myhack58 | 佚名 (anonymous) | MYHACK58:62201785855
History: May 05, 2017 - 12:00 a.m.

WordPress 4.6 remote code execution vulnerability - vulnerability warning - black bar safety net (myhack58)

2017-05-05 00:00:00
佚名
www.myhack58.com
1059

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.975 High

EPSS

Percentile

100.0%

About WordPress

WordPress is a personal publishing platform that focuses on aesthetics, usability and web standards. Although WordPress is free open-source software, its value cannot be measured in money.

With WordPress you can build a powerful web information publishing platform, although it is most often used to run a blog. For blogging, WordPress lets you set aside back-end technical concerns and concentrate on producing good site content.

According to w3techs.com's real-time market statistics on WordPress sites, WordPress accounts for 58.9 per cent of all websites that use a content management system, and for about 27.9 per cent of all websites.


Vulnerability overview

Vulnerability ID: CVE-2016-10033

Vulnerability found by: dawid_golunski

Vulnerability severity: severe

Affected versions: 4.6

Vulnerability description: a remote attacker can exploit the vulnerability to execute code

Vulnerability details

This vulnerability is essentially the PHPMailer vulnerability CVE-2016-10033 reached through WordPress core code. It requires no authentication and no plugin, and is exploitable in the default configuration. A remote attacker could exploit it to execute code. Because the impact of the vulnerability is large, after consultation with the vendor it was decided to postpone publishing the WordPress-specific details of the vulnerability.

Vulnerability code

```php
if ( ! isset( $from_email ) ) {
    // Get the site domain and get rid of the www.
    $sitename = strtolower( $_SERVER['SERVER_NAME'] );
    if ( substr( $sitename, 0, 4 ) == 'www.' ) {
        $sitename = substr( $sitename, 4 );
    }
    $from_email = 'wordpress@' . $sitename;
}

/**
 * Filters the name to associate with the "from" email address.
 *
 * @since 2.3.0
 *
 * @param string $from_name Name associated with the "from" email address.
 */
$from_name = apply_filters( 'wp_mail_from_name', $from_name );
$phpmailer->setFrom( $from_email, $from_name );
```

WordPress builds the e-mail domain from the SERVER_NAME server variable whenever its wp_mail() function is called to send e-mail, for example on user registration or Forgot Password. This can be seen in the line

```php
$from_email = 'wordpress@' . $sitename;
```

The address is then filtered and passed to the vulnerable PHPMailer setFrom() function; for the details, see:

<https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html>

<https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html>

Injection

In the default configuration of Apache, the most common web server for WordPress deployments, the SERVER_NAME server variable is populated from the HTTP request's Host header.

To verify this, consider the following vars.php request and response:

```
GET /vars.php HTTP/1.1
Host: xenialINJECTION

HTTP/1.1 200 OK
Server: Apache

Array
(
[HTTP_HOST] => xenialINJECTION
[SERVER_SOFTWARE] => Apache/2.4.18 (Ubuntu)
[SERVER_NAME] => xenialinjection
```

We can see that the INJECTION string appended to the hostname in the Host header is copied into the HTTP_HOST and SERVER_NAME PHP variables.

Using the Host header in this way, an attacker can trigger the wp_mail() function through WordPress's lost password feature; the HTTP request would look similar to:

```http
POST /wordpress/wp-login.php?action=lostpassword HTTP/1.1
Host: xenialINJECT
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Content-Length: 56
Cookie: wordpress_test_cookie=WP+Cookie+check
Connection: close

user_login=admin&redirect_to=&wp-submit=Get+New+Password
```

This leads to the following parameters being passed to /usr/sbin/sendmail:

```
Arg no. 0 == [/usr/sbin/sendmail]
Arg no. 1 == [-t]
Arg no. 2 == [-i]
Arg no. 3 == [-fwordpress@xenialinject]
```

Note the argument after the first three: the domain part of the e-mail address matches the Host header of the request, except that it has been lowercased to "inject".

Bypassing the filter

To exploit the PHPMailer mail() injection vulnerability, an attacker would have to add extra parameters to the domain part of the address. However, the filtering and validation performed both in WordPress and in the PHPMailer library prevent an attacker from injecting a null character, space or TAB, which would be needed to pass additional parameters to the sendmail binary.

For example, if the attacker changes the Host header to the following:

```http
POST /wordpress/wp-login.php?action=lostpassword HTTP/1.1
Host: xenialINJECT SPACE
```

validation fails with an invalid domain part error, and the WordPress application exits with the HTTP response:

HTTP/1.0 500 Internal Server Error

In this case the PHPMailer mail function is never reached, and the sendmail binary is not executed.

The PHPMailer library's validateAddress() function and PHP's filter_var / FILTER_VALIDATE_EMAIL conform to the RFC 822 standard.

For more details, see:

<http://php.net/manual/en/filter.filters.validate.php>

It prohibits spaces in the domain part, thereby preventing the injection of additional parameters to /usr/sbin/sendmail.
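To make the data flow above concrete from the defender's side, the following added Python example (not from the advisory, WordPress or PHPMailer) models the From-address derivation in wp_mail(), the domain-part validation that stops the naive space injection, and a log check that flags lost-password requests whose Host header is not one the site legitimately serves. The allowlisted hostnames and the log lines are constructed; the log format assumed records the Host header as the first field.

```python
import re

# Assumed site configuration (not from the advisory): the only hostnames
# this WordPress instance should ever see in a Host header.
ALLOWED_HOSTS = {"blog.example.com", "www.blog.example.com"}

# Constructed log lines in an Apache format that records the Host header
# first (e.g. LogFormat "%{Host}i %h \"%r\" %>s"); not real traffic.
CONSTRUCTED_LOG = [
    'blog.example.com 203.0.113.5 "POST /wordpress/wp-login.php?action=lostpassword HTTP/1.1" 200',
    'xenialINJECT 203.0.113.9 "POST /wordpress/wp-login.php?action=lostpassword HTTP/1.1" 200',
    'blog.example.com 203.0.113.5 "GET /wordpress/ HTTP/1.1" 200',
]


def derive_from_address(server_name):
    """Mirror the wp_mail() default shown above: lowercase SERVER_NAME,
    strip a leading 'www.', prefix 'wordpress@'. With Apache's default
    UseCanonicalName Off, SERVER_NAME is whatever the client sent as Host."""
    sitename = server_name.lower()
    if sitename.startswith("www."):
        sitename = sitename[4:]
    return "wordpress@" + sitename


# Approximation of the domain-part check: only plain hostname characters.
_DOMAIN_OK = re.compile(r"[a-z0-9.-]+")


def sendmail_from_argument(host_header):
    """Return the -f argument sendmail would receive, or None when the
    domain part fails validation (space, TAB, NUL or anything else outside
    a plain hostname), in which case PHPMailer never runs sendmail and
    WordPress answers with a 500 instead."""
    addr = derive_from_address(host_header)
    local, sep, domain = addr.partition("@")
    if not sep or not local or _DOMAIN_OK.fullmatch(domain) is None:
        return None
    return "-f" + addr


def untrusted_host_lostpassword(log_lines):
    """Detection: Host headers outside ALLOWED_HOSTS on lost-password
    requests. A legitimate client never sends such a Host value, and an
    unexpected one is the precondition for the injection described above."""
    hits = []
    for line in log_lines:
        host, _, rest = line.partition(" ")
        if "action=lostpassword" in rest and host.lower() not in ALLOWED_HOSTS:
            hits.append(host)
    return hits
```

On the server side the same allowlist idea removes the attacker's control entirely: Apache with UseCanonicalName On and an explicit ServerName fills SERVER_NAME from its own configuration rather than from the Host header, and the wp_mail_from filter lets the site pin the From address to a fixed value.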
