Wordpress 3.9.1 pluggable.php CSRF vulnerability

2014.08.18
Credit: nacin
Risk: Low
Local: No
Remote: Yes
CVE: CVE-2014-5204
CWE: N/A


CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

wp-includes/pluggable.php in WordPress before 3.9.2 rejects invalid CSRF nonces with a different timing depending on which characters in the nonce are incorrect, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force attack. Index: trunk/src/wp-includes/compat.php =================================================================== --- a/trunk/src/wp-includes/compat.php +++ b/trunk/src/wp-includes/compat.php @@ -95,2 +95,31 @@ } } + +if ( ! function_exists( 'hash_equals' ) ) : +/** + * Compare two strings in constant time. + * + * This function was added in PHP 5.6. + * It can leak the length of a string. + * + * @since 3.9.2 + * + * @param string $a Expected string. + * @param string $b Actual string. + * @return bool Whether strings are equal. + */ +function hash_equals( $a, $b ) { + $a_length = strlen( $a ); + if ( $a_length !== strlen( $b ) ) { + return false; + } + $result = 0; + + // Do not attempt to "optimize" this. + for ( $i = 0; $i < $a_length; $i++ ) { + $result |= ord( $a[ $i ] ) ^ ord( $b[ $i ] ); + } + + return $result === 0; +} +endif; wp-includes/pluggable.php in WordPress before 3.9.2 rejects invalid CSRF nonces with a different timing depending on which characters in the nonce are incorrect, which makes it easier for remote attackers to bypass a CSRF protection mechanism via a brute-force attack. Index: trunk/src/wp-includes/pluggable.php =================================================================== --- a/trunk/src/wp-includes/pluggable.php +++ b/trunk/src/wp-includes/pluggable.php @@ -672,5 +672,5 @@ $hash = hash_hmac( 'sha256', $username . '|' . $expiration . '|' . $token, $key ); - if ( hash_hmac( 'sha256', $hmac, $key ) !== hash_hmac( 'sha256', $hash, $key ) ) { + if ( ! hash_equals( $hash, $hmac ) ) { /** * Fires if a bad authentication cookie hash is encountered. @@ -1712,10 +1712,12 @@ // Nonce generated 0-12 hours ago - if ( $nonce === substr( wp_hash( $i . '|' . $action . '|' . $uid . '|' . $token, 'nonce'), -12, 10 ) ) { + $expected = substr( wp_hash( $i . '|' . $action . '|' . $uid . '|' . $token, 'nonce'), -12, 10 ); + if ( hash_equals( $expected, $nonce ) ) { return 1; } // Nonce generated 12-24 hours ago - if ( $nonce === substr( wp_hash( ( $i - 1 ) . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 ) ) { + $expected = substr( wp_hash( ( $i - 1 ) . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 ); + if ( hash_equals( $expected, $nonce ) ) { return 2; }

References:

https://wordpress.org/news/2014/08/wordpress-3-9-2/
https://core.trac.wordpress.org/changeset/29384
http://openwall.com/lists/oss-security/2014/08/13/3


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top