Dailydave mailing list archives
Re: Pwnpress: the blog guerrilla is cumming
From: "Lance M. Havok" <lmh () info-pull com>
Date: Wed, 12 Sep 2007 21:51:57 +0200
Amusing.
From the securosis.com post (argh, a blog!) by our very own Rich "Too Concerned" Mogull neighbor... this comment is just plain hilarious:

<quote>
cutaway Sep 12
Moving the xmlrpc.php file should work for a temp fix until it can be upgraded. I believe that this will disable adding posts and possibly other features. But at least your content can stay up until time is available for updating. If I am wrong, please let me know.
Thank you,
Cutaway
</quote>

Alright ladies, my fellow Jesus H. Christ could explain it himself, but I believe it's beneficial to say that the affirmation by the security professional "Cutaway" is just simply wrong. Without any animosity... (I remember, this was one of the passengers of the widely renowned Icer's Bang Bus, on its way to "LMH Outtaland, where anonymous security posers get outed for the buck", although I could be wrong since it's fairly difficult to remember the names and marketing motto(s) of all these random professional bloggers.)

The problem is not in xmlrpc.php; you are just trying to solve the (public) exploit, not the flaw itself. While this is a daily musing for IDS vendors and fans of the signature-based detection crowd (ALERT ALERT "\x41\x41\x41\x41..."), it's kinda whack coming from a recognized security pro. I mean, come on, this dude is freaking securing Fortune 500 and what not. Serious business there. CISSP, GIAC. Like Myers, just better.
From xmlrpc.php (2.2.2) pingback function:

    $post_ID = url_to_postid($url);
    if (!$post_ID) {
        (...)
    }

url_to_postid() comes from rewrite.php (wp-includes):

    // examine a url (supposedly from this blog) and try to
    // determine the post ID it represents.
    function url_to_postid($url) {
        global $wp_rewrite;

        $url = apply_filters('url_to_postid', $url);

        // First, check to see if there is a 'p=N' or 'page_id=N' to match against
        preg_match('#[?&](p|page_id)=(\d+)#', $url, $values);
        $id = intval($values[2]);
        if ( $id )
            return $id;

The problem there is that it fails to properly sanitize input (how surprising! OMG it's PHP!), and this can be abused when rewrite-style (ex. http://www.cutawaysecurity.com/blog/archives/167/trackback) permalinks are enabled. Buried in the function is a call to WP_Query(), which leads to magic, and magic leads to anger, and anger leads to user credentials outing.

    if ( preg_match("!^$match!", $request_match, $matches) ) {
        // Got a match.

        // Trim the query of everything up to the '?'.
        $query = preg_replace("!^.+\?!", '', $query);

        // Substitute the substring matches into the query.
        eval("\$query = \"$query\";");
        $query = new WP_Query($query);
        if ( $query->is_single || $query->is_page )
            return $query->post->ID;
        else
            return 0;
    }

One (female) lap dance to the first CISSP who finds the cookie in the code above. Trim trim, dun dun... xmlrpc.php is just a code path to trigger this issue (check the pingback function).

My recommendation is to execute the following commands in a shell with write privileges for the WordPress installation directory:

    $ rm -rf wordpress

If that doesn't work, in order to troubleshoot all your security woes and also prevent others from wasting their time reading your rants or click-revenue-powered Google Ads:

    # rm -rf /

Revenge is definitely a dish to be served cold. Now the question: when did the US Marine Corps stop requiring its recruits to have less than 13% bodyfat? The answer, only the Bush administration knows. Sigh, another day serving. God loves America, and me too.
Have a good one!

PS: Myers, are you coming home tonight?

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
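The point of the post above is that the flaw sits in url_to_postid(), where captures taken from a caller-supplied URL are substituted into the rewrite target and handed to WP_Query() without sanitisation, so relocating xmlrpc.php only closes one entry point. The PHP below is an added example and not WordPress code: it models that substitution step with the eval() form quoted in the post beside a form that substitutes without eval() and validates the resulting parameters; the rewrite rule, the request paths and the allow-list of parameters are constructed for the example.

```php
<?php
// Added example (not WordPress code). Models the substitution step of
// url_to_postid(): a rewrite rule maps a regex to a query template such as
// "index.php?name=$matches[1]", and captures from the request path fill it in.

// As quoted in the post: the template is interpolated inside a double-quoted
// string and passed to eval(); the substituted captures, taken straight from
// the caller-supplied URL, are then handed on to WP_Query() unsanitised.
function build_query_eval(string $template, array $matches): string {
    $query = preg_replace('!^.+\?!', '', $template);
    eval("\$query = \"$query\";");   // URL-derived captures reach the query as-is
    return $query;
}

// Hardened form: replace the $matches[N] tokens with plain string substitution
// (no eval), then parse the result and keep only known parameters whose values
// match an expected shape, so anything else never reaches the database layer.
function build_query_safe(string $template, array $matches): ?array {
    $allowed = ['p' => '/^\d+$/', 'page_id' => '/^\d+$/', 'name' => '/^[a-z0-9-]+$/i'];
    $query = preg_replace('!^.+\?!', '', $template);
    $query = preg_replace_callback(
        '/\$matches\[(\d+)\]/',
        fn(array $m): string => $matches[(int) $m[1]] ?? '',
        $query
    );
    parse_str($query, $params);
    foreach ($params as $key => $value) {
        if (!isset($allowed[$key]) || !is_string($value) || !preg_match($allowed[$key], $value)) {
            return null;   // reject the whole request rather than pass junk on
        }
    }
    return $params;
}

// Constructed rewrite rule and request paths (not taken from the post).
$rule     = '#^archives/([^/]+)/trackback/?$#';
$template = 'index.php?name=$matches[1]';

foreach (['archives/hello-world/trackback', "archives/hello'world/trackback"] as $path) {
    preg_match($rule, $path, $matches);
    $raw  = build_query_eval($template, $matches);   // quote passes through untouched
    $safe = build_query_safe($template, $matches);   // second path is rejected
    printf("%-32s eval-built: %-22s hardened: %s\n",
        $path, $raw, $safe === null ? 'rejected' : http_build_query($safe));
}
```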
Current thread:
- Pwnpress: the blog guerrilla is cumming Michael Myers (Sep 12)
- Re: Pwnpress: the blog guerrilla is cumming Lance M. Havok (Sep 12)