WordPress Unauthorized Password Reset Vulnerability (CVE-2017-8259)

This content is 2 years old. Technology changes with time. Keep that in mind as you read this article.

WordPress has a password reset feature that contains a vulnerability which might in some cases allow attackers to get hold of the password reset link without previous authentication.

Such attack could lead to an attacker gaining unauthorized access to a victim’s WordPress account.  This affects all versions of WordPress, including the current version, 4.7.4.


The vulnerability stems from WordPress using untrusted data by default when creating a password reset e-mail that is supposed to be delivered only to the e-mail associated with the owner’s account.

This can be observed in the following code snippet that creates a From email header before calling a PHP mail() function:


if ( !isset( $from_email ) ) {
        // Get the site domain and get rid of www.
        $sitename = strtolower( $_SERVER['SERVER_NAME'] );
        if ( substr( $sitename, 0, 4 ) == 'www.' ) {
                $sitename = substr( $sitename, 4 );

        $from_email = 'wordpress@' . $sitename;

3 separate example scenarios (both the ones that require victim interaction and those that do not) include:

  1. Attacker can perform a prior DoS attack on the victim’s email account/server (e.g by sending multiple large files to exceed user’s disk quota, attacking the DNS server etc) in order to prevent the password reset email from reaching the victim’s account and bounce back to the malicious sender address that is pointed at the attacker (no user interaction required)
  2. Some autoresponders might attach a copy of the email sent in the body of the auto-replied message (no user interaction required)
  3. Sending multiple password reset emails to force the user to reply to the message to inquiry explanation for endless password reset emails. The reply containing the password link would then be sent to attacker. (user interaction required)


  1. If you are using Apache, you can turn on UseCanonicalName (see: https://httpd.apache.org/docs/2.4/mod/core.html#usecanonicalname)
  2. I created a simple plugin that you can install in your WordPress installation. It will disable the last password functionality.
    Disable Password Reset

CPU-miner Installed via Windows OS Vulnerability

This content is 2 years old. Technology changes with time. Keep that in mind as you read this article.

Update 5/6/2017:  Close port 445 and apply MS 17-010

I have triaged a handful of Windows servers this week that started out being ticketed as high CPU / performance issues.

Upon investigation, I have found XMR cryptocurrency miners being installed through a Windows OS Vulnerability.

Read More

Use LogParser to Audit Remote Desktop Access

This content is 6 years old. Technology changes with time. Keep that in mind as you read this article.

I’ve been working with LogParser for a few days and really find it useful.  There are some minor annoyances (lack of JOIN) with it but for the most part, I can get done what I need to get done pretty quickly using LogParser.

This post outlines reading the Security event log of a remote computer, in my case a 2008 Remote Desktop Session Host server.


  • LogParser
  • RemoteRegistry Enabled on target server
  • Administrative privileges

In order to run this script, you must be administrator to access the Security event log.

Special Note

This script is intended to run against Vista/7/2008 systems.  XP/2003 use a different event ID for logon/logoff.  This could be adapted to work with those if you wanted to — feel free.  =)


This is the batch script that does the magic. Make sure to set LOGPARSER variable in the script.

@echo off
REM Rich Kreider <rjkreider@gmail.com>

set LOGPARSER=logparser.exe
set TARGET=%1
set TEMPPATH=%SystemRoot%Temp

IF NOT EXIST "%SystemRoot%Temp" set TEMPPATH=%TEMP%

IF "%1"=="" (
@echo Note:	You can specify a remote target on the command:
@echo		rdp_audit.cmd ^<computername^>
@echo I am going to use this system to check for RDP activity.

