Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2008.0434 -- [Win][UNIX/Linux] Wordpress 2.5 Cookie Integrity Protection Vulnerability 9 May 2008 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Wordpress 2.5 and prior Publisher: Steven J. Murdoch Operating System: UNIX variants (UNIX, Linux, OSX) Windows Impact: Execute Arbitrary Code/Commands Increased Privileges Access: Remote/Unauthenticated CVE Names: CVE-2008-1930 CVE-2008-2068 Original Bulletin: http://www.cl.cam.ac.uk/users/sjm217/advisories/wordpress-cookie-integrity.txt http://wordpress.org/development/2008/04/wordpress-251/ Revision History: May 9 2008: Added additional CVE numbers April 30 2008: Initial Release - --------------------------BEGIN INCLUDED TEXT-------------------- Wordpress 2.5 Cookie Integrity Protection Vulnerability Original release date: 2008-04-25 Last revised: 2008-04-25 Latest version: http://www.cl.cam.ac.uk/users/sjm217/advisories/wordpress-cookie-integrity.txt CVE ID: CVE-2008-1930 Source: Steven J. Murdoch <http://www.cl.cam.ac.uk/users/sjm217/> Systems Affected: Wordpress 2.5 Overview: An attacker, who is able to register a specially crafted username on a Wordpress 2.5 installation, is able to generate authentication cookies for other chosen accounts. This vulnerability exists because it is possible to modify authentication cookies without invalidating the cryptographic integrity protection. If a Wordpress blog is configured to freely permit account creation, a remote attacker can gain Wordpress-administrator access and then elevate this to arbitrary code execution as the web server user. The vulnerability is fixed in Wordpress 2.5.1 I. Description Since version 2.5, Wordpress authenticates logged-in users through a cryptographically protected cookie, based on papers by Fu et al [1] and Liu et al [2]. This measure was introduced partly in response to vulnerability CVE-2007-6013 [3,4]. The new cookies are of the form: "wordpress_".COOKIEHASH = USERNAME . "|" . EXPIRY_TIME . "|" . MAC Where: COOKIEHASH: MD5 hash of the site URL (to maintain cookie uniqueness) USERNAME: The username for the authenticated user EXPIRY_TIME: When cookie should expire, in seconds since start of epoch MAC: HMAC-MD5(USERNAME . EXPIRY_TIME) under a key derived from a secret and USERNAME . EXPIRY_TIME. The flaw in this scheme is that USERNAME and EXPIRY_TIME are not delimited in the MAC calculation. Hence the cookie may be modified, without altering MAC, provided that the concatenation of USERNAME and EXPIRY_TIME remains unchanged. This class of vulnerability, the cryptographic splicing attack, was commented on by Fu et al [1], but Wordpress does not employ their recommended defence. An attacker wishing to exploit this vulnerability would therefore create an unprivileged account with its username starting with "admin". The cookie returned on logging into this account can then be manipulated so as to be valid for the administrator account. II. Impact A remote attacker, who can create an account with specially crafted username, is able to gain administrator level access to the Wordpress installation. Through standard techniques, this can be escalated to arbitrary PHP code execution as the web server system user. III. Solution Upgrade to Wordpress 2.5.1 Workarounds: - De-select "Anyone can register" in the Membership section of General Settings to disable account creation. References: [1] Dos and Don'ts of Client Authentication on the Web, Kevin Fu, Emil Sit, Kendra Smith, Nick Feamster http://pdos.csail.mit.edu/papers/webauth:tr.pdf [2] A Secure Cookie Protocol, Alex X. Liu, Jason M. Kovacs, Chin-Tser Huang, Mohamed G. Gouda http://www.cse.msu.edu/~alexliu/publications/Cookie/cookie.pdf [3] Wordpress Cookie Authentication Vulnerability: CVE-2007-6013 Steven J. Murdoch, http://www.cl.cam.ac.uk/users/sjm217/advisories/wordpress-cookie-auth.txt [4] http://trac.wordpress.org/ticket/5367 Timeline: 2008-04-22: security@wordpress.com notified Confirmation of receipt received 2008-04-25: Wordpress 2.5.1 released incorporating patch Vulnerability notice published - -- w: http://www.cl.cam.ac.uk/users/sjm217/ - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQCVAwUBSCPXiyh9+71yA2DNAQJeegQAgSAIdFNCoFjkX8FP7zxiZkHeeaXr4uL2 XNI06pGq2fizj1rSbsc80J14dJvQxOXRUVJhflYXxz43bKgAcT80V+VVW5al2ncT Jhm3PjxeHTLpk0P3ZGzO2oPdrIiG788aeG8SGj46N4fF7ptWgfHsgKtTHL/LxUyi bvX4tXLR8u8= =PXVD -----END PGP SIGNATURE-----