
So phar, so FUD: PHP flaw puts WordPress sites at risk of hacks

Bsides Manchester A newly discovered WordPress flaw has left installs of the ubiquitous content management system potentially vulnerable to hacking.

The shortcoming lets attackers abuse a weakness in the PHP stream handling on which WordPress relies, allowing already registered users without admin privileges to run exploit code, infosec consultancy Secarma has warned.

The hole offers a previously undiscovered way to expose “unserialization” in the platform’s code using a combination of XML external entity (XXE) attacks and server-side request forgery (SSRF).

To make the attack work, a miscreant would need to upload a booby-trapped file onto the target application, then trigger a file operation through a crafted file name (that accesses the file through the phar:// stream wrapper), causing the target application to “unserialize” metadata contained in the file.

The flaw by itself would not allow an attacker to break into a targeted system and only expands the scope for mischief once a toehold on targeted systems is obtained through some other means.

Unserialization of attacker-controlled data is a known class of vulnerability that is liable to lead to the execution of malicious code. German security researcher Stefan Esser first documented the class of flaw 10 years ago.

Secarma’s research demonstrates a new technique which allows an attacker to transition from a type of vulnerability not previously considered that bad to one that can have severe impact.

WordPress was informed of the issue in February 2017 but has yet to take action, according to Secarma. PDF generation library TCPDF is similarly vulnerable. Content management system Typo3 was vulnerable up until early June – before it released updates to protect users.

Research into the vulnerability was presented by Secarma’s Sam Thomas at Thursday’s BSides cybersecurity conference in Manchester, UK – days after it was first unveiled at Black Hat in Las Vegas last week. His presentation (video below) was entitled It’s A PHP Unserialization Vulnerability Jim, But Not As We Know It. The section between the 30- and 38-minute marks concentrates on the WordPress issue.

[Embedded YouTube video of the presentation]

A white paper, File Operation Induced Unserialization via the phar:// Stream Wrapper (PDF), explains the issue in more depth.

Thomas told El Reg immediately after his Manchester gig that he had reported the serious PHP-related vulnerability in WordPress through HackerOne – which runs its bug bounty programme – months ago but despite this the vuln had not been properly resolved. El Reg contacted both WordPress and HackerOne for comment.

We have yet to hear back from WordPress. HackerOne confirmed it worked with WordPress but declined to offer anything much beyond that.

“Due to our confidentiality obligations to our customers, HackerOne does not comment on customer bug bounty programs,” the outfit told El Reg.

Thomas said the WordPress flaw involves a “subtle vulnerability in thumbnail processing which allows an attacker to reach a ‘file_exists’ call with control of the start of the parameter”.
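The attack path described above (a file operation reached with a phar:// path whose start the attacker controls, as in the upload-then-trigger sequence outlined earlier in the article) boils down to one untrusted sink: a file function called on a name that can carry a stream-wrapper scheme. The following PHP is an added example written for this article, not code from WordPress, Secarma or The Register; the function names, the upload directory and the sample file names are constructed for illustration. It shows the vulnerable shape of such a check beside a hardened version, plus an application-wide mitigation for code bases that never need phar archives.

```php
<?php
// Added example (constructed, not from the article or from WordPress): a defender's
// view of a file_exists() sink where the caller controls the start of the path.
declare(strict_types=1);

// Assumed upload directory; adjust to the application's real location.
const UPLOAD_DIR = '/var/www/uploads';

// Vulnerable pattern: the caller controls the *start* of the parameter. A name such
// as "phar://uploads/evil.jpg/x" still reaches file_exists(), which opens the archive
// and, on affected PHP versions, unserializes the phar metadata before answering.
function thumbnail_exists_vulnerable(string $name): bool
{
    return file_exists($name . '-150x150.jpg');
}

// Hardened pattern: refuse any stream-wrapper scheme, reduce the input to a bare
// file name, and confirm the resolved path is still inside UPLOAD_DIR.
function thumbnail_exists_hardened(string $name): bool
{
    // Any "scheme:" prefix (phar://, php://, data:, ...) is rejected outright.
    if (preg_match('~^[A-Za-z][A-Za-z0-9+.\-]*:~', $name) === 1) {
        return false;
    }
    // No directory components and no traversal: the name must equal its basename.
    $base = basename($name);
    if ($base === '' || $base === '.' || $base === '..' || $base !== $name) {
        return false;
    }
    $candidate = UPLOAD_DIR . '/' . $base . '-150x150.jpg';
    // realpath() resolves symlinks and "..", so the containment check is done on
    // the final, canonical path rather than on the string we built.
    $real = realpath($candidate);
    if ($real === false) {
        return false;
    }
    $prefix = UPLOAD_DIR . '/';
    return strncmp($real, $prefix, strlen($prefix)) === 0;
}

// Application-wide mitigation for code that never opens phar archives: with the
// wrapper unregistered, no file function can be steered into a phar:// path at all.
function disable_phar_wrapper(): void
{
    if (in_array('phar', stream_get_wrappers(), true)) {
        stream_wrapper_unregister('phar');
    }
}

// Constructed inputs: a normal thumbnail name and a wrapper-prefixed one.
$samples = [
    'holiday-photo',
    'phar://uploads/evil.jpg/holiday-photo',
    '../../etc/passwd',
];
foreach ($samples as $s) {
    printf("%-45s hardened=%s\n", $s, thumbnail_exists_hardened($s) ? 'true' : 'false');
}
// The scheme and traversal inputs are refused before any file system call is made;
// the plain name is answered only if the file really exists under UPLOAD_DIR.
```

The scheme check runs before any file function is called, which is the point: once file_exists() has been handed a phar:// name the damage is already done, so filtering after the fact is too late. Unregistering the wrapper is a blunt tool and should be tested against plugins or build tooling that legitimately read .phar files.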

As things stand, the objective scope of the vulnerability and how easy it might be to exploit is unclear. Thomas’s presentation contained a number of caveats omitted from Secarma’s press release about the presentation, which boldly claimed the flaw left “30 per cent of the world’s top 1,000 websites vulnerable to hacking and data breaches”.

After careful analysis and a review of available material, El Reg‘s security desk has concluded claims of a “massive WordPress vulnerability” are a load of tribble’s testicles.

There’s an issue here but the premise that millions of websites are at risk of “complete system compromise” above and beyond the general widely known risk of running WordPress hasn’t been substantiated by Secarma, a security business owned by hosting outfit UKFast.

WordPress hasn’t issued a patch and we have no information about mitigation from the CMS vendor to go on either. During his presentation Thomas said that the “issue is only exposed to authenticated users… they are certainly not supposed to be able to execute [code]”.

In the absence of a fix, WordPress users need to be careful about new accounts that are author level and above, Thomas advised. These accounts should be locked down because the now-public hacking technique can be used to elevate privileges to admin. “Ultimately it’s an issue within PHP,” Thomas said, adding during a Twitter exchange that “the issue works against the default configuration of WordPress and PHP, [as far as I know] it is not dependent on network or system setup”.

Chinese researcher Orange Tsai had discovered the same problem, Thomas acknowledged during his Manchester presentation.

WordPress is widely used by bloggers, news outlets and all manner of businesses as a content management system. It’s no stranger to security problems of one sort or another, to put it mildly. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/08/20/php_unserialisation_wordpress_vuln/
