A few security issues to take over 34% of all websites, Johannes Dahse (PowerPoint PPT presentation)



  1. A few security issues to take over 34% of all websites. Johannes Dahse, PHP.RUHR 2019, Dortmund, Germany, 08.11.2019

  2. Intro: Johannes Dahse. Former CTF addict. Security Consultant. RIPS: open source static analysis for PHP security. Ph.D. in Static Code Analysis @ Ruhr-University Bochum. Co-Founder of RIPS Technologies GmbH (since 2016).

  3. (image-only slide)

  4. Why WordPress?
  500 KLOC PHP (+55,000 plugins)
  WordPress is used by 34.5% of the top 1M websites
  WordPress has a CMS market share of 61.2%
  ~240M unique domains = ~80M WordPress sites
  ~40M hosted on wordpress.com
  Used by whitehouse.gov, Bloomberg, NBC, CNN, BBC, NYTimes
  (chart: usage of content management systems, W3Techs; other labels on the chart: RoR, Python)

  5. Roadmap: Pre-Auth → Exploit authenticated functionality

  6. CVE-2019-9787: WordPress < 5.1.1, CSRF to Stored XSS

  7. Cross-Site Request Forgery (CSRF): posting a comment via CSRF is a feature (it is what trackbacks and pingbacks rely on), but most HTML tags and attributes are stripped from the comment.

  8. Cross-Site Request Forgery (CSRF) (diagram: attacker.com)

  9-11. XSS filter bypass
  Input:  <a rel="rips" title='XSS " onmouseover=evilCode() id=" '>
  Output: <a rel="rips" title= "XSS " onmouseover=evilCode() id=" ' ">

  12-14. Exploit
  Regular comment (filter_kses) → mysuperblog.com
  Admin comment via CSRF (filter_post_kses):
  <a rel="rips" title= "XSS " onmouseover=evilCode() id=" ' ">
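To make the bypass on slides 9-14 concrete, here is an added Python model of the mechanism (example code written for this page, not WordPress code): a kses-style attribute parser, an allow-listed <a> tag whose attributes are re-serialized in double quotes, and a check that re-parses the result the way a browser would. The allow-list, the regex, the function names and the "evilCode()" payload are assumptions or constructed input; the output differs from the slide only in spacing. The deck's point is that the single-quoted title value passes the filter (no "on..." attribute exists yet), but re-emitting that value unescaped inside double quotes turns its embedded double quote into an attribute terminator, and the event handler appears as a real attribute.

```python
import html
import re

# Simplified attribute grammar: name="v" | name='v' | name=v | bare name.
# Stand-in for a kses-style attribute parser (assumption, not WordPress code).
ATTR_RE = re.compile(r"""([A-Za-z_][\w-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>'"]+)))?""")

ALLOWED_ATTRS = {"href", "title", "rel", "id"}   # assumed allow-list for <a>

# Constructed sample payload: the input shown on slide 10.
PAYLOAD = """<a rel="rips" title='XSS " onmouseover=evilCode() id=" '>"""


def parse_attrs(attr_string):
    """Return (name, value) pairs in source order; value is None for bare names."""
    attrs = []
    for m in ATTR_RE.finditer(attr_string):
        name = m.group(1).lower()
        value = next((g for g in m.group(2, 3, 4) if g is not None), None)
        attrs.append((name, value))
    return attrs


def _inner(tag):
    """Strip the leading '<a' and the closing '>' to get the raw attribute string."""
    assert tag[:2].lower() == "<a" and tag.endswith(">")
    return tag[2:-1].strip()


def rebuild_anchor_unsafe(tag):
    """Re-serialize the allowed attributes in double quotes WITHOUT escaping.
    A single-quoted value that contains a double quote now terminates its
    attribute early: this is the transformation shown on slide 11."""
    parts = ['%s="%s"' % (n, v) for n, v in parse_attrs(_inner(tag))
             if n in ALLOWED_ATTRS and v is not None]
    return "<a " + " ".join(parts) + ">"


def rebuild_anchor_safe(tag):
    """Same re-serialization, but every value is attribute-escaped first."""
    parts = ['%s="%s"' % (n, html.escape(v, quote=True))
             for n, v in parse_attrs(_inner(tag))
             if n in ALLOWED_ATTRS and v is not None]
    return "<a " + " ".join(parts) + ">"


def event_handlers(tag):
    """Attribute names that a browser-like re-parse would treat as event handlers."""
    return [n for n, _ in parse_attrs(_inner(tag)) if n.startswith("on")]


if __name__ == "__main__":
    for label, fn in (("input", lambda t: t),
                      ("unsafe rebuild", rebuild_anchor_unsafe),
                      ("safe rebuild", rebuild_anchor_safe)):
        out = fn(PAYLOAD)
        print("%-15s %s" % (label, out))
        print("%-15s handlers=%s" % ("", event_handlers(out)))
```

The escaped rebuild is the fix: either keep the original quoting or attribute-escape values before re-emitting them. The other half of the deck's point (slide 14) is reachability: a regular comment goes through the stricter filter, while an admin's comment submitted via CSRF goes through filter_post_kses, which is what lets the <a rel title> tag survive long enough to be rewritten.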

  15. Roadmap: Pre-Auth → Exploit authenticated functionality

  16. CVE-2018-12895: WordPress < 4.9.7, File Delete to RCE

  17-18. Second-Order File Delete (diagram slides)

  19. Video: https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/

  20. Roadmap: Pre-Auth → Exploit authenticated functionality

  21. CVE-2019-8942, CVE-2019-8943: WordPress < 5.0.1, Path Traversal & Local File Inclusion to RCE

  22-23. Modify Post Meta Data
  _wp_attached_file
  _wp_page_template: loads the template file from the /template/ directory, but there is no way to upload a malicious template file

  24. Image Crop: look for the file in the uploads/ directory, or try to fetch the file via HTTP

  25-26. File Resolving: evil.jpg?/../../template/evil.jpg

  27. Modify Post Meta Data: File Inclusion

  28. evil.jpg → include('templates/evil.jpg');
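The steps on slides 22-28 can be traced with a small added Python model (example code written for this page, not WordPress code). It assumes an uploads directory and URL, assumes that the crop output is written next to the source file with a "cropped-" prefix, and resolves ".." lexically with os.path.normpath instead of modelling directory creation on a real filesystem, a detail the deck does not show. What it demonstrates is why the "?" works: the on-disk lookup of the meta value fails (evil.jpg? is not a directory), the HTTP fallback fetches plain evil.jpg because the web server discards everything after "?", and the write path for the crop output lands outside uploads/, in the directory the template loader reads from. The last function is a hardening check of the kind core or a plugin can apply to the meta value before using it as a path; all path values below are constructed.

```python
import os
import posixpath
from urllib.parse import urlsplit

# Assumed layout; real paths depend on the installation.
UPLOADS_DIR = "/var/www/wp-content/uploads"
UPLOADS_URL = "https://mysuperblog.com/wp-content/uploads"

# Constructed values for the _wp_attached_file post meta.
BENIGN = "2019/11/photo.jpg"
EVIL = "evil.jpg?/../../template/evil.jpg"     # the value from slide 26


def local_candidate(attached_file):
    """Where the crop code first looks on disk. For EVIL this cannot exist:
    'evil.jpg?' would have to be a directory, so the local lookup fails."""
    return os.path.join(UPLOADS_DIR, attached_file)


def http_fallback_path(attached_file):
    """Fallback: fetch the file over HTTP. The web server parses the URL, so
    everything after '?' is a query string and the served path is evil.jpg."""
    return urlsplit(UPLOADS_URL + "/" + attached_file).path


def cropped_destination(attached_file):
    """The cropped image is written next to its source (dirname of the meta
    value, 'cropped-' prefix; assumed naming), resolved lexically here."""
    rel = posixpath.join(posixpath.dirname(attached_file),
                         "cropped-" + posixpath.basename(attached_file))
    return os.path.normpath(os.path.join(UPLOADS_DIR, rel))


def is_safe_attached_file(attached_file):
    """Hardening check: accept only a relative path with no URL syntax and no
    '..' segment that still resolves inside the uploads directory."""
    if not attached_file or attached_file.startswith(("/", "\\")):
        return False
    if any(c in attached_file for c in "?#\\\0"):
        return False
    if ".." in attached_file.split("/"):
        return False
    resolved = os.path.normpath(os.path.join(UPLOADS_DIR, attached_file))
    return resolved.startswith(UPLOADS_DIR + os.sep)


if __name__ == "__main__":
    for value in (BENIGN, EVIL):
        print("meta value      :", value)
        print("  disk lookup   :", local_candidate(value))
        print("  http fallback :", http_fallback_path(value))
        print("  crop written  :", cropped_destination(value))
        print("  accepted      :", is_safe_attached_file(value))
```

Run as a script it prints both traces side by side; the benign value stays under uploads/ at every step, the crafted one is fetched as evil.jpg but written as template/cropped-evil.jpg. Rejecting the value up front is simpler than trying to make every later consumer (disk lookup, HTTP fetch, crop writer, template include) agree on how to resolve it.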

  29. Video: https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/

  30. Imagick keeps the image's EXIF metadata when cropping; GD strips the EXIF metadata when cropping. Bonus: CVE-2019-6977, PHP GD extension buffer overflow.

  31. Roadmap: Pre-Auth → Exploit authenticated functionality

  32. WP Plugins Advent Calendar

  33. WordPress Security Advent Calendar: critical bugs in the 16 most-used plugins, 21 million total active installations, 8x WooCommerce (4M active installs)

  34. WordPress.org Stored XSS Worm

  35. Plugin Repository: WP Plugin SVN

  36. Stored XSS: <script>worm()</script> → an XSS worm can add a new user as committer to the plugin, who then infects the plugin again and adds a backdoor to it.

  37. Thank you! blog.ripstech.com. Advent calendar 2019 announced soon! johannes@ripstech.com / @FluxReiners
