Advisory 05/2008: Wordpress user_login Column SQL Truncation Vulnerability

                          SektionEins GmbH
                         www.sektioneins.de

                      -= Security  Advisory =-

     Advisory: Wordpress user_login Column SQL Truncation Vulnerability
 Release Date: 2008/09/12
Last Modified: 2008/09/12
       Author: Stefan Esser [stefan.esser[at]sektioneins.de]

  Application: Wordpress <= 2.6.1
     Severity: MySQL column truncation allows resetting the passwords of
               wordpress users to random strings. Combined with weaknesses
               in PHP's PRNG this allows determining the admin password.
         Risk: High
Vendor Status: Vendor has released Wordpress 2.6.2 which fixes this issue
    Reference: http://www.sektioneins.de/advisories/advisory-052008-wordpress-user_login-column-sql-truncation-vulnerability.html
               http://www.suspekt.org/2008/08/18/mysql-and-sql-column-truncation-vulnerabilities/
               http://www.suspekt.org/2008/08/17/mt_srand-and-not-so-random-numbers/

Overview:

   Quote from http://www.wordpress.org
   "WordPress is a state-of-the-art publishing platform with a focus
    on aesthetics, web standards, and usability. WordPress is both
    free and priceless at the same time."

   During research on MySQL Column Truncation Vulnerabilities it was
   discovered that the user registration system of Wordpress is not
   protected against this kind of attack. Further research then
   discovered that this vulnerability can be used to reset the passwords
   of users to a random string when user registration is activated
   in the blog.

   In addition to this it was discovered that Wordpress uses mt_rand()
   to create passwords and reset tokens, which is not secure enough
   for cryptographic secrets. The use of mt_rand() allows predicting
   the randomly generated passwords when the PRNG is freshly seeded
   and output of the PRNG is leaked to the user.

   Combined this means on servers reusing PHP processes for multiple
   requests (mod_php, fastcgi) it is possible to determine the internal
   generated random tokens and passwords, which might lead to a blog
   (and maybe server) compromise.

Details:

   The term SQL column truncation vulnerability and the problems that
   might arise from this kind of vulnerability is explained in the
   blog post "mysql and sql column truncation vulnerabilities" which is
   available here:

   http://www.suspekt.org/2008/08/18/mysql-and-sql-column-truncation-vulnerabilities/

   The problems arising from using mt_(s)rand for cryptographic secrets
   and possible attacks against PHP's PRNG and PHP applications using it
   are explained by the blog post "mt_(s)rand and not so random numbers"
   which is available here:

   http://www.suspekt.org/2008/08/17/mt_srand-and-not-so-random-numbers/

   In Wordpress the situation is that when open registration is activated
   an attacker can register the username 'admin' + 55 times ' ' + 'x' to
   register a new user that will end up as 'admin' + 55 times ' ' in the
   database.

   Because of the relaxation on string comparison that ignores trailing
   whitespace characters this might disturb how Wordpress uses the user
   table. An analysis revealed that a problem occurs in the password
   reset. It is however possible that other areas of Wordpress can also
   be exploited through the same vector.

   When the password reset is triggered with the email address of the fake
   admin Wordpress will generate a random password reset token, will write
   it into the database as current password reset token for the fake admin
   AND ALSO for the real admin. The password reset token is then sent to
   the fake admin.

   When the password reset token is used Wordpress will reset the password
   of the first user that token is valid for, which is the real admin user.
   It will auto generate a random password and send it to the real admin.
   At this point the real admin has his password changed to something
   random that is only known to the email he gets until he reads it.

   Using a fresh PHP process for the password reset in combination with the
   Keep-Alive attack that is described in the previously mentioned blog
   posting, it is however possible for an attacker to lookup the 32 bit seed
   used for seeding the random number generator and determine the randomly
   generated password for it.

   The seed lookup can be performed by a pre-generated table that is around
   60 GB in size, which takes a day to generate (depending on your hardware)
   but allows resetting admin passwords in seconds.

   Wordpress has fixed these vulnerabilities by consolidating space characters
   in the user name prior to registration and by changing from plain mt_rand()
   usage to some better random number generator that is not easily predicted
   from the outside.

Proof of Concept:

   SektionEins GmbH is not going to release a proof of concept
   exploit for this vulnerability.

Disclosure Timeline:

   17. Aug 2008 - Sent notification to Wordpress about the vulnerability
   21. Aug 2008 - Received confirmation that notification was received but
                  waited in the spam folder for manual review
   22. Aug 2008 - Notification that the column truncation is now fixed in SVN
                  and that discussion how to fix the mt_rand() problem is running
   22. Aug 2008 - Sent recommendation how to fix the mt_rand() issue as
                  PHP pseudo code
   25. Aug 2008 - Received and commented about PHP code to fix the issue
   27. Aug 2008 - Notification that the mt_rand() problem is now fixed in SVN
   30. Aug 2008 - Discussion about a possible release date that allows fixing
                  some other problems contained in Wordpress 2.6.1
   09. Sep 2008 - The Wordpress Development Team releases Wordpress 2.6.2
                  early in response to a description of a possible attack that
                  appeared on milw0rm and was most probably reversed from
                  the SVN commits
   12. Sep 2008 - Public Disclosure

Recommendation:

   It is recommended to upgrade to the latest version of Wordpress
   which might also fixes additional vulnerabilities or bugs reported
   by third parties,

   Grab your copy at:

   http://www.wordpress.org

CVE Information:

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   not assigned a name to this vulnerability yet.

GPG-Key:

   pub  1024D/15ABDA78 2004-10-17 Stefan Esser <stefan.esser@sektioneins.de>
   Key fingerprint = 7806 58C8 CFA8 CE4A 1C2C  57DD 4AE1 795E 15AB DA78

Copyright 2008 SektionEins GmbH. All rights reserved.</stefan.esser@sektioneins.de>