2. 2
4
5
5
5
6
8
8
8
12
13
16
17
Table of Content
Table of Content
Introduction
About this exercise
License
Syntax of this course
The web application
The issue
Introduction
The code
The vulnerability
Exploitation
Patch
Conclusion
2/17
PentesterLab.com » CVE-2008-1930
4. Introduction
This course details the exploitation of an issue in the cookies integrity mechanism of
Wordpress. This issue was found in 2008 and allowed an attacker to gain
administrator access to a wordpress instance if user registration is enabled. This
issue is a really good example of what can go wrong with cryptographic function and I
thought it will do a really good exercise.
4/17
PentesterLab.com » CVE-2008-1930
5. About this exercise
License
This exercise by PentesterLab is licensed under the Creative Commons Attribution-
NonCommercial-NoDerivs 3.0 Unported License. To view a copy of this license, visit
http://creativecommons.org/licenses/by-nc-nd/3.0/.
Syntax of this course
5/17
PentesterLab.com » CVE-2008-1930
6. The red boxes provide information on mistakes/issues that are likely to happen while
testing:
An issue that you may encounter...An issue that you may encounter...
The green boxes provide tips and information if you want to go further.
You should probably check...You should probably check...
The web application
Once the system has booted, you can then retrieve the current IP address of the
system using the command ifconfig:
$ ifconfig eth0
eth0 Link encap:Ethernet HWaddr 52:54:00:12:34:56
inet addr:10.0.2.15 Bcast:10.0.2.255 Mask:255.255.255.0
inet6 addr: fe80::5054:ff:fe12:3456/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:88 errors:0 dropped:0 overruns:0 frame:0
TX packets:77 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:10300 (10.0 KiB) TX bytes:10243 (10.0 KiB)
Interrupt:11 Base address:0x8000
In this example the IP address is 10.0.2.15.
6/17
PentesterLab.com » CVE-2008-1930
7. Throughout the training, the hostname vulnerable is used for the vulnerable machine,
you can either replace it by the IP address of the machine, or you can just add an
entry to your host file with this name and the corresponding IP address. It can be
easily done by modifying:
on Windows, your C:WindowsSystem32Driversetchosts file;
on Unix/Linux and Mac OS X, your /etc/hosts file.
The IP address can change if you restart the system, don'tThe IP address can change if you restart the system, don't
forget to update your hosts file.forget to update your hosts file.
7/17
PentesterLab.com » CVE-2008-1930
8. The issue
Introduction
This functionnality was used to remember users after they close their browser. A
cookie "AUTH_COOKIE" (named wordpress_...) is created by the application and
sent back to users. Only the application is able to generate this cookie since it's
generated using the WordPress "secret key".
The code
The vulnerable function is wp_validate_auth_cookie included in the file wp-
includes/pluggable.php (line 470 to 499). The full code of the function is below:
8/17
PentesterLab.com » CVE-2008-1930
9. function wp_validate_auth_cookie($cookie = '') {
if ( empty($cookie) ) {
if ( empty($_COOKIE[AUTH_COOKIE]) )
return false;
$cookie = $_COOKIE[AUTH_COOKIE];
}
list($username, $expiration, $hmac) = explode('|', $cookie);
$expired = $expiration;
// Allow a grace period for POST and AJAX requests
if ( defined('DOING_AJAX') || 'POST' == $_SERVER['REQUEST_METHOD'] )
$expired += 3600;
if ( $expired < time() )
return false;
$key = wp_hash($username . $expiration);
$hash = hash_hmac('md5', $username . $expiration, $key);
if ( $hmac != $hash )
return false;
$user = get_userdatabylogin($username);
if ( ! $user )
return false;
return $user->ID;
9/17
PentesterLab.com » CVE-2008-1930
10. }
First the code retrieves the cookie AUTH_COOKIE if no cookie was provided during the
function call. If no cookie was provided and the cookie AUTH_COOKIE is empty, the
function returns false and the authentication fails.
Once the cookie is retrieved, it gets split into 3 values:
$username: the user name;
$expiration: its expiration date;
$hmac: the signature of the previous values to make sure it's a
guenuine cookie.
