slavco
Sep 15, 2017 · 3 min read

This summer I decided to start a security project: endpoint security that implements a new strategy for protecting online services. I also decided to build the PoC for WordPress, a decision made after exploring the security plugins in the WordPress repository. During that exploration I stumbled upon VaultPress, whose description says:

With VaultPress you’re protected against hackers, malware, accidental damage, and host outages.

My reaction was: challenge accepted, and I started to audit the code on an incomplete installation on my localhost. Below I go step by step through what happened and how the plugin's code guided me towards this RCE :)

Follow the code

  1. If the GET variable vaultpress is set, then after input preparation you are guided towards $vaultpress->parse_request( null );
  2. In parse_request we have the following:
    - In order to continue, the vaultpress parameter must be set to the string true.
    - If the action GET parameter is set and its value is exec, then the POST variable code will be eval-ed as PHP.
    - To get there you need to pass through $this->validate_api_signature()
  3. In the validate_api_signature method you need:
    - to bypass the firewall if it is enabled
    - to supply a valid signature for your HTTP payload, which is verified by the methods implemented there. There are 2 methods: signing via the openssl PHP extension and hash_hmac signing. Yup, both implementations were vulnerable => we have a working RCE against a VaultPress-protected WP instance.

Openssl verification

The code for verification was the following:

    if ( openssl_verify( serialize( array( 'uri' => $uri, 'post' => $post ) ),
                         base64_decode( $sslsig ),
                         $this->get_option( 'public_key' ) ) ) {
        return true;
    }

This means that $sslsig is user supplied and openssl_verify is expected to return TRUE / !0 or FALSE / 0, but if we check the PHP documentation for the openssl_verify function we notice that:

Returns 1 if the signature is correct, 0 if it is incorrect, and -1 on error.

But we all know that the output of the code <?php if (-1) {echo "Hello";} will be Hello. From this we reach the conclusion: if we are able to cause an openssl error inside openssl_verify via the signed message, then we can salute our RCE. Let us check the source of the openssl_verify PHP function. There we can notice that all you need is to provide a signature that is valid for a public key of a different type in order to cause an error in openssl_verify. Now we have our RCE payload :)
To test this guide and cause the error (i.e. make openssl_verify return -1), please check the demo files on the H1 report.

=== verification of the signatures

It seems that side-channel timing attack vectors are known to the WordPress security team and developers; we can draw this conclusion from the WP core code, but in our VaultPress case hash_equals was forgotten, the same as in the WooCommerce Simplify Commerce gateway. In this blog post I won't show real-world exploitation of these issues, but these attacks are more than effective and are low cost compared to the value attackers would gain by applying them against non-updated VaultPress and WooCommerce WP instances.

Fixing the flaws and their public disclosure

The fixes were quite simple. In the openssl_verify case, if ( 1 === openssl_verify(… was the fix (version 1.9), and in the === verification case hash_equals was used with the user input as the second argument (version 1.9.1). All 3 of these fixes were pushed silently by the team, and the fixes were obvious. This behavior and the "silent" fixes (visible only to plugin users, not to security analysts) lead us to the questions:
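The two checks discussed above, vulnerable and fixed side by side, as an added PHP example (not VaultPress's own code; the function names, the freshly generated key and the sample request are assumptions made for the demo):

```php
<?php
// Added example, not VaultPress code. Shows why "if (openssl_verify(...))" is
// unsafe (-1 on error is truthy) and what the strict "1 ===" fix changes, plus
// the hash_equals() replacement for a plain === / == comparison of HMACs.

// Vulnerable pattern: any non-zero return, including -1 (error), is accepted.
function verify_vulnerable(string $uri, array $post, string $sslsig, string $publicKey): bool {
    $data = serialize(array('uri' => $uri, 'post' => $post));
    if (openssl_verify($data, base64_decode($sslsig), $publicKey)) {
        return true;   // reached for 1 (valid) AND for -1 (error)
    }
    return false;
}

// Fixed pattern (VaultPress 1.9): only the exact success value 1 passes.
function verify_fixed(string $uri, array $post, string $sslsig, string $publicKey): bool {
    $data = serialize(array('uri' => $uri, 'post' => $post));
    return 1 === openssl_verify($data, base64_decode($sslsig), $publicKey);
}

// HMAC comparison: == / === stop at the first differing byte (timing leak);
// hash_equals() compares in constant time. Known-good value goes first,
// the user-supplied value second.
function hmac_check_vulnerable(string $expected, string $supplied): bool {
    return $expected == $supplied;
}
function hmac_check_fixed(string $expected, string $supplied): bool {
    return hash_equals($expected, $supplied);
}

// Self-check with a throwaway RSA key and a constructed request.
$key = openssl_pkey_new(array('private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA));
$pub = openssl_pkey_get_details($key)['key'];
$post = array('code' => 'sample');              // constructed, mirrors the $post shape in the plugin
openssl_sign(serialize(array('uri' => '/', 'post' => $post)), $sig, $key);
$sslsig = base64_encode($sig);

var_dump((bool) -1);                            // how PHP treats -1 in a boolean context
var_dump(verify_fixed('/', $post, $sslsig, $pub));                   // genuine signature
var_dump(verify_fixed('/', array('code' => 'other'), $sslsig, $pub)); // tampered body
var_dump(hmac_check_fixed(hash_hmac('sha1', 'msg', 'k'), hash_hmac('sha1', 'msg', 'k')));
```

Feeding a signature that makes openssl_verify raise an internal error (the -1 case the post refers to) is left to the H1 demo files; the point here is that verify_vulnerable treats that -1 as success while verify_fixed does not.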

  1. Do you think that your customers check the code changes of the plugin you silently patch?
  2. Will your users upgrade their plugins right away on their production server if the update is a bugfix, an improvement or a new feature?
  3. Do you think that security researchers learn about fixed security issues in open source projects only from security announcements?

These 3 questions lead us to the final question: will Open Source project users update faster if you quietly push a security fix or if you announce it?

Promo

If you are a WP developer, WP host provider or WP security product provider with a valuable list of clients, we offer a subscription list and we are exceptional (B2B only).

websec

Attack sources + web application security
