User: Password:
|
|
Subscribe / Log in / New account

Security

Cryptographic splicing makes for a Wordpress vulnerability

By Jake Edge
May 7, 2008

Authentication bypass vulnerabilities are particularly painful because they allow an attacker to access and potentially modify things that should be off-limits. It is important to ensure that when fixing that kind of bug, one does not introduce a different, but equally potent, hole. A recent Wordpress vulnerability clearly demonstrates the care that needs to be taken.

The problem started in November 2007, when Steven Murdoch reported a problem with Wordpress authentication cookies. Essentially, the cookie that Wordpress used was an MD5 hash calculated using a value stored in the database's user table. Any attacker that could get read access to the database, via a SQL injection or looking inside a database backup for example, could generate a cookie value that would allow them access as that user.

The password itself was not stored in the database as plaintext, but the value used in the cookie was just a simple MD5 of the stored value. So, the value stored was MD5(password) and the cookie value was MD5(MD5(password)). Murdoch released his advisory in advance of a fix, because the vulnerability was being actively exploited. It was entered as bug #5367 into the Wordpress bug tracking system and a long conversation about how to properly fix it ensued.

As part of that discussion, Murdoch suggested that a paper entitled "Dos and Don'ts of Client Authentication on the Web" [PDF] be consulted. The paper covers various issues regarding cookies and the kinds of attacks that can be made against them. Some, but not all, of its recommendations were followed.

The new cookie scheme was released at the end of March as part of the Wordpress 2.5 release. Authentication cookie values were now calculated using the following (with the '.' operator representing concatenation):

    USERNAME . "|" . EXPIRATION . "|" . MD5(USERNAME . EXPIRATION . secret)
This took into account the hazards of a straightforward hash of a stored value and added an expiration to the cookie, but it failed to protect against a cryptographic splicing attack.

When calculating the hash of the concatenation of the username and expiration (along with a secret known by the server), no delimiter was used between the two. This means that the hash for username "foobar" with expiration "20080507" is the same as the hash for username "foo" with expiration "bar20080507". This allows anyone with a username that begins the same as another username, to generate a legitimate cookie for that other user. Using the example above, user "foobar" could create valid cookies for a user "foo" (or any other prefix substring).

Many Wordpress weblogs allow new users to create an account with any name they choose, so long as it is not already taken. By choosing one that starts with the administrator's username, an attacker can generate a cookie for themselves, modify it slightly, and have a valid cookie to access the administrator account. No password cracking is required, nor is any access to the database needed.

Wordpress 2.5.1 has been released to address this problem. Earlier versions could disable the registration feature and delete or suspend any user accounts with suspicious usernames as a workaround. Though if those suspicious accounts exist, it would not be surprising to find that the real administrator no longer knows the proper password for that account.

The paper that Murdoch referenced clearly indicated the danger from cryptographic splicing, but the Wordpress implementers must have missed it. Cookie authentication schemes are a necessary evil for web applications—it would be nearly unusable to have to authenticate on each page—but they are difficult to get right. A careful reading of the paper will help, as will using already vetted libraries or frameworks. It is one of those things that is hard to get right and extremely important to do so.

Comments (24 posted)

New vulnerabilities

b2evolution: cross-site scripting

Package(s):b2evolution CVE #(s):CVE-2007-0175
Created:May 5, 2008 Updated:May 7, 2008
Description:

From the CVE entry:

Cross-site scripting (XSS) vulnerability in htsrv/login.php in b2evolution 1.8.6 allows remote attackers to inject arbitrary web script or HTML via scriptable attributes in the redirect_to parameter.

Alerts:
Debian DSA-1568-1 b2evolution 2008-05-05

Comments (none posted)

emacs: insecure temp files

Package(s):emacs21, emacs22 CVE #(s):CVE-2008-1694
Created:May 6, 2008 Updated:May 7, 2008
Description: From the Ubuntu advisory: Steve Grubb discovered that the vcdiff script as included in Emacs created temporary files in an insecure way when used with SCCS. Local users could exploit a race condition to create or overwrite files with the privileges of the user invoking the program.
Alerts:
Ubuntu USN-607-1 emacs21, emacs22 2008-05-06
Mandriva MDVSA-2008:096 emacs 2007-05-06

