A few security issues to take over 34% of all websites. Johannes Dahse, PHP.RUHR 2019, Dortmund, Germany, 08.11.2019
Intro: Johannes Dahse. Former CTF addict. Security Consultant. RIPS: open source, static analysis for PHP security. Ph.D. Static Code Analysis @ Ruhr-University Bochum. Co-Founder RIPS Technologies GmbH (since 2016).
Why WordPress? (chart: usage of content management systems, W3Techs) WordPress is used by 34.5% of the top 1M websites. WordPress has a CMS market share of 61.2%. ~240M unique domains = ~80M WordPress sites, ~40M of them hosted on wordpress.com. 500 KLOC PHP (+55,000 plugins). Used by whitehouse.gov, Bloomberg, NBC, CNN, BBC, NYTimes.
Roadmap: Pre-Auth, Exploit authenticated functionality
CVE-2019-9787: WordPress < 5.1.1, CSRF to Stored XSS
Cross-Site Request Forgery (CSRF): commenting via CSRF is a feature for trackbacks and pingbacks, but most HTML tags and attributes are stripped.
Cross-Site Request Forgery (CSRF) (diagram: request originating from attacker.com)
XSS filter bypass: <a rel="rips" title='XSS " onmouseover=evilCode() id=" '> is rewritten to <a rel="rips" title= "XSS " onmouseover=evilCode() id=" ' ">
Exploit: regular comment on mysuperblog.com (filter_kses); admin comment via CSRF (filter_post_kses): <a rel="rips" title= "XSS " onmouseover=evilCode() id=" ' ">
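The transformation on the filter-bypass slides, where a single-quoted title attribute comes back double-quoted and its inner quote terminates the attribute early, is what this added PHP illustration reproduces in a simplified attribute re-serializer; it is not WordPress code and does not model WordPress's actual filters. The function names, the simplified attribute matcher and the round-trip check are assumptions made here for illustration.

```php
<?php
// Added illustration, not WordPress's own code: a simplified attribute
// re-serializer showing why a value must be escaped before it is re-quoted,
// plus a round-trip check a defender can keep as a regression test.

/** Parse the attributes of one tag into name => value, delimiters stripped. */
function parse_attrs(string $tag): array {
    $attrs = [];
    // Simplified matcher (constructed): name='v', name="v" or bare name=v.
    preg_match_all(
        '/([a-z]+)\s*=\s*(?:\'([^\']*)\'|"([^"]*)"|(\S+))/i',
        $tag, $matches, PREG_SET_ORDER | PREG_UNMATCHED_AS_NULL
    );
    foreach ($matches as $m) {
        $attrs[strtolower($m[1])] = $m[2] ?? $m[3] ?? $m[4];
    }
    return $attrs;
}

/** Vulnerable rebuild: values go back inside double quotes unescaped. */
function rebuild_unsafe(array $attrs): string {
    $html = '<a';
    foreach ($attrs as $name => $value) {
        $html .= ' ' . $name . '="' . $value . '"';
    }
    return $html . '>';
}

/** Hardened rebuild: every value is attribute-escaped before it is re-quoted. */
function rebuild_safe(array $attrs): string {
    $html = '<a';
    foreach ($attrs as $name => $value) {
        $html .= ' ' . $name . '="' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '"';
    }
    return $html . '>';
}

/** Regression check: re-parsing the rebuilt tag must yield the same attribute names. */
function roundtrip_ok(string $tag, callable $rebuild): bool {
    $before = parse_attrs($tag);
    $after  = parse_attrs($rebuild($before));
    return array_keys($before) === array_keys($after);
}

// Constructed input modelled on the slide: title is single-quoted with double quotes inside.
$tag   = '<a rel="rips" title=\'XSS " onmouseover=evilCode() id=" \'>';
$attrs = parse_attrs($tag);
echo rebuild_unsafe($attrs), "\n"; // the inner " now ends title, so extra attributes appear
echo rebuild_safe($attrs), "\n";   // title remains a single attribute
var_dump(roundtrip_ok($tag, 'rebuild_unsafe'), roundtrip_ok($tag, 'rebuild_safe'));
```

The round-trip check fails for the unsafe rebuild and passes for the hardened one, which is the property to assert whenever sanitized markup is parsed and re-emitted by a second filter.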
CVE-2018-12895: WordPress < 4.9.7, File Delete to RCE
Second-Order File Delete
Video: https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/ 19
CVE-2019-8942, CVE-2019-8943: WordPress < 5.0.1, PT (Path Traversal) & LFI to RCE
Modify Post Meta Data: _wp_attached_file; _wp_page_template: loads the template file from the /template/ dir, but there is no way to upload a malicious template file.
Image Crop: look for the file in the uploads/ directory, or try to fetch the file via HTTP.
File Resolving: evil.jpg?/../../template/evil.jpg
Modify Post Meta Data - File Inclusion: evil.jpg → include ( 'templates/evil.jpg' );
Video: https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/ 29
Imagick keeps image EXIF meta data when cropping; GD strips EXIF meta data when cropping. Bonus: CVE-2019-6977, PHP GD Extension Buffer Overflow
WP Plugins Advent Calendar
WordPress Security Advent Calendar: critical bugs in the 16 most-used plugins, 21 million total active installations, 8x WooCommerce (4M active installs)
WordPress.org Stored XSS Worm
Plugin Repository: WP Plugin SVN
Stored XSS: <script>worm()</script> → the XSS worm can add a new user as committer to this plugin, who then infects the version again and adds a backdoor to the plugin.
Thank you! blog.ripstech.com. Advent calendar 2019 announced soon! johannes@ripstech.com / @FluxReiners