Tue Sep 9 12:35:58 CEST 2008

wordpress admin takeover

As stated in my previous post, the remote admin-password reset vulnerabilty at current wordpress 2.6.1 can be extended to completely takeover the admin account. Since the cat is out of the bag more or less and wordpress has released a new version which fixes this problem, I can go ahead and complete the description of the attack.

To sum up my previous post, there is an extremely easy way to reset the admin pass based on the fact that the username input is not truncated, while the sql column will truncate it. Therefore you can receive the reset-link of the admin-user and by following that link reset the password to a value computed by wordpress. Wordpress then sends that new password to the original admin. So far, no real harm done.

But since you have received the generated key within the resetpass-link, it is now possible to compute the state of the random number generator, since wordpress uses mt_rand() within its wp_generate_password() function which is used both in generating the key and the new password. And when the random number generator is not reseeded in between the generation of the key and the next request to generate the password (for example by issuing both requests via the same http keep-alive connection), a rainbow table of all seed-resetkey relations (to be precise you would need one for php versions <5.2.1 and one for versions >=5.2.1) is all you need to quickly compute the generated password.
Then logging in, changing email+password of the admin user to you own values will complete the takeover of the admin account.
I have a working fully automated exploit for this issue, but since the rainbow tables are >100GB and calculating the seed on the fly takes way too long (even when relying on the fact that <5.2.1 will only have 31bit random seed), there's no real use publishing it at the moment.

By the way, both vulnerabilities this attack relies upon, sql column truncation as well as the weak mt_rand() have previously been found by Stefan Esser, and while this article reflects my own findings, it's no surprise that he has announced the wordpress vulnerability more or less at the same time - and I'm curious about what his soon to be expected description will look like.

Posted by iso | Permanent Link | Tags: php, security, hpa | comments >>