Wednesday, April 8, 2015

OWASP Broken Web Apps - Broken Wordpress - Reset Password Flaw

I started to observe the password reset function of the WordPress blog and found a flaw in the generation of the md5 hash.

Starting on line 141, you can observe the function that is executed to generate a new password for a user as shown below:

Using microtime, uniqid, and md5 together was a clever way of generating $new_pass, the new password. Observe, however, that the value created is then truncated to 7 characters.

Truncating the password to 7 characters leaves 16^7 possible password combinations, which are then md5 hashed. This equates to less than 300,000 possibilities that the password could be. Why are there only 16 possibilities per character? An MD5 hash is written in hexadecimal, so each character is one of the digits 0-9 or the letters a-f.

A typical alphanumeric password of 7 characters using upper-case letters, lower-case letters, and digits has 62^7 possible values. This is much stronger than using a substring of an MD5 hash.

Had the substr call been left out, the result would have been stronger than truncating the value and then hashing $new_pass again.
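To make the comparison concrete, here is an added example (my own code, not the post's or WordPress's). It reconstructs the generator pattern the post describes (an md5 hex digest of uniqid(microtime()) cut to 7 characters) beside a replacement that draws each of the 7 characters from a CSPRNG over the 62-character alphanumeric alphabet, and it prints the size in candidates and bits of each space (16^7 versus 62^7). The function names, the candidateSpace helper and the use of password_hash for storage are assumptions of this example, not WordPress APIs.

```php
<?php
// Added example: reconstructs the reset-password pattern described in the post
// and contrasts it with a CSPRNG-based generator. Names here are assumptions.
declare(strict_types=1);

// The generator the post describes: md5 hex digest truncated to 7 characters.
// Every character is one of 16 hex symbols, so the space is 16^7 candidates.
function weakResetPassword(): string
{
    return substr(md5(uniqid(microtime())), 0, 7);
}

// Hardened replacement: each character is chosen with random_int() (a CSPRNG)
// from the full 62-symbol alphanumeric alphabet the post compares against.
function strongResetPassword(int $length = 7): string
{
    $alphabet = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
    $last = strlen($alphabet) - 1;
    $password = '';
    for ($i = 0; $i < $length; $i++) {
        $password .= $alphabet[random_int(0, $last)];
    }
    return $password;
}

// Number of candidates and entropy (bits) for a password of $length characters
// drawn uniformly from an alphabet of $alphabetSize symbols.
function candidateSpace(int $alphabetSize, int $length): array
{
    $count = $alphabetSize ** $length;
    return ['candidates' => $count, 'bits' => log($count, 2)];
}

// Storage: a salted, slow hash instead of an unsalted md5() of the password.
function storeHash(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

$weak   = candidateSpace(16, 7);
$strong = candidateSpace(62, 7);
printf("truncated md5 generator : %d candidates (%.1f bits)\n",
    $weak['candidates'], $weak['bits']);
printf("62-symbol CSPRNG generator: %d candidates (%.1f bits)\n",
    $strong['candidates'], $strong['bits']);

// Show both generators in use and verify the stored hash round-trips.
printf("weak sample  : %s\n", weakResetPassword());
$sample = strongResetPassword();
printf("strong sample: %s\n", $sample);
printf("hash verifies: %s\n", password_verify($sample, storeHash($sample)) ? 'yes' : 'no');
```

Run with `php example.php` on PHP 7 or later (random_int and the `**` operator are required). The bit counts printed are the figure that matters for a defender: a reset password that is then hashed only protects the account as well as its candidate space is large, so the generator, not the hash applied afterwards, sets the ceiling.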

Again, this is a flaw in the strength of the random password that is created when the web application's reset password function is triggered.

If the admin's email address for the site is known, then the administrator's password can be reset. This brute-force attack can then be conducted, and you can log in to the account in less than a day, depending on how observant the admin is that the password was reset and on the speed of the connection to the site.
