WordPress XML-RPC PingBack vulnerability analysis-vulnerability warning-the black bar safety net

ID MYHACK58:62201444478
Type myhack58
Reporter 佚名
Modified 2014-04-11T00:00:00


! Screen Shot 2014-03-12 at 9.47.56 AM

A recent article outlines how to use the WordPress XML-RPC pingback functionDDosattack. This article will be on the attack for analysis, while for the site administrator to provide information to protect their website.

This is not a new vulnerability

WordPress XML-RPC API is not new launch. The following is the seven years ago wordpress bug data.

! Screen Shot 2014-03-12 at 10.15.29 AM

Although the vulnerability is not the latest, but the attack code/tools is nearly two years to appear. Tools for script kiddies facilitated, thereby resulting in a moreDDoSattack.

WordPress XML-RPC Pingback DDoS attack process

XML-RPC pingback feature provides a legitimate way to from different authors there is connected content. This article is describes how to use some of the blog site's XML-RPC functionality to third-party websites to attack.

Patsy Proxy attack

SpiderLabs colleague Daniel Crowley in 2 0 1 2 The DerbyCon conference staged shows in an article”The Patsy Proxy: Getting others to do your dirty work,“the article, the text discussed by the third-party website to send attack traffic in a variety of ways. (See PPT). In addition, also released the use of the tool. One of the tools called “DDoS attacks via other sites execution tool (DAVOSET)”, it can be through many different sites to send attack traffic. The following DAVOSET used in the URL list

! Screen Shot 2014-03-12 at 11.41.59 AM

Through a”Patsy Proxy”site to send attack data is very simple. Below we take a closer look at WordPress XML-RPC Pingback problems.

WordPress XML-RPC Pingback DDoS attack

The following is a using curl for attack command

! Screen Shot 2014-03-12 at 12.03.50 PM

The yellow highlighted data is a WordPress “Patsy Proxy” site, the orange highlighted data is the attack site. Note that for testing purposes required in the header add “Content-Type: text/xml” otherwise the XML-RPC service that the request is not valid, then the response is as follows:

! Screen Shot 2014-03-12 at 12.07.26 PM

The attacker sends a complete request, Patsy Proxy WordPress site, going to be the attack site issue the following HTTP request:

! Screen Shot 2014-03-12 at 12.14.28 PM

Note that the HTTP request format is only two lines:

  • URI
  • Host request header

But is the attack on the site of the WAF-web application protection system will identify the attack to protect the site. Normally the browser sends a request that contains many header. Due to the pingback DDoS the attack is not like the other Protocol attacks such as NTP, will not use any type of amplification attacks that way, if the request URI will make the attack site for the background calculation it will cause more damage.

Protection measures

Disable the XML-RPC

If you don't want to use the XML-RPC disabling it is entirely possible. Can refer to the article: even plugins that will disable it.

Disable Pingback requests

Can be passed to the function. php add the following file to disable the pingback:

! Screen Shot 2014-03-12 at 12.26.38 PM

Identify the original the Pingback request

Through the WAF to be able to identify the original of the pingback XML attack request. Details in this view.

In the injured site recognition Pingback to the original Requests

As mentioned before, although the URI is dynamic, but all the agent XML-RPC pingback HTTP request is only two lines. You can use the WAF to identify and respond to such as request IP added to the blacklist this exception.

[via@spiderlabs / 91ri.org]