Wordpress Automatic UpgradeAutomatic Wordpress Upgrade
Automatic Wordpress Upgrade
Hello everyone, I have some issues with the automatic Wordpress upgrade feature. When I try to update the Wordpress release or plug-ins, it asks for the FTP detail. If I give this information, she won't take it. I found a way on the net: Modify the authorizations of the Wik contents to 777, but this is very insecure.
27% of the web hacked via WordPress auto-update
Additionally to this research, we investigate WordPress Core and the related Wordpress.org system on a regular basis. We recently uncovered a big flaw that could have led to a massive tradeoff for the vast majority of WordPress pages. It is possible that the following exploit enabled an intruder to use the WordPress auto-update feature, which is enabled by default, to distribute Malware to up to 27% of the web simultaneously.
api. wordpress.org (or server) plays an important part in the WordPress ecosystem: it publishes automatic WordPress website update. Each WordPress install sends a query to this host about once an hour to search for plug-in, topic or WordPress kernel upgrades. Your server's answer contains information about newer release that may be available, along with whether the plug-in, design, or kernel needs to be upgraded or not.
However, a trade-off with this host could allow an attacker to specify his own automatic Web site address for downloading and installing WordPress Web sites. vulnerability to WordPress Web sites through api.wordpress.org's automatic updating engine. All this is possible because WordPress itself does not offer validation of the signatures of the software used.
About 27% of all web sites are served by WordPress. As per WordPress documentation: "Every website has automatic updating activated by defaults for smaller kernel release and translations." Threating api. wordpress.org could potentially cause an attack to threaten more than a fourth of the world's web sites in one fell swoop.
In the following, we describe the detailed technology of a serious flaw we discovered at the beginning of this year that could threaten api.wordpress.org. Through HackerOne, we have notified this issue to the WordPress group. You fix the issue within a few clicks of confirming the audit trail. That allows them to use GitHub as their sources repository.
If you then make a modification to qitHub, it will call a link on api.wordpress.org and click a link that will trigger a trigger on api.wordpress.org that displays the latest piece of HTML that has just been added to qitHub. On api. wordpress.org the address contacted by SitHub is referred to as'Webhook' and is in PHP.
PHP for this hok is open sourced and is located in this repo. Analyzing this arbitrary cipher, we found a flaw that could allow an intruder to run his own arbitrary api. wordpress.org arbitrary file and get into api. wordpress.org. It is referred to as a weakness for the running of either hot key or CCE.
If a query is received by api.wordpress.org, presumably from GitHub, the api.wordpress.org server checks to see if it is actually GitHub that is making the query using a common clandestine and hatching algorithms. It works in such a way that GitHub, since GitHub is about to transmit JSON files, will combine the files to be transmitted with a private value previously divided with api.wordpress.org.
In this case it hurries the match and transmits this hit together with the JSON-files to api. wordpress.org. If api. wordpress.org gets the query, it will take the JSON information, combine it with the common mystery and calculate its own dash. GitHub must know the common secrets if its hatch match the hatch GitHub just sent, and this will prove that GitHub is permitted to make the query.
GetHub uses ShA1 to create the hatch and returns the digital signatures in a header: Sessionhook will extract both the algorithms, in this case'sha1', and the hatch to check the signatures. In this case, the weakness is that the source uses the hatch provided by the clients, usually cithub.
This means that whether it is GitHub or an intruder attacking the Web hook, they can specify which hatch algorithms are used to check the integrity of the messages, as you can see in the following example. //input'), FEATURE_PLUGIN_GH_SYNC_SECRET ); 10return $hash ==== $hmac; If we can circumvent the GitHub log file authentication mechanisms, there is a POST argument for the GitHub projekt URL that is handed over to shell_exec in full, allowing us to run shell instructions on an API.
wordpress.org. The shell_exec call can be seen in the following example code: 13repo_name = $_POST['repository']['full_name']['full_name'] ; 2$repo_url = $_POST['repository']['git_url'] ; 5die('Sorry, This Github repo is not configured for WordPress.org plugins SVN Github Sync'. "8putenv ('PHP_SVN_USER'); 9putenv('PHP_SVN_PASSWORD'); The task here is to deceive the hok that we know the common mystery that GitHub knows.
This means that we have to transmit a hath with our embassy that is "check out". Or in other words, it seems to be a hazard of the news we sent and the hidden value that only api.wordpress.org and GitHub know - the common mystery. Like we mentioned before, with the help of the nethook we can select our own hatching algorithms.
Specifically, PHP provides a number of non-cryptographically safe hazard features such as arc32,nv32, and edler32 that produce a 32-bit hazard compared to the anticipated 160-bit hazard produced by SHA1. When we can find a faint, enough hatching algorithms, we can brutally assault the Web Hook. All we have to do is transmit a set of digests to estimate the value of the common secrets and the information we transmit until we do it correctly and api.wordpress.org allows the query.
However, it is still not possible to start this assault over the api. wordpress.org firewall without it being unbelievably loud, as we make a large number of assumptions. In addition to the overall number of inhashes, there are also significant inhomogeneities in the inhash area. Included in the Preview, the Report uses the irregularity by profiling the most frequent significant byte in each created 16-bit hash.
That is a very small number of assumptions that we would have to make to the api. wordpress.org website hook that could be made in a few short time. As soon as the hook allows the query, the attacker runs a shell on api. wordpress.org, which gives us permission to run the basic OS and api.wordpress.org. org is at risk.
A remote attack could potentially cause an attack to make its own fix to all WordPress Web sites and send background and other malicious codes to more than a fourth of the Web. You could also turn off automatic updating at a later date, so that the WordPress staff loses the option to apply a fix to affected Web sites.
CVSS exploit for this exploit is: On September 2, we privately notified Automattic of this issue and released a fix for the source tree on September 7. Api. wordpress.org is still seen as a bug in the distribution of WordPress cores, plug-ins and topic up-dates. We' ve tried to begin a discussion with members of the Automattic safety staff about the improvement of the safety status of the automatic updating system, but we have not yet heard back.
For three years, there have been discussions about the provision of an authentification method for the source codes that WordPress publishers are distributing. If api. wordpress.org or a similarly sensitive web site is compromised, it is possible that an intruder could quickly cause masses of WordPress pages across the web to be compromise and, at the same moment, override the WordPress/Automattic vulnerability of the Web Press Protection Force to release a vulnerability fix.
WordPress is responsible for more than a fourth of all web sites with a 27%hare. It would also offer a massively vulnerable target for the aggressor, who would be able to monitor tens of thousands of web hosters from whom to invade. 2016-09-02 21:08 (-0400) -Transmitted first alert to Automattic via Hackerone. 2016-09-06 19:48 (-0400) - Automattic confirms the review.
2016-09-07 02:02 (-0400) - A fix for the exploit is moved to the repository. 2016-10-29 05:21 (-0400) Error message - Automatic assigns bunty. In his free timeframe, Matt approached this projekt and made the disclosures via HackerOne to the Automation group.