Thursday, December 11, 2014

W3 Total Cache's W3TotalFail Vulnerability That Leads to Full Deface


CVE-2014-9414


     In this post I will describe a critical vulnerability affecting W3 Total Cache, one of the most popular WordPress plugins. W3 Total Cache is deployed by many large sites, since it provides the page caching and CDN integration that most WordPress sites need.

Overview of W3 Total Cache:
"W3 Total Cache improves the user experience of your site by increasing server performance, reducing the download times and providing transparent content delivery network (CDN) integration."
-source: https://wordpress.org/plugins/w3-total-cache/

     After installing the plugin (v0.9.4) on my test WordPress site, I spent less than 15 minutes testing it. In that time I noticed that the plugin's settings requests carry a CSRF token called "_wp_nonce", so I started looking for bugs around it. It turned out that the token is never validated on the server side, and no other CSRF protection is in place: removing the token's value from the request entirely still lets the request succeed, so a CSRF attack can be performed.

     I then verified the issue and was able to reproduce it in all of the plugin's settings requests.
     Next I worked out how the CSRF issue could be used to do the most damage and have the highest impact on W3 Total Cache users.
     One of the features W3 Total Cache provides is redirecting visitors whose User-Agent contains a phrase listed in the plugin's settings to a specified URL. The feature exists so that administrators can send visitors to a mobile version of the site, for example. It is a nice feature, but it is also ideal for exploiting the bug and defacing websites: a single forged settings request can set both the phrase list and the destination.

     I did some research to gather the phrases common to most User-Agent strings. The results showed that the following phrases occur in more than 97% of all User-Agents, and in 100% of the ones I checked.


     Then I wrote an exploit for the issue. When a WordPress user with administrator privileges loads the exploit page, it submits a policy that redirects every visitor whose User-Agent contains one of those phrases to a malicious page. Because the phrases occur in more than 97% of all User-Agents, effectively everyone who visits the site is redirected to the attacker's page.

POC: http://packetstormsecurity.com/files/129512/W3-Total-Cache-0.9.4-Cross-Site-Request-Forgery.html

Demo Video:
 


The following screenshot shows the response before & after using the exploit:



Steps to Reproduce:
1- The attacker posts a comment containing a link to the exploit page on the victim's WordPress site, which uses W3 Total Cache.
2- The victim opens the comments section and clicks the link.
3- The exploit page loads while the victim is authenticated with administrator privileges, and its forged settings request is accepted.
4- Anyone who opens the victim's website is then redirected to the attacker's defacement page.
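To make the two halves of the attack concrete, the following Python model is an added example; it is not W3 Total Cache's code, nor the published exploit. It models a settings handler that reads the nonce but never checks it, the hardened handler that fails closed, and the User-Agent redirect feature the forged request abuses. The action name, the sample User-Agents, the placeholder host attacker.example and the single phrase "mozilla" (standing in for the post's list, which is not reproduced here) are all constructed.

```python
import hashlib
import hmac
import secrets

# Server-side secret used to mint nonces; regenerated per run for the demo.
_SECRET = secrets.token_bytes(32)
ACTION = "w3tc_save_options"          # hypothetical action name


def make_nonce(user_id: int, action: str = ACTION) -> str:
    """Mint a token bound to the acting user and the action, WordPress-style."""
    mac = hmac.new(_SECRET, f"{user_id}:{action}".encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def verify_nonce(nonce: str, user_id: int, action: str = ACTION) -> bool:
    """A missing or empty token must fail closed, not be skipped."""
    if not nonce:
        return False
    return hmac.compare_digest(nonce, make_nonce(user_id, action))


class Settings:
    """Minimal stand-in for the plugin's stored options."""

    def __init__(self):
        self.ua_groups = []            # list of (phrases, redirect_url)


def save_vulnerable(settings, request, user_id):
    """The flawed pattern: the token is read (so legitimate forms still work)
    but never verified, so a forged cross-site POST is accepted as well."""
    _token = request.get("_wp_nonce")  # present in the real form, ignored here
    settings.ua_groups.append((request["phrases"], request["redirect"]))
    return True


def save_fixed(settings, request, user_id):
    """Hardened handler: refuse unless the token checks out for this user."""
    if not verify_nonce(request.get("_wp_nonce", ""), user_id):
        return False
    settings.ua_groups.append((request["phrases"], request["redirect"]))
    return True


def resolve_redirect(settings, user_agent):
    """The redirect feature: the first group whose phrase occurs
    (case-insensitively) in the visitor's User-Agent wins."""
    ua = user_agent.lower()
    for phrases, url in settings.ua_groups:
        if any(p.lower() in ua for p in phrases):
            return url
    return None


# Constructed sample of visitor User-Agents (not the post's survey data).
SAMPLE_UAS = [
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 Chrome/39.0 Safari/537.36",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/600.1 Safari/600.1",
    "Mozilla/5.0 (iPhone; CPU iPhone OS 8_1 like Mac OS X) Mobile/12B411 Safari",
    "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko",
    "curl/7.37.0",
]

# The forged request an attacker's page would POST from the admin's browser.
# Note the absence of any _wp_nonce field.  "mozilla" stands in for the
# post's list of common phrases; attacker.example is a placeholder host.
FORGED_REQUEST = {
    "phrases": ["mozilla"],
    "redirect": "http://attacker.example/deface.html",
}


def run_attack(handler):
    """Replay the forged request against a handler and measure the fallout."""
    settings = Settings()
    accepted = handler(settings, FORGED_REQUEST, user_id=1)
    redirected = sum(1 for ua in SAMPLE_UAS if resolve_redirect(settings, ua))
    return {"accepted": accepted, "redirected": redirected, "total": len(SAMPLE_UAS)}


if __name__ == "__main__":
    print("vulnerable:", run_attack(save_vulnerable))  # accepted, 4 of 5 redirected
    print("fixed:     ", run_attack(save_fixed))       # rejected, 0 of 5 redirected
```

The point of the model is the asymmetry in the vulnerable handler: a nonce field that the form emits but the handler never verifies gives no protection at all, and the one request that slips through changes a setting applied to every subsequent visitor, which is why a single click by one administrator turns into a site-wide defacement.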


     I quickly contacted W3-Edge, the company responsible for W3 Total Cache. The project's main developer, Frederick Townes, asked me for details of the vulnerability in v0.9.4 and replied that a fix would be released soon (the patch has since been released).

Recommendations:
* Update to the latest version of W3 Total Cache (v0.9.4 is vulnerable, and all earlier versions may be vulnerable as well).

Summary:
* W3 Total Cache v0.9.4 is vulnerable to a critical CSRF vulnerability that can lead to a full defacement of sites using the vulnerable plugin. Versions before 0.9.4 may be affected too.
* The exploit relies on a list of phrases that occur in most User-Agent strings.
* The issue is not difficult to exploit and can be used to cause a range of impacts on WordPress sites running a vulnerable version of W3 Total Cache.
* The W3TotalFail vulnerability is easy to exploit; any malicious user with a little experience can use it to cause major damage and defacements.

Final Thoughts:
     I didn't expect to find a critical issue like this so easily in a plugin as popular as W3 Total Cache. If that is the state of one of the most used WordPress plugins, I suspect there are many vulnerabilities in WordPress plugins that are being exploited privately in the black-hat community. WordPress core is reasonably secure on its own, but plugins have the biggest impact on WordPress security. Users should be careful about which plugins they use and how much effort went into securing them.

     Some companies don't care about their security, nor are they professional in handling a security vulnerability report. W3-Edge was one of them, in my opinion. When I reported the issue on October 7th, I expected the W3-Edge team to patch it quickly; instead, their responses were not kind at all and they did not cooperate with me. I really did not appreciate that.

 If you need any help securing your web application or service, you can contact me by e-mail or Twitter.

Best Regards,
Mazin Ahmed

Saturday, July 26, 2014

Session Hijacking in Instagram Mobile App via MITM Attack [ 0-DAY ]




In this post I am going to share a new critical issue I identified in the Instagram mobile app. To test the Android app I set up a lab, used the app on my phone and monitored the network traffic with Wireshark, looking for unencrypted data on the wire, or for a way to strip the encryption if the data was encrypted. As soon as I logged into my account on my phone, Wireshark captured unencrypted data sent over plain HTTP. This data included the pictures the victim is viewing, the victim's session cookies, and the victim's username and ID.



I was shocked by the results. It is unbelievable that Facebook, the company responsible for Instagram, did not ensure that this data is protected and sent over HTTPS.


Then I took the session cookies and used them on my computer, and simply: "The Victim's Session Has Been Hijacked".
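What the sniffer sees and what is done with it, as an added Python example that is not Instagram's code or the author's tooling: it walks a captured cleartext HTTP stream, pulls the session cookies out of the Cookie header the way they appeared in Wireshark, builds the headers an attacker attaches to their own client to replay the session, and runs the defensive check that matters here, whether the session cookies were issued with the Secure attribute. The capture, host name, paths and cookie names are constructed for the example.

```python
SESSION_COOKIES = {"sessionid", "ds_user_id"}     # constructed cookie names

# Constructed capture of one cleartext request/response pair, as a sniffer on
# the same network would see it.  Host, paths and values are placeholders.
CAPTURE = (
    b"GET /api/v1/feed/timeline/ HTTP/1.1\r\n"
    b"Host: i.example-app.net\r\n"
    b"User-Agent: ExampleApp/6.0 (Android)\r\n"
    b"Cookie: sessionid=1234567%3Aabcdef0123456789; ds_user_id=1234567; csrftoken=x9y8z7\r\n"
    b"\r\n"
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/json\r\n"
    b"Set-Cookie: csrftoken=x9y8z7; Path=/\r\n"
    b"Set-Cookie: sessionid=1234567%3Aabcdef0123456789; Path=/; HttpOnly\r\n"
    b"\r\n"
    b'{"items": []}'
)

METHODS = {"GET", "POST", "PUT", "DELETE", "HEAD", "OPTIONS", "PATCH"}


def header_blocks(capture):
    """Yield (start_line, [(name, value), ...]) for each HTTP message in a
    stream dump; body segments are skipped because they start with neither
    a method nor an HTTP version."""
    for block in capture.split(b"\r\n\r\n"):
        lines = block.decode("latin-1").split("\r\n")
        start = lines[0]
        if not (start.startswith("HTTP/") or start.split(" ")[0] in METHODS):
            continue
        headers = []
        for line in lines[1:]:
            if ":" in line:
                name, value = line.split(":", 1)
                headers.append((name.strip().lower(), value.strip()))
        yield start, headers


def harvest_session(capture):
    """What a passive sniffer learns: session cookies sent in plaintext requests."""
    stolen = {}
    for start, headers in header_blocks(capture):
        if start.startswith("HTTP/"):        # responses carry no Cookie header
            continue
        for name, value in headers:
            if name != "cookie":
                continue
            for pair in value.split(";"):
                if "=" not in pair:
                    continue
                cname, cval = pair.strip().split("=", 1)
                if cname in SESSION_COOKIES:
                    stolen[cname] = cval
    return stolen


def replay_headers(stolen, host):
    """Headers an attacker adds to their own client to act as the victim."""
    cookie = "; ".join(f"{k}={v}" for k, v in stolen.items())
    return {"Host": host, "Cookie": cookie}


def session_cookies_missing_secure(capture):
    """Defensive check: session cookies issued without the Secure attribute
    are sent by the client on any plaintext request, which is exactly what
    made the sniffed capture useful to an attacker."""
    missing = []
    for start, headers in header_blocks(capture):
        if not start.startswith("HTTP/"):
            continue
        for name, value in headers:
            if name != "set-cookie":
                continue
            cname = value.split("=", 1)[0].strip()
            attrs = {a.strip().lower() for a in value.split(";")[1:]}
            if cname in SESSION_COOKIES and "secure" not in attrs:
                missing.append(cname)
    return missing


if __name__ == "__main__":
    stolen = harvest_session(CAPTURE)
    print(replay_headers(stolen, "i.example-app.net"))
    print("session cookies without Secure:", session_cookies_missing_secure(CAPTURE))
```

Two things to take from the check at the end: HttpOnly does nothing against a network attacker, since the cookie still crosses the wire in every request, and a session cookie flagged Secure would never have been attached to the plaintext request in the first place. Moving every endpoint to HTTPS is the real fix; the Secure attribute is the belt to that pair of braces.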




I reported this issue to Facebook, and they emailed me saying:



       The security team member said: "Facebook accepts the risk of parts of Instagram communicating over HTTP, not over HTTPS".
When this unencrypted data can lead to session hijacking and stalking of Instagram users, that should raise an eyebrow.


Timeline:
Jul 24, 2014 4:35am – Reported the issue.
Jul 24, 2014 4:38am – Received a confirmation email of receiving the submission.
Jul 24, 2014 9:45pm –  Received the first response from Facebook Security.
Jul 24, 2014 9:45pm – I Asked for a disclosure.
Jul 24, 2014 11:56pm – Received the second response from Facebook Security.

Recommendation:
       Until a patch is released (Facebook has given no date for one), do not use the Instagram mobile app. Use the normal website instead; it is generally served encrypted over HTTPS.

Final Thoughts:
       It is unbelievable that a company such as Facebook does not take every measure to ensure the security of its users. I believe this issue may already be exploited in the wild by surveillance agencies.

     Follow me on Twitter @mazen160, and check my blog for the latest news and findings.

Monday, June 9, 2014

My Story with Onavo ( a Facebook's Acquisition )

I usually don't write write-ups on XSS vulnerabilities, but I have made an exception for this one.

When I was checking the Facebook WhiteHat page, I noticed they had added a new target to the scope: Onavo.




I downloaded their apps and started intercepting the links I found.

One of the links raised an eyebrow. I said to myself: this looks vulnerable!

The link looked something like this:
http://cf.onavo.com/iphone/mc/deactivate.html?url=/somethingthatIforget/&seed=1394953248

So it looked vulnerable to an open redirect.

I requested the link like this:
http://cf.onavo.com/iphone/mc/deactivate.html?url=http://bing.com&seed=1394953248
It redirected me to http://bing.com.

Now I had an open redirect vulnerability, but that was not enough for me.

After digging into how the page works, I realized that it performs the redirect client-side, after a short delay, with a meta refresh tag that looked something like this:

<meta http-equiv="refresh" content="0; url=http://bing.com/" />

So I changed the destination to javascript:alert(document.domain), and it worked!

Reflected XSS
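The redirect page pattern described above, rendered the vulnerable way and then with a destination check, as an added Python example (not Onavo's code). It also covers the closing tip below about testing every open redirector for XSS: the reason the two go together is that the parameter lands in an attribute, so the scheme and any quote character are both attacker-controlled. One caveat: most current browsers refuse to execute a javascript: URL from a meta refresh, so the same injection may not pop an alert today, but it remains an open redirect with user-controlled attribute content either way, and the server-side fix is the same. The host in the allow-list is the page's own; the default path is a placeholder.

```python
from html import escape
from urllib.parse import urlsplit

# The page's own host, used for the allow-list; the default path is a placeholder.
ALLOWED_HOSTS = {"cf.onavo.com"}
DEFAULT_DESTINATION = "/iphone/mc/"


def render_vulnerable(url):
    """Reflects the url parameter straight into the meta refresh.  A
    javascript: destination rides through, and a double quote in the value
    breaks out of the attribute altogether."""
    return f'<meta http-equiv="refresh" content="0; url={url}" />'


def safe_destination(url, default=DEFAULT_DESTINATION):
    """Accept only local paths or absolute http(s) URLs on allowed hosts.
    Everything else falls back to the default: javascript: and data:
    schemes, scheme-relative //host, the /\\host form that browsers treat
    like //host, and userinfo tricks such as http://allowed@evil/."""
    cleaned = url.strip()
    parts = urlsplit(cleaned)
    if not parts.scheme and not parts.netloc:
        path = parts.path
        if path.startswith("/") and path[1:2] not in ("/", "\\"):
            return cleaned
        return default
    if parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS:
        return cleaned
    return default


def render_fixed(url):
    """Validate the destination, then HTML-escape it so the attribute cannot
    be broken out of even if the allow-list is later loosened."""
    dest = escape(safe_destination(url), quote=True)
    return f'<meta http-equiv="refresh" content="0; url={dest}" />'


if __name__ == "__main__":
    for probe in ("javascript:alert(document.domain)", "http://bing.com",
                  "//bing.com/", "/\\evil.example/", "/iphone/mc/done.html"):
        print(repr(probe), "->", safe_destination(probe))
```

Validating with a parser rather than a prefix check is what keeps the allow-list honest: urlsplit separates userinfo from the host, so "http://cf.onavo.com@evil.example/" is rejected on its hostname, and the explicit second-character test closes the backslash variant that a plain startswith("/") check would wave through.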




Timeline:
Mar 16, 2014 - Reported
Mar 17, 2014 - Email from Saul of Facebook Security acknowledging the issue.
Apr 30, 2014 - The issue seemed fixed to me. I emailed Facebook asking about the current status.
May 1, 2014 - Email from Saul of Facebook Security informing me that the issue has been patched.
May 1, 2014 - Received a payment email from Facebook

Rewards:

Facebook WhiteHat of 2014



a Cash Reward of $500



Final Thoughts:
* Participating in bug bounties gives you experience with many different targets, and it helps you build new ideas about security issues.
* If you have an open redirect vulnerability, you should test for XSS too.
* Never give up.


Regards,
Mazin Ahmed

Wednesday, February 19, 2014

Cross-Site Scripting on WikiLeaks

I reported a Cross-Site Scripting issue in WikiLeaks' new search engine. They fixed the vulnerability but did not contact me back.




UPDATE: Read this article for more info:
http://news.softpedia.com/news/XSS-Vulnerability-Found-in-WikiLeaks-Internal-Search-Engine-428166.shtml
Thanks Softpedia!!

Thursday, February 13, 2014

PHP Code Execution on BugCrowd

I identified a PHP code execution vulnerability on Bugcrowd. Bugcrowd describes itself as the premier marketplace for security testing of web, mobile, source code and client-side applications, with over 6,700 security researchers, and it runs bug bounty programs for companies. Finding a vulnerability like this in their own website is an important achievement.

Thursday, February 6, 2014

Open Redirector on Google.com

I found an open redirector vulnerability on google.com and reported it immediately. Their security team says:







To demonstrate the impact of the vulnerability, I made this video:



SQL Injection, Cross-site Scripting, Full Path Disclosure on the website of the University of Calgary

I reported multiple critical vulnerabilities (SQL injection, cross-site scripting and full path disclosure) to the IT Support Center of the University of Calgary. They fixed the issues but did not contact me back. Although they did not reply, I am glad that they have fully patched the issues I reported.


Acknowledged By Oracle


I have been acknowledged by Oracle for finding a Cross-Site Scripting vulnerability.