------------------------------------------------------------------------
Multiple vulnerabilities in All In One WP Security & Firewall plugin
login CAPTCHA
------------------------------------------------------------------------
Sipke Mellema, July 2016
------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
The login CAPTCHA provided by the All In One WP Security & Firewall
plugin can be circumvented in multiple ways, allowing an attacker to
automate login attempts when the CAPTCHA is enabled.
------------------------------------------------------------------------
OVE ID
------------------------------------------------------------------------
OVE-20160719-0001
------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
These issues were successfully tested on the All In One WP Security &
Firewall [2] WordPress Plugin version 4.1.2.
------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
The first two findings are resolved in the All In One WP Security &
Firewall plugin version 4.1.3 [3].
------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
All In One WP Security & Firewall [2] is a comprehensive, user-friendly,
all-in-one security and firewall plugin for WordPress. One of its
options is a login CAPTCHA intended to prevent automated login attempts.
Multiple vulnerabilities allow an attacker to circumvent this CAPTCHA
mechanism.
------------------------------------------------------------------------
Details finding 1: Complete bypass of CAPTCHA answer validation
------------------------------------------------------------------------
When the login CAPTCHA is enabled, the plugin will check if the user
provided a CAPTCHA answer. If so, the answer will be checked for
validity. However, the code does not account for the case where no
CAPTCHA answer is provided. If no answer is sent, the login will
continue as normal, even though the CAPTCHA setting is enabled.
The vulnerable code is located in wp-security-user-login.php:
    //Check if captcha enabled
    if ($aio_wp_security->configs->get_value('aiowps_enable_login_captcha') == '1')
    {
        //If the login form with captcha was submitted then do some processing
        if (array_key_exists('aiowps-captcha-answer', $_POST))
        {
            [.. captcha logic ..]
        }
        [.. missing else statement ..]
    }
------------------------------------------------------------------------
Details finding 2: CAPTCHA answer forgery
------------------------------------------------------------------------
The hidden CAPTCHA field leaks the secret key used to create valid
answers. By extracting the secret key it is possible to forge valid
CAPTCHA answers.
The vulnerable code is located at /classes/wp-security-captcha.php:
    //Let's encode correct answer
    $captcha_secret_string = $aio_wp_security->configs->get_value('aiowps_captcha_secret_key');
    $current_time = time();
    $enc_result = base64_encode($current_time.$captcha_secret_string.$result);
    $equation_string .= ''; // input aiowps-captcha-string-info, value $enc_result (HTML omitted)
    $equation_string .= ''; // input aiowps-captcha-temp-string, value $current_time (HTML omitted)
    $equation_string .= ''; // input aiowps-captcha-answer, filled in by the user (HTML omitted)
    return $equation_string;
The CAPTCHA form adds three fields to the login form:
    aiowps-captcha-string-info - the timestamp, the secret CAPTCHA key and
        the valid answer, concatenated and base64 encoded
    aiowps-captcha-temp-string - the timestamp
    aiowps-captcha-answer      - the answer to be filled in by the user
To validate the answer, the plugin concatenates the timestamp supplied
by the user, the secret CAPTCHA key and the answer supplied by the user,
base64 encodes the result and compares it with aiowps-captcha-string-info.
By base64 decoding the value of aiowps-captcha-string-info, a user can
extract the secret key and create valid answers.
------------------------------------------------------------------------
Details finding 3: CAPTCHA answer replay attack
------------------------------------------------------------------------
The CAPTCHA mechanism described above never expires a CAPTCHA answer. A
valid answer can therefore be re-used indefinitely, allowing automated
login attempts.
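The following is an added example, not the plugin's code and not its 4.1.3 fix: an illustrative hardened token generation and validation that addresses findings 1 to 3 together. It assumes the plugin's three field names, a configured secret passed in as $secret, and a validity window and function names that are ours.

```php
<?php
// Added example (not the plugin's code or its actual fix): a hardened
// CAPTCHA token scheme covering findings 1-3.
//  1. A missing answer field is a failed CAPTCHA, not a pass.
//  2. The hidden token is an HMAC over timestamp and answer, so neither
//     the secret key nor the answer can be read out of the login form.
//  3. Tokens older than a short window are rejected.
// Assumptions: $secret is the configured CAPTCHA secret; the field names
// are the plugin's; CAPTCHA_MAX_AGE and the function names are ours.

const CAPTCHA_MAX_AGE = 300; // seconds a token stays valid (our choice)

// Build the token for a generated question whose correct answer is $result.
function aiowps_demo_make_token(string $secret, int $time, int $result): string
{
    return hash_hmac('sha256', $time . ':' . $result, $secret);
}

// Validate a submitted login form. True only for a fresh, correct answer.
function aiowps_demo_validate(array $post, string $secret, int $now): bool
{
    // Finding 1: every field must be present and be a string.
    $fields = ['aiowps-captcha-string-info', 'aiowps-captcha-temp-string',
               'aiowps-captcha-answer'];
    foreach ($fields as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            return false;
        }
    }
    if (!ctype_digit($post['aiowps-captcha-temp-string'])
        || !preg_match('/^-?\d+$/', $post['aiowps-captcha-answer'])) {
        return false;
    }
    $time   = (int) $post['aiowps-captcha-temp-string'];
    $answer = (int) $post['aiowps-captcha-answer'];

    // Finding 3: reject future timestamps and tokens outside the window.
    if ($time > $now || $now - $time > CAPTCHA_MAX_AGE) {
        return false;
    }

    // Finding 2: recompute the HMAC and compare in constant time.
    $expected = aiowps_demo_make_token($secret, $time, $answer);
    return hash_equals($expected, $post['aiowps-captcha-string-info']);
}
```

Within the validity window a token can still be replayed; storing issued tokens server-side (or a per-form nonce) and consuming each on first use closes that remaining gap.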
------------------------------------------------------------------------
Details finding 4: Easy automatable CAPTCHA solving
------------------------------------------------------------------------
Math questions created by the login CAPTCHA are not obfuscated in any
way. The math questions (such as "five + 2") can easily be parsed by a
program to generate valid answers.
------------------------------------------------------------------------
Proofs of concepts
------------------------------------------------------------------------
1. Enable the login CAPTCHA and remove the aiowps-captcha-answer
parameter from the POST request. The login will succeed as normal.
2. Base64 decode the hidden field aiowps-captcha-string-info to obtain
the CAPTCHA secret and a valid answer.
3. Send two login attempts with the same (valid)
aiowps-captcha-string-info, aiowps-captcha-temp-string and
aiowps-captcha-answer parameters. Both login attempts will be accepted.
4. A programmer can use the array from the number_word_mapping method to
evaluate the questions created by the CAPTCHA.
------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://sumofpwn.nl/advisory/2016/multiple_vulnerabilities_in_all_in_one_wp_security___firewall_plugin_login_captcha.html
[2] https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/
[3] https://downloads.wordpress.org/plugin/all-in-one-wp-security-and-firewall.zip