Date: Mon, 21 Nov 2016 11:54:33 -0500
From: Scott Arciszewski <scott@...agonie.com>
To: oss-security@...ts.openwall.com
Subject: WordPress (all versions): SPOF, RCE, and Negligence

This is the function that fetches downloads from the WordPress update
servers: https://github.com/WordPress/WordPress/blob/f5b6731777bbd1dfe290867d2240a2a68e2f0cf1/wp-admin/includes/class-wp-upgrader.php#L252-L283

The only verification it offers is an MD5 checksum, which is sent by
the server that also serves the file:
https://github.com/WordPress/WordPress/blob/eeefec932f3d4f3b50369f6523c2cd8fad3d467f/wp-admin/includes/file.php#L482-L525

At no point lower in the automatic update process is a cryptographic
signature verified. The update server is trusted explicitly and
implicitly by every WordPress website online.

WordPress powers an estimated 26% of websites on the Internet.

Consequently, the WordPress update server is one of the largest single
points of failure (SPOF) on the Internet. If you manage to hack their
infrastructure, you can push a false update to millions of WordPress
blogs and get reliable remote code execution everywhere.

They are aware of this issue, and have been for years:
https://core.trac.wordpress.org/ticket/25052

Additionally, PHP before 5.6.0 had terrible SSL/TLS support. It may
also be possible to get targeted RCE out of a MitM condition due to
their stubborn insistence on supporting PHP 5.2.4. I need to do more
research here.

The WordPress culture, for those who are not aware, prioritizes higher
adoption rates over better security. They see backwards compatibility
as a usability problem more than a liability.

The WordPress team also promotes the use of the misnomer "responsible
disclosure" over the more accurate "coordinated disclosure", and
refuses to entertain suggestions to improve their vernacular.

In short, WordPress is semi-toxic towards improving their own
security-- mostly out of negligence and stubbornness rather than
outright hostility (see: OpenCart).

I don't believe there's much chance of fixing this, due to political
problems rather than technological problems. The first step towards a
reliable solution would look like this:

1. Up the minimum PHP version to at least 5.6.0.
2. Use openssl_sign() and openssl_verify() with an RSA keypair
maintained by their team.

A total solution would incorporate all of the elements listed here for
both core updates and theme/plugin updates:
https://paragonie.com/blog/2016/10/guide-automatic-security-updates-for-php-developers#elements-automatic-updates

Should anyone wish to endure the steep uphill battle to try to get
WordPress to fix this problem _before_ we see headlines titled
"WormPress: How your blog was hacked" in the news, godspeed.

Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises <https://paragonie.com>
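
The gap between a server-supplied MD5 checksum and the openssl_sign() / openssl_verify() check proposed in the message above, as an added PHP example that is not part of the original post and is not WordPress code. The function names and sample data are constructed, and the key pair generated in the script stands in for one whose private half is kept off the update server by the release team.

```php
<?php
// Added illustration, written without PHP 7 type hints so it runs on PHP 5.6.
// Function names and all sample data are constructed for this example.

// Simplified checksum check: the digest arrives from the same server as the
// file, so it only detects accidental corruption, not a malicious swap.
function checksum_ok($package, $md5FromServer)
{
    return hash_equals(md5($package), $md5FromServer);
}

// Signature check against a public key shipped with the client. The matching
// private key is assumed to live away from the download infrastructure.
function signature_ok($package, $signature, $pinnedPublicKeyPem)
{
    $key = openssl_pkey_get_public($pinnedPublicKeyPem);
    if ($key === false) {
        return false; // unusable key: fail closed
    }
    // openssl_verify() returns 1 for a valid signature, 0 for an invalid one
    // and -1 on error, so compare strictly against 1.
    return openssl_verify($package, $signature, $key, OPENSSL_ALGO_SHA256) === 1;
}

// --- constructed demo data ---
$signingKey = openssl_pkey_new(array(
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
    'private_key_bits' => 2048,
));
if ($signingKey === false) {
    exit("could not generate demo key\n");
}
$details   = openssl_pkey_get_details($signingKey);
$pinnedPem = $details['key']; // public half, as the client would embed it

$release = "constructed stand-in for a release archive";
openssl_sign($release, $releaseSig, $signingKey, OPENSSL_ALGO_SHA256);

// Whoever controls the download server can replace the archive and
// recompute its MD5, but cannot produce a signature without the private key.
$replaced    = "constructed stand-in for a replaced archive";
$replacedMd5 = md5($replaced);

printf("replaced archive, checksum check:  %s\n", var_export(checksum_ok($replaced, $replacedMd5), true));
printf("replaced archive, signature check: %s\n", var_export(signature_ok($replaced, $releaseSig, $pinnedPem), true));
printf("genuine archive, signature check:  %s\n", var_export(signature_ok($release, $releaseSig, $pinnedPem), true));
```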