Comments (none posted)

kernel: several vulnerabilities

Package(s):linux-2.6 CVE #(s):CVE-2008-1294 CVE-2008-1375
Created:May 2, 2008 Updated:April 3, 2009
Description: From the Debian advisory: David Peer discovered that users could escape administrator imposed cpu time limitations (RLIMIT_CPU) by setting a limit of 0. (CVE-2008-1294) Alexander Viro discovered a race condition in the directory notification subsystem that allows local users to cause a Denial of Service (oops) and possibly result in an escalation of privileges. (CVE-2008-1375)
Alerts:
SuSE SUSE-SA:2009:017 kernel 2009-04-03
Mandriva MDVSA-2008:167 kernel 2008-08-12
CentOS CESA-2008:0612 kernel 2008-08-06
Red Hat RHSA-2008:0612-01 kernel 2008-08-04
SuSE SUSE-SA:2008:032 kernel 2008-07-07
SuSE SUSE-SA:2008:031 kernel 2008-07-02
SuSE SUSE-SA:2008:030 kernel 2008-06-20
Ubuntu USN-618-1 linux-source-2.6.15/20/22 2008-06-19
Ubuntu USN-614-1 linux 2008-06-03
Mandriva MDVSA-2008:105 kernel 2007-05-21
Mandriva MDVSA-2008:104 kernel 2008-05-20
Fedora FEDORA-2008-3949 kernel 2008-05-14
Fedora FEDORA-2008-3873 kernel 2008-05-14
CentOS CESA-2008:0237 kernel 2008-05-09
CentOS CESA-2008:0233 kernel 2008-05-09
CentOS CESA-2008:0211 kernel 2008-05-07
Red Hat RHSA-2008:0233-01 kernel 2008-05-07
Red Hat RHSA-2008:0237-01 kernel 2008-05-07
Red Hat RHSA-2008:0211-01 kernel 2008-05-07
rPath rPSA-2008-0157-1 kernel 2008-05-02
Debian DSA-1565-1 linux-2.6 2008-05-01

Comments (none posted)

kernel: unspecified vulnerability

Package(s):kernel CVE #(s):CVE-2008-1675
Created:May 5, 2008 Updated:August 13, 2008
Description:

From the NVD Entry:

The bdx_ioctl_priv function in the tehuti driver (tehuti.c) in Linux kernel 2.6.x before 2.6.25 does not properly check certain information related to register size, which has unspecified impact and local attack vectors, probably related to reading or writing kernel memory.

Alerts:
Mandriva MDVSA-2008:167 kernel 2008-08-12
Ubuntu USN-614-1 linux 2008-06-03
Mandriva MDVSA-2008:109 kernel 2008-06-03
Fedora FEDORA-2008-3949 kernel 2008-05-14
Fedora FEDORA-2008-3873 kernel 2008-05-14
rPath rPSA-2008-0157-1 kernel 2008-05-02

Comments (none posted)

kernel: memory corruption

Package(s):kernel CVE #(s):CVE-2008-1367
Created:May 7, 2008 Updated:July 8, 2008
Description: GCC 4.3.x no longer sets the x86 direction flag in situations where the ABI standard says the flag should already be cleared; as a result, it may be possible for a local attacker to corrupt memory. See this LWN article for details.
Alerts:
SuSE SUSE-SA:2008:032 kernel 2008-07-07
SuSE SUSE-SA:2008:031 kernel 2008-07-02
CentOS CESA-2008:0508 kernel 2008-06-27
Red Hat RHSA-2008:0508-01 kernel 2008-06-25
SuSE SUSE-SA:2008:030 kernel 2008-06-20
CentOS CESA-2008:0233 kernel 2008-05-09
CentOS CESA-2008:0211 kernel 2008-05-07
Red Hat RHSA-2008:0233-01 kernel 2008-05-07
Red Hat RHSA-2008:0211-01 kernel 2008-05-07

