Categories: hackingwebsites

CVE-2018-6389 WordPress exploit. Bring the server down.

Barak Tawily is known for presenting the vulnerability of wordpress websites that someone can take advantage to start a very easy DOS attack and bring down the website.  CVE-2018-6389 flaw is an application-level DoS that could be exploited simply and without a massive amount of malicious traffic.

Let’s get into more depth and have a look on how this vulnerability works.
The vulnerability affects the load-scripts.php file which is used in wordpress in order to load multiple javascript modules in once. In other words instead of loading many js files one by one, this (file)code is used to load all of the requested javascript modules in once by reading them in the url parameters.

In action:
If you put in your browser:  https://your-wordpress-site.com/wp-admin/load-scripts.php?c=1&load%5B%5D=quicktag,colorpicker,editor,wp-fullscreen-stu,scriptaculous
This will force load-scripts.php to load quicktag, colorpicker, editor, wp-fullscreen-stu and scriptaculous javascripts.

There is a defined list ($wp_scripts), that can be requested by users as part of the load[] parameter(in url). If the requested value exists, the server will perform an I/O read action for the defined path associated with the supplied value from the user. The list can be found here:  https://github.com/WordPress/WordPress/blob/master/wp-includes/script-loader.php
You can see that for example colorpicker is in line 129 (of the link) path /wp-includes/js/colorpicker$suffix.js

There are 181 values in this list:
eutil,common,wp-a11y,sack,quicktag,colorpicker,editor,wp-fullscreen-stu,wp-ajax-response,wp-api-request,wp-pointer,autosave,heartbeat,wp-auth-check,wp-lists,prototype,scriptaculous-root,scriptaculous-builder,scriptaculous-dragdrop,scriptaculous-effects,scriptaculous-slider,scriptaculous-sound,scriptaculous-controls,scriptaculous,cropper,jquery,jquery-core,jquery-migrate,jquery-ui-core,jquery-effects-core,jquery-effects-blind,jquery-effects-bounce,jquery-effects-clip,jquery-effects-drop,jquery-effects-explode,jquery-effects-fade,jquery-effects-fold,jquery-effects-highlight,jquery-effects-puff,jquery-effects-pulsate,jquery-effects-scale,jquery-effects-shake,jquery-effects-size,jquery-effects-slide,jquery-effects-transfer,jquery-ui-accordion,jquery-ui-autocomplete,jquery-ui-button,jquery-ui-datepicker,jquery-ui-dialog,jquery-ui-draggable,jquery-ui-droppable,jquery-ui-menu,jquery-ui-mouse,jquery-ui-position,jquery-ui-progressbar,jquery-ui-resizable,jquery-ui-selectable,jquery-ui-selectmenu,jquery-ui-slider,jquery-ui-sortable,jquery-ui-spinner,jquery-ui-tabs,jquery-ui-tooltip,jquery-ui-widget,jquery-form,jquery-color,schedule,jquery-query,jquery-serialize-object,jquery-hotkeys,jquery-table-hotkeys,jquery-touch-punch,suggest,imagesloaded,masonry,jquery-masonry,thickbox,jcrop,swfobject,moxiejs,plupload,plupload-handlers,wp-plupload,swfupload,swfupload-all,swfupload-handlers,comment-repl,json2,underscore,backbone,wp-util,wp-sanitize,wp-backbone,revisions,imgareaselect,mediaelement,mediaelement-core,mediaelement-migrat,mediaelement-vimeo,wp-mediaelement,wp-codemirror,csslint,jshint,esprima,jsonlint,htmlhint,htmlhint-kses,code-editor,wp-theme-plugin-editor,wp-playlist,zxcvbn-async,password-strength-meter,user-profile,language-chooser,user-suggest,admin-ba,wplink,wpdialogs,word-coun,media-upload,hoverIntent,customize-base,customize-loader,customize-preview,customize-models,customize-views,customize-controls,customize-selective-refresh,customize-widgets,customize-preview-widgets,customize-nav-menus,customize-preview-nav-menus,wp-custom-header,accordion,shortcode,media-models,wp-embe,media-views,media-editor,media-audiovideo,mce-view,wp-api,admin-tags,admin-comments,xfn,postbox,tags-box,tags-suggest,post,editor-expand,link,comment,admin-gallery,admin-widgets,media-widgets,media-audio-widget,media-image-widget,media-gallery-widget,media-video-widget,text-widgets,custom-html-widgets,theme,inline-edit-post,inline-edit-tax,plugin-install,updates,farbtastic,iris,wp-color-picker,dashboard,list-revision,media-grid,media,image-edit,set-post-thumbnail,nav-menu,custom-header,custom-background,media-gallery,svg-painter

The problem with this file is that any visitor can execute it without any permissions or any need to login. Any website visitor can run it. If someone will execute this script using every possible JavaScript module available with multiple requests can crush the server as this will produce a lot of I/O read actions and will utilize more cpu and ram.

 
here is a python script that you can use to test this vulnerability:
https://github.com/WazeHell/CVE-2018-6389/blob/master/CVE-2018-6389.py

After approximately 450 requests I was able to bring down my medium size VPS server.

panosnet

Recent Posts

Linux Maintainers Infected by SSH-Dwelling Backdoor: A Two-Year Compromise

Introduction In a shocking revelation, it has been disclosed that the infrastructure used to maintain…

8 months ago

Cryptic Bitcoin Transaction Unfolds: Revisiting Satoshi Nakamoto’s Genesis Wallet in a $1.17 Million Transaction

Introduction: In the early hours of January 5, the cryptocurrency community was abuzz with speculation…

12 months ago

Emerging Threat: SMTP Smuggling Exploits Flaws in Major Email Servers – how to spoof like a pro!

Summary: A newly identified technique called SMTP smuggling poses a significant threat to email security…

12 months ago

Unraveling the Operation Triangulation Spyware: A Deep Dive into iPhone Exploits

Since 2019, the Operation Triangulation spyware has targeted iPhone devices, exploiting undocumented features within Apple…

12 months ago

curl – SOCKS5 heap buffer overflow – CVE-2023-38545

The Challenge: CVE-2023-38545 In the world of digital security, a formidable adversary has emerged -…

1 year ago

Safeguard Your Confluence for an Urgent Upgrade!

Alert: Safeguard Your Confluence for an Urgent Upgrade! Advisory Release Date: Wednesday, Oct 4th, 2023,…

1 year ago

This website uses cookies.