Recently, a vulnerability inherent to WordPress has been found by Dawid Golunski (@dawid_golunski). It allows an attacker to trigger a password reset e-mail of a WordPress account with a return header modified to show the attacker controlled address instead.
A quick glance
Vulnerability name: WordPress Core <= 4.7.4 Potential Unauthorized Password Reset (0day)
Affected versions: all versions <= 4.7.4
Summary: An attacker could potentialy craft a malicious HTTP request to trigger an admin password reset with the attacker controlled machine as the sender of the password reset link.
Key factors for successful exploitation: WordPress site accessible via direct IP, Apache with UseCanonicalName set to Off, password reset e-mail link (sent to account owner) sent back to the attacker.
The vulnerability arises from WordPress using an untrusted data in crafting the sender address in password reset emails. If we take a close look at WordPress’ pluggable.php (/wp-includes/pluggable.php), we will see the following code below:
To understand this chunk of code, let us first understand some of the functions in the code:
- isset – is a function that checks if a given variable is NULL or not
- strtolower – is a function to convert a string to lower case
- substr – is also a function that manipulates a given string or set of characters
So here’s what it does:
- First, it checks if the value of $from_email variable is equal to NULL
- If the variable is NULL, it will modify the value of SERVER_NAME to lowercase and assign it to $sitename variable
- It will then remove the “www.” characters to the $sitename variable (if found)
- Finally, it will combine the resulting value of $sitename variable with “wordpress@” and assign it to $from_email variable
The $from_email variable is the variable used to craft the return e-mail address of the password reset link.
Why is this a problem?
On most Apache installation, the default value of the UseCanonicalName directive is set to off. This means that Apache will user the HOST header provided by the connecting client in order to generate the SERVER_NAME value.
This is a problem as a malicious attacker can create an HTTP request to the server to modify the SERVER_NAME variable. With the SERVER_NAME variable being used as a part of the return e-mail address of the password reset e-mail, modifying it will also modify the return address of the password reset e-email to the same value of the HOST header provided by the attacker.
Making a successful attack
Though it is very easy to modify the return address of the password reset e-mail, in order to make a successful attack, user interaction is sometimes required. Why? Because the attacker was only able to modify the return address and still has no access to the password reset link itself. The password reset link was still sent to the e-mail address of the WordPress account holder. Therefore, to successfully change the user’s password, the attacker must get hold of the password reset link and reset the user’s password.
Fixing the vulnerability
As of now, there is no official fix from WordPress regarding this vulnerability. However, you can set the UseCanonicalName directive to “ON” in Apache configuration to avoid the server from using the HOST header as a server name.
What it means to you
As an owner of a WordPress site (either a corporate or a personal site), you should be concerned about this vulnerability as an attacker could arbitrarily reset your password and gain full control of your website. This could subsequently make the attacker gain access to sensitive data and eventually pivot its attacks to other network hosts within the reach of the compromised WordPress site server.
To protect you from such attacks, you should always remember to
- Be cautious about password rest e-mails that you know you did not trigger
- Check the content of your reply e-mail if sensitive information such as the password reset link is included
- Check your e-mail provider about rules in auto-responding whenever your mailbox is full or unable to receive more e-mails and ensure that the e-mail is not automatically forwarded back in full to the sender.
This post is based from: https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html