Yet another reason to update your WordPress install

Update: Oct 28, 2017, I released Leo B into the wild. See https://justin-greer.com/2016/10/wordpress-pen-testing-password-recovery-tool/ to download “Leo B”.

Today I want to talk a bit about some false positives I have been getting when testing the notorious XML-RPC brute force attack. Part of my security consulting is attacking a client's website and software for penetration testing. It took me almost 9 months to figure out why the number of successful XML-RPC brute force attempts had fallen to zero using my traditional means of testing. The reason is the system.multicall patch that was applied in WordPress version 4.4. You can find the patch at https://core.trac.wordpress.org/attachment/ticket/34336/34336.diff.

The patch effectively prevents system.multicall from being used for brute force attacks by means of a boolean property, "auth_failed". On the first login attempt that fails in a request, "auth_failed" is set to true, and every later login check in that same request is refused without the password even being tested. The way system.multicall works is that you send many method calls in one request to the XML-RPC server and WordPress loops through them one by one. Even inside a multicall, all of the sub-calls are handled by the same wp_xmlrpc_server instance for that request, so the property stays true while the remaining methods run: only the first password in the batch is actually checked.

System.multicall can no longer be used to amplify password guessing, which is great for the WP world but hurts my workflow. So if you provide penetration testing and are running brute force tests against the XML-RPC multicall method, you are wasting your time against an up-to-date site: each request now tests at most one password, the same as a plain wp.getUsersBlogs call. The patch was applied in version 4.4, which means older versions may still be exposed if auto-updates were not turned on. I am not sure how far back the core team has patched this, but I would imagine that the patch goes way back.
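To make the difference concrete, here is a small Python model I added for this post; it is not code from WordPress core or from the original article. It builds the system.multicall request body that a brute force tool POSTs to xmlrpc.php (one wp.getUsersBlogs sub-call per password), then runs it through a toy server that mimics the login() loop with and without the auth_failed flag from ticket 34336. The user database, the wordlist and the "correct horse battery staple" password are constructed for the example.

```python
"""
Added example (not from the original post or WordPress core): a minimal model
of how WordPress handles XML-RPC system.multicall before and after the
auth_failed change from ticket 34336 (WordPress 4.4), plus the request body
an attacker would send.
"""
import xmlrpc.client

# Constructed sample credential store; the password is assumed for illustration.
USERS = {"admin": "correct horse battery staple"}

# Constructed wordlist; the valid password is included so the run is deterministic.
WORDLIST = ["password", "123456", "admin", "correct horse battery staple", "letmein"]


class ToyXmlRpcServer:
    """Models the relevant parts of wp_xmlrpc_server: login() and system.multicall."""

    def __init__(self, patched):
        self.patched = patched      # True = WordPress >= 4.4 behaviour
        self.auth_failed = False    # the flag the 34336 patch added
        self.login_checks = 0       # how many real password checks this request did

    def login(self, username, password):
        # After the patch, once a login in this request has failed, every later
        # login() in the same request is refused without checking the password.
        if self.patched and self.auth_failed:
            return None
        self.login_checks += 1
        if USERS.get(username) == password:
            return username
        self.auth_failed = True
        return None

    def wp_get_users_blogs(self, username, password):
        # wp.getUsersBlogs is the classic brute force target: it needs a valid
        # login and nothing else, so a non-fault answer confirms the password.
        user = self.login(username, password)
        if user is None:
            return {"faultCode": 403, "faultString": "Incorrect username or password."}
        return [{"blogName": "example", "isAdmin": True}]

    def multicall(self, calls):
        # system.multicall loops over the sub-calls inside one HTTP request, so
        # self.auth_failed persists from one sub-call to the next.
        results = []
        for call in calls:
            if call["methodName"] != "wp.getUsersBlogs":
                results.append({"faultCode": -32601, "faultString": "unknown method"})
                continue
            results.append(self.wp_get_users_blogs(*call["params"]))
        return results


def build_multicall_body(username, passwords):
    """Builds the XML an attacker POSTs to xmlrpc.php: one password per sub-call."""
    calls = [{"methodName": "wp.getUsersBlogs", "params": [username, pw]} for pw in passwords]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall")


def parse_multicall_body(body):
    """Parses the request the way the server does; returns the list of sub-calls."""
    params, methodname = xmlrpc.client.loads(body)
    if methodname != "system.multicall":
        raise ValueError("not a system.multicall request")
    return params[0]


def brute_force(username, passwords, patched):
    """Sends one multicall request; returns (found_password, passwords_actually_checked)."""
    server = ToyXmlRpcServer(patched)
    calls = parse_multicall_body(build_multicall_body(username, passwords))
    results = server.multicall(calls)
    found = None
    for call, result in zip(calls, results):
        if isinstance(result, list):   # a non-fault result means the login succeeded
            found = call["params"][1]
    return found, server.login_checks


if __name__ == "__main__":
    for patched in (False, True):
        found, checks = brute_force("admin", WORDLIST, patched)
        label = "WordPress 4.4+" if patched else "pre-4.4"
        print(f"{label}: checked {checks} password(s) in one request, found={found!r}")
```

Against the pre-4.4 model a single request tests all five passwords and recovers the correct one; against the patched model the first wrong guess sets auth_failed and the remaining four sub-calls all come back as "Incorrect username or password" without being checked, so one request is worth exactly one guess, the same as a plain wp.getUsersBlogs call. That is the whole reason the multicall approach stopped producing hits.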

If you want to be protected against this attack, you MUST keep WordPress updated. Although there are other ways to get around the patch, they have not been made public, and I will soon be presenting a patch myself to prevent my new method.

Keep an eye out.


2 Responses

  1. Ripul says:

    Thanks for this. This is the reason why I recommend that users turn off XML-RPC when they're not using it. I guess with the REST API in place the use of XML-RPC would be redundant in the future.

    Off topic : I wanted to connect with you on wp-oauth because I could not find a contact form and the twitter/facebook links are not working. I wanted to know how is wp-oauth more secure than WP REST API authentication.

    • justin says:

      Thanks for the comment! Currently there is no built-in authentication method for the REST API other than Basic Auth. If you are using Basic Auth over HTTPS then it may be secure enough for your application. The authentication method used, whether it is OAuth, OAuth2 or Basic Auth, is all up to how authentication needs to be set up. For example, if you need a mobile application to connect using the REST API, Basic Auth just will not work.

      To sum it up, WP OAuth Server uses OAuth2 authentication flows. If you are using HTTPS (as required), the authentication is secure while not needing to provide user credentials (for most flows). It all comes down to what a project needs.
