Full Disclosure mailing list archives

By Date By Thread Go Home WP-API, You're Drunk... From: Scott Arciszewski <scott () arciszewski me>

Date: Tue, 28 Oct 2014 20:00:27 -0400

... or more accurately, asleep at the wheel! _______________________________________________________ _________/ STORY TIME (feel free to skip this if you don't care) \__________ | | | Recently, I made a quick analysis of all of the public projects listed | | on HackerOne. https://gist.github.com/sarciszewski/04ee71ad2bcddc9c33b9 | | | | If you scroll to the bottom, I listed several projects in the "sweet | | spot": open source AND a minimum bounty. Outside of the Internet Bug | | Bounty project, there are only two projects listed: WP-API and Ian Dunn (a | | WordPress developer who has many projects). | | | | In the past three weeks, I have opened a handful of bug reports for other | | projects using the HackerOne platform, and they all responded immediately. | | Joola.io, for example, had a fix ready within a day of being notified. | | Concrete5 asked me to send a pull request to fix the issue I raised. Both | | projects, in my opinion, deserve further scrutiny and assistance. Srsly. | | | | WP-API, however, still has yet to even acknowledge the bug report sitting | | in the issue tracker for 17 days (and counting). Even when pressed for a | | simple "We got your report, here's an estimate on when we can get to it," | | I was met with complete radio silence. I sent one last update to my bug | | reports asking to respond before 8 PM or I will post on Full Disclosure | | everything I have found (which, while not exactly the most impressive bugs | | anyone will see on this list this month, are at least deserving of some | | sort of response). | | | | So here we are. | |____________________________________________________________________________| I. WP-API/Key-Auth https://github.com/WP-API/Key-Auth/blob/f9b74b3e4df667cfb44baba556eafde65fa3aec9/key-auth.php#L50 https://github.com/WP-API/Key-Auth/blob/f9b74b3e4df667cfb44baba556eafde65fa3aec9/key-auth.php#L65 This is pretty much a textbook example of "How Not to Implement Signature Verification." Let's count the things wrong with it! 1. json_encode() can return FALSE and there is no error checking employed (I am pretty sure an attacker can trigger this condition easily). 2. md5($arbitrary . $secret) is almost the ideal situation for length- extension attacks. hash_hmac('sha256', $arbitrary, $secret) would be considerably safer. 3. Signature not compared in constant time (while timing attacks are not the most trivial attack to perform, and are noisy as all hell, it's still problematic for authentication code to not provide this protection). 4. Signatures are compared with a non-strict != operator. PROTIP: https://eval.in/108854 II. WP-API/OAuth1 https://github.com/WP-API/OAuth1/blob/45197eca2925f5022192903d3639decd0ae1811c/lib/class-wp-json-authentication-oauth1.php#L290 https://github.com/WP-API/OAuth1/blob/45197eca2925f5022192903d3639decd0ae1811c/lib/class-wp-json-authentication-oauth1.php#L562 Same as point 3 from Key-Auth with regard to timing attacks. However, this is not an isolated incident. Many OAuth1 and OAuth2 libraries have the exact same problem. In fact, feel free to reuse a solution I submitted to one of these projects to patch it. * https://github.com/bshaffer/oauth2-server-php/pull/480 If I were a betting man, I would wager that most OAuth server implementations fail to take the necessary precautions when handling cryptographic signatures. Which is sort of funny when you think about the fact that that's their entire reason for existing. Point being: I don't blame WP-API for this one, considering how many OAuth1/2 server implementations I've seen with similar weaknesses, and also considering that there aren't many (any?) botnets spawned from timing attacks. Yet. #============================================================================# If the WP-API team would like to still honor their bounty, I encourage them to instead donate it to the PayPal 14, whom are being sentenced tomorrow. http://www.gofundme.com/Paypal14 That's all from me. Hopefully someone can kick the right person in the ass to prompt the maintainers into action to actually respond to reports on HackerOne for a change. Attachment: signature.asc

Description: _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/ By Date By Thread Current thread: Go Home WP-API, You're Drunk... Scott Arciszewski (Oct 28) Re: Go Home WP-API, You're Drunk... Nahuel Grisolía (Oct 30) Re: Go Home WP-API, You're Drunk... Scott Arciszewski (Oct 30)

Scott Arciszewski (Oct 28)