@echo collecting logoffs
"%LOGPARSER%" -q:ON -i:EVT "select timegenerated, EXTRACT_TOKEN(Strings,1,'|') AS UserName, 'Logoff' as Action, EXTRACT_TOKEN(Strings,18,'|') AS IPAddress, EXTRACT_TOKEN(Strings,3,'|') AS LogonID into %TEMPPATH%rdp_audit_logoffs.csv from "%TARGET%security" where eventid='4634' and EXTRACT_TOKEN(Strings,4,'|')='10'" 2>NUL

@echo Problem collecting logoffs.  Check to see if RemoteRegistry is enabled.
goto err_collection

@echo collecting logons
"%LOGPARSER%" -q:ON -i:EVT "select timegenerated, EXTRACT_TOKEN(Strings,5,'|') AS UserName, 'Logon' as Action, EXTRACT_TOKEN(Strings,18,'|') AS IPAddress, EXTRACT_TOKEN(Strings,7,'|') AS LogonID into %TEMPPATH%rdp_audit_logins.csv from "%TARGET%security" where eventid='4624' and EXTRACT_TOKEN(Strings,8,'|')='10'"

@echo generating output
"%LOGPARSER%" -q:ON -i:CSV "select timegenerated, username, action, ipaddress, logonid into activity.html from %TEMPPATH%rdp_audit*.csv order by username, timegenerated, logonid desc" -o:TPL -tpl:output.tpl 2>NUL

@echo No activity found.
goto eof

@echo Collection complete.  Please view activity.html for details.
goto eof

@echo Try to enable RemoteRegistry on %TARGET%:  sc %TARGET% start RemoteRegistry
@echo To enable it to start the service at bootup:  sc %TARGET% config RemoteRegistry start= auto

@echo rjkreider@gmail.com


This is the file that is used to create the HTML output. Modify to your liking.



 <TH COLSPAN="5" ALIGN="CENTER">Remote Desktop Activity</TH>



Example Output

Here is an example screenshot of the generated HTML file…


Disable Java in Internet Explorer 9

This content is 6 years old. Technology changes with time. Keep that in mind as you read this article.

With recent security vulnerabilities, I’ve been talking many people through disabling Java in Internet Explorer 9.  This page serves as a quick visual reference point for disabling Java in Internet Explorer 9.

[stextbox id=alert]I recommend everyone uninstall Java completely…[/stextbox]

This is a quick publish.

If you want to disable Java from your webbrowser, there are two methods to quickly accomplish this.  The first and easiest is the the Java Control Panel. This method is only available if you have Java 7 Update 10 since this is when they introduced the option in the Java Control Panel. If you do not have Update 10, you can use Method 2 to disable Java from your browser.

[stextbox id=info]
You can also set the security to High in the Java Control Panel instead of disabling it. This will require self-signed/unsigned applets to request permission before running and may be a slightly better option for those who need to be able to use Java in the browser for work purposes.[/stextbox]

Method 1:  Java Control Panel


Click on Start then type: control java then click on the Java icon to launch Java’s control panel



Click on the Security tab, uncheck the Enable Java content in web browsers and click Apply.



You will get prompted for permissions to make changes to computer. If you choose no, it will only affect the currently logged on user. If you click Yes, all users will have Java disabled on your computer. Then you will be shown a finish screen. Just click OK. Then click OK again to close java control panel.


Method 2:  Internet Explorer Manage Add-ons


Click on the cog wheel at the far right of the Internet Explorer 9 main window.


Click on the Programs tab and then choose Manage Add-ons


In the left pane, click Toolbars and Extensions. In the right pane, under Oracle America, Inc., choose everything in that category and click Disable all at the bottom.

BIND DNS Security Hole Workaround

This content is 6 years old. Technology changes with time. Keep that in mind as you read this article.

There has been a recent discovery that affects BIND DNS servers.

A nameserver can be locked up if it can be induced to load a specially crafted combination of resource records.  CVE-2012-5166

To check your version, issue:

named -v

Affected BIND DNS server versions:

  • 9.2.x -> 9.6.x
  • 9.4-ESV->9.4-ESV-R5-P1
  • 9.6-ESV->9.6-ESV-R7-P3
  • 9.7.0->9.7.6-P3
  • 9.8.0->9.8.3-P3
  • 9.9.0->9.9.1-P3

Upgrading to one of the following corrects the problem

  • 9.7.7
  • 9.7.6-P4
  • 9.6-ESV-R8
  • 9.6-ESV-R7-P4
  • 9.8.4
  • 9.8.3-P4
  • 9.9.2
  • 9.9.1-P4
  • You can also work around the issue by setting a view or global option and setting minimal-responses to yes.

    Here’s an example screenshot of BIND9 configuration:

    BIND workaround for exploit