Steven J. Murdoch has a great post about an admin cookie authentication bypass in WordPress 2.5. It provides an instructive look at how simple it is to improperly implement cryptographic functions.
The basic premise is that in WordPress 2.5, an HMAC was used to provide integrity protection for the authentication cookie, but a design flaw allowed specially chosen user names to be used to create forged authentication cookies.
The auth cookie allows a user to log in without any complicated session management on the server side by storing the user login, expiration time and hash value. A valid auth cookie grants a user the ability to log in without any form of password. So, if a forged auth cookie could be generated such that the user login field was "admin", then that user would have administrative privileges.
The auth cookie value is of the format:
$user_login . '|' . $expiration . '|' . $hash
where the hash was the HMAC derived from the SECRET_KEY defined in the configuration.
The design mistake was that the HMAC was calculated over the undelimited value:
$user_login . $expiration
Consequently, an appropriately chosen user name could be registered that would allow access to the admin account by tampering with the cookie.
In order to choose an appropriate user name, the following criteria need to be met:
- User name must begin with the string "admin"
- The expiration must not be in the past
- When the user name and expiration are concatenated, the original value used to calculate the HMAC must be unchanged.
Obviously, the simplest choice for a user name would be "admin0". For example, when the HMAC was initially calculated, the value:
"admin0" . "1209590828"
would result in a cookie value of:
Then, the cookie is modified by moving the 0 to the expiration field:
so that the HMAC is calculated over:
"admin" . "01209590828"
Since the concatenated strings are identical, the HMAC hash is matched and the user is granted admin privileges.
A simple implementation mistake with serious consequences.
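The collision described above, next to a length-prefixed construction that removes it, as an added example (not code from WordPress or from the original post). The key, the use of SHA-256, the length-prefixed encoding, the constructed "current time" and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

SECRET_KEY = b"constructed-demo-key"  # constructed stand-in for the configured SECRET_KEY

def mac_undelimited(user_login, expiration):
    # Flawed construction described in the post: HMAC over user_login . expiration
    msg = (user_login + expiration).encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()

def mac_length_prefixed(user_login, expiration):
    # Assumed hardening: prefix each field with its byte length so the
    # field boundary is part of the authenticated message.
    fields = (user_login.encode(), expiration.encode())
    msg = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()

def make_cookie(user_login, expiration, mac):
    return "|".join((user_login, expiration, mac(user_login, expiration)))

def verify_cookie(cookie, mac, now):
    # Returns the authenticated login, or None if the cookie is rejected.
    parts = cookie.split("|")
    if len(parts) != 3:
        return None
    user_login, expiration, tag = parts
    expected = mac(user_login, expiration)
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    if not (expiration.isascii() and expiration.isdigit()) or int(expiration) < now:
        return None
    return user_login

def demo(now=1209590000):  # constructed "current time" before the expiration
    results = {}
    for name, mac in (("undelimited", mac_undelimited),
                      ("length_prefixed", mac_length_prefixed)):
        issued = make_cookie("admin0", "1209590828", mac)
        tag = issued.split("|")[2]
        # Same tag, field boundary shifted as in the post's example.
        shifted = "|".join(("admin", "01209590828", tag))
        results[name] = (verify_cookie(issued, mac, now),
                         verify_cookie(shifted, mac, now))
    return results

if __name__ == "__main__":
    print(demo())
```

Each result pair is (login accepted for the issued cookie, login accepted for the cookie with the shifted boundary); only the undelimited construction accepts the second one.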