Authentication bypass / RCE on 300k live websites using mainwp-child < 3.4.5
A month ago I was performing a security audit of a web setup for a client and I came across the mainwp-child plugin there. Looking at the code I noticed a quite “interesting” issue, i.e. I met an old good friend: a broken authentication mechanism that allows authentication bypass => RCE, due to the nature of WordPress itself.
According to the patch applied to the plugin, https://github.com/mainwp/mainwp-child/commit/1b03e47300d1ee30776a63f4d526e45e1baef4e3#diff-b7c78d39c028166665d187e06e5058a7, you can notice that both ways of performing authentication were broken, i.e. there is improper usage of openssl_verify and usage of the non-time-safe comparison ===. Both cases are described by me here.
From the mainwp-child code we have the following. In mainwp-child.php we have:
$mainWPChild = new MainWP_Child( WP_PLUGIN_DIR . DIRECTORY_SEPARATOR . plugin_basename( __FILE__ ) );
and in the constructor of MainWP_Child there is the following:
add_action( 'init', array( &$this, 'check_login' ), 1 );
If we check the check_login method there is:
$auth = $this->auth( isset( $_POST['mainwpsignature'] ) ? rawurldecode( $_POST['mainwpsignature'] ) : '', isset( $_POST['function'] ) ? $_POST['function'] : rawurldecode( ( isset( $_REQUEST['where'] ) ? $_REQUEST['where'] : $file ) ), isset( $_POST['nonce'] ) ? $_POST['nonce'] : '', isset( $_POST['nossl'] ) ? $_POST['nossl'] : 0 );
After that there is log-in functionality for $_POST["user"], guarded only by if ($auth). But in the auth method there is a chance for openssl_verify to return -1 (an error value, which a loose truthiness check treats like success), and in case openssl is not installed on the server, mainwpsignature can be disclosed by a timing side channel through the === comparison. So we reach the conclusion: if we know the administrative user of a WordPress instance that is using mainwp-child < 3.4.5, then we have an authentication bypass and can take full control of the application under attack.
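To make the two defects concrete, here is an added illustration in PHP (my own code, not the plugin's): each check in the loose form described above next to a hardened form, with a key pair, sample request body and shared secret constructed on the spot. Function and variable names are assumptions of this example.

```php
<?php
// Added illustration, not mainwp-child code. Names are made up for this example.

// openssl_verify() returns 1 (valid), 0 (invalid), or -1 / false on error
// (unusable key, unsupported algorithm, ...). A bare truthiness test
// accepts -1 exactly as it accepts 1.
function signature_ok_loose($rc): bool {
    return (bool) $rc;          // -1 is truthy
}
function signature_ok_strict($rc): bool {
    return $rc === 1;           // only the documented success value
}

// Fallback path without OpenSSL: a shared-secret check. `===` on strings
// stops at the first differing byte, so response time leaks how much of
// the expected value matched; hash_equals() compares in constant time.
function nossl_ok_loose(string $expected, string $given): bool {
    return $expected === $given;
}
function nossl_ok_strict(string $expected, string $given): bool {
    return hash_equals($expected, $given);
}

// Hardened wrapper for checking a request signature against a PEM public key.
function verify_request(string $data, string $sig, string $pubkey): bool {
    $rc = openssl_verify($data, $sig, $pubkey, OPENSSL_ALGO_SHA256);
    return signature_ok_strict($rc);
}

// Demo with a key pair generated here (constructed, not the plugin's keys).
$priv = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA,
                          'private_key_bits' => 2048]);
$pub  = openssl_pkey_get_details($priv)['key'];
$data = 'function=stats&nonce=12345';     // constructed sample request body
openssl_sign($data, $sig, $priv, OPENSSL_ALGO_SHA256);

var_dump(verify_request($data, $sig, $pub));          // genuine signature
var_dump(verify_request($data . 'x', $sig, $pub));    // tampered data

// The three documented openssl_verify() results through each comparator;
// only the strict one rejects the error value.
foreach ([1, 0, -1] as $rc) {
    printf("rc=%2d loose=%s strict=%s\n", $rc,
        var_export(signature_ok_loose($rc), true),
        var_export(signature_ok_strict($rc), true));
}

// Constant-time comparison for the no-OpenSSL fallback (constructed secret).
$expected = hash_hmac('sha256', $data, 'shared-secret-placeholder');
var_dump(nossl_ok_strict($expected, $expected));
```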
I reached MainWP via their web site; they run their own HackerOne program. I filled in a report and in a few days the patch was distributed to the end users. Usually, WordPress plugin developers are not responsive or are hit hard by the wp dot org plugins team with removal of their plugins, but this wasn’t the case with MainWP. Huge BRAVO for them, because their approach towards security could be a role model for how even bigger plugin vendors should take care of their customers.
If you are a WP developer, WP host provider or WP security product provider with a valuable list of clients, we offer a subscription list and we are exceptional (B2B only).