A few security issues to takeover 34% of all websites Johannes - - PowerPoint PPT Presentation

▶

Aug 14, 2023 259 likes •643 views

A few security issues to takeover 34% of all websites Johannes Dahse, PHP.RUHR 2019 Dortmund, Germany, 08.11.2019 1 Intro Johannes Dahse Former CTF addict Security Consultant RIPS open source, static analysis for PHP security Ph.D. Static

SLIDE 1

A few security issues

to takeover 34% of all websites

Johannes Dahse, PHP.RUHR 2019 Dortmund, Germany, 08.11.2019

SLIDE 2

Intro

Johannes Dahse Former CTF addict Security Consultant RIPS open source, static analysis for PHP security Ph.D. Static Code Analysis @ Ruhr-University Bochum Co-Founder RIPS Technologies GmbH (since 2016)

SLIDE 3

SLIDE 4

Why WordPress?

500 KLOC PHP (+55.000 plugins) WordPress is used by 34.5% of the top 1M websites WordPress has a CMS market share of 61.2% ~240M unique domains = ~80M WordPress sites ~40M hosted on wordpress.com whitehouse.gov, Bloomberg, NBC, CNN, BBC, NYTimes

RoR Python

Usage of content management systems, W3Techs

SLIDE 5

Roadmap

Pre-Auth Exploit authenticated functionality

SLIDE 6

CVE-2019-9787 WordPress < 5.1.1 CSRF to Stored XSS

SLIDE 7

Cross-Site Request Forgery (CSRF)

Comment via CSRF is a feature for trackbacks and pingbacks, but most HTML tags and attributes are stripped

SLIDE 8

Cross-Site Request Forgery (CSRF)

attacker.com

SLIDE 9

XSS filter bypass

SLIDE 10

XSS filter bypass

SLIDE 11

XSS filter bypass

SLIDE 12

Regular comment (filter_kses)

Exploit

SLIDE 13

Regular comment (filter_kses)

Exploit

mysuperblog.com

SLIDE 14

Regular comment (filter_kses) Admin comment via CSRF (filter_post_kses)

Exploit

mysuperblog.com

SLIDE 15

Roadmap

Pre-Auth Exploit authenticated functionality

SLIDE 16

CVE-2018-12895 WordPress < 4.9.7 File Delete to RCE

SLIDE 17

Second-Order File Delete

SLIDE 18

Second-Order File Delete

SLIDE 19

Video: https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/

SLIDE 20

Roadmap

Pre-Auth Exploit authenticated functionality

SLIDE 21

CVE-2019-8942 CVE-2019-8943 WordPress < 5.0.1 PT & LFI to RCE

SLIDE 22

Modify Post Meta Data

_wp_attached_file

SLIDE 23

Modify Post Meta Data

_wp_attached_file

_wp_page_template: Loads template file from /template/ dir No way to upload malicious template file

SLIDE 24

Image Crop

Look for file in uploads/ directory Or try to fetch file via HTTP

SLIDE 25

File Resolving

SLIDE 26

File Resolving

evil.jpg?/../../template/evil.jpg

SLIDE 27

Modify Post Meta Data

File Inclusion

SLIDE 28

evil.jpg

include('templates/evil.jpg');

SLIDE 29

Video: https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/

SLIDE 30

Bonus: CVE-2019-6977 PHP GD Extension Buffer Overflow

Imagick does not crop image exif meta data, GD does strip exif meta data when cropping

SLIDE 31

Roadmap

Pre-Auth Exploit authenticated functionality

SLIDE 32

WP Plugins Advent Calendar

SLIDE 33

WordPress Security Advent Calendar

Critical bugs in 16 most-used plugins 21 million total active installations 8x WooCommerce (4M active installs)

SLIDE 34

WordPress.org Stored XSS Worm

SLIDE 35

Plugin Repository

SVN WP Plugin

SLIDE 36

Stored XSS

→ XSS worm can add a new user as committer to this plugin, who then infects the version again, and adds a backdoor to the plugin <script>worm()</script>

SLIDE 37

Thank you!

blog.ripstech.com Advent calendar 2019 announced soon!

johannes@ripstech.com / @FluxReiners