The following code performs this action, | (%7C) is used as a separator:
list($username, $expiration, $hmac) = explode('|', $cookie);
Then the code makes sure the $expired value (based on the value $expiration) is
greater than the current time:
if ( $expired < time() )
return false;
The code ensures that the signature is correct:
10/17
PentesterLab.com » CVE-2008-1930
11. $key = wp_hash($username . $expiration);
$hash = hash_hmac('md5', $username . $expiration, $key);
if ( $hmac != $hash )
return false;
The function wp_hash provide the encryption, it's based on Worpress SECRET_KEY and
use $username and $expiration to generate an unique key. You can check this
function's behaviour in the file wp-includes/pluggable.php starting line 1071.
Once the hash is validated, the current user $user is retrieved using the value
$username:
$user = get_userdatabylogin($username);
if ( ! $user ) return false;
return $user->ID;
If you look at the code quickly, everything seems perfect:
the cookie expired at a given time;
only the application can generate the key used to sign the cookie and
this key is unique and not predictable;
the cookie is signed based on a unique key and can't be tampered
(theorically);
11/17
PentesterLab.com » CVE-2008-1930
12. The vulnerability
The issue comes from this line:
$hash = hash_hmac('md5', $username . $expiration, $key);
It is possible to generate a collision between two chosen values. For example, the
following values will give the same hash:
`$username` `$expiration` `HASH($username.$expiration)`
admin1 1353464343 1ba7d82099dd6119781b54ecf8b79259
admin 11353464343 1ba7d82099dd6119781b54ecf8b79259
We see that it's possible to get a collision between two hashes even if the usernames
are different. The collision is interesting because it is possible to have a valid hash
generated by the application for a user (admin1) and use it to pretend to be another
user admin.
The $expiration value will become even bigger for the user admin since we added
the final 1 from admin1.
12/17
PentesterLab.com » CVE-2008-1930
13. Exploitation
As we saw above, an attacker is able to get the application to generate a valid hash
for a user admin1 and reuse this signature for the user admin.
To exploit this vulnerability, you need to be able to create a user named admin1 for
example (any users followed by an integer will actually work). This can be done using
the registration page: http://vulnerable/wp-login.php?action=register.
Here the source code of Wordpress has been modified toHere the source code of Wordpress has been modified to
create users with the hardcoded password `pentesterlab`. In acreate users with the hardcoded password `pentesterlab`. In a
traditional Wordpress, the attacker need to provide a validtraditional Wordpress, the attacker need to provide a valid
email address and will set his own password.email address and will set his own password.
If you create a user admin1 and log in with this user. You should receive a valid
cookie:
13/17
PentesterLab.com » CVE-2008-1930
14. HTTP/1.1 200 OK
[...]
Set-Cookie: wordpress_test_cookie=WP+Cookie+check;
wordpress_177e685d5ab0d655bdbe4896d7cdadf4=admin1%7C1353464343%7C1ba7
d82099dd6119781b54ecf8b79259
[...]
Once you log in, you should see the traditional Worpdress page:
Now that we have a valid cookie we can use this vulnerability to gain access to the
admin account:
Using the a valid cookie:
admin1%7C1210158445%7C49718d2581bd399916b90a088a11ec84
We can generate a new valid cookie for the user admin:
admin%7C11210158445%7C49718d2581bd399916b90a088a11ec84.
If you're using Firefox, you can use the following extension to modify your cookies:
Cookie manager +.
After reloading the page, you should be able to see the "Admin version" of the website:
14/17
PentesterLab.com » CVE-2008-1930
16. Patch
The patch for this vulnerabilty was pretty simple, to avoid the vulnerability, Worpdress'
developers just had to make sure that $username and $expiration were correctly
separated. To do so they introduced the following change:
$hash = hash_hmac('md5', $username . '|' . $expiration, $key);
With this simple |, it not possible for an attacker to tamper the cookie and still get a
valid signature since $expiration and/or $username are not simply concatenate to
generate the signature.
16/17
PentesterLab.com » CVE-2008-1930
17. Conclusion
This exercise explained how this vulnerability works and how it was possible to use it
to gain access to Wordpress administration pages.
To me this issue represents perfectly a common pattern in most interesting
vulnerabilities: "The devil is in the detail". And that even a ridiculous small change can
make a lot the difference between secure and vulnerable code. And since Code
review is mostly a matter of “déjà vu”, you will have another thing to check for if you
search for vulnerabilities.
17/17
PentesterLab.com » CVE-2008-1930