WordPress Unauthorized Password Reset Vulnerability (CVE-2017-8259)

WordPress has a password reset feature that contains a vulnerability which might, in some cases, allow attackers to get hold of the password reset link without prior authentication.

Such an attack could lead to an attacker gaining unauthorized access to a victim's WordPress account. This affects all versions of WordPress, including the current version, 4.7.4.

Description

The vulnerability stems from WordPress using untrusted data by default when creating a password reset e-mail that is supposed to be delivered only to the e-mail associated with the owner’s account.

This can be observed in the following code snippet, which builds the From e-mail header before calling the PHP mail() function:

wp-includes/pluggable.php

if ( !isset( $from_email ) ) {
        // Get the site domain and get rid of www.
        $sitename = strtolower( $_SERVER['SERVER_NAME'] );
        if ( substr( $sitename, 0, 4 ) == 'www.' ) {
                $sitename = substr( $sitename, 4 );
        }

        $from_email = 'wordpress@' . $sitename;
}

Three example scenarios (some requiring victim interaction, some not) include:

  1. The attacker first performs a DoS attack on the victim's email account/server (e.g. by sending multiple large files to exceed the user's disk quota, attacking the DNS server, etc.) so that the password reset email cannot reach the victim's account and bounces back to the malicious sender address, which points at the attacker (no user interaction required).
  2. Some autoresponders attach a copy of the received email in the body of the auto-replied message (no user interaction required).
  3. Sending multiple password reset emails to force the user to reply to the message asking for an explanation of the endless password reset emails. The reply, containing the password reset link, would then be sent to the attacker (user interaction required).

Workarounds

  1. If you are using Apache, you can turn on UseCanonicalName (see: https://httpd.apache.org/docs/2.4/mod/core.html#usecanonicalname)
  2. I created a simple plugin that you can install in your WordPress installation. It will disable the lost password functionality.
    Disable Password Reset
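A second, less drastic mitigation is to stop wp_mail() from deriving the sender from the request at all. WordPress runs the computed $from_email through the wp_mail_from filter right after the snippet above, so a must-use plugin can replace it with either a fixed mailbox or the host stored in the site URL (wp_options), which the Host header cannot influence. This is an added example, not the "Disable Password Reset" plugin from the post; PINNED_MAIL_FROM and the file name are assumptions, and the address used is a placeholder.

```php
<?php
/*
Plugin Name: Pin Outgoing Mail Sender (example)
Description: Example mu-plugin (not the post author's plugin). Derives the From
address from the stored site URL instead of the request's SERVER_NAME, so a
spoofed Host header cannot redirect password reset bounces and auto-replies.
*/

// Hypothetical setting: a mailbox on a domain you control. Leave empty to
// build the address from home_url() instead (the placeholder below is not real).
define( 'PINNED_MAIL_FROM', '' ); // e.g. 'wordpress@example.com'

add_filter( 'wp_mail_from', function ( $from_email ) {
    if ( PINNED_MAIL_FROM !== '' ) {
        return PINNED_MAIL_FROM;
    }

    // home_url() is read from the database (or the WP_HOME constant), not
    // from $_SERVER['SERVER_NAME'], so it is stable across requests.
    $host = parse_url( home_url(), PHP_URL_HOST );
    if ( ! is_string( $host ) || $host === '' ) {
        return $from_email; // site URL unset: keep WordPress's own value
    }

    // Same "strip leading www." behaviour as wp_mail() itself.
    if ( substr( $host, 0, 4 ) === 'www.' ) {
        $host = substr( $host, 4 );
    }
    return 'wordpress@' . $host;
}, PHP_INT_MAX ); // late priority so other plugins cannot re-introduce SERVER_NAME
```

Drop the file into wp-content/mu-plugins/ so it loads without activation. The Apache workaround from the list above addresses the same root cause one layer down: with UseCanonicalName On, SERVER_NAME is taken from the ServerName directive instead of the client-supplied Host header.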

Use LogParser to Audit Remote Desktop Access

I’ve been working with LogParser for a few days and really find it useful.  There are some minor annoyances (lack of JOIN) with it but for the most part, I can get done what I need to get done pretty quickly using LogParser.

This post outlines reading the Security event log of a remote computer, in my case a 2008 Remote Desktop Session Host server.

Requirements

  • LogParser
  • RemoteRegistry Enabled on target server
  • Administrative privileges

In order to run this script, you must be an administrator on the target system, since that is required to read the Security event log.

Special Note

This script is intended to run against Vista/7/2008 systems.  XP/2003 use a different event ID for logon/logoff.  This could be adapted to work with those if you wanted to — feel free.  =)

rdp_audit.bat

This is the batch script that does the magic. Make sure to set the LOGPARSER variable in the script.

@echo off
REM Rich Kreider <rjkreider@gmail.com>

set LOGPARSER=logparser.exe
set TARGET=%1
set TEMPPATH=%SystemRoot%\Temp
@cls

IF NOT EXIST "%SystemRoot%\Temp" set TEMPPATH=%TEMP%

IF "%1"=="" (
set TARGET=%COMPUTERNAME%
@echo Note:	You can specify a remote target on the command line:
@echo.
@echo		rdp_audit.bat ^<computername^>
@echo.
@echo I am going to use this system to check for RDP activity.
@echo.
@echo.
)

REM Event 4634 (logoff): Strings = TargetUserSid|TargetUserName|TargetDomainName|TargetLogonId|LogonType
REM A 4634 record carries no IpAddress, so the IPAddress column of this CSV is empty;
REM match the LogonID against the logon rows to find the source address.
@echo collecting logoffs
"%LOGPARSER%" -q:ON -i:EVT "select timegenerated, EXTRACT_TOKEN(Strings,1,'|') AS UserName, 'Logoff' as Action, EXTRACT_TOKEN(Strings,18,'|') AS IPAddress, EXTRACT_TOKEN(Strings,3,'|') AS LogonID into %TEMPPATH%\rdp_audit_logoffs.csv from \\%TARGET%\Security where eventid='4634' and EXTRACT_TOKEN(Strings,4,'|')='10'" 2>NUL

IF NOT %ERRORLEVEL%==0 (
@echo Problem collecting logoffs.  Check to see if RemoteRegistry is enabled.
goto err_collection
)

REM Event 4624 (logon): token 5 = TargetUserName, 7 = TargetLogonId, 8 = LogonType, 18 = IpAddress
REM LogonType 10 = RemoteInteractive (Terminal Services / Remote Desktop)
@echo collecting logons
"%LOGPARSER%" -q:ON -i:EVT "select timegenerated, EXTRACT_TOKEN(Strings,5,'|') AS UserName, 'Logon' as Action, EXTRACT_TOKEN(Strings,18,'|') AS IPAddress, EXTRACT_TOKEN(Strings,7,'|') AS LogonID into %TEMPPATH%\rdp_audit_logins.csv from \\%TARGET%\Security where eventid='4624' and EXTRACT_TOKEN(Strings,8,'|')='10'"

REM Merge both CSV files into one HTML report using the output.tpl template
@echo generating output
"%LOGPARSER%" -q:ON -i:CSV "select timegenerated, username, action, ipaddress, logonid into activity.html from %TEMPPATH%\rdp_audit*.csv order by username, timegenerated, logonid desc" -o:TPL -tpl:output.tpl 2>NUL

IF NOT %ERRORLEVEL%==0 (
@echo No activity found.
goto eof
)

@echo.
@echo Collection complete.  Please view activity.html for details.
@echo.
goto eof

:err_collection
@echo.
@echo Try to enable RemoteRegistry on %TARGET%:  sc \\%TARGET% start RemoteRegistry
@echo.
@echo To enable it to start the service at bootup:  sc \\%TARGET% config RemoteRegistry start= auto
@echo.

:eof
@echo.
@echo rjkreider@gmail.com

output.tpl

This is the file that is used to create the HTML output. Modify to your liking.

<LPHEADER>
<HTML>
<HEAD><TITLE></TITLE></HEAD>

<BODY BGCOLOR="#EFEFFF">

<TABLE BORDER="1" CELLPADDING="2" CELLSPACING="2">
<TR>
 <TH COLSPAN="5" ALIGN="CENTER">Remote Desktop Activity</TH>
</TR>
<TR>
 <TH>Date/Time</TH>
 <TH>Username</TH>
 <TH>Action</TH>
 <TH>IPAddress</TH>
 <TH>LogonID</TH>
</TR>
</LPHEADER>

<LPBODY>
<TR>
 <TD>%TimeGenerated%</TD>
 <TD>%UserName%</TD>
 <TD>%Action%</TD>
 <TD>%IPAddress%</TD>
 <TD>%LogonID%</TD>
</TR>
</LPBODY>

<LPFOOTER>
</TABLE>
</BODY>
</HTML>
</LPFOOTER>

Example Output

Here is an example screenshot of the generated HTML file…


Disable Java in Internet Explorer 9

With recent security vulnerabilities, I’ve been talking many people through disabling Java in Internet Explorer 9.  This page serves as a quick visual reference point for disabling Java in Internet Explorer 9.

I recommend everyone uninstall Java completely…

This is a quick publish.

If you want to disable Java in your web browser, there are two methods to quickly accomplish this. The first and easiest is the Java Control Panel. This method is only available if you have Java 7 Update 10 or later, since this is when the option was introduced in the Java Control Panel. If you do not have Update 10, you can use Method 2 to disable Java in your browser.

You can also set the security level to High in the Java Control Panel instead of disabling it. This will require self-signed/unsigned applets to request permission before running and may be a slightly better option for those who need to be able to use Java in the browser for work purposes.

Method 1:  Java Control Panel

Click on Start, then type: control java, then click on the Java icon to launch the Java Control Panel.


Click on the Security tab, uncheck "Enable Java content in the browser", and click Apply.


You will be prompted for permission to make changes to the computer. If you choose No, it will only affect the currently logged on user. If you click Yes, all users on the computer will have Java disabled. You will then be shown a finish screen; just click OK. Then click OK again to close the Java Control Panel.


Method 2:  Internet Explorer Manage Add-ons


Click on the cog wheel at the far right of the Internet Explorer 9 main window.


Click on the Programs tab and then choose Manage Add-ons.


In the left pane, click Toolbars and Extensions. In the right pane, under Oracle America, Inc., choose everything in that category and click Disable all at the bottom.

BIND DNS Security Hole Workaround

There has been a recent discovery that affects BIND DNS servers.

A nameserver can be locked up if it can be induced to load a specially crafted combination of resource records (CVE-2012-5166).

To check your version, issue:

named -v

Affected BIND DNS server versions:

  • 9.2.x -> 9.6.x
  • 9.4-ESV->9.4-ESV-R5-P1
  • 9.6-ESV->9.6-ESV-R7-P3
  • 9.7.0->9.7.6-P3
  • 9.8.0->9.8.3-P3
  • 9.9.0->9.9.1-P3

Upgrading to one of the following corrects the problem:

  • 9.7.7
  • 9.7.6-P4
  • 9.6-ESV-R8
  • 9.6-ESV-R7-P4
  • 9.8.4
  • 9.8.3-P4
  • 9.9.2
  • 9.9.1-P4

You can also work around the issue by setting the minimal-responses option to yes, either globally or per view.

Here's an example screenshot of a BIND9 configuration:

[Screenshot: BIND workaround for exploit]

Windows 8: Windows Protected Your PC (SmartScreen Filter)

I just installed the Release Preview of Windows 8 and have been using it as my primary workstation. I noticed an improvement in the alerting of the SmartScreen filter.

To actually run the file, click the More Info link and then choose Run Anyway.


Click More Info to display additional options for the file you downloaded.


If you TRUST the executable file, click Run Anyway to run the downloaded executable file.


To disable the Windows SmartScreen Filter, go to Control Panel and click on Change SmartScreen Filter settings on the left.

Allow Inbound ICMP on Server 2008 R2

Here is how to allow inbound ICMPv4 echo requests (ping) from the command line using netsh in Server 2008 R2. The rule name contains spaces, so it must be quoted:

netsh advfirewall firewall add rule name="ICMP Allow incoming V4 echo request" protocol=icmpv4:8,any dir=in action=allow

Windows Security Logon Types


Event 528 and Event 540 are the Logon events. Event 528 is for all logons except “network” logons. “Network” logons are SMB/Microsoft-DS logons (i.e. connecting to a share). RDP, IIS, FTP logons, etc., are event 528 even though credentials may have come from over the network. All event 540’s are logon type 3.

Resource: http://msdn.microsoft.com/en-us/library/aa380129.aspx
Resource: http://msdn.microsoft.com/en-us/library/aa394189.aspx
Resource: http://blogs.msdn.com/b/ericfitz/archive/2004/12/09/279282.aspx

Logon type, logon title and description:

  • 2, Interactive: A user logged on to this computer at the console.
  • 3, Network: A user or computer logged on to this computer from the network.
  • 4, Batch: Batch logon type is used by batch servers, where processes might run on behalf of a user without the user's direct intervention.
  • 5, Service: A service was started by the Service Control Manager.
  • 7, Unlock: This workstation was unlocked.
  • 8, NetworkCleartext: A user logged on to a network and the user password was passed to the authentication package in its unhashed (plain text) form. It is possible that the unhashed password was passed across the network, for example, when IIS performed basic authentication.
  • 9, NewCredentials: A caller (process, thread, or program) cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but it uses different credentials for other network connections.
  • 10, RemoteInteractive: A user logged on to this computer remotely using Terminal Services or a Remote Desktop connection.
  • 11, CachedInteractive: A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.
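The rdp_audit.bat script above and this logon type table fit together: the script keeps only LogonType 10 (RemoteInteractive) and leaves the reader to pair each 4624 with its 4634 by LogonID in the HTML output, because LogParser has no JOIN. The following added example (my code, not from the original posts) does that pairing in Python over constructed records in the shape "timestamp,eventid,Strings", using the same EXTRACT_TOKEN positions the script uses. It also shows why the script's logoff CSV has an empty IPAddress column: a 4634 record has only five Strings fields and no address, so the source IP has to come from the matching 4624. The sample users, logon IDs and addresses are made up; the event IDs and field positions are the Vista/7/2008 ones the script targets (XP/2003 used 528/540 instead).

```python
"""Pair Remote Desktop logons with their logoffs from Windows Security events.

Added example, not code from the original posts. Field positions mirror the
EXTRACT_TOKEN(Strings, n, '|') calls in rdp_audit.bat; logon type labels come
from the table above. Records are constructed as 'timestamp,eventid,Strings'.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# LogonType values from the table above.
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
    8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
    11: "CachedInteractive",
}
RDP = 10  # RemoteInteractive: Terminal Services / Remote Desktop

# Zero-based positions inside the pipe-joined Strings column (as in the script).
# 4634 has no IpAddress field, so the address must be joined in from the 4624.
FIELDS = {
    4624: {"user": 5, "logon_id": 7, "logon_type": 8, "ip": 18},
    4634: {"user": 1, "logon_id": 3, "logon_type": 4},
}


@dataclass
class Session:
    user: str
    logon_id: str
    ip: Optional[str] = None           # only known from the 4624 record
    logon: Optional[datetime] = None   # None if only the 4634 was seen
    logoff: Optional[datetime] = None  # None while the session is still open

    def state(self) -> str:
        if self.logon is None:
            return "logoff only"
        return "open" if self.logoff is None else "closed"

    def duration_seconds(self) -> Optional[float]:
        if self.logon is None or self.logoff is None:
            return None
        return (self.logoff - self.logon).total_seconds()


def parse_record(line: str) -> Optional[dict]:
    """Parse 'YYYY-MM-DD HH:MM:SS,eventid,Strings'; None for other event ids."""
    ts, event_id, strings = line.split(",", 2)
    event_id = int(event_id)
    if event_id not in FIELDS:
        return None
    tokens = strings.split("|")
    rec = {"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "event_id": event_id}
    for name, idx in FIELDS[event_id].items():
        rec[name] = tokens[idx] if idx < len(tokens) else ""  # short record -> ""
    return rec


def rdp_sessions(lines: List[str]) -> List[Session]:
    """Keep LogonType 10 only (the script's EXTRACT_TOKEN(...)='10' filter) and
    pair 4624/4634 on LogonID; unmatched logoffs are kept as 'logoff only'."""
    open_sessions: Dict[str, Session] = {}
    finished: List[Session] = []
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["logon_type"] != str(RDP):
            continue
        if rec["event_id"] == 4624:
            open_sessions[rec["logon_id"]] = Session(
                rec["user"], rec["logon_id"], rec["ip"], rec["time"])
        else:
            s = open_sessions.pop(rec["logon_id"], None)
            if s is None:  # the logon happened before the collected range
                s = Session(rec["user"], rec["logon_id"])
            s.logoff = rec["time"]
            finished.append(s)
    result = finished + list(open_sessions.values())
    result.sort(key=lambda s: (s.user, s.logon or s.logoff))
    return result


def describe(s: Session) -> str:
    dur = s.duration_seconds()
    return "%s %s %s from %s: %s%s" % (
        s.user, s.logon_id, LOGON_TYPES[RDP], s.ip or "?", s.state(),
        "" if dur is None else " (%d s)" % dur)


# Constructed sample records; the helpers put each field at its real position.
def _strings_4624(user, logon_id, logon_type, ip):
    t = [""] * 20
    t[5], t[7], t[8], t[18] = user, logon_id, str(logon_type), ip
    return "|".join(t)


def _strings_4634(user, logon_id, logon_type):
    t = [""] * 5
    t[1], t[3], t[4] = user, logon_id, str(logon_type)
    return "|".join(t)


SAMPLE = [
    "2013-02-14 09:12:03,4624," + _strings_4624("alice", "0x3e7a1", 10, "10.0.0.15"),
    "2013-02-14 09:13:40,4624," + _strings_4624("svc_backup", "0x3e7b2", 3, "10.0.0.20"),
    "2013-02-14 09:45:10,4634," + _strings_4634("alice", "0x3e7a1", 10),
    "2013-02-14 10:02:00,4624," + _strings_4624("bob", "0x40011", 10, "192.0.2.44"),
    "2013-02-14 10:05:00,4634," + _strings_4634("carol", "0x1234", 10),
]

if __name__ == "__main__":
    for session in rdp_sessions(SAMPLE):
        print(describe(session))
```

Run as-is to print one line per session: alice's session closes with its IP and duration, bob's is still open, svc_backup's type-3 network logon is dropped, and carol's logoff has no matching logon (and therefore no IP), which is exactly the gap a reviewer sees in the script's HTML when the log has rolled over.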