WordPress Potential Unauthorized Password Reset

 

On 3 May, WordPress was exposed there is a security risk. A new vulnerability (CVE-2017-8295) was found to exist in all WordPress versions. The vulnerability from WordPress in the creation of password reset e-mail will use the client to send the contents of the SERVER_NAME variable to form the sender’s e-mail address. If you know the administrator or any target user’s email address, you can first send a large number of e-mail and other methods so that the target mailbox can not be properly received, and then forged a mailing mailbox to the target mailbox to initiate a reset password request, the message will Because the target mailbox can not be properly received and returned to the attacker control of the mailbox, the attacker can be in the bounce message to obtain a reset password link, thus resetting any user’s account password. The vulnerability WordPress official has not yet had any fix updates.

Affected version

WordPress Version <= 4.7.4

Note: All current WordPress versions (including the latest version 4.7.4) are affected.

Vulnerability

WordPress reset password function from the server to the user when the mailbox to send e-mail, if the attacker can get the contents of this message, you can reset the password link to modify the user password.

Use the same principle and the previous vulnerability, the attacker can request the header through the HOST “sender” mailbox is set to the attacker’s own address, under certain conditions can get the contents of this message and reset the user password.

The author gives three scenarios:

  1. If the attacker knows the mailbox registered by the admin user in advance, the mailbox address can be attacked by DoS means (sending large file/attack DNS server), causing the password reset mail to be rejected or unable to be delivered. At this time, “Bounce” will be sent to the address constructed by the attacker.
  2. The “autoresponder” feature of some mailboxes will return the contents of the message as an attachment to the sender.
  3. Repeatedly sent to reset the password to the destination mailbox, forcing the user to reply to the situation, the contents of the reply will generally refer to the previous message body.

So far feel very difficult to use, see social workers who can give a new posture.
PoC HTTP Request

POST /wp/wordpress/wp-login.php?action=lostpassword HTTP/1.1
Host: injected-attackers-mxserver.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 56
user_login=admin&redirect_to=&wp-submit=Get+New+Password

Temporary protection method

Currently WordPress official no related repair and update, the user can take the following temporary protection program:

The user can turn on UseCanonicalName to force the static SERVER_NAME value.

Reference

Loading