DOS Vulnerability in WordPress (Versions 3.5 to 3.9)

DOS Vulnerability in WordPress (Versions 3.5 to 3.9)

On Saturday,10 March 2018.

Released on August 5th, a DOS vulnerability has been discovered in WordPress (versions 3.5 to 3.9), and Drupal (versions 6 to 7). The vulnerability has since been patched by both WordPress and Drupal.

The vulnerability is considered severe, owing to the small amount of resources required, and the effect it can have on the server.

Users running WordPress <3.7 should update to the latest version now, whereas those running >3.7 should have updated automatically.

The vulnerability, released on Breaksec exploits the xml parser within PHP, using a similar method to a Billion laughs attack whereby an xml document is uploaded to the server, in this instance via xmlrpc. This contains a large (10,000 characters) entity, which is then referenced multiple times. This means that a document of less than 250KB can take up to several GB of memory to process.

Whilst there is a max memory with most PHP installations, (the default is 128MB) this can be overcome by opening multiple connections to the server (default for apache is 151) hence an attack can consume up to 128×151=19328MB on a server with default settings.

There are caveats, an attacker must not overreach and use more memory that is available to the process, which would result in an internal server error. However, the limit can be easily deduced through error based fingerprinting.

A more detailed write up with a POC exploit can be seen here.

Not Quite Sure? We're Here to Help!