Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Wordpress Pingback Port Scanner
From: "MustLive" <mustlive () websecurity com ua>
Date: Sat, 19 Jan 2013 20:53:24 +0200

Hi Chris!

It's good that you've drew attention on possibility of port scanning and 
made nice software for abusing this WP feature.

But I want to remind about another vulnerability in XML-RPC, which I've 
disclosed in 2012. The most important hole in WordPress XML-RPC is Brute 
Force (http://securityvulns.ru/docs27916.html, 
http://lists.grok.org.uk/pipermail/full-disclosure/2012-March/086271.html). 
I've wrote on example of WordPress, but it concerns every web application 
with in XML-RPC support. To BF are vulnerable all versions of WP, but since 
WordPress 2.6 XML-RPC was turned on by default.

And when WordPress developers turned in on in WordPress 3.5 they returned 
the hole back to the masses. Earlier for WP 2.6 - 3.4.2 only those web sites 
were vulnerable, which had turned it on, then since WP 3.5 all web sites 
would be vulnerable again.

The interesting part with Brute Force attacks via XML-RPC and the same with 
Atom Publishing Protocol (to which vulnerable are WP 2.3 - 3.4.2), this hole 
I've also disclosed in 2012 (http://securityvulns.ru/docs27917.html, 
http://lists.grok.org.uk/pipermail/full-disclosure/2012-March/086328.html), 
as I've wrote at my site - it's better reliability then brute forcing via 
login form. Because unlike login form (for which there are plugins to 
protect against BF), no plugins can protect against attacks via XML-RPC and 
AtomPub.

WP developers removed AtomPub from the core (made it as a plugin), so they 
"removed" this BF hole from the core, but at that they enabled BF hole via 
XML-RPC (plus added port scanning functionality). Such wise decision :-).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

From: FireFart_(at)_gmail.com <FireFart_(at)_gmail.com>
Date: 18.12.2012
Subject: Wordpress Pingback Port Scanner

Hi folks,
Wordpress 3.5 has it's XML-RPC Interface enabled by default. See here for 
more information:
http://www.ethicalhack3r.co.uk/security/introduction-to-the-wordpress-xml-rpc-api
/
http://codex.wordpress.org/Version_3.5#Settings

I read through the article and took a look at the Pinback API since it is 
public available on many Wordpress installations.
The cool thing is: you can do a port scan using the Pingback API
You can even scan the server itself or discover some hosts on the internal 
Network this server is on.
So i wrote this little Ruby Script to utilize this "feature":

https://github.com/FireFart/WordpressPingbackPortScanner

You can even use multiple Wordpress XML-RPC Interfaces to scan a single 
host so this can be some kind of distributed port scanning.

Chris 


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]