Comments (none posted)

kernel: race condition

Package(s):kernel CVE #(s):CVE-2008-1669
Created:May 7, 2008 Updated:August 13, 2008
Description: The kernel's filesystem locking code suffers from a race condition which could possibly allow a local attacker to execute arbitrary code. This vulnerability has been fixed in the 2.6.25.2, 2.6.24.7, and 2.4.36.4 kernel updates.
Alerts:
Mandriva MDVSA-2008:167 kernel 2008-08-12
SuSE SUSE-SA:2008:035 kernel 2008-07-21
SuSE SUSE-SA:2008:038 kernel 2008-07-29
SuSE SUSE-SA:2008:032 kernel 2008-07-07
SuSE SUSE-SA:2008:030 kernel 2008-06-20
Ubuntu USN-618-1 linux-source-2.6.15/20/22 2008-06-19
Ubuntu USN-614-1 linux 2008-06-03
Mandriva MDVSA-2008:105 kernel 2007-05-21
Mandriva MDVSA-2008:104 kernel 2008-05-20
Fedora FEDORA-2008-4043 kernel 2008-05-17
Fedora FEDORA-2008-3949 kernel 2008-05-14
Fedora FEDORA-2008-3873 kernel 2008-05-14
Debian DSA-1575-1 linux-2.6 2008-05-12
CentOS CESA-2008:0237 kernel 2008-05-09
CentOS CESA-2008:0233 kernel 2008-05-09
rPath rPSA-2008-0162-1 kernel 2008-05-07
CentOS CESA-2008:0211 kernel 2008-05-07
Red Hat RHSA-2008:0233-01 kernel 2008-05-07
Red Hat RHSA-2008:0237-01 kernel 2008-05-07
Red Hat RHSA-2008:0211-01 kernel 2008-05-07

Comments (none posted)

kernel: denial of service

Package(s):kernel CVE #(s):CVE-2008-1615
Created:May 7, 2008 Updated:August 27, 2008
Description: From the Red Hat advisory: on AMD64 architectures, the possibility of a kernel crash was discovered by testing the Linux kernel process-trace ability. This could allow a local unprivileged user to cause a denial of service (kernel crash).
Alerts:
Red Hat RHSA-2008:0585-01 kernel 2008-08-26
Mandriva MDVSA-2008:167 kernel 2008-08-12
Mandriva MDVSA-2008:174 kernel 2008-08-19
SuSE SUSE-SA:2008:038 kernel 2008-07-29
SuSE SUSE-SA:2008:035 kernel 2008-07-21
Ubuntu USN-625-1 linux 2008-07-15
SuSE SUSE-SA:2008:032 kernel 2008-07-07
SuSE SUSE-SA:2008:031 kernel 2008-07-02
SuSE SUSE-SA:2008:030 kernel 2008-06-20
Debian DSA-1588-2 linux-2.6 2008-05-30
Debian DSA-1588-1 linux-2.6 2008-05-27
CentOS CESA-2008:0275 kernel 2008-05-21
Red Hat RHSA-2008:0275-01 kernel 2008-05-20
Fedora FEDORA-2008-4043 kernel 2008-05-17
CentOS CESA-2008:0237 kernel 2008-05-09
Red Hat RHSA-2008:0237-01 kernel 2008-05-07

Comments (none posted)

kernel: Xen-based denial of service

Package(s):kernel CVE #(s):CVE-2008-1619
Created:May 7, 2008 Updated:May 9, 2008
Description: Certain kinds of stress tests on ia-64-based systems running Xen can cause the hypervisor to panic.
Alerts:
CentOS CESA-2008:0233 kernel 2008-05-09
Red Hat RHSA-2008:0233-01 kernel 2008-05-07

Comments (none posted)

wordpress: multiple vulnerabilities

Package(s):wordpress CVE #(s):CVE-2007-3639 CVE-2007-4153 CVE-2007-4154 CVE-2007-0540
Created:May 1, 2008 Updated:May 7, 2008
Description: The wordpress weblog manager has a number of vulnerabilities. From the Debian alert:

CVE-2007-3639 Insufficient input sanitising allowed for remote attackers to redirect visitors to external websites.

CVE-2007-4153 Multiple cross-site scripting vulnerabilities allowed remote authenticated administrators to inject arbitrary web script or HTML.

CVE-2007-4154 SQL injection vulnerability allowed allowed remote authenticated administrators to execute arbitrary SQL commands.

CVE-2007-0540 WordPress allows remote attackers to cause a denial of service (bandwidth or thread consumption) via pingback service calls with a source URI that corresponds to a file with a binary content type, which is downloaded even though it cannot contain usable pingback data.

[no CVE name yet] Insufficient input sanitising caused an attacker with a normal user account to access the administrative interface.

Alerts:
Debian DSA-1564-1 wordpress 2008-05-01

Comments (none posted)

Page editor: Jake Edge
Next page: Kernel development>>


Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds