Recently somebody posted on Reddit about a WordPress scanner that takes advantage of a new WordPress vulnerability. The vulnerability abuses the Pingback system, a well-known feature used by many bloggers.
What is a Pingback?
Quoting Wikipedia: A pingback is one of three types of linkbacks, methods for Web authors to request notification when somebody links to one of their documents. This enables authors to keep track of who is linking to, or referring to their articles. Some weblog software, such as Movable Type, Serendipity, WordPress, and Telligent Community, support automatic pingbacks where all the links in a published article can be pinged when the article is published.
WordPress has an XML-RPC API that is accessed through the xmlrpc.php file. One of the methods exposed through this API is pingback.ping, which other blogs use to announce pingbacks. When WordPress processes a pingback, it first tries to resolve the source URL; if that succeeds, it makes an HTTP request to that URL and inspects the response for a link to a post on the receiving WordPress blog. If it finds such a link, it posts a comment on that blog post announcing that somebody mentioned it in their blog.
This can be abused in at least four ways:
- WordPress tries to resolve the source URL and returns different error messages depending on whether the source host exists or not. Attackers can use this to guess hosts inside the internal network, for example with URLs like http://subversion/, http://bugzilla/ or http://dev/ to see whether these hosts exist.
- If the source URL resolves, WordPress tries to connect to the port specified in the URL. If an attacker uses a URL like http://subversion:22/, WordPress will try to connect to the host subversion on port 22, and the responses differ depending on whether the port is open or closed. This functionality can therefore be used to port-scan hosts inside the internal network.
- It can also be used for distributed DoS (Denial of Service) attacks. An attacker can contact a large number of blogs and ask each of them to pingback a target URL; all of these blogs will then send requests to the target URL.
- From the tests I've carried out, WordPress also accepts URLs with embedded credentials. An attacker can therefore use a URL like http://admin:admin@192.168.0.1/changeDNS.asp?newDNS=aaaa to reconfigure the internal router, as in the email hack attack.
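As an added example, not code from this post or from WordPress, the following Python script shows the pre-check a blog could run on an incoming pingback.ping body before it performs the verification fetch described above. It parses the XML-RPC call, extracts the source URL and rejects the patterns from the first, second and fourth bullet points (unqualified LAN host names, ports other than 80/443, credentials in the URL), and it goes a little beyond them by also refusing non-http schemes, IP literals in non-public ranges and host names that resolve to non-public addresses. The request body, host names, addresses and the fake DNS table are constructed for the example; check_source_url, parse_pingback and screen_request are hypothetical names. Rate limiting for the third bullet point (the DDoS case) is outside the script.

```python
"""Pre-flight screening of an incoming XML-RPC pingback.ping request.

Added example, not WordPress code. The request body, host names, addresses
and the FAKE_DNS table below are constructed for illustration only.
"""
import ipaddress
import socket
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def resolve(host):
    """Real resolver: every address the system returns for host."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_source_url(url, resolver=resolve):
    """Return (ok, reason). ok is False when the URL must not be fetched.

    The reason is for the server's own log only; the XML-RPC fault sent back
    should be identical for every rejection so that it leaks nothing about
    which hosts or ports exist.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        # http://user:pass@router/... would hand credentials to an internal device
        return False, "credentials in URL"
    host = parts.hostname
    if not host:
        return False, "no host"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        # http://host:22/ would turn the verification fetch into a port probe
        return False, "port not allowed"
    if _is_ip_literal(host):
        addrs = {host}
    else:
        if "." not in host.strip("."):
            # single-label names like http://subversion/ only resolve on the LAN
            return False, "unqualified hostname"
        try:
            addrs = set(resolver(host))
        except OSError:  # socket.gaierror is a subclass of OSError
            return False, "host does not resolve"
    for addr in addrs:
        if not ipaddress.ip_address(addr).is_global:
            # private, loopback, link-local, CGNAT, multicast, unspecified ...
            return False, f"resolves to non-public address {addr}"
    return True, "ok"


def parse_pingback(body):
    """Return (source_uri, target_uri) from a pingback.ping call, else None."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    method = (root.findtext("methodName") or "").strip()
    if root.tag != "methodCall" or method != "pingback.ping":
        return None
    params = []
    for value in root.findall("./params/param/value"):
        node = value.find("string")  # XML-RPC also allows a bare <value>
        text = node.text if node is not None else value.text
        params.append((text or "").strip())
    if len(params) != 2:
        return None
    return params[0], params[1]


def screen_request(body, resolver=resolve):
    """Decide whether the verification fetch for this request may proceed."""
    parsed = parse_pingback(body)
    if parsed is None:
        return False, "not a pingback.ping call"
    source_uri, _target_uri = parsed
    return check_source_url(source_uri, resolver)


# Constructed DNS answers so the example runs offline (1.2.3.4 stands in for
# any ordinary public address).
FAKE_DNS = {
    "subversion": {"10.0.0.5"},
    "intranet.corp.example": {"10.0.0.5"},
    "other-blog.example": {"1.2.3.4"},
}


def fake_resolve(host):
    if host not in FAKE_DNS:
        raise socket.gaierror("constructed: name not found")
    return FAKE_DNS[host]


# Constructed pingback.ping body of the kind described in the post.
SAMPLE_BODY = """<?xml version="1.0"?>
<methodCall>
  <methodName>pingback.ping</methodName>
  <params>
    <param><value><string>http://subversion:22/</string></value></param>
    <param><value><string>http://blog.example/2012/12/post/</string></value></param>
  </params>
</methodCall>"""

if __name__ == "__main__":
    print("sample body:", screen_request(SAMPLE_BODY, fake_resolve))
    for url in ("http://subversion/", "http://admin:admin@192.168.0.1/changeDNS.asp?newDNS=aaaa",
                "http://192.168.0.1/", "https://other-blog.example/post/"):
        print(url, "->", check_source_url(url, fake_resolve))
```

Two caveats on the design: the address check is only sound if the connection is then made to the address that was checked (resolving twice lets a DNS rebinding answer slip through), and the caller must map every rejection to the same generic XML-RPC fault, otherwise the distinct messages that make the first bullet point an oracle are simply reintroduced. For untrusted XML in production, parse with defusedxml rather than the standard ElementTree.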
I've made some screenshots to demonstrate how WordPress is returning different error messages for valid and invalid hosts/ports.
Screenshot 1: Invalid Host
Screenshot 2: Valid Host
I've implemented an Acunetix WVS script to test this vulnerability. This script will try to resolve various common internal hosts and try to connect to common ports. In the end, it will report the successful attempts. The script is available in the latest build (20121213) of Acunetix WVS. A sample alert looks like this:
How do you protect against this vulnerability? Currently there is no fix. Disabling pingbacks and trackbacks from the Discussion Settings page doesn't fix the problem either. The issue was reported to the WordPress Team and will probably be fixed soon. Until then, you can rename/delete the xmlrpc.php file. Please let me know if you have a better workaround.
Note: The issue described in this article has been addressed in WordPress 3.5.1.
Ahan!! Great work. Thumbs up.
Thanks Adwiteeya.
Actually, in my overnight tests I found that a blog post where trackbacks are disabled isn't vulnerable. Disabling it worked as a fix for my test installation; of course, YMMV.
That’s not my experience. In my case it worked even if trackbacks were disabled. I’ve tested on WordPress 3.5.
Pingback: WordPress Pingback Vulnerability Could Lead to to DDoS Attacks « Wordpress « Wordpress Skills
Pingback: WordPress Pingback Vulnerability Could Lead to to DDoS Attacks | Wordpress news and updates
Pingback: Pingback Bug in Wordpress Can Be Leveraged in DDoS Attack, Router Reconfiguration | HOTforSecurity
Pingback: Wordpress pingback: falla permette attacchi DDoS! - Capn3m0 WebSecurity
Interesting. This is a classic case of XSPA/SSRF (Cross Site Port Attack/Server Side Request Forgery). A lot of research has now been conducted into specific instances of this vulnerability with PoC from several popular web applications.
http://www.riyazwalikar.com/2012/11/cross-site-port-attacks-xspa-part-1.html
https://media.blackhat.com/ad-12/Walikar/bh-ad-12-pokingserverswithFacebook-Walikar-WP.pdf
http://erpscan.com/wp-content/uploads/2012/08/SSRF-vs-Businness-critical-applications-whitepaper.pdf
https://docs.google.com/document/d/1v1TkWZtrhzRLy0bYXBcdLUedXGb9njTNIJXa3u9akHM/edit
Thanks Riyaz. I was aware of some of those papers but not all of them.
In this case only the http:// scheme is supported, it’s not possible to use dict/gopher/…
Pingback: Bezpečnostní chyba ve WordPressu 3.5 - WP-blog
Pingback: Pingback in Wordpress ermöglicht Portscan und DDoS | WebDataSec
Pingback: {EN} – WordPress Pingback Vulnerability Serves DDoS attack feature | Hack-Actus
Pingback: WordPress Pingback Vulnerability Serves DDoS attack feature | THEROS INFOSEC FORUM
Pingback: WordPress Pingback Vulnerability Serves DDoS attack feature « Engineering Evil
Great work!
Thank you for sharing.
Pingback: Philippines news: WordPress vulnerability opens the door to DDOS attacks | Pinas news library
Pingback: WordPress Security Warning: Pingback Vulnerability & Temporary Fix
what if you disable xmlrpc?
add_filter( 'xmlrpc_enabled', '__return_false' );
Yes, that would work but has the same effect as renaming the file xmlrpc.php to something else.
nice job
Wrote about this back in spring http://codeseekah.com/2012/04/18/wordpress-dosnet
Very cool. I wasn’t aware about your blog post.
Pingback: WordPress Security Warning: Pingback Vulnerability & Temporary Fix | Wordpress news and updates
Pingback: WordPress LAN Recon | TechSNAP | Jupiter Broadcasting
Pingback: WordPress Security Warning: Pingback Vulnerability & Temporary Fix « Wordpress « Wordpress Skills
You can simplify this with a simple deny clause in your .htaccess file (Apache compatible only)
Example:
Deny from all
Save the file and the site should still function, but all requests to xmlrpc.php will get a 403 forbidden.
Deny from all will restrict access to all files.
Hi,
Yes, I crafted a very specific config stanza, but apparently the comment filter filtered out my XML and only left the Deny from all.
/facepalm
It also didn’t allow me to edit my comment
/double facepalm
Basically look at the docs for an idea:
http://httpd.apache.org/docs/2.2/mod/core.html#files
You need to specify “files xmlrpc.php” with just the Deny from all
you have to be careful with .htaccess
The same (something similar) can be accomplished with web.config on IIS 7.5 web servers or .htaccess if something like ISAPI_Rewrite is installed on IIS. Just rewrite and/or the requests to xmlrpc.php:
IIS web.config (Request Filtering):
ISAPI_Rewrite .htaccess (you can’t use “deny sequences” with ISAPI_Rewrite):
RewriteCond %{REQUEST_URI} (xmlrpc\.php) [NC]
RewriteRule .? / [F,L]
As Bogdan said, be careful with .htaccess and read the article “htaccess files should not be used for security restrictions” on this blog.
Hmm, couldn’t use < %gt; for Request Filtering. Perhaps HTML encoded will work, if not I’m sorry
<system.webServer>
<security>
<requestFiltering>
<denyUrlSequences>
<add sequence="xmlrpc.php" />
</denyUrlSequences>
</requestFiltering>
</security>
</system.webServer>
Pingback: technologyruck.us – WordPress Pingback Vulnerability Serves DDoS attack feature
Pingback: WordPress - Une vulnérabilité du PingBack permet des attaques DDoS massives | UnderNews
Pingback: The WordPress Weekend Roundup - WP Daily
Pingback: On Blogging: Are Pingbacks A Pesky Problem? | Mirth and Motivation
Pingback: Spätné upozornenia robia WordPress zraniteľným « WordPress Slovensko
Pingback: Cómo proteger WordPress de la “vulnerabilidad Pingback” descargar gratis | Zonadictz
Pingback: Building the site |
Pingback: Perishable Press : Perlindungan bagi Kerentanan Pingback WordPress | Pernando "cybrog" Ritonga
You misspelled ‘Reddit’
Pingback: Daca wordpressul merge greu pe unele siteuri hostate pe servere ubuntu/debian xmlrpc trebuie dezactivat | LUG Mureş
Pingback: 关于WordPress xmlrpc.php Pingback缺陷与SSRF攻击 | EVILCOS
Pingback: 关于WordPress xmlrpc.php Pingback缺陷与SSRF攻击 | 羊知道|YangKnow.com
Is wordpress 3.5 vulnerable?
yes, 3.5 is vulnerable.
Pingback: Protection for WordPress Pingback Vulnerability | Start a Web Design Company
Great! Thank you a lot
Is this Vulnerability fixed in 3.5.1 version of WordPress?
Yes, it’s fixed in 3.5.1
I have a WP 3.5.1 site that still gets pingbacks with Chinese characters… I have disabled pingbacks, but it does not help. So is this really fixed, or do I have some other issues?
/Morten
Hey, what's the name of the tool you used to do the HTTP POST?
And thanks.
I’m using Acunetix’s HTTP Editor tool.