New Security Vulnerability?

New Security Vulnerability?

Joey B
Someone in IRC came in and asked about this link:

http://www.securityfocus.com/archive/1/427152/30/0/threaded

Figured I'd post it here since I haven't seen anyone else do so yet.

--
Joey Brooks
Milk Carton Designs || milkcartondesigns.com
_______________________________________________
wp-hackers mailing list
[hidden email]
http://lists.automattic.com/mailman/listinfo/wp-hackers

Re: New Security Vulnerability?

Douglas Stewart-3
Joey B wrote:

> Someone in IRC came in and asked about this link:
>
> http://www.securityfocus.com/archive/1/427152/30/0/threaded
>
> Figured I'd post it here since I haven't seen anyone else do so yet.

They're basically trying to execute a DoS based upon repeated
registration attempts.  If we were to start implementing a wait time on
registrations coming from a single IP, it would likely ameliorate this
'exploit'.

--
----------
Doug Stewart
Systems Administrator/Web Applications Developer
Lockheed Martin Advanced Technology Labs
[hidden email]

Re: New Security Vulnerability?

steve caturan
In reply to this post by Joey B
thanks for the heads up. now I have a mod_security ruleset for it.

# mod_security 1.x syntax. Denies every request whose request line contains
# "wp-register.php", i.e. it stops the flood by switching registration off
# for everyone; remove or comment out the rule to allow registrations again.
SecFilterSelective "THE_REQUEST" "wp-register.php" "id:1004,deny,log,status:412"
#SecFilterRemove 1004

Re: New Security Vulnerability?

David Chait
Steve, you mind posting that as a reply on the sf website?

Also, seriously, isn't pretty much every script on every website
susceptible to some form, better or worse, of DoS attack?  Is there anything
unique to WP here?  Wouldn't ANY hacker script that quickly, repeatedly
opens up near-unlimited sockets to a website be a "DoS attack"?  Aside from
the particular 'mechanics' of registering a user, why is this any 'more' of
a DoS than anything else?

And I assume since mod_security can filter this, that any adaptive
hardware/anti-DoS firewall should pick up on a single IP trying to open
hundreds/thousands of connections to a particular box, right?

While we're at it, why is DoS being called a 'security vulnerability'?  It's
a service, uptime vulnerability -- totally different class of issues, and
not one the average joe should ever have to worry about (frankly, if someone
wants to launch a DoS attack on an average joe's site, there isn't a single
thing average joe can do about it -- it's up to the OS, drivers, hardware,
firewalls, sysadmins, NOCs, etc.)  Or at least that's my view of the world.

-d


Re: New Security Vulnerability?

Craig-16
On 3/9/06, David Chait <[hidden email]> wrote:

>
> <snip>
>
> While we're at it, why is DoS being called a 'security vulnerability'?  It's
> a service, uptime vulnerability -- totally different class of issues, and
> not one the average joe should ever have to worry about (frankly, if someone
> wants to launch a DoS attack on an average joe's site, there isn't a single
> thing average joe can do about it -- <snip>


http://en.wikipedia.org/wiki/The_Sky_Is_Falling

Craig.

RE: New Security Vulnerability?

Denis de Bernardy
In reply to this post by David Chait
+1. an advisory with proof of concept code to mass-produce users. how
__evil__. at this rate, we'll soon see an advisory with proof of concept
code to mass-produce comments. ;)

D.


Re: New Security Vulnerability?

Owen Winkler
Denis de Bernardy wrote:
> +1. an advisory with proof of concept code to mass-produce users. how
> __evil__. at this rate, we'll soon see an advisory with proof of concept
> code to mass-produce comments. ;)

Along those lines, here's a proof of concept to mass block user
registrations from the same IP within 5 minutes.  (It also blocks brute
force password cracks.)

The comment blocking thing is already done, I think.  ;)

Owen



<?php
/*
Plugin Name: Armor
Plugin URI: http://redalt.com/wiki/Armor Plugin
Description: Add some security-related features to WP.
Author: Owen Winkler
Version: 0.1
Author URI: http://asymptomatic.net
*/

class Armor
{
    function Armor()
    {
        load_plugin_textdomain('armor');

        // Very low priority so these run after any other plugin on the same hooks.
        add_action('wp_authenticate', array(&$this, 'wp_authenticate'), 99999);
        add_filter('validate_username', array(&$this, 'validate_username'), 99999, 2);
    }

    // Output-buffer callback: replaces WP's login error text with the lockout notice.
    function login_delay($content)
    {
        $error = __('ERROR: Too many retries.  Login disabled for 10 minutes.', 'armor');
        $content = preg_replace('/<div id=\'login_error\'>(.*?)<\/div>/i', "<div id='login_error'>$error</div>", $content);
        return $content;
    }

    // get_settings() returns false for an option that has never been saved;
    // always hand back an array so the per-IP lookups below are safe.
    function option_array($name)
    {
        $value = get_settings($name);
        return is_array($value) ? $value : array();
    }

    function wp_authenticate(&$auth_user, &$auth_pass)
    {
        global $using_cookie;

        wp_cache_flush();   // read the counters fresh from the database, not the object cache

        $index = $_SERVER['REMOTE_ADDR'];

        $timeouts = $this->option_array('login_failure_timeouts');
        if (isset($timeouts[$index]) && time() < $timeouts[$index]) {
            // Still locked out: blank the password so this attempt cannot succeed.
            $auth_pass = '';
            ob_start(array(&$this, 'login_delay'));
        }

        if (!wp_login($auth_user, $auth_pass, $using_cookie)) {
            // Login failed: count it against the client IP.
            $retries = $this->option_array('login_failure_retries');
            $retries[$index] = isset($retries[$index]) ? $retries[$index] + 1 : 1;

            if ($retries[$index] >= 3) {
                // Third failure (matching the notice below): lock the IP out for
                // ten minutes, reset its counter and tell the admin.
                $auth_pass = '';
                $retries[$index] = 0;
                $timeouts[$index] = time() + 600;
                ob_start(array(&$this, 'login_delay'));

                $message = sprintf(__('3 failed login attempts from IP: %s', 'armor'), $_SERVER['REMOTE_ADDR']) . "\r\n\r\n";
                $message .= sprintf(__('Last user attempted: %s.', 'armor'), $auth_user) . "\r\n\r\n";
                $message .= __('IP was blocked for ten minutes.', 'armor') . "\r\n";

                wp_mail(get_settings('admin_email'), sprintf(__('[%s] Excessive failed login attempts', 'armor'), get_settings('blogname')), $message);
            }
            update_option('login_failure_retries', $retries);
            update_option('login_failure_timeouts', $timeouts);
        }
    }

    function validate_username($valid, $username)
    {
        global $errors;
        $minsbetweenregs = 5;
        if ($valid) {
            $index = $_SERVER['REMOTE_ADDR'];
            $regs = $this->option_array('registration_retries');
            if (isset($regs[$index]) && ((time() - $regs[$index]) < $minsbetweenregs * 60)) {
                // Relies on wp-register.php refusing to create the account while the
                // global $errors array is non-empty; the text is shown to the user.
                $errors['armor'] = sprintf(__('Only one registration is allowed per IP address per %s minutes.', 'armor'), $minsbetweenregs);
            }
            // Every attempt, allowed or refused, restarts the clock for this IP.
            $regs[$index] = time();
            update_option('registration_retries', $regs);
        }
        return $valid;
    }

    // Dumps its arguments inline; handy while developing, unused by default.
    function debug($foo)
    {
        $args = func_get_args();
        echo "<pre style=\"background-color:#ffeeee;border:1px solid red;\">";
        foreach ($args as $arg1) {
            echo htmlentities(print_r($arg1, 1)) . "<br/>";
        }
        echo "</pre>";
    }
}

$armor = new Armor();

?>

Re: New Security Vulnerability?

Ron Guerin
In reply to this post by David Chait
David Chait wrote:
> Steve, you mind posting that as a reply on the sf website?
>
> Also, seriously, isn't pretty much every script on every website is
> susceptible to some form, better or worse, of DoS attack?  Is there anything
> unique to WP here?  Wouldn't ANY hacker script that quickly, repeatedly
> opens up near-unlimited sockets to a website be a "DoS attack"?  Aside from
> the particular 'mechanics' of registering a user, why is this any 'more' of
> a DoS than anything else?

SecurityFocus needs a moderator to keep this kind of crap off the list.
This is no better than the "power vulnerability", whereby if you cut the
power cord to a server, it will stop running.

- Ron

Re: New Security Vulnerability?

David Chait
In reply to this post by Owen Winkler
Nicely whipped-up.

Of course, it sends an email and updates two options in the database every
attempt (which I assume is only one write, but still...) -- that's about the
same as a new registration, though minus the 'cost' of the explosion in the
user table size. ;)

Of course, if done as distributed DoS, it would populate the options table
with a ton of extra/dead data, probably then an equal or worse case... ;)

Again, my assumption is if you took the sample script, and changed it to hit
pretty much any PHP page, certainly anything with a database read, or write,
it'd probably take down 50% of the machines on resources alone.  The email
definitely just adds to the fire. :)

-d

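The per-IP wait time Doug proposes earlier in the thread, and the counters in Owen's Armor plugin, written out as an added example that is not code from the thread, from the plugin or from WordPress. It also answers the point just made about state growth: per-IP records live in a table that expires idle entries and is capped at a fixed size, so a distributed flood cannot grow it without bound, and refused registration attempts are not recorded, so a flood does not keep extending its own window. The class name, thresholds and the injectable clock are the example's own choices; nothing here touches WordPress hooks or the options table.

```python
"""Per-IP throttle for registrations and login failures with bounded state.

Added example for the wp-hackers thread; not code from the thread, from the
Armor plugin or from WordPress. Thresholds, names and the injectable clock
are this example's own choices.
"""
from collections import OrderedDict
import time


class IpThrottle:
    """Per-IP counters kept in a table that expires idle entries and is capped
    in size, so a flood from many addresses cannot grow it without bound."""

    def __init__(self, window_s=300, regs_per_window=1, max_failures=3,
                 lockout_s=600, max_entries=10000, clock=time.time):
        self.window_s = window_s              # registration window (seconds)
        self.regs_per_window = regs_per_window
        self.max_failures = max_failures      # failed logins before lockout
        self.lockout_s = lockout_s
        self.max_entries = max_entries        # hard cap on tracked addresses
        self.clock = clock                    # injectable for testing
        self._state = OrderedDict()           # ip -> entry, least recently seen first

    def _entry(self, ip):
        """Fetch (or create) the record for ip and mark it most recently seen."""
        now = self.clock()
        self._expire(now)
        entry = self._state.pop(ip, None)
        if entry is None:
            entry = {"reg": [], "fail": 0, "locked_until": 0.0}
        entry["seen"] = now
        self._state[ip] = entry
        if len(self._state) > self.max_entries:
            self._state.popitem(last=False)  # evict the least recently seen
        return entry, now

    def _expire(self, now):
        """Drop entries idle longer than the longest interval we care about.
        After that long every registration stamp is outside the window and
        any lockout has ended, so the record carries no information."""
        horizon = max(self.window_s, self.lockout_s)
        for ip, entry in list(self._state.items()):
            if now - entry["seen"] <= horizon:
                break  # entries are in seen order; the rest are newer
            del self._state[ip]

    def allow_registration(self, ip):
        """True if ip may register now. Refused attempts are not recorded."""
        entry, now = self._entry(ip)
        entry["reg"] = [t for t in entry["reg"] if now - t < self.window_s]
        if len(entry["reg"]) >= self.regs_per_window:
            return False
        entry["reg"].append(now)
        return True

    def login_allowed(self, ip):
        entry, now = self._entry(ip)
        return entry["locked_until"] <= now

    def record_login_failure(self, ip):
        """Count a failed login; True when this failure starts a lockout."""
        entry, now = self._entry(ip)
        entry["fail"] += 1
        if entry["fail"] < self.max_failures:
            return False
        entry["fail"] = 0
        entry["locked_until"] = now + self.lockout_s
        return True

    def record_login_success(self, ip):
        entry, _ = self._entry(ip)
        entry["fail"] = 0

    def tracked(self):
        """Number of addresses currently held in the table."""
        return len(self._state)


if __name__ == "__main__":
    t = IpThrottle()
    print(t.allow_registration("198.51.100.7"), t.allow_registration("198.51.100.7"))
```

The failure counter only resets on a successful login or once the address has been idle for the longer of the two intervals. The size cap is the trade-off: a flood large enough to fill the table evicts the least recently seen records, which can include a live lockout, so past a certain volume the blocking has to move to the router or firewall anyway.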

Re: New Security Vulnerability?

Roy Schestowitz-2
In reply to this post by Douglas Stewart-3
___/ On Thu 09 Mar 2006 18:35:33 GMT, [ Doug Stewart ] wrote : \___

> Joey B wrote:
>> Someone in IRC came in and asked about this link:
>>
>> http://www.securityfocus.com/archive/1/427152/30/0/threaded
>>
>> Figured I'd post it here since I haven't seen anyone else do so yet.
>>
>
> They're basically trying to execute a DoS based upon repeated
> registration attempts.  If we were to start implementing a wait time
> on registrations coming from a single IP, it would likely ameliorate
> this 'exploit'.


In that case, a different entry URL could be targeted. Such things are
endless.

,----[ Snippet ]
| 2) "Compromise by an extended Brute Force attack is not a CVE
| vulnerability."  (Brute Force Exception)
|
| [...]
|
| 3) "A denial of service in a client that is easy to recover from, is
| not a CVE vulnerability." (Client-Side Denial of Service Exception)
`----

Source: http://www.cve.mitre.org/board/archives/1999-07/msg00146.html

While on the subject, 'fresh' from the press:

,----[ Snippet ]
| Or the bot-infected computers are used to launch DoS attacks - now running
| at 1,402 a day - as part of extortion attempts. Phishing attempts are
| approaching eight million a day.
`----

Source: http://news.bbc.co.uk/1/hi/technology/4787474.stm

The only way to end this is to stop use of an operating system which is so
easy to hijack due to its flawed RPC model. My site's WordPress
installation has been attacked ~1500 times a day (on a daily basis) since
September 2005. Windows boxes from all over the world.


Re: New Security Vulnerability?

Owen Winkler
In reply to this post by David Chait
David Chait wrote:
> Nicely whipped-up.
>
> Of course, it sends an email and updates two options in the database every
> attempt (which I assume is only one write, but still...) -- that's about the
> same as a new registration, though minus the 'cost' of the explosion in the
> user table size. ;)

Perhaps, except those are two different code paths.  Emails should only
be sent in the case of detected login hacking, not in the case of
multiple registrations.

If the update_options() was stuffed into an additional else{} it could
eliminate database writes on failed registration attempts inside the
delay period.

Something more effective would report the IP to some firewall
configuration automation system.

> Of course, if done as distributed DoS, it would populate the options table
> with a ton of extra/dead data, probably then an equal or worse case... ;)
>
> Again, my assumption is if you took the sample script, and changed it to hit
> pretty much any PHP page, certainly anything with a database read, or write,
> it'd probably take down 50% of the machines on resources alone.  The email
> definitely just adds to the fire. :)

Well, like I said, the email only happens on login hacking attempts,
certainly not at any generically-aimed request.  This isn't a serious
attempt at "fixing" security issues, just a casual one for the lazy blog
admin.  ;)

Like you said, though, if a distributed DoS targeted any common
unprotected blog, it would take it down pretty easily.  Blog software is
simply not geared for handling such a scenario, which is better done at
the router/firewall level.

Owen



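Handing offending addresses to a firewall, as Owen suggests above, is usually done from the web server's access log rather than inside the blog code. The following added example (not part of the thread and not any project's code) parses Apache combined-format lines, counts POSTs to wp-register.php per source address in a sliding window, returns the addresses worth blocking, and flags the case Owen says the application cannot handle: a distributed flood in which no single address exceeds the per-IP limit. The log lines are constructed for the example; the path, window and thresholds are the example's own choices.

```python
"""Find registration floods in Apache combined-format access logs.

Added example for the wp-hackers thread; not code from the thread or from
any project. The sample log lines are constructed here, and the path,
window and thresholds are this example's own choices.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" format up to the response size; referer and agent are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for junk lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def registration_hits(lines, path="/wp-register.php"):
    """Yield (ip, timestamp) for each POST to the registration script."""
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, req_path, _status = rec
        if method == "POST" and req_path.split("?", 1)[0] == path:
            yield ip, ts


def peak_in_window(stamps, window):
    """Largest number of timestamps that fall inside any span of `window`."""
    stamps = sorted(stamps)
    best = start = 0
    for end, t in enumerate(stamps):
        while t - stamps[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_floods(lines, per_ip_limit=3, site_limit=20, window=timedelta(minutes=5)):
    """Return (addresses to block, distributed flag).

    An address is blocked when it alone exceeds per_ip_limit registrations in
    one window. The flag is set when the remaining traffic still exceeds
    site_limit, i.e. blocking individual addresses will not bring it down."""
    by_ip = defaultdict(list)
    for ip, ts in registration_hits(lines):
        by_ip[ip].append(ts)
    block = {ip for ip, stamps in by_ip.items()
             if peak_in_window(stamps, window) > per_ip_limit}
    rest = [t for ip, stamps in by_ip.items() if ip not in block for t in stamps]
    return block, peak_in_window(rest, window) > site_limit


def sample_log():
    """Constructed sample: ordinary traffic, one noisy address, then a spread
    of addresses each registering once. Not a capture from any real server."""
    base = datetime(2006, 3, 9, 13, 35, 0, tzinfo=timezone(timedelta(hours=-5)))

    def line(ip, ts, method, path, status=200):
        return '%s - - [%s] "%s %s HTTP/1.1" %d 512 "-" "Mozilla/5.0"' % (
            ip, ts.strftime(TS_FMT), method, path, status)

    lines = [line("192.0.2.10", base, "GET", "/index.php"),
             line("192.0.2.10", base + timedelta(seconds=5), "POST", "/wp-comments-post.php", 302)]
    lines += [line("198.51.100.7", base + timedelta(seconds=3 * i), "POST", "/wp-register.php")
              for i in range(10)]
    lines += [line("203.0.113.%d" % i, base + timedelta(seconds=4 * i), "POST", "/wp-register.php")
              for i in range(1, 26)]
    return lines


if __name__ == "__main__":
    print(find_floods(sample_log()))
```

Run against the sample, the single noisy address comes back as the one to block, and the twenty-five single-shot addresses trip the distributed flag even though none of them individually passes the per-IP limit; that second signal is the one to watch, because the only thing that helps there is a rule upstream of the web server.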