Admin Authentication Bypass in WordPress 2.5

Steven J. Murdoch has a great post about an admin cookie authentication bypass in WordPress 2.5. It provides an instructive look at how simple it is to improperly implement cryptographic functions.

The basic premise is that in WordPress 2.5, an HMAC was used to provide integrity protection for the authentication cookie, but a design flaw allowed specially chosen user names to be used to forge authentication cookies.

The auth cookie lets a user log in without any complicated session management on the server side: it stores the user login, an expiration time and a hash value. A valid auth cookie grants the ability to log in without any form of password. So, if a forged auth cookie could be generated with "admin" in the user login field, then its holder would have administrative privileges.

The auth cookie value is of the format:

      $user_login . '|' . $expiration . '|' . $hash

where the hash is the HMAC computed with the SECRET_KEY defined in the configuration.

The design mistake was that the HMAC was calculated over the undelimited value:

      $user_login . $expiration

Consequently, an appropriately chosen user name could be registered that would allow access to the admin account by tampering with the cookie.

In order to choose an appropriate user name, the following criteria need to be met:

  1. The user name must begin with the string "admin".
  2. The expiration must not be in the past.
  3. When the user name and expiration are concatenated, the value originally used to calculate the HMAC must be unchanged.

Obviously, the simplest choice for a user name would be "admin0". For example, when the HMAC was initially calculated, the value:

      "admin0" . "1209590828"

would result in a cookie value of:

      admin0|1209590828|7863a08bd04af260bd5df2a8bf7e8b33

Then, the cookie is modified by moving the 0 to the expiration field:

      admin|01209590828|7863a08bd04af260bd5df2a8bf7e8b33

so that the HMAC is calculated over:

      "admin" . "01209590828"

Since the concatenated strings are identical, the HMAC matches and the user is granted admin privileges.

A simple implementation mistake with serious consequences.
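To make the field-boundary problem concrete, here is an added Python example (my own code, not WordPress's and not from Murdoch's post). It assumes a constructed SECRET_KEY and a constructed current time; it reproduces the flawed MAC-over-bare-concatenation scheme described above next to a hardened variant (my assumption of a reasonable fix, not WordPress's actual patch) that MACs the delimited fields and accepts only a canonical decimal expiration, then checks what each verifier makes of the "admin0" to "admin" cookie edit.

```python
import hashlib
import hmac

# Constructed demo secret; WordPress reads SECRET_KEY from wp-config.php.
SECRET_KEY = b"constructed-demo-secret-key"


def wp25_hash(user_login: str, expiration: str) -> str:
    """The flawed construction from the post: the MAC covers the bare
    concatenation, so the boundary between the two fields is never
    authenticated. MD5 is used only because the 32-hex-digit value in
    the post implies it; the digest algorithm is not where the flaw lies."""
    msg = (user_login + expiration).encode()
    return hmac.new(SECRET_KEY, msg, hashlib.md5).hexdigest()


def hardened_hash(user_login: str, expiration: str) -> str:
    """Assumed hardening (not WordPress's own fix): the MAC covers the
    fields with the same delimiter the cookie uses, so moving a byte
    across the boundary changes the MAC input."""
    msg = f"{user_login}|{expiration}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def make_cookie(user_login: str, expiration: int, hash_fn) -> str:
    """Build login|expiration|hash exactly as the post lays it out."""
    return f"{user_login}|{expiration}|{hash_fn(user_login, str(expiration))}"


def verify_wp25(cookie: str, now: int):
    """Vulnerable verifier: trusts whatever split of the fields the MAC matches."""
    user_login, expiration, digest = cookie.split("|", 2)
    if int(expiration) < now:
        return None
    if not hmac.compare_digest(digest, wp25_hash(user_login, expiration)):
        return None
    return user_login


def verify_hardened(cookie: str, now: int):
    """Hardened verifier: strict field count, canonical timestamp, delimited MAC."""
    parts = cookie.split("|")
    if len(parts) != 3:
        return None
    user_login, expiration, digest = parts
    # Only a canonical decimal timestamp is acceptable: no sign, no leading
    # zeros, nothing that could have been borrowed from the login field.
    if not expiration.isdecimal() or expiration != str(int(expiration)):
        return None
    if int(expiration) < now:
        return None
    if not hmac.compare_digest(digest, hardened_hash(user_login, expiration)):
        return None
    return user_login


def shift_boundary(cookie: str) -> str:
    """The cookie edit the post describes: the last character of the login
    is moved to the front of the expiration field; the hash is untouched."""
    user_login, expiration, digest = cookie.split("|", 2)
    return f"{user_login[:-1]}|{user_login[-1]}{expiration}|{digest}"


def demo(now: int = 1209500000) -> dict:
    """`now` is a constructed clock value that precedes the post's expiration."""
    expiration = 1209590828  # the expiration value used in the post
    legit_old = make_cookie("admin0", expiration, wp25_hash)
    legit_new = make_cookie("admin0", expiration, hardened_hash)
    return {
        "vulnerable_accepts_forged": verify_wp25(shift_boundary(legit_old), now),
        "hardened_accepts_legit": verify_hardened(legit_new, now),
        "hardened_accepts_forged": verify_hardened(shift_boundary(legit_new), now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

The hardened verifier applies two independent defences: authenticating the delimiter means the MAC input for ("admin", "01209590828") differs from the one for ("admin0", "1209590828"), and rejecting a non-canonical timestamp means the shifted cookie fails before the MAC is even checked. Either alone would have blocked this forgery; the general rule is that a MAC over concatenated fields must encode the field boundaries unambiguously, with delimiters that cannot occur inside a field or with length prefixes.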

Posted by gfleischer on 2008/04/28 at 20:46 in 0wned

OSVDB Blog and WordPress - Discovered In the Wild Category at Work

Just a couple of days ago, OSVDB added a new classification, Discovered In the Wild, based on some suggestions by Pete Lindstrom (Spire Security Viewpoint).

Now, we get the 0-day Can Happen to Anyone post. The OSVDB WordPress blog was being hacked by SEO spammers who edited spam content directly into the posts. Apparently the blog was being exploited by a real-life, discovered in the wild, 0-day: 41136: WordPress XML-RPC xmlrpc.php Unauthenticated Post Modification.

For reference, the links I saw were:

<noscript>Courtney scott a <a href="http://groups.google.com/group/lynn5052/web/cricket-ringtones">cricket ringtones</a> is not.</noscript>

<noscript>Wiederum im Uhrzeigersinn <a href="http://www.kasino007.de">gratis casinospiele</a> jeder Boxinhaber dann sein Online Blackjack Blatt zu Ende.</noscript>

Interesting stuff.

Posted by gfleischer on 2008/02/14 at 00:06 in 0wned

Another Magic Include Shell Sighting and Other Pwnage

A couple for my own reference.

Posted by gfleischer on 2008/01/24 at 20:26 in 0wned

Joe Biden is Out of the Race - Hacked WordPress Blog Lives On

I posted last December that Joe Biden's WordPress blog had been hacked. Now he has withdrawn from the 2008 US Presidential race, but his hacked blog lives on:

<div id="goro"><a href="http://www.sloog.org/?page=27" title="Hydrocodone">Hydrocodone</a>
<a href="http://www.sloog.org/?page=26" title="Glucophage">Glucophage</a>
<a href="http://www.sloog.org/?page=20156" title="Glucophage">Glucophage</a>
<a href="http://www.sloog.org/?page=10" title="Carisoprodol">Carisoprodol</a>
[...snipped...]
<a href="http://www.sloog.org/?page=21854" title="Zithromax">Zithromax</a>
<a href="http://www.sloog.org/?page=56" title="Zocor">Zocor</a>
<a href="http://www.sloog.org/?page=21865" title="Zocor">Zocor</a>
</div><script type="text/javascript"><!--
function getme(str){ var idx = str.indexOf('?'); if (idx == -1) return str; var len = str.length; var new_str = ''; var i = 1; for (++idx; idx < len; idx += 2,i++){ var ch = parseInt(str.substr(idx, 2), 16); new_str += String.fromCharCode((ch + i) % 256); } eval(new_str); }
getme('http://pagead2.googlesyndication.com/pagead/show_ads.js?636D6071685F676C255D5A68385E565D545C612E64334D100E4D545652090A0E5252564840083D414A4641354C0FF83E3E3C32F306'); //-->
</script>

It looks like sloog.org was hit by SEO spammers as well:

Thumbnail: Google Results - site:sloog.+inurl:page

Generalizing that Google query yields plenty of results for other SEO spam hacked sites:

Thumbnail: Google Results - inurl:(page|page_id|cat) +intext:buy.glucophage intext:powered.by.wordpress

And possibly even more sites:

Thumbnail: Google Results -inurl:(page|page_id|cat) +intext:buy.glucophage +intext:buy.hydrocodone intext:powered.by.wordpress

Simply stunning. These are definitely not targeted attacks.

Posted by gfleischer on 2008/01/09 at 15:27 in 0wned

Postmortem Write-Up of a WordPress Hack

An excellent postmortem write-up of a WordPress hack can be found here.

The "Magic Include Shell" makes another appearance. Mag (ICQ 884888) must be proud.

Posted by gfleischer on 2007/12/26 at 15:31 in 0wned

More WordPress Hacks

Here are a couple more:

The second item is of interest because it makes mention of "Magic Include Shell". Is this a common PHP backdoor or just a private shell?

There is a WordPress support entry: Weird and Dangerous : ro8kfbsmag.txt. And a Google search results in a cached item from the noaa.gov domain.

Posted by gfleischer on 2007/12/17 at 11:33 in 0wned

Joe Biden - Another WordPress Hack Victim

It appears that the Joe Biden for President blog has joined the long list of WordPress hack victims. Once again, SEO spammers are apparently to blame.

The generator tag:

<meta name="generator" content="WordPress 2.1" /> <!-- leave this for stats -->

And from the page footer:

<div id="goro"><a href="http://www.de-bug.de/?order=6969" title="Buy Zyprexa">Buy Zyprexa</a>
<a href="http://www.de-bug.de/?order=6871" title="Buy Zyban">Buy Zyban</a>
<a href="http://www.de-bug.de/?order=6822" title="Buy Zovirax">Buy Zovirax</a>
<a href="http://www.de-bug.de/?order=6773" title="Buy Zocor">Buy Zocor</a>
<a href="http://www.de-bug.de/?order=6724" title="Buy Zithromax">Buy Zithromax</a>
[...snipped..]
<a href="http://www.de-bug.de/?order=4950" title="Buy Clonazepam">Buy Clonazepam</a>
<a href="http://www.de-bug.de/?order=4999" title="Buy Codeine">Buy Codeine</a>
<a href="http://www.de-bug.de/?order=16" title="Codeine">Codeine</a>
</div><script type="text/javascript"><!--
function getme(str){ var idx = str.indexOf('?'); if (idx == -1) return str; var len = str.length; var new_str = ''; var i = 1; for (++idx; idx < len; idx += 2,i++){ var ch = parseInt(str.substr(idx, 2), 16); new_str += String.fromCharCode((ch + i) % 256); } eval(new_str); }
getme('http://pagead2.googlesyndication.com/pagead/show_ads.js?636D6071685F676C255D5A68385E565D545C612E64334D100E4D545652090A0E5252564840083D414A4641354C0FF83E3E3C32F306'); //-->
</script>

There is that "goro" id again. This all looks painfully familiar.
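The getme() script quoted in this post and again in the later Joe Biden post above is a small decoder that feeds its output to eval(). As an added analysis aid (my own code, not the spammers' script and not from the original posts), here is a Python re-implementation of the same transform that returns the decoded text instead of executing it, run over the exact string the injected script passes to getme(). The scanning helper and the footer fragment it is run on are constructed for the example.

```python
import re

# The exact argument passed to getme() in the injected script quoted above.
INJECTED_CALL_ARG = (
    "http://pagead2.googlesyndication.com/pagead/show_ads.js?"
    "636D6071685F676C255D5A68385E565D545C612E64334D100E4D545652090A0E"
    "5252564840083D414A4641354C0FF83E3E3C32F306"
)

# Matches the call site so a captured page can be scanned for further instances.
GETME_CALL = re.compile(r"getme\('([^']*)'\)")


def decode_getme_payload(url: str) -> str:
    """Re-implementation of the transform inside the injected getme():
    everything after '?' is read as hex byte pairs, the 1-based pair index
    is added to each byte modulo 256, and the resulting characters are
    joined. The original hands the result to eval(); this returns it."""
    idx = url.find("?")
    if idx == -1:
        return url
    payload = url[idx + 1:]
    chars = []
    for i, pos in enumerate(range(0, len(payload), 2), start=1):
        byte = int(payload[pos:pos + 2], 16)
        chars.append(chr((byte + i) % 256))
    return "".join(chars)


def decode_injected_calls(html: str) -> list:
    """Scan page markup for getme('...') calls and decode each argument."""
    return [decode_getme_payload(arg) for arg in GETME_CALL.findall(html)]


# Constructed page fragment mirroring the injected footer seen in the post
# (the decoder body is elided; only the call site matters for scanning).
SAMPLE_FOOTER = (
    '<div id="goro"><a href="http://example.invalid/?order=1">spam</a></div>'
    '<script type="text/javascript"><!--\n'
    "function getme(str){ /* decoder as quoted in the post */ }\n"
    f"getme('{INJECTED_CALL_ARG}'); //-->\n"
    "</script>"
)

if __name__ == "__main__":
    for code in decode_injected_calls(SAMPLE_FOOTER):
        print(code)
```

Decoded, the payload is a single statement that sets the "goro" div's display to none: visitors never see the pharmacy links, while the links stay in the served HTML for anything that does not run JavaScript. The googlesyndication.com prefix is never fetched; it exists only so the call looks like an ad include to someone skimming the source. For detection, an inline script whose only external-looking URL is passed to a local function and then eval()'d, or a div with a generic id that is immediately hidden by obfuscated code, is the pattern to flag when reviewing a WordPress theme's footer.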

Posted by gfleischer on 2007/12/17 at 10:47 in 0wned

More Random WordPress Blogs (and Al Gore) Owned by SEO Spammers

I originally came across a post about how Matt Heaton's WordPress blog had been hacked. I followed the link to this fabulous write-up.

So it seemed that there were some more random WordPress blogs that had been owned by SEO spammers and that exhibited a relationship similar to the one on Al Gore's An Inconvenient Truth Blog after it had been hacked.

In short, the footer content of mattheaton.com contained a div with the "goro" id, linking to www.howardowens.com:

<div id="goro"><a href="http://www.howardowens.com/?order=5984" title="Buy Norvasc">Buy Norvasc</a>
<a href="http://www.howardowens.com/?order=392" title="Buy Ambien">Buy Ambien</a>
<a href="http://www.howardowens.com/?order=5935" title="Buy Norco">Buy Norco</a>
<a href="http://www.howardowens.com/?order=5886" title="Buy Nexium">Buy Nexium</a>
<a href="http://www.howardowens.com/?order=5788" title="Buy Meridia">Buy Meridia</a>
<a href="http://www.howardowens.com/?order=18" title="Diazepam">Diazepam</a>
<a href="http://www.howardowens.com/?order=5739" title="Buy Lortab">Buy Lortab</a>

[...snipped...]

<a href="http://www.howardowens.com/?order=39" title="Percocet">Percocet</a>
<a href="http://www.howardowens.com/?order=226" title="Paxil">Paxil</a>
<a href="http://www.howardowens.com/?order=38" title="Oxycontin">Oxycontin</a>
<a href="http://www.howardowens.com/?order=4135" title="Online Xanax">Online Xanax</a>
<a href="http://www.howardowens.com/?order=4" title="Ambien">Ambien</a>
<a href="http://www.howardowens.com/?order=37" title="Norvasc">Norvasc</a>
</div>

Attempting to navigate to these directly failed with:

<h1>Not Found</h1>
<p>The requested URL /?order=1 was not found on this server</p>
<hr>
<address>Apache/1.3.39 (Unix) mod_fastcgi/2.4.2 mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.30 OpenSSL/0.9.7a PHP-CGI/0.1b Server at www.howardowens.com Port 80</address>

    

After some experimentation, it became evident that an HTTP Referer header was expected. Using wget:


$ wget -q -O - -U '' -S --referer='whatever.example.com' 'http://www.howardowens.com/?order=1' | head

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Adderall from Certified Pharmacy</title>
<META content="Adderall" name=keywords> 
<META content="Adderall, Buy Flonase COD, Buy Tramadol 180" name=description> 
<META http-equiv=Content-Type content="text/html; charset=UTF-8">
<meta name="generator" content="WordPress 2.0.6" />
<link type="text/css" rel="StyleSheet" href="http://www.wordpress.net.in/images/style.css">
</head>

But since I also wanted a screenshot, I used the Firefox Tamper Data extension and added a Referer header. I got back a nice fat spam blog:

http://www.howardowens.com/ spam blog screenshot

From here, all of the links led through '?order' ("You are in a maze of twisty little passages, all alike") with slight variations of content depending on the pharmaceutical being referenced.

So, I went back to Al Gore's Blog to see what the links looked like there, and what did I find at the bottom of the page?

<div id="goro"><a href="http://www.howardowens.com/?order=21" title="Effexor">Effexor</a>
<a href="http://www.howardowens.com/?order=394" title="Buy Xanax">Buy Xanax</a>
<a href="http://www.howardowens.com/?order=790" title="Buy Xanax Online">Buy Xanax Online</a>
<a href="http://www.howardowens.com/?order=4564" title="Buy Bontril">Buy Bontril</a>

[...snipped...]

<a href="http://www.howardowens.com/?order=429" title="Buy Adipex">Buy Adipex</a>
<a href="http://www.howardowens.com/?order=397" title="Buy Diazepam">Buy Diazepam</a>
<a href="http://www.howardowens.com/?order=1449" title="Buy Didrex">Buy Didrex</a>
<a href="http://www.howardowens.com/?order=5173" title="Buy Diflucan">Buy Diflucan</a>
</div>

These WordPress blogs must be so totally owned. Do some WordPress users just like letting random code run on their servers? Is everybody asleep at the wheel or do they just not care?

The "wordpress.net.in" domain seems to play some unknown part in the overall scheme (Google: wordpress.net.in+failed) and this post offers a recommendation on how to clean up. I didn't care to investigate further since I don't use WordPress and never plan to.

Posted by gfleischer on 2007/12/03 at 16:47 in 0wned

Fake Blog Hacks Tied to WordPress

Want a fake blog hack as part of your viral marketing campaign?

Cool. Just make sure to blame it on WordPress. Because that would be the most plausible explanation.

Posted by gfleischer on 2007/11/28 at 10:16 in 0wned

Al Gore 0wned - WordPress to Blame?

Al Gore 0wned ... WordPress to Blame? I guess getting owned through WordPress is becoming a rite of passage for bloggers the world over. And the general attitude of "it's just a blog" is simply not sustainable in the long run.

Was this the work of a mass exploiter or a targeted attack? As we've seen with past incidents, the mass exploiters don't care and sometimes don't even realize the value of the target. When scanning the entire net, the perceived value of the target is generally irrelevant. Maybe you care if it is a .edu or .gov, but typically it is just another box. If a site is vulnerable to a widely known exploit, then somebody, somewhere will own the site and use it -- whether that is to hawk pharmaceuticals or pwn crunchies.

Still, it is good to see that somebody gets why this is a big deal. From the article, Roger Thompson, CTO of Exploit Prevention Labs: "I think we're a bit lucky it's not shooting exploits."

Posted by gfleischer on 2007/11/27 at 14:21 in 0wned

