WordPress comment exploit published

The Russian blog Habrahabr has published (translation) a proof of concept exploit for the WordPress bug reported by Klikki on November 20. The blog also reports that some level of exploitation was already seen in the wild.

Updating to one of the non-vulnerable versions is therefore urgent. Note that even if comments are disabled on your WordPress site, there may be other attack vectors exposed by e.g. plug-ins. Any way for an attacker to enter HTML that is fed through the texturization function is a pathway for the exploit.

Most technical details and a proof of concept exploit were omitted from our advisory to give WordPress users time to patch their systems before widespread exploitation.

Here is some technical analysis of the bug that was left out of our prior release.

Consider the following text typed as a comment:

    [<blockquote cite="]">[" onmouseover="alert('hello');" ]

In wptexturize(), the previously mentioned regular expression is used to split the text into segments, which are texturized one by one (unless a segment is a tag). In this case there would be three segments:

1.    [<blockquote cite="]
2.    ">
3.    [" onmouseover="alert('hello');" ]

The first and last segments are considered shortcodes and won’t be texturized. This is determined by the first character, which is a square bracket in this case.

The second segment will be treated as running text because it doesn’t begin with a square or angle bracket, and therefore is texturized. At this point, the quote symbol is translated to a Unicode entity.

The segments are then put back together. The resulting comment will be:

    [<blockquote cite="]&#8220;>[" onmouseover="alert('hello');" ]

A web browser sees here a blockquote tag with valid cite and onmouseover attributes.

Here is another example that includes a style attribute to stretch the tag over the whole window:

    [<blockquote cite="]">[" onmouseover="this.style.display='none';alert('exploit javascript running');" style="position:fixed;left:0px;top:0px;width:100%;height:100%;z-index:10000;display:block" ]
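
A defensive check based on the analysis above, added here as an example and not part of the original advisory or of WordPress: it parses comment HTML with a tag-aware parser and reports event-handler or style attributes, first on the comment as typed and then on the texturized result. The `<p>` wrapper, the function names and the risky-attribute rule are assumptions made for the illustration.

```python
from html.parser import HTMLParser


def is_risky(attr_name):
    """Event handlers (on*) and inline style do not belong in a rendered comment.
    This rule is an assumption of the example, not WordPress's own filter."""
    return attr_name.startswith("on") or attr_name == "style"


class CommentAudit(HTMLParser):
    """Collects (tag, attribute, value) for every risky attribute the parser sees."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # attrs is a list of (name, value) pairs with names lower-cased.
        for name, value in attrs:
            if is_risky(name):
                self.findings.append((tag, name, value))


def audit(html_text):
    """Return the risky attributes found in a fragment of comment HTML."""
    parser = CommentAudit()
    parser.feed(html_text)
    parser.close()
    return parser.findings


# Constructed samples. The comment strings are the ones shown in the analysis;
# the <p>...</p> wrapper stands in for the surrounding page markup (assumption).
AS_TYPED = """<p>[<blockquote cite="]">[" onmouseover="alert('hello');" ]</p>"""
AS_RENDERED = """<p>[<blockquote cite="]&#8220;>[" onmouseover="alert('hello');" ]</p>"""
BENIGN = '<p><blockquote cite="http://example.com/">quoted text</blockquote></p>'

if __name__ == "__main__":
    for label, sample in (("as typed", AS_TYPED),
                          ("as rendered", AS_RENDERED),
                          ("benign", BENIGN)):
        print(label, "->", audit(sample) or "no risky attributes")
```

The typed form passes the check because its quote closes the cite value early; only the texturized output exposes the handler as an attribute, so the audit belongs on the HTML the site actually serves.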

More information:

Update December 08: Exploit code for server-side shell access released.

Update January 31, 2015: another 0-day with a similar impact to be released soon. Vendor notified on November 7.