The Tale of 100 CVEs

  1. The Tale of 100 CVEs. Prajal Kulkarni, @prajalkulkarni
  2. About me: Security Engineer @Flipkart; likes to do bug hunting; loves coding in Python; member of the null security community; lead vocalist @Sathee. @prajalkulkarni
  3. What tale? The WordPress security ecosystem. 100 CVEs in less than a month. How we did it.
  4. 60 million websites worldwide. Powers 1 in 5 of all the world's websites (Matt). Current stable release 3.9.1. Version 3.8 downloaded more than 20 million times (stats from Wikipedia).
  5. WordPress Ecosystem
  6. Scary enough?
  7. Still not?
  8. WordPress Security Ecosystem: WordPress Core, stable 3.9.1; 31,154 plugins; more than 2.5K themes.
  9. Our attempt to improve the ecosystem.
  10. Once upon a time. Credits: Anant Shrivastava
  11. Wait, something's not right!
  12. Vulnerabilities found! Full path disclosure: -pma/error.php, -pma/libraries/PMA_List_Database.class.php. PHP info disclosure: -pma/phpinfo.php. Security bypass (allows direct access): -pma/server_databases.php (full access to all features, including the SQL window); -pma/main.php (reveals all the details of the database).
  13. Timeline: author contacted 24 July 2013; no positive response from the author; WordPress Security Team contacted 11 September 2013; plugin disabled in the repository 21 October 2013.
  14. End result? Plugin closed! CVE-2013-4462, http://seclists.org/oss-sec/2013/q4/144
  15. Started Project CodeVigilant: spot new issues in plugins/themes; report to the relevant author; get the patch released; else close the plugin/theme.
  16. What is required? Apache/MySQL/PHP (XAMPP/WAMP), Python 2.7.
  17. Our approach: download the latest WordPress and install it locally; download all plugins (31k); download all themes (2.5k).
  18. From where do I get plugins/themes?
  19. http://themes.svn.wordpress.org/
  20. Download themes locally.
  21. Now what?
  22. Started with a manual approach: analyze the plugin/theme source code, understand the logic, find issues, report!
  23. Slow results!
  24. Two-week stats (vulnerability chart): LFI 10, XSS 9, Auth Bypass 1, Using Components With Known Vulnerabilities 1.
  25. Took a lot of time!
  26. Let's automate everything!
  27. Started with cross-site scripting!
  28. Simple logic! Find all $_GET parameters. Replace their value with a check string, chk_string: '><script>alert(document.cookie)</script>. Send the request with the appropriate URL structure. Check whether the response contains chk_string.
  29. Guess what! More than 100 valid XSS! While testing for XSS we also stumbled upon: SSRF; LFI; Unvalidated Redirects and Forwards.
  30. Stats for the next 3 weeks: A3 Cross-Site Scripting 211; Unvalidated Redirects and Forwards 4; Local File Inclusion 6; Information Disclosure 1; Direct Access & Auth Bypass 1; Using Components with Known Vulnerabilities 30; SSRF/XSPA 4; Injection 9.
  31. http://codevigilant.com/
  32. Future for CodeVigilant: automation frameworks for other vulnerabilities; explore other platforms like Drupal and Joomla; encourage external researchers to contribute.
  33. Project leads: Prajal Kulkarni, @prajakulkarni, http://www.prajalkulkarni.com; Anant Shrivastava, @anantshri, http://www.anantshri.info
  34. Questions?
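The check outlined on slide 28, as an added Python example that is not part of the talk or of the CodeVigilant project: a static pass that lists the `$_GET` parameters a plugin reads and flags the ones echoed without a recognised escaping call, plus a classifier for how a probe marker comes back in a response, so that an entity-encoded echo (the plugin did escape it) is not counted as a finding. The sample PHP, the escaper list and the marker are constructed assumptions, not code from any real plugin.

```python
import re

# Constructed sample of a plugin page handler (not from any real plugin):
# one parameter is echoed raw, one is escaped, one is only compared.
SAMPLE_PHP = """<?php
$page = $_GET['page'];
if ($page == 'settings') {
    echo '<h2>' . $_GET['title'] . '</h2>';                 // reflected unescaped
    echo '<input value="' . esc_attr($_GET['q']) . '">';   // escaped
}
"""

GET_PARAM = re.compile(r"""\$_GET\[\s*['"]([A-Za-z0-9_\-]+)['"]\s*\]""")
SINK = re.compile(r"\b(echo|print)\b")
# Escaping helpers treated as sufficient (assumed list; extend it for a real audit).
ESCAPERS = ("esc_html(", "esc_attr(", "esc_url(", "htmlspecialchars(", "intval(", "absint(")

def get_param_names(php_source):
    """Distinct $_GET parameter names referenced in the source, in order of first use."""
    names = []
    for name in GET_PARAM.findall(php_source):
        if name not in names:
            names.append(name)
    return names

def find_unescaped_echoes(php_source):
    """(line number, parameter) for every echo/print line that outputs a $_GET value
    without any recognised escaping call on that same line."""
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        m = GET_PARAM.search(line)
        if m and SINK.search(line) and not any(e in line for e in ESCAPERS):
            findings.append((lineno, m.group(1)))
    return findings

def reflection_kind(body, marker):
    """How a probe marker came back: 'raw' (HTML-significant characters intact, a finding),
    'encoded' (entity-escaped by the plugin, not a finding) or 'none' (not reflected)."""
    if marker in body:
        return "raw"
    entities = (marker.replace("&", "&amp;").replace("<", "&lt;")
                      .replace(">", "&gt;").replace('"', "&quot;"))
    # PHP htmlspecialchars(ENT_QUOTES) and WordPress esc_* encode ' as &#039; (some code uses &#x27;)
    for q in ("&#039;", "&#x27;"):
        if entities.replace("'", q) in body:
            return "encoded"
    return "none"
```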