Authentication bypass / RCE on 300k live websites using mainwp-child < 3.4.5

A month ago I was performing a security audit of a web setup for a client and came across the mainwp-child plugin there. Looking at the code I noticed a quite “interesting” issue, namely an old good friend: a broken authentication mechanism that allows authentication bypass, which becomes RCE due to the nature of WordPress itself.

Short description

Looking at the patch applied to the plugin, https://github.com/mainwp/mainwp-child/commit/1b03e47300d1ee30776a63f4d526e45e1baef4e3#diff-b7c78d39c028166665d187e06e5058a7, you can notice that both ways of performing authentication were broken: there is improper usage of openssl_verify, and a comparison with === that is not time safe. Both cases are described by me here .

Code flow

From the mainwp-child code we have the following:

In the mainwp-child.php we have

$mainWPChild = new MainWP_Child( WP_PLUGIN_DIR . DIRECTORY_SEPARATOR . plugin_basename( __FILE__ ) );

and in the constructor of MainWP_Child there is the following:

add_action( 'init', array( &$this, 'check_login' ), 1 );

If we check the check_login method there is:

$auth = $this->auth( isset( $_POST['mainwpsignature'] ) ? rawurldecode( $_POST['mainwpsignature'] ) : '', isset( $_POST['function'] ) ? $_POST['function'] : rawurldecode( ( isset( $_REQUEST['where'] ) ? $_REQUEST['where'] : $file ) ), isset( $_POST['nonce'] ) ? $_POST['nonce'] : '', isset( $_POST['nossl'] ) ? $_POST['nossl'] : 0 );

and after that there is log-in functionality for $_POST["user"], guarded by if ($auth). But because in the auth method there is a chance that openssl_verify returns -1, or, in case openssl is not installed on the server, that mainwpsignature is disclosed through a side-channel attack, we come to the conclusion that if we know the administrative user of a WordPress instance running mainwp-child < 3.4.5, we have an authentication bypass and can take full control of the application under attack.
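To make the two defects concrete, here is an added illustration (not the plugin's own code, and the function names, the SHA-256 algorithm and the HMAC construction of the "nossl" fallback are assumptions for the example): the signature check that accepts openssl_verify()'s -1 error value beside the strict form, and the === comparison beside its constant-time replacement.

```php
<?php
// Added example, not mainwp-child code. Function names and the MAC scheme of the
// "nossl" path are assumptions made for illustration.

// openssl_verify() returns 1 (valid), 0 (invalid), -1 on an internal OpenSSL
// error and false when the key cannot be loaded. Anything but exactly 1 must be
// treated as failure: a plain truthiness test accepts -1 just like a valid signature.
function mainwp_auth_signature_weak( string $data, string $sig, string $pub_pem ): bool {
    return (bool) openssl_verify( $data, $sig, $pub_pem, OPENSSL_ALGO_SHA256 );
}
function mainwp_auth_signature_strict( string $data, string $sig, string $pub_pem ): bool {
    return openssl_verify( $data, $sig, $pub_pem, OPENSSL_ALGO_SHA256 ) === 1;
}

// "nossl" fallback (assumed form): the child recomputes a MAC over the request with
// the shared secret and compares it with the value the caller sent. `===` stops at
// the first differing byte, so response time leaks how much of a guess was right;
// hash_equals() takes the same time wherever the strings differ.
function mainwp_auth_nossl_weak( string $secret, string $data, string $supplied ): bool {
    return hash_hmac( 'sha256', $data, $secret ) === $supplied;
}
function mainwp_auth_nossl_strict( string $secret, string $data, string $supplied ): bool {
    return hash_equals( hash_hmac( 'sha256', $data, $secret ), $supplied );
}

// Constructed demonstration with a freshly generated key pair.
$key = openssl_pkey_new( [ 'private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA ] );
$pub = openssl_pkey_get_details( $key )['key'];
$request = 'function=stats&nonce=42';
openssl_sign( $request, $good_sig, $key, OPENSSL_ALGO_SHA256 );

// Valid signature: both checks agree. Tampered signature: the strict check always
// rejects; the weak check rejects only if OpenSSL happens to report 0 rather than -1.
var_dump( mainwp_auth_signature_strict( $request, $good_sig, $pub ) );
var_dump( mainwp_auth_signature_strict( $request, 'x' . $good_sig, $pub ) );
var_dump( mainwp_auth_signature_weak( $request, 'x' . $good_sig, $pub ) );

// The constant-time compare accepts exactly the same values as ===; only the
// timing behaviour changes, which is what removes the side channel.
$secret = 'constructed-shared-secret';
$mac = hash_hmac( 'sha256', $request, $secret );
var_dump( mainwp_auth_nossl_strict( $secret, $request, $mac ) );
var_dump( mainwp_auth_nossl_strict( $secret, $request, str_repeat( '0', 64 ) ) );
```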

Disclosure

I reached MainWP via their web site (they run their own HackerOne program), filed a report, and within a few days the patch was distributed to end users. Usually WordPress plugin developers are either unresponsive or get hit hard by the wp dot org plugins team with removal of their plugins, but this wasn’t the case with MainWP. Huge BRAVO for them, because their approach towards security could be a role model for how even bigger plugin vendors should take care of their customers.

Promo

If you are a WP developer, WP host provider or WP security product provider with a valuable list of clients, we offer a subscription list and we are exceptional (B2B only).
