
CVE-2008-1930: WORDPRESS 2.5 COOKIE INTEGRITY PROTECTION VULNERABILITY
By Louis Nyffenegger <Louis@PentesterLab.com>

Table of Content

Introduction
About this exercise
    License
    Syntax of this course
    The web application
The issue
    Introduction
    The code
    The vulnerability
Exploitation
Patch
Conclusion


Introduction

This course details the exploitation of an issue in the cookie integrity mechanism of WordPress. This issue was found in 2008 and allowed an attacker to gain administrator access to a WordPress instance if user registration is enabled. This issue is a really good example of what can go wrong with cryptographic functions, and I thought it would make a really good exercise.

About this exercise

License

This exercise by PentesterLab is licensed under the Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-nd/3.0/.

Syntax of this course

The red boxes provide information on mistakes/issues that are likely to happen while testing:

    An issue that you may encounter.

The green boxes provide tips and information if you want to go further.

    You should probably check.

The web application

Once the system has booted, you can then retrieve the current IP address of the system using the command ifconfig:

    $ ifconfig eth0
    eth0      Link encap:Ethernet  HWaddr 52:54:00:12:34:56
              inet addr:10.0.2.15  Bcast:10.0.2.255  Mask:255.255.255.0
              inet6 addr: fe80::5054:ff:fe12:3456/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:88 errors:0 dropped:0 overruns:0 frame:0
              TX packets:77 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:10300 (10.0 KiB)  TX bytes:10243 (10.0 KiB)
              Interrupt:11 Base address:0x8000

In this example the IP address is 10.0.2.15.

Throughout the training, the hostname vulnerable is used for the vulnerable machine. You can either replace it by the IP address of the machine, or you can just add an entry to your hosts file with this name and the corresponding IP address. It can be easily done by modifying:

on Windows, your C:\Windows\System32\Drivers\etc\hosts file;
on Unix/Linux and Mac OS X, your /etc/hosts file.

The IP address can change if you restart the system; don't forget to update your hosts file.

The issue

Introduction

This functionality was used to remember users after they close their browser. A cookie "AUTH_COOKIE" (named wordpress_...) is created by the application and sent back to users. Only the application is able to generate this cookie since it's generated using the WordPress "secret key".

The code

The vulnerable function is wp_validate_auth_cookie, included in the file wp-includes/pluggable.php (line 470 to 499). The full code of the function is below:

    function wp_validate_auth_cookie($cookie = '') {
        if ( empty($cookie) ) {
            if ( empty($_COOKIE[AUTH_COOKIE]) )
                return false;
            $cookie = $_COOKIE[AUTH_COOKIE];
        }

        list($username, $expiration, $hmac) = explode('|', $cookie);

        $expired = $expiration;

        // Allow a grace period for POST and AJAX requests
        if ( defined('DOING_AJAX') || 'POST' == $_SERVER['REQUEST_METHOD'] )
            $expired += 3600;

        if ( $expired < time() )
            return false;

        $key = wp_hash($username . $expiration);
        $hash = hash_hmac('md5', $username . $expiration, $key);

        if ( $hmac != $hash )
            return false;

        $user = get_userdatabylogin($username);
        if ( ! $user )
            return false;

        return $user->ID;
    }

First the code retrieves the cookie AUTH_COOKIE if no cookie was provided during the function call. If no cookie was provided and the cookie AUTH_COOKIE is empty, the function returns false and the authentication fails.

Once the cookie is retrieved, it gets split into 3 values:

$username: the user name.
$expiration: its expiration date.
$hmac: the signature of the previous values to make sure it's a genuine cookie.

The following code performs this action; | (%7C) is used as a separator:

    list($username, $expiration, $hmac) = explode('|', $cookie);

Then the code makes sure the $expired value (based on the value $expiration) is greater than the current time:

    if ( $expired < time() )
        return false;

The code ensures that the signature is correct:

    $key = wp_hash($username . $expiration);
    $hash = hash_hmac('md5', $username . $expiration, $key);

    if ( $hmac != $hash )
        return false;

The function wp_hash provides the encryption: it's based on the WordPress SECRET_KEY and uses $username and $expiration to generate a unique key. You can check this function's behaviour in the file wp-includes/pluggable.php starting line 1071.

Once the hash is validated, the current user $user is retrieved using the value $username:

    $user = get_userdatabylogin($username);
    if ( ! $user )
        return false;

    return $user->ID;

If you look at the code quickly, everything seems perfect: the cookie expires at a given time, the cookie is signed based on a unique key and can't be tampered with (theoretically), and only the application can generate the key used to sign the cookie, a key that is unique and not predictable.

The vulnerability

The issue comes from this line:

    $hash = hash_hmac('md5', $username . $expiration, $key);

It is possible to generate a collision between two chosen values. For example, the following values will give the same hash:

| `$username` | `$expiration` | `HASH($username.$expiration)` |
|-------------|---------------|----------------------------------|
| admin1      | 1353464343    | 1ba7d82099dd6119781b54ecf8b79259 |
| admin       | 11353464343   | 1ba7d82099dd6119781b54ecf8b79259 |

We see that it's possible to get a collision between two hashes even if the usernames are different. The collision is interesting because it is possible to have a valid hash generated by the application for a user (admin1) and use it to pretend to be another user, admin. The $expiration value will become even bigger for the user admin since we added the final 1 from admin1.

Exploitation

As we saw above, an attacker is able to get the application to generate a valid hash for a user admin1 and reuse this signature for the user admin.

To exploit this vulnerability, you need to be able to create a user named admin1, for example (any user name followed by an integer will actually work). This can be done using the registration page: http://vulnerable/wp-login.php?action=register. In a traditional WordPress, the attacker needs to provide a valid email address and will set his own password. Here the source code of WordPress has been modified to create users with the hardcoded password `pentesterlab`.

If you create a user admin1 and log in with this user, you should receive a valid cookie:

    HTTP/1.1 200 OK
    [...]
    Set-Cookie: wordpress_test_cookie=WP+Cookie+check, wordpress_177e685d5ab0d655bdbe4896d7cdadf4=admin1%7C1353464343%7C1ba7d82099dd6119781b54ecf8b79259
    [...]

Once you log in, you should see the traditional WordPress page.

Now that we have a valid cookie, we can use this vulnerability to gain access to the admin account. Using a valid cookie:

    admin1%7C1210158445%7C49718d2581bd399916b90a088a11ec84

We can generate a new valid cookie for the user admin:

    admin%7C11210158445%7C49718d2581bd399916b90a088a11ec84

If you're using Firefox, you can use the following extension to modify your cookies: Cookie manager +.

After reloading the page, you should be able to see the "Admin version" of the website.


Patch

The patch for this vulnerability was pretty simple: to avoid the vulnerability, WordPress' developers just had to make sure that $username and $expiration were correctly separated. To do so they introduced the following change:

    $hash = hash_hmac('md5', $username . '|' . $expiration, $key);

With this simple |, it is not possible for an attacker to tamper with the cookie and still get a valid signature, since $expiration and/or $username are not simply concatenated to generate the signature.
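The ambiguity described under "The vulnerability" and the effect of the separator introduced by the patch, side by side, as an added Python example that is not part of the original exercise or of WordPress' code. SECRET_KEY is a constructed value, wp_hash() is a simplified stand-in, expiry and user lookup are left out, and shift_boundary() and compare() are hypothetical helpers.

```python
import hashlib
import hmac

SECRET_KEY = b"constructed-secret-for-this-example"  # constructed; stands in for SECRET_KEY


def wp_hash(data: str) -> bytes:
    """Simplified stand-in for wp_hash() (assumption): keyed MD5 of the data."""
    return hmac.new(SECRET_KEY, data.encode(), hashlib.md5).hexdigest().encode()


def sign(username: str, expiration: str, sep: str) -> str:
    """sep='' signs like the vulnerable line, sep='|' like the patched line."""
    key = wp_hash(username + expiration)  # key derivation as shown on the page
    message = username + sep + expiration
    return hmac.new(key, message.encode(), hashlib.md5).hexdigest()


def validate(cookie: str, sep: str):
    """Signature check only (expiry and user lookup omitted); returns username or None."""
    parts = cookie.split("|")
    if len(parts) != 3:
        return None
    username, expiration, mac = parts
    if not hmac.compare_digest(mac, sign(username, expiration, sep)):
        return None
    return username


def shift_boundary(cookie: str) -> str:
    """Hypothetical helper: move the username's last character into the expiration."""
    username, expiration, mac = cookie.split("|")
    return "|".join([username[:-1], username[-1] + expiration, mac])


def compare(sep: str):
    """Issue a cookie for admin1, then validate it as issued and with the boundary shifted."""
    issued = "|".join(["admin1", "1353464343", sign("admin1", "1353464343", sep)])
    return validate(issued, sep), validate(shift_boundary(issued), sep)


if __name__ == "__main__":
    print("unseparated:", compare(""))   # same signed bytes for both field splits
    print("separated:  ", compare("|"))  # the delimiter is part of the signed message
```

The point to carry into code review: a MAC over several fields needs an encoding in which the field boundaries are part of the signed bytes.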

Conclusion

This exercise explained how this vulnerability works and how it was possible to use it to gain access to WordPress administration pages. To me this issue perfectly represents a common pattern in most interesting vulnerabilities: "The devil is in the detail". It also shows that even a ridiculously small change can make all the difference between secure and vulnerable code. And since code review is mostly a matter of “déjà vu”, you will have another thing to check for if you search for vulnerabilities.