Message-ID: <CAKws9z3H+VFO6kO-bEPMtyomuyyumx69+hzB7UUAxpg2o6dT8A@mail.gmail.com>
Date: Mon, 21 Nov 2016 11:54:33 -0500
From: Scott Arciszewski <scott@...agonie.com>
To: oss-security@...ts.openwall.com
Subject: WordPress (all versions): SPOF, RCE, and Negligence

This is the function that fetches downloads from the WordPress update servers:

https://github.com/WordPress/WordPress/blob/f5b6731777bbd1dfe290867d2240a2a68e2f0cf1/wp-admin/includes/class-wp-upgrader.php#L252-L283

The only verification it offers is an MD5 checksum, which is sent by the server that also serves the file:

https://github.com/WordPress/WordPress/blob/eeefec932f3d4f3b50369f6523c2cd8fad3d467f/wp-admin/includes/file.php#L482-L525

At no point lower in the automatic update process is a cryptographic signature verified. The update server is trusted explicitly and implicitly by every WordPress website online.

WordPress powers an estimated 26% of websites on the Internet. Consequently, the WordPress update server is one of the largest single points of failure (SPOF) on the Internet. If you manage to hack their infrastructure, you can push a false update to millions of WordPress blogs and get reliable remote code execution everywhere.

They are aware of this issue, and have been for years:

https://core.trac.wordpress.org/ticket/25052

Additionally, PHP before 5.6.0 had terrible SSL/TLS support. It may also be possible to get targeted RCE out of a MitM condition due to their stubborn insistence on supporting PHP 5.2.4. I need to do more research here.

The WordPress culture, for those who are not aware, prioritizes higher adoption rates over better security. They see backwards compatibility as a usability problem more than a liability. The WordPress team also promotes the use of the misnomer "responsible disclosure" over the more accurate "coordinated disclosure", and refuse to entertain suggestions to improve their vernacular.

In short, WordPress is semi-toxic towards improving their own security -- mostly out of negligence and stubbornness rather than outright hostility (see: OpenCart). I don't believe there's much chance of fixing this, due to political problems rather than technological problems.

The first step towards a reliable solution would look like this:

1. Up the minimum PHP version to at least 5.6.0.
2. Use openssl_sign() and openssl_verify() with an RSA keypair maintained by their team.

A total solution would incorporate all of the elements listed here for both core updates and theme/plugin updates:

https://paragonie.com/blog/2016/10/guide-automatic-security-updates-for-php-developers#elements-automatic-updates

Should anyone wish to endure the steep uphill battle to try to get WordPress to fix this problem _before_ we see headlines titled "WormPress: How your blog was hacked" in the news, godspeed.

Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises
<https://paragonie.com>
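The second step of the proposed fix, as an added example that is not WordPress code and not from the original post: a detached RSA signature over the downloaded archive is checked against a public key pinned in the client with openssl_verify(), so a server-supplied MD5 is no longer the only check. The key pair, archive bytes and function names are constructed for the demonstration; in practice the private key would stay offline with the release team.

```php
<?php
// Added example (not WordPress code): sign an update archive at release time
// and verify it on the client against a pinned public key. Key generation is
// included only so the script runs stand-alone.
declare(strict_types=1);

const SIG_ALGO = OPENSSL_ALGO_SHA256;

/** Release side: produce a detached signature over the archive bytes. */
function sign_update(string $archiveBytes, string $privateKeyPem): string
{
    $signature = '';
    if (!openssl_sign($archiveBytes, $signature, $privateKeyPem, SIG_ALGO)) {
        throw new RuntimeException('signing failed: ' . openssl_error_string());
    }
    return $signature;
}

/** Client side: accept the archive only if the signature verifies under the pinned key. */
function verify_update(string $archiveBytes, string $signature, string $pinnedPublicKeyPem): bool
{
    // openssl_verify() returns 1 (valid), 0 (invalid) or false (error);
    // anything other than exactly 1 is treated as a failed verification.
    return openssl_verify($archiveBytes, $signature, $pinnedPublicKeyPem, SIG_ALGO) === 1;
}

// --- demonstration with a constructed key pair and constructed archive bytes ---
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
openssl_pkey_export($key, $privatePem);
$publicPem = openssl_pkey_get_details($key)['key'];

$archive = 'constructed update archive bytes';
$sig     = sign_update($archive, $privatePem);

// The genuine archive verifies.
var_dump(verify_update($archive, $sig, $publicPem)); // bool(true)

// An archive altered by whoever controls the download server fails the
// signature check, even though that server can still hand out a matching MD5
// alongside it (which is all the checksum-only scheme in the post compares).
$altered = $archive . "\0";
$servedMd5 = md5($altered);                                // attacker-chosen value
var_dump(hash_equals($servedMd5, md5($altered)));          // bool(true): MD5 proves nothing
var_dump(verify_update($altered, $sig, $publicPem));       // bool(false): signature catches it
```

The pinned public key must ship with the client (and be rotated through a signed update), never fetched from the same server that serves the archive.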