SecurityReason - Wordpress user_login Column SQL Truncation Vulnerability

Advisory Text :

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SektionEins GmbH
www.sektioneins.de

-= Security Advisory =-

Advisory: Wordpress user_login Column SQL Truncation Vulnerability
Release Date: 2008/09/12
Last Modified: 2008/09/12
Author: Stefan Esser [stefan.esser[at]sektioneins.de]

Application: Wordpress <= 2.6.1
Severity: MySQL column truncation allows resetting the passwords of
wordpress users to random strings. Combined with weaknesses
in PHP\'s PRNG this allows determining the admin password.
Risk: High
Vendor Status: Vendor has released Wordpress 2.6.2 which fixes this issue
Reference: http://www.sektioneins.de/advisories/SE-2008-05.txt

http://www.suspekt.org/2008/08/18/mysql-and-sql-column-truncation-vulner
abilities/

http://www.suspekt.org/2008/08/17/mt_srand-and-not-so-random-numbers/

Overview:

Quote from http://www.wordpress.org
"WordPress is a state-of-the-art publishing platform with a focus
on aesthetics, web standards, and usability. WordPress is both
free and priceless at the same time."

During research on MySQL Column Truncation Vulnerabilities it was
discovered that the user registration system of Wordpress is not
protected against this kind of attack. Further research then
discovered that this vulnerability can be used to reset the passwords
of users to a random string when user registration is activated
in the blog.

In addition to this it was discovered that Wordpress uses mt_rand()
to create passwords and reset tokens, which is not secure enough
for cryptographic secrets. The use of mt_rand() allows predicting
the randomly generated passwords when the PRNG is freshly seeded
and output of the PRNG is leaked to the user.

Combined this means on servers reusing PHP processes for multiple
requests (mod_php, fastcgi) it is possible to determine the internal
generated random tokens and passwords, which might lead to a blog
(and maybe server) compromise.

Details:

The term SQL column truncation vulnerability and the problems that
might arise from this kind of vulnerability is explained in the
blog post "mysql and sql column truncation vulnerabilities" which is
available here:

http://www.suspekt.org/2008/08/18/mysql-and-sql-column-truncation-vulner
abilities/

The problems arising from using mt_(s)rand for cryptographic secrets
and possible attacks against PHP\'s PRNG and PHP applications using it
are explained by the blog post "mt_(s)rand and not so random numbers"
which is available here:

http://www.suspekt.org/2008/08/17/mt_srand-and-not-so-random-numbers/

In Wordpress the situation is that when open registration is activated
an attacker can register the username \'admin\' + 55 times \' \' + \'x\'
to
register a new user that will end up as \'admin\' + 55 times \' \' in
the
database.

Because of the relaxation on string comparison that ignores trailing
whitespace characters this might disturb how Wordpress uses the user
table. An analysis revealed that a problem occurs in the password
reset. It is however possible that other areas of Wordpress can also
be exploited through the same vector.

When the password reset is triggered with the email address of the fake
admin Wordpress will generate a random password reset token, will write
it into the database as current password reset token for the fake admin
AND ALSO for the real admin. The password reset token is then sent to
the fake admin.

When the password reset token is used Wordpress will reset the password
of the first user that token is valid for, which is the real admin
user.
It will auto generate a random password and send it to the real admin.
At this point the real admin has his password changed to something
random that is only known to the email he gets until he reads it.

Using a fresh PHP process for the password reset in combination with the
Keep-Alive attack that is described in the previously mentioned blog
posting, it is however possible for an attacker to lookup the 32 bit
seed
used for seeding the random number generator and determine the randomly
generated password for it.

The seed lookup can be performed by a pre-generated table that is around
60 GB in size, which takes a day to generate (depending on your
hardware)
but allows resetting admin passwords in seconds.

Wordpress has fixed these vulnerabilities by consolidating space
characters
in the user name prior to registration and by changing from plain
mt_rand()
usage to some better random number generator that is not easily
predicted
from the outside.

Proof of Concept:

SektionEins GmbH is not going to release a proof of concept
exploit for this vulnerability.

Disclosure Timeline:

17. Aug 2008 - Sent notification to Wordpress about the vulnerability
21. Aug 2008 - Received confirmation that notification was received but
waited in the spam folder for manual review
22. Aug 2008 - Notification that the column truncation is now fixed in
SVN
and that discussion how to fix the mt_rand() problem is
running
22. Aug 2008 - Sent recommendation how to fix the mt_rand() issue as
PHP pseudo code
25. Aug 2008 - Received and commented about PHP code to fix the issue
27. Aug 2008 - Notification that the mt_rand() problem is now fixed in
SVN
30. Aug 2008 - Discussion about a possible release date that allows
fixing
some other problems contained in Wordpress 2.6.1
09. Sep 2008 - The Wordpress Development Team releases Wordpress 2.6.2
early in response to a description of a possible attack
that
appeared on milw0rm and was most probably reversed from
the SVN commits
12. Sep 2008 - Public Disclosure

Recommendation:

It is recommended to upgrade to the latest version of Wordpress
which might also fixes additional vulnerabilities or bugs reported
by third parties,

Grab your copy at:

http://www.wordpress.org

CVE Information:

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
not assigned a name to this vulnerability yet.

GPG-Key:

pub 1024D/15ABDA78 2004-10-17 Stefan Esser <stefan.esser (at) sektioneins
(dot) de [email concealed]>
Key fingerprint = 7806 58C8 CFA8 CE4A 1C2C 57DD 4AE1 795E 15AB DA78

Copyright 2008 SektionEins GmbH. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)

iEYEARECAAYFAkjJzEAACgkQSuF5XhWr2nhllwCfRBe4vOtgbb494BvUJcPh/IZV
vHMAn3FxK5bbd7I3v69Vc+t4LcgaVWvQ
=TCpu
-----END PGP SIGNATURE-----