
Full Disclosure mailing list archives
Re: DoS via tables corruption in WordPress
From: Harry Metcalfe <harry () dxw com>
Date: Mon, 17 Feb 2014 09:58:42 +0000
Hi MustLive,
I have read both of those carefully (the websecurity one, via Google Translate) and watched the video.
I agree that someone who came across a WordPress site with crashed tables might get an installer screen. That would be bad. But it is also very unlikely to occur often. The nearest I can see to an actual attack is that you could DoS a MySQL server, or WordPress itself, in the hope that you might cause table corruption that would let you re-install, thus seizing control. Again, though I suppose this is possible, it seems fanciful.
I still can see no explanation, replication steps or proof of concept code that would allow me to confirm that the attack shown in the video -- denial of service via database unavailability on an arbitrary WordPress site, irrespective of configuration -- is possible.
Obviously, the YouTube video by itself is not proof of anything.
Harry

On 12/02/2014 16:46, MustLive wrote:
Hi Harry!
The links to my advisories and article about attack via tables corruption in MySQL and link to proof video were in my first letter. The links are also in the description of the video, which I posted on Saturday on YouTube.
Aris hasn't mentioned those links in his letter (he didn't quote original letter). And I was trying not to repeat the same links all the time.
So these links can be found in the list. But if you want, here they are - to make things a bit easier.
Link to my 2009's post, where I described my conception of attack on example of WordPress (http://perishablepress.com/important-security-fix-for-wordpress/comment-page-5/#comment-71666) and posted the same advisory at my site. Also read my answers on questions there in comments.
Link to my 2012's article Attack via tables corruption in MySQL (http://websecurity.com.ua/articles/attack-via-tables-corruption-in-mysql/).
Link to the video with my WordPress DoS exploit (http://www.youtube.com/watch?v=kwv5ni_qxXs). A proof of this vulnerability in WP and of the attack described in the article.
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

----- Original Message -----
From: "Harry Metcalfe" <harry () dxw com>
To: "MustLive" <mustlive () websecurity com ua>
Cc: <full-disclosure () lists grok org uk>
Sent: Wednesday, February 12, 2014 4:51 PM
Subject: Re: [Full-disclosure] DoS via tables corruption in WordPress

Hi MustLive,
Just to make things a bit easier, would you mind replying with links for the perishablepress.com article, the 2009 advisory and the 2012 article?
Many thanks!
Harry

On 12/02/2014 14:44, MustLive wrote:
Hello Aris!
First of all, I wrote all required information in my post in May 2009 at perishablepress.com. And I answered on all questions (including lame ones and scepsis) concerning attack on WordPress, which I proposed to owner of that site as explanation why his site was hacked that time (via engine reinstall).
And since I developed conception of this attack yet in 2007 (for IPB, because I have forum on this engine) and made advisories for WordPress and IPB concerning possibility of attacks via table corruption, so in 2012 I made detailed article "Attack via tables corruption in MySQL" (http://websecurity.com.ua/articles/attack-via-tables-corruption-in-mysql/), which I published at my site and in WASC mailing list.
So all aspects of attacks were described and all questions were answered by me many years ago. Those who didn't read that information should read it, those who have questions should read my 2009's advisory and 2012's article - AND THEY WILL HAVE NO QUESTIONS. And for those who have scepsis about database corruption attacks - that it's not possible to make reliable attack with 100% chance to conduct attack on real web site - for those I made exploit and video of its use on web site in Internet. So unbelievers should watch video and believe.
> I have yet to determine if that was an accident or an attack.
I'm sure that your case is an accident, not an attack. Since everyone after I proposed this attack from 2009 and till now didn't believe in possibility of this attack and considered it as "conceptual". I.e. that was "luck" for attackers to hack perishablepress.com with using of tables corruption that particular day and it'll not happen again for nobody as skeptics thought.
My video should change their mind. First of all it's hard attack and I didn't release my exploit (and will not release it in near future) and not aware about anyone's exploit in the public for 5 years after my 2009's advisory. So you have exact combination of hardware and software (MySQL and WordPress) that makes your site vulnerable to this attack. Most of web sites on WordPress can sleep tight until some day an attacker will test their site on "crashability" and make them vulnerable to this attack.
For all nuances of attacking on tables in MySQL read my article to understand your case and create scenario of possible attack on your site to trigger table crash, which leads to DoS. Concerning your case I'll write more information to you privately. It's needed to you to find out the exact way of crashing tables at site to prevent "accident" turn into "attack".
Note, that WP developers later in 2009, after reading that my publication and thinking for 7 months, made a fix for this DoS in WP 2.9. But they made not automated tables repair, but manual, so it can't be considered as a fix, since tables can be crashed and site will be DoSed - until admin will find it and manually repair the tables. So WP developers made lame fix for this DoS attack, as I wrote in my 2012 advisory and WP is still vulnerable (and also I described DoS vulnerability in protection functionality against this DoS attack).
> If Mustlive has any real and concrete information (URL, exploit code), please share with us.
All real and concrete information is in my 2009's advisory and 2012's article. With addition of my 2014's video (I was planning to make it in 2012, but found time only this month). So reading and watching of them will help. For now I'll not release any exploits (don't need to create a risk not for that lame site in my video, nor for all other WordPress sites, since WP developers haven't fixed hole properly), but I'll do it in the future.
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

----- Original Message -----
From: "Aris Adamantiadis" <aris () 0xbadc0de be>
To: "Andrew Nacin" <nacin () wordpress org>; "MustLive" <mustlive () websecurity com ua>
Cc: <full-disclosure () lists grok org uk>
Sent: Tuesday, February 11, 2014 3:46 PM
Subject: Re: [Full-disclosure] DoS via tables corruption in WordPress

On 11/02/14 09:34, Andrew Nacin wrote:
> Aris mentions he experienced corruption in his own WordPress setup. It's most likely the options table simply crashed, not as a result of any particular exploit. This is, after all, why MySQL has a REPAIR command (and why we have a script for users to use).
This happened again last night. The mysql corruption was caused by an OOM random kill (thanks linux) that chose mysql daemon as a victim. The cause of the OOM was either wordpress or piwik, probably made possible through apache misconfiguration (too many children).
I have yet to determine if that was an accident or an attack. If Mustlive has any real and concrete information (URL, exploit code), please share with us.
Aris
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/