over them thousands of times, running up the load on the server.
    So I guess checking if $charset is less than 50 might work, and is probably too much anyway. Most character encoding names will be around 10 chars, right?
    Looks good..

    Keldorn.
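As an added example, in the thread's own language, of the defensive check the last two posts describe (this is not code from the thread, from nux's blog post, or from WordPress itself): the client-supplied charset value is length-capped before it ever reaches mb_convert_encoding, split on commas, and each name is checked against the encodings mbstring actually supports. The function names, the 50-byte cap taken from the discussion, and the limit on how many comma-separated names are accepted are assumptions made for illustration, not WordPress code.

```php
<?php
// Added example, not from the thread or WordPress. Hardened handling of a
// trackback "charset" parameter. Names and limits below are assumptions.

const TRACKBACK_CHARSET_MAX_LEN  = 50;  // cap from the thread's discussion
const TRACKBACK_CHARSET_MAX_LIST = 3;   // a real client sends one or two names

/**
 * Return the first supported encoding named in a client-supplied charset
 * value, or null if the value should be rejected outright.
 */
function trackback_charset(?string $raw): ?string
{
    if ($raw === null || $raw === '') {
        return 'UTF-8';                      // absent header: sane default
    }
    // Reject oversized values before any mb_* function sees them.
    if (strlen($raw) > TRACKBACK_CHARSET_MAX_LEN) {
        return null;
    }
    $names = array_filter(array_map('trim', explode(',', $raw)), 'strlen');
    if (count($names) === 0 || count($names) > TRACKBACK_CHARSET_MAX_LIST) {
        return null;                         // empty, or a padded list
    }
    // Only encoding names mbstring actually knows about are acceptable.
    static $known = null;
    if ($known === null) {
        $known = array_map('strtoupper', mb_list_encodings());
    }
    foreach ($names as $name) {
        if (!preg_match('/^[A-Za-z0-9_.:-]{1,30}$/', $name)) {
            return null;                     // junk characters: reject
        }
        $upper = strtoupper($name);
        if (in_array($upper, $known, true)) {
            return $upper;
        }
    }
    return null;                             // nothing supported was named
}

/** Convert trackback text to UTF-8, or return null if the charset is bad. */
function trackback_to_utf8(string $text, ?string $rawCharset): ?string
{
    $charset = trackback_charset($rawCharset);
    if ($charset === null) {
        return null;
    }
    return mb_convert_encoding($text, 'UTF-8', $charset);
}

// Constructed inputs: a normal value, a short list, the padded value the
// thread describes, and a made-up name.
$cases = [
    'UTF-8',
    'ISO-8859-1, UTF-8',
    str_pad('', 140000, 'UTF-8,'),
    'NOT-A-CHARSET',
];
foreach ($cases as $c) {
    $label  = strlen($c) > 20 ? strlen($c) . ' bytes' : $c;
    $result = trackback_charset($c);
    printf("%-20s -> %s\n", $label, $result ?? 'rejected');
}
```

Running it with the php CLI prints one line per constructed input; the 140,000-byte padded value is rejected by the strlen() check before mb_convert_encoding is called, which is the point nux's fix makes. Aliases such as latin1 are not returned by mb_list_encodings(), so a site that relies on them would add them to the allowed list; an unknown name is rejected rather than being handed to mb_convert_encoding.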

  11. #10
    Snak3, Moderator
    @nux
    Can you show where exactly in wp-trackback.php we have to paste the following code, as mentioned in your blog post:
    Code:
    if(strlen($charset) > 50)
    die;
    I understand line 47, but to be precise, I mean before what and after what piece of code it should come/appear.
