Authentication bypass vulnerabilities are particularly painful because they allow an attacker to access and potentially modify things that should be off-limits. It is important to ensure that when fixing that kind of bug, one does not introduce a different, but equally potent, hole. A recent Wordpress vulnerability clearly demonstrates the care that needs to be taken.
The problem started in November 2007, when Steven Murdoch reported a problem with Wordpress authentication cookies. Essentially, the cookie that Wordpress used was an MD5 hash calculated using a value stored in the database's user table. Any attacker that could get read access to the database, via a SQL injection or looking inside a database backup for example, could generate a cookie value that would allow them access as that user.
The password itself was not stored in the database as plaintext, but the value used in the cookie was just a simple MD5 of the stored value. So, the value stored was MD5(password) and the cookie value was MD5(MD5(password)). Murdoch released his advisory in advance of a fix, because the vulnerability was being actively exploited. It was entered as bug #5367 into the Wordpress bug tracking system and a long conversation about how to properly fix it ensued.
As part of that discussion, Murdoch suggested that a paper entitled "Dos and Don'ts of Client Authentication on the Web" [PDF] be consulted. The paper covers various issues regarding cookies and the kinds of attacks that can be made against them. Some, but not all, of its recommendations were followed.
The new cookie scheme was released at the end of March as part of the Wordpress 2.5 release. Authentication cookie values were now calculated using the following (with the '.' operator representing concatenation):
USERNAME . "|" . EXPIRATION . "|" . MD5(USERNAME . EXPIRATION . secret)This took into account the hazards of a straightforward hash of a stored value and added an expiration to the cookie, but it failed to protect against a cryptographic splicing attack.
When calculating the hash of the concatenation of the username and expiration (along with a secret known by the server), no delimiter was used between the two. This means that the hash for username "foobar" with expiration "20080507" is the same as the hash for username "foo" with expiration "bar20080507". This allows anyone with a username that begins the same as another username, to generate a legitimate cookie for that other user. Using the example above, user "foobar" could create valid cookies for a user "foo" (or any other prefix substring).
Many Wordpress weblogs allow new users to create an account with any name they choose, so long as it is not already taken. By choosing one that starts with the administrator's username, an attacker can generate a cookie for themselves, modify it slightly, and have a valid cookie to access the administrator account. No password cracking is required, nor is any access to the database needed.
Wordpress 2.5.1 has been released to address this problem. Earlier versions could disable the registration feature and delete or suspend any user accounts with suspicious usernames as a workaround. Though if those suspicious accounts exist, it would not be surprising to find that the real administrator no longer knows the proper password for that account.
The paper that Murdoch referenced clearly indicated the danger from cryptographic splicing, but the Wordpress implementers must have missed it. Cookie authentication schemes are a necessary evil for web applications—it would be nearly unusable to have to authenticate on each page—but they are difficult to get right. A careful reading of the paper will help, as will using already vetted libraries or frameworks. It is one of those things that is hard to get right and extremely important to do so.
|Created:||May 5, 2008||Updated:||May 7, 2008|
From the CVE entry:
Cross-site scripting (XSS) vulnerability in htsrv/login.php in b2evolution 1.8.6 allows remote attackers to inject arbitrary web script or HTML via scriptable attributes in the redirect_to parameter.
|Package(s):||emacs21, emacs22||CVE #(s):||CVE-2008-1694|
|Created:||May 6, 2008||Updated:||May 7, 2008|
|Description:||From the Ubuntu advisory: Steve Grubb discovered that the vcdiff script as included in Emacs created temporary files in an insecure way when used with SCCS. Local users could exploit a race condition to create or overwrite files with the privileges of the user invoking the program.|
|Package(s):||linux-2.6||CVE #(s):||CVE-2008-1294 CVE-2008-1375|
|Created:||May 2, 2008||Updated:||April 3, 2009|
|Description:||From the Debian advisory: David Peer discovered that users could escape administrator imposed cpu time limitations (RLIMIT_CPU) by setting a limit of 0. (CVE-2008-1294) Alexander Viro discovered a race condition in the directory notification subsystem that allows local users to cause a Denial of Service (oops) and possibly result in an escalation of privileges. (CVE-2008-1375)|
|Created:||May 5, 2008||Updated:||August 13, 2008|
From the NVD Entry:
The bdx_ioctl_priv function in the tehuti driver (tehuti.c) in Linux kernel 2.6.x before 2.6.25 does not properly check certain information related to register size, which has unspecified impact and local attack vectors, probably related to reading or writing kernel memory.
|Created:||May 7, 2008||Updated:||July 8, 2008|
|Description:||GCC 4.3.x no longer sets the x86 direction flag in situations where the ABI standard says the flag should already be cleared; as a result, it may be possible for a local attacker to corrupt memory. See this LWN article for details.|
|Created:||May 7, 2008||Updated:||August 13, 2008|
|Description:||The kernel's filesystem locking code suffers from a race condition which could possibly allow a local attacker to execute arbitrary code. This vulnerability has been fixed in the 220.127.116.11, 18.104.22.168, and 22.214.171.124 kernel updates.|
|Created:||May 7, 2008||Updated:||August 27, 2008|
|Description:||From the Red Hat advisory: on AMD64 architectures, the possibility of a kernel crash was discovered by testing the Linux kernel process-trace ability. This could allow a local unprivileged user to cause a denial of service (kernel crash).|
|Created:||May 7, 2008||Updated:||May 9, 2008|
|Description:||Certain kinds of stress tests on ia-64-based systems running Xen can cause the hypervisor to panic.|
|Package(s):||wordpress||CVE #(s):||CVE-2007-3639 CVE-2007-4153 CVE-2007-4154 CVE-2007-0540|
|Created:||May 1, 2008||Updated:||May 7, 2008|
|Description:||The wordpress weblog manager has a number of vulnerabilities.
From the Debian alert:
CVE-2007-3639 Insufficient input sanitising allowed for remote attackers to redirect visitors to external websites.
CVE-2007-4153 Multiple cross-site scripting vulnerabilities allowed remote authenticated administrators to inject arbitrary web script or HTML.
CVE-2007-4154 SQL injection vulnerability allowed allowed remote authenticated administrators to execute arbitrary SQL commands.
CVE-2007-0540 WordPress allows remote attackers to cause a denial of service (bandwidth or thread consumption) via pingback service calls with a source URI that corresponds to a file with a binary content type, which is downloaded even though it cannot contain usable pingback data.
[no CVE name yet] Insufficient input sanitising caused an attacker with a normal user account to access the administrative interface.
Page editor: Jake Edge
Next page: Kernel development>>
Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds