29% of websites are vulnerable to DoS attacks from even one machine (CVE-2018-6389)

Original author: Mohit Kumar


It is important to note that exploiting this vulnerability is illegal unless you have the permission of the website owner.

A simple but very serious application-level denial of service (DoS) vulnerability was discovered in the WordPress CMS platform. It could allow any user to take down most WordPress websites from a single machine, with the same result as a DDoS attack but without the huge number of computers a DDoS needs to saturate bandwidth.

Since the WordPress Foundation refused to fix the problem, the vulnerability (CVE-2018-6389) remains unpatched and affects almost all versions of WordPress released over the past nine years, including the latest stable release (WordPress 4.9.2).

Barak Tawily, an Israeli security researcher, discovered the vulnerability. Its essence is that load-scripts.php, a built-in script of the WordPress CMS, processes requests from any user, not only from administrators.

As conceived by the developers, the load-scripts.php file is intended only for administrators: it improves performance and speeds up page loading by combining several JavaScript files into a single request on the server side.

However, because load-scripts.php also has to work on the admin login page (wp-login.php) before a user has logged in, the WordPress developers did not add an authentication check, so the functionality is available to everyone.

Depending on the plugins and modules installed, load-scripts.php selectively loads the required JavaScript files; their names are passed in the load parameter, separated by commas, as in the following URL:

https://your-wordpress-site.com/wp-admin/load-scripts.php?c=1&load=editor,common,user-profile,media-widgets,media-gallery

When the page loads, load-scripts.php tries to find each JavaScript file named in the URL, appends its contents to a single combined file, and then sends that file to the user's browser.

How WordPress DoS Attack Works

According to the researcher, load-scripts.php can be forced to load all possible JavaScript files (181 scripts in total) in a single pass by passing their names in the URL above. This makes the target site noticeably slower and consumes significant CPU and memory on the server.

“There is a well-defined list ($wp_scripts) that can be requested by users as part of the load[] parameter. If the requested value exists, the server will perform the necessary I/O reads,” says Tawily.

Although a single request would not be enough to take the entire site down for all visitors, Tawily wrote a Python proof-of-concept (PoC). His doser.py sends a large number of simultaneous requests to the same URL in an attempt to consume as much of the server's CPU as possible and leave as few resources as possible for other users.

The Hacker News verified the DoS exploit by successfully taking down one of its WordPress demo sites running on a medium-sized VPS.

“Load-scripts.php does not require any authentication, any anonymous user can do this. After about 500 requests, the server no longer responded or returned 502/503/504 status codes,” says Tawily.

However, an attack from a single machine with a connection of up to 40 Mbps was not enough to cause a denial of service on another demo site running on a dedicated server with high computing power and a large amount of memory.

This does not mean that the flaw is ineffective against WordPress websites running on a powerful server, since an application-level attack usually needs far fewer packets and far less bandwidth than a volumetric attack to reach the attackers' goal.

Thus, hackers with higher bandwidth or multiple bots can exploit this vulnerability to attack large and popular WordPress websites.

No Patch - Mitigation Guide

Along with full disclosure, Tawily also provided a video demonstration of the attack. You can watch the video to see the attack in action.

Although DoS vulnerabilities are out of scope for the WordPress bug bounty program, Tawily responsibly reported this DoS vulnerability to the WordPress team through the HackerOne platform.

However, the team refused to acknowledge the problem, saying that this kind of issue is beyond the control of WordPress and "should be mitigated at the server level or at the network level, and not at the application level."

The vulnerability is serious because about 29% of sites on the Internet use WordPress, which makes millions of sites vulnerable to attackers and potentially inaccessible to their users.

For sites that cannot afford services offering protection against application-level attacks, the researcher provided a forked version of WordPress that contains a patch for this vulnerability. However, you should weigh the risks of installing a modified CMS, even if you consider the source reliable. In addition, the researcher released a simple bash script that fixes the problem in an existing WordPress installation.
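The server-level or network-level mitigation the WordPress team points to needs a signal to act on. The following added example (my own code, not the article's, the researcher's, or WordPress code) parses constructed access-log lines and flags sources that hammer load-scripts.php or name an unusually long list of script handles in a single request; the 500-request and 100-handle thresholds are assumptions drawn from the figures quoted in the article (about 500 requests exhausted a medium VPS; 181 handles exist in total).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Combined log format: host, timestamp, request line, status code (rest ignored).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def load_handles(path):
    """Script handles named in a load-scripts.php request; [] for any other URL."""
    parts = urlsplit(path)
    if not parts.path.endswith("/wp-admin/load-scripts.php"):
        return []
    load = parse_qs(parts.query).get("load", [""])[0]
    return [h for h in load.split(",") if h]


def flag_sources(lines, window=timedelta(seconds=60), max_requests=500, max_handles=100):
    """Map source IP -> reason for sources whose load-scripts.php traffic matches the
    CVE-2018-6389 pattern. Thresholds are assumptions chosen from the article's figures
    (about 500 requests exhausted a medium VPS; 181 script handles exist in total)."""
    flagged, recent = {}, defaultdict(list)   # recent: ip -> hit timestamps in window
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, path, _status = m.groups()
        handles = load_handles(path)
        if not handles:
            continue
        if len(handles) >= max_handles:
            flagged.setdefault(ip, f"single request named {len(handles)} script handles")
        t = datetime.strptime(ts, TS_FMT)
        hits = [h for h in recent[ip] if t - h <= window] + [t]
        recent[ip] = hits
        if len(hits) >= max_requests:
            flagged.setdefault(ip, f"{len(hits)} load-scripts.php requests within {window.seconds}s")
    return flagged


def sample_lines():
    """Constructed traffic using documentation IP ranges; not real logs."""
    def mk(ip, sec, q):
        return (f'{ip} - - [10/Feb/2018:12:00:{sec:02d} +0000] '
                f'"GET /wp-admin/load-scripts.php?c=1&load={q} HTTP/1.1" 200 51234')
    lines = [mk("203.0.113.7", s, "editor,common,user-profile") for s in range(12)]
    lines.append(mk("198.51.100.4", 5, ",".join(f"handle{i}" for i in range(181))))
    lines.append('192.0.2.9 - - [10/Feb/2018:12:00:20 +0000] "GET /index.php HTTP/1.1" 200 1200')
    return lines
```

Running `flag_sources(sample_lines(), max_requests=10)` flags both constructed offenders and leaves the ordinary index.php visitor alone; the output is a candidate list for a web-server rate limit or firewall rule, not a verdict on its own.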
