Prajal Kulkarni@prajalkulkarni

The Tale of 100 CVE’s

@about me

• Security Engineer @Flipkart

• Likes to do Bug Hunting!

• Loves coding in Python

• Member of null security community

• Lead vocalist @Sathee

@prajalkulkarni

WordPress Security Ecosystem!

100 CVE’s in less than a month!

How we did it?

What Tale?

60 Million Websites Worldwide

Powers 1 in 5 of all the worlds websites in the world

-Matt

Current stable release 3.9.1

Version 3.8 downloads > 20 Million times-Stats from Wikipedia

Wordpress Ecosytem

Scary Enough?

Still not??

WordPress Core – Stable 3.9.1

31,154 Plugins

More than 2.5K Themes

Wordpress Security Ecosytem

Our attempt to Improve the Ecosystem

Once Upon a Time

Credits - Anant Shrivastava

Wait Something not right!

Vulnerabilities Found!

Full path disclosure

-pma/error.php-pma/libraries/PMA_List_Database.class.php

PHP info disclosure

-pma/phpinfo.php

Security Bypass Allows direct access.

-pma/server_databases.php - Full access to all features including SQL window

-pma/main.php – reveals all the details of the database

Timeliness

• Author Contacted: 24 July 2013

• No positive response from the author

• Wordpress Security Team contacted: 11 September 2013

• Plugin Disabled in the repository : 21 October 2013

End Result?Plugin Closed!

CVE-2013-4462http://seclists.org/oss-sec/2013/q4/144

Started Project CodeVigilant

• Spot new issues in Plugins/Themes

• Report to the relevant author

• Get the patch released

• Else close the Plugin/Theme

What is required?

Apache/MySQL/PHP

XAMPP/WAMP

Python 2.7

Our Approach

Download the latest WordPress and install locally

Download all Plugins (31k)

Download all Themes (2.5k)

From Where do I get plugins/themes??

http://themes.svn.wordpress.org/

Download Themes Locally

Now What?

Started with Manual Approach!

Analyze Plugin/Theme source code

Understand the logic

Find Issues

Report !

Slow Results!!

Two Weeks Stats ??

Vulnerability Chart

LFI

Xss

Auth Bypass

Using Components With Known Vulnerabilities

10

9

1

1

Took a Lot of Time!

Lets Automate Everything!

Started with Cross site Scripting!

Simple Logic!

Find all $_GET parameters

Replace their value with chk_string: '><script>alert(document.cookie)</script>

Send the request with the appropriate URL structure

Check if the response contains the chk_string

Guess What!

• More than 100 valid XSS!

• Testing for XSS we also stumbled upon:– SSRF– LFI– Unvalidated Redirects and

Forwards

Stats for the next 3 weeks!A3-Cross-Site Scripting 211

Unvalidated Redirects and Forwards

4

Local File Inclusion 6

Information Disclosure 1

Direct access & Auth Bypass

1

Using Components with Known Vulnerabilities

30

SSRF/XSPA 4

Injection 9

http://codevigilant.com/

Future for codevigilant

Automation frameworks for other vulnerabilities

Explore other platforms like Drupal & Jumla

Encourage External Researchers to contribute.

Prajal Kulkarni

@prajakulkarni http://www.prajalkulkarni.com

Anant Shrivastava @anantshri

http://www.anantshri.info

Project Leads

Questions?