slavco
Apr 5 · 3 min read
Having king is the thing! Image taken from here

Disclosure of usernames doesn’t seem to be a big deal for WP, and it isn’t. What is a big deal these days, and will remain one, is disclosure of the emails behind accounts that are mission critical for a system, like the admin_email value. Why? With many data breaches exposing the emails and passwords (or hashed passwords) of millions of users, this matters, because humans are bad at entropy; checking passwords only against HIBP-like databases makes things even worse (the check needs to be done in a different way, because instead of protecting, it will cause harm). Those data breaches seem to have hit the WP ecosystem badly, which is explained in detail here, but there are some situations that can’t be explained:

We observed an interesting twist, though: sometimes email addresses on completely unrelated domains (like Gmail) were being used during login attempts. In this example, we observe bob@gmail.com and pony123456 being attempted on example.com. How did the hackers know to try it?

Also another interesting situation can be noticed here:

I recently changed an admin user email on a WordPress site that I manage. I used the same email address for the settings field within WP Admin. The new email address is completely unique and is not used anywhere else online.

Several hours after the changes were made, I received a series of spam emails.

Those situations can be explained via publicly accessible information like domain whois records, or with the following WP issue, which seems to be exploited in the wild and goes unidentified because of its nature.

Vulnerability

WordPress has done a lot to harden the handling of user credentials, in order to authenticate properly and to prevent permission escalation. Trying isn’t enough, though: we already know about a vulnerability that provides a perfectly stealthy backdoor (an exploit for many), based on a user_login glitch that exists because WP is a PHP/MySQL application. Now, if we look carefully at the register_new_user function and compare it with the wp_insert_user function (which it calls at the end), we will notice that the same checks are performed except one. That check concerns the length of the user_login value, which is constrained to 60 characters (if there were no check at all, a complete takeover from the subscriber user role would be in play). That leads us to the fact that if a user tries to register with an otherwise valid username longer than 60 characters, the following code fires, and firing this code means disclosure of the admin_email value to the “attacker”.

```php
// Excerpt from register_new_user() in wp-includes/user.php (WordPress core).
// wp_create_user() calls wp_insert_user(), which rejects a user_login longer
// than 60 characters with a WP_Error, so execution lands in the branch below.
$user_id   = wp_create_user( $sanitized_user_login, $user_pass, $user_email );
if ( ! $user_id || is_wp_error( $user_id ) ) {
	// The generic failure message embeds get_option( 'admin_email' ) and is
	// rendered to the anonymous visitor who submitted the registration form.
	$errors->add( 'registerfail', sprintf( __( '... <a href="mailto:%s">webmaster</a> !' ), get_option( 'admin_email' ) ) );
	return $errors;
}
```

The conclusion is: don’t use WordPress code like the one shown here, and this is mandatory for all of these plugins.

PoC

This PoC code is self-explanatory; just set up your WP with registration enabled and point the $url variable at it.

Important points to mention here:

  • Registration needs to be enabled.
  • If the registration goes through (you will receive a confirmation email), then that WP setup has bigger problems than the admin_email leak.
  • If the registration fails, the same applies.
  • A patched WP will redirect to wp-login.php?checkemail=registered and will show the “attacker” email instead.

Patch WordPress

To prevent your admin_email from leaking to visitors who try to register on your WP, simply installing and activating this plugin will do the job.
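As an added illustration of what such a patch has to do (this is example code written for this page, not the author’s plugin and not WordPress core), the must-use plugin below applies the same 60-character user_login limit that wp_insert_user enforces, but does so in the registration_errors filter, which register_new_user runs before it calls wp_create_user. A rejected login therefore never reaches the registerfail branch that embeds admin_email. The registration_errors filter and the register_post action are real WordPress hooks; the WEBSEC_ names and the wp-content/mu-plugins/ install path are assumptions.

```php
<?php
/**
 * Plugin Name: Block overlong registration logins (added example)
 *
 * Added example, not the author's plugin and not WordPress core code.
 * Install as wp-content/mu-plugins/websec-login-length.php (path assumed).
 *
 * register_new_user() runs 'register_post' and then 'registration_errors'
 * BEFORE wp_create_user(). Rejecting an overlong login here means the
 * 'registerfail' message that embeds get_option( 'admin_email' ) is never built.
 */

// 60 is the limit hard-coded in wp_insert_user(); the constant name is ours.
const WEBSEC_MAX_USER_LOGIN_LEN = 60;

/**
 * Pure check (no WordPress dependency) so it can be tested on its own.
 * Returns true when the login is within the length wp_insert_user() accepts.
 */
function websec_user_login_length_ok( $user_login ) {
	$len = function_exists( 'mb_strlen' ) ? mb_strlen( $user_login ) : strlen( $user_login );
	return $len <= WEBSEC_MAX_USER_LOGIN_LEN;
}

if ( function_exists( 'add_filter' ) ) {
	// Reject the login with the same code and wording wp_insert_user() uses,
	// minus the admin_email that the later 'registerfail' branch would leak.
	add_filter(
		'registration_errors',
		function ( $errors, $sanitized_user_login, $user_email ) {
			if ( ! websec_user_login_length_ok( $sanitized_user_login ) ) {
				$errors->add(
					'user_login_too_long',
					__( 'Username may not be longer than 60 characters.' )
				);
			}
			return $errors;
		},
		10,
		3
	);

	// Visibility: overlong logins on the registration form are otherwise
	// silent in the WP admin UI, so record them in the PHP error log.
	add_action(
		'register_post',
		function ( $sanitized_user_login ) {
			if ( ! websec_user_login_length_ok( $sanitized_user_login ) ) {
				error_log( sprintf(
					'websec: overlong user_login (%d chars) on registration form from %s',
					strlen( $sanitized_user_login ),
					isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
				) );
			}
		},
		10,
		1
	);
}
```

The length check is deliberately a standalone function: outside WordPress you can call websec_user_login_length_ok( str_repeat( 'a', 61 ) ) and expect false, and inside WordPress the hook simply reuses it. Keeping the rejected code equal to user_login_too_long means the visitor sees exactly the message a 60-character-aware install would show, with nothing about the site owner in it.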

Attack surface

  • Because of the enormous data leaks (even if only the password is checked against those), getting the right admin_email will do the job, thanks to the amplification attack (multicall) in WordPress XML-RPC, e.g. 30k probes per request ;-)
  • Sending malware to admin_email in order to compromise the device used for reading email.
  • Phishing attacks toward admin_email (WP 5.2 introduces a new admin_email “shock” in the form of WSOD).
  • If somehow the >60-character registration goes through, the attacker will be “informed” by email, and because of this it most probably means a complete takeover of that WordPress installation!!!
  • Shady marketers collect emails for quite targeted marketing (huge value here).
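The first item above pairs a leaked admin_email with XML-RPC’s system.multicall, which lets a single HTTP request carry many login attempts. As an added defensive example (written for this page, not code from the author or from WordPress), the must-use plugin below removes system.multicall from the exposed method table so every credential probe costs its own request and its own access-log line, optionally disables XML-RPC authentication entirely, and logs XML-RPC login failures. The xmlrpc_methods, xmlrpc_enabled and xmlrpc_login_error hooks are real WordPress hooks; the WEBSEC_ names, the install path and the assumption that no client of yours needs XML-RPC are ours.

```php
<?php
/**
 * Plugin Name: Limit XML-RPC credential probing (added example)
 *
 * Added example, not code from the post and not WordPress core.
 * Install as wp-content/mu-plugins/websec-xmlrpc.php (path assumed).
 *
 * Options, from least to most intrusive:
 *   1. keep XML-RPC but drop system.multicall, so one request = one probe;
 *   2. set WEBSEC_DISABLE_XMLRPC to true to refuse XML-RPC authentication
 *      altogether, only when nothing (Jetpack, the mobile app, remote
 *      publishing) relies on it. Verify that assumption before enabling.
 */

const WEBSEC_DISABLE_XMLRPC = false;

/**
 * Pure helper: strip multicall from the XML-RPC method map.
 * Testable without WordPress, e.g. websec_strip_multicall( array( 'system.multicall' => 'x', 'wp.getUsersBlogs' => 'y' ) )
 * returns only the 'wp.getUsersBlogs' entry.
 */
function websec_strip_multicall( array $methods ) {
	unset( $methods['system.multicall'] );
	return $methods;
}

if ( function_exists( 'add_filter' ) ) {
	// 'xmlrpc_methods' filters the method table wp_xmlrpc_server exposes.
	add_filter( 'xmlrpc_methods', 'websec_strip_multicall' );

	if ( WEBSEC_DISABLE_XMLRPC ) {
		// With 'xmlrpc_enabled' returning false (WP 3.5+), every authenticated
		// XML-RPC method fails before credentials are checked against the database.
		add_filter( 'xmlrpc_enabled', '__return_false' );
	}

	// Visibility: wp_xmlrpc_server::login() fires 'xmlrpc_login_error' on each
	// failed login with the IXR_Error it will return and the WP_Error from
	// wp_authenticate(). Record the source so a burst of failures stands out.
	add_action(
		'xmlrpc_login_error',
		function ( $error, $user ) {
			$code = ( $user instanceof WP_Error ) ? $user->get_error_code() : 'unknown';
			error_log( sprintf(
				'websec: xmlrpc login failure (%s) from %s',
				$code,
				isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
			) );
		},
		10,
		2
	);
}
```

Removing system.multicall is the low-risk default: legitimate XML-RPC clients rarely depend on it, while it is the mechanism that turns one request into thousands of password checks. Disabling XML-RPC outright is the stronger setting, but it breaks any integration that still uses the endpoint, which is why it sits behind a constant that defaults to off.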

King Julien

We have him, we love him, we shake hands with him and he rulez! ❤
Off topic: please count your fingers after you shake hands with him.

Promo

If you are a WP developer, a WP hosting provider or a WP security product provider with a valuable list of clients, we offer a subscription list and we are exceptional (B2B only).

websec

Attack sources + web application security
