The WordPress Megahack That Wasn't!

Discussion in 'BlackHat Lounge' started by The Scarlet Pimp, Nov 26, 2016.

    Since 2013, WordPress has been updating itself, which is a good thing.

    Unless, that is, somebody hacks the update server.

    And that’s exactly where the WordPress security outfit WordFence found a vulnerability that could have led to the megahacking of 27% of the entire WWW.

    The remote code execution flaw, since fixed, was found in an open-source PHP webhook within the update server,

    The webhook lets WordPress developers sync their code to the code repository, enabling them to use GitHub as their main source code repository, WordFence explained:

    When they commit a change to GitHub it will reach out and hit a URL on which then triggers a process on that brings down the latest code that was just added to GitHub.

    The problem with this particular webhook was that it let developers supply their own hashing algorithm to verify that code updates are legitimate. It didn’t matter whether it was GitHub or an attacker hitting the webhook: either could feed in the hashing algorithm used to verify the message authenticity.

    Given a weak enough hashing algorithm, attackers could brute-force attack the webhook with a number of guesses that wouldn’t trigger WordPress’s security systems.

    WordFence managed to come up with an algorithm that reduced the number of guesses from 400,000 to only 100,000 guesses, with randomly generated keys, at the hash value of the shared secret key. That guessing would only take a few hours.

    With the door successfully battered down, attackers could then send URLs to the WordPress update servers, which would then push them out to all WordPress sites.

    And that’s a hell of a lot of sites. WordPress is the most popular Content Management System (CMS) on the web, by far: according to Web-watching service, it’s running about 27% of all websites.

    Matt Barry, the lead WordFence developer who discovered the bug, disclosed it to the WordPress team via HackerOne, and was awarded a bounty for his report:

    By compromising, an attacker could conceivably compromise more than a quarter of the websites worldwide in one stroke.

    None of this is an argument against auto-updates, mind you. They’re vital, given that people aren’t good at updating their CMS. Even if they do update them, they likely don’t update them quickly enough when a problem occurs.

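The weakness the post describes, as an added example that is not part of the original post and not Wordfence's or WordPress's code: a GitHub-style webhook that reads the HMAC algorithm name out of the signature header, so the caller can downgrade the check from sha256 to adler32, shown next to a hardened check that pins the algorithm. The verifier names, the shared secret, the JSON payload and the 4-byte block size used for adler32 in the HMAC construction are all assumptions made for this demo (the block size is what reduces a long secret to its 4-byte checksum before padding, which is what makes the resulting tag space so small).

```python
"""Toy webhook signature check with an attacker-selectable hash algorithm.

Added example, not Wordfence's or WordPress's code. The secret, payload,
function names and the adler32 block size below are assumptions for the demo.
"""
import hashlib
import hmac
import random
import struct
import zlib

# Block sizes for the RFC 2104 HMAC construction. 64 is sha256's real block
# size; 4 for adler32 is an assumption for this demo: a secret longer than
# that is first reduced to its 4-byte checksum, so both HMAC passes run over
# a handful of bytes and the tag can take only a tiny number of values.
BLOCK_SIZE = {"sha256": 64, "adler32": 4}

# Constructed demo inputs (not real values from the incident).
SECRET = b"constructed-demo-shared-secret-not-real"
PAYLOAD = b'{"ref":"refs/heads/master","repository":{"name":"example-plugin"}}'


def digest(algo, data):
    """Raw digest for the two algorithms this demo supports."""
    if algo == "sha256":
        return hashlib.sha256(data).digest()
    if algo == "adler32":
        # 32-bit checksum packed big-endian, so it looks like a 4-byte "hash".
        return struct.pack(">I", zlib.adler32(data) & 0xFFFFFFFF)
    raise ValueError("unsupported algorithm: %r" % algo)


def generic_hmac(algo, key, msg):
    """RFC 2104 HMAC over an arbitrary digest: the construction is fine, the
    problem is letting the client pick a checksum as the digest."""
    bs = BLOCK_SIZE[algo]
    if len(key) > bs:
        key = digest(algo, key)
    key = key.ljust(bs, b"\x00")
    ipad = bytes(k ^ 0x36 for k in key)
    opad = bytes(k ^ 0x5C for k in key)
    return digest(algo, opad + digest(algo, ipad + msg))


def verify_vulnerable(secret, payload, signature_header):
    """Vulnerable: trusts the algorithm named in the header ("algo=<hex>"),
    so an attacker can downgrade to adler32 and then guess the tag."""
    algo, _, hexsig = signature_header.partition("=")
    expected = generic_hmac(algo, secret, payload).hex()
    return hmac.compare_digest(expected, hexsig)


def verify_hardened(secret, payload, signature_header):
    """Hardened: the algorithm is pinned server-side, the header only carries
    the tag, and any other algorithm name is rejected before hashing."""
    algo, _, hexsig = signature_header.partition("=")
    if algo != "sha256":
        return False
    expected = hmac.new(secret, payload, "sha256").hexdigest()
    return hmac.compare_digest(expected, hexsig)


def adler32_tag_bound(n_bytes):
    """Upper bound on distinct adler32 outputs for an input of n_bytes bytes:
    a = 1 + sum(bytes) and b = sum of the running a values, so
    a <= 1 + 255*n and b <= n + 255*n*(n+1)/2 (no modular wrap for n <= 22).
    With a 4-byte padded key and a 4-byte inner tag the outer input is 8 bytes."""
    max_a = 1 + 255 * n_bytes
    max_b = n_bytes + 255 * n_bytes * (n_bytes + 1) // 2
    return max_a * max_b


def distinct_tags(algo, payload, samples, seed=1):
    """Count distinct tags produced by `samples` random 32-byte secrets for one
    fixed payload. Collisions mean a guessing attacker has far fewer tags to
    try than there are secrets; sha256 produces no collisions at this scale."""
    rng = random.Random(seed)
    tags = {generic_hmac(algo, rng.randbytes(32), payload) for _ in range(samples)}
    return len(tags)


if __name__ == "__main__":
    tag = generic_hmac("adler32", SECRET, PAYLOAD).hex()
    print("downgraded header accepted by vulnerable check:",
          verify_vulnerable(SECRET, PAYLOAD, "adler32=" + tag))
    print("same header rejected by hardened check:",
          not verify_hardened(SECRET, PAYLOAD, "adler32=" + tag))
    print("adler32 HMAC tag space is at most", adler32_tag_bound(8),
          "values, versus 2**256 for sha256")
    n = 60000
    for algo in ("sha256", "adler32"):
        print(algo, "distinct tags from", n, "random secrets:",
              distinct_tags(algo, PAYLOAD, n))
```

The bound function only caps the tag space for this toy model; the 100,000 to 400,000 figure in the post is Wordfence's measurement of the real webhook and is not reproduced here. The fix is the same in either case: the server decides the algorithm, ignores any algorithm name the client sends, and compares tags in constant time.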