Re: #862816 and CVE-2017-9066

To: Craig Small <csmall@debian.org>
Cc: Debian LTS <debian-lts@lists.debian.org>, Ola Lundqvist <ola@inguza.com>
Subject: Re: #862816 and CVE-2017-9066
From: Ola Lundqvist <ola@inguza.com>
Date: Wed, 7 Jun 2017 21:38:13 +0200
Message-id: <[🔎] CABY6=0=WdSANQQAhtA70pSzz9BpAquABy-hmqdXoVquysc-5yg@mail.gmail.com>
In-reply-to: <[🔎] CABY6=0nfC2M2qD6amtMw1ktLKAGTyHSP5PJomVqYzHwxJLKGiQ@mail.gmail.com>
References: <[🔎] CABY6=0moO3RoF5YdGULJYH4wAFG=CKA67SkoVYsS94WK_BwRSQ@mail.gmail.com> <[🔎] CALy8Cw7SF6bceChjn4UDd1eAS4yj89+B-Q5gLTzUDpZONS5KvA@mail.gmail.com> <[🔎] CABY6=0nfC2M2qD6amtMw1ktLKAGTyHSP5PJomVqYzHwxJLKGiQ@mail.gmail.com>

Hi Craig and others

I have investigated this more and these are my conclusions:
1) Wordpress is vulnerable to this problem. It looks like all versions
are vulnerable.
2) Some module explicitly need to call WP_Http_Curl->request(...) for
the vulnerability to be triggered. I'm not sure how easy or common
that is. Someone can probably tell me this. Also the attacker must
control the resource being called for and make a malicious redirect to
some internal resource. The attacker may also need to control the
requesting side in order to get the data that he/she do not normally
have access to. I write may because this is not necessarily the case
if the purpose is just to trigger something by hitting an internal
URL.
3) The fixes in later wordpress versions are good but far from
complete. It is for example assumed that a firewall protection is only
done for local ip address ranges. This is a rather typical case, but
not always the case. This function exist also in earlier wordpress
(wheezy version for example) so it can be used. With that said the
checks are good and they cover a large portion of the problems so it
is better to be safe than sorry.

My overall conclusion is that while it may be a little hard to trigger
the vulnerability I think it is worth fixing.

My solution suggestion is that line 810, 1000 and 1268 in
class-http.php are changed so instead of:
wp_remote_request( WP_HTTP::make_absolute_url(
$processedHeaders['headers']['location'], $url ), $r );

the following code is triggered:
wp_safe_remote_request(WP_HTTP::make_absolute_url(
$processedHeaders['headers']['location'], $url ), $r );

Wouldn't this solve the problem?
>From what I understand from the code it would solve the problem.
However I'm not a wordpress core developer and I can definitely
foresee something.

What do you think?

Best regards

// Ola


On 6 June 2017 at 23:31, Ola Lundqvist <ola@inguza.com> wrote:
> Hi
>
> Thank you for quick response.
>
> The check I did for wheezy was simply to grep for ghe validation function
> and it was missing. Thins is whag I mean with clearly vulnerable. I should
> have said clearly not patched.
>
> I have not seen a patch that works for eheezy yet.
>
> I will investigate this more if noone beats me to it.
>
> / Ola
>
> Sent from a phone
>
> Den 6 jun 2017 23:26 skrev "Craig Small" <csmall@debian.org>:
>>
>> On Wed, 7 Jun. 2017, 06:33 Ola Lundqvist, <ola@inguza.com> wrote:
>>>
>>> I can see the following comments from you:
>>> +  * Backport patches from 4.7.5 Closes: #862816
>>> +   CVEs to be added once issued
>>> +   - CVE-2017-XXX
>>> +     Insufficient redirect validation in the HTTP class.
>>
>> The changelog now reads:
>>  * CVE-2017-9066 not fixed as the relevant code has changed dramatically
>>     and there is no upstream patch for it.
>>     Insufficient redirect validation in the HTTP class.
>>
>> There was no upstream patch for it in the wordpress 4.1 stream.  There
>> didn't seem to be a way of making a patch for it either.
>>
>>> The patch is available here:
>>>
>>> https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11
>>
>>
>>  Do this mean that the package is vulnerable?
>>>
>>>
>>> Wheezy is clearly vulnerable at least.
>>
>> It means I am unsure. I'd like to know what you did to say it was clearly
>> vulnerable. There is a request method, but it is radically different to
>> wordpress 4.5
>> The patch referenced is for 4.5 and would not come close to working; for
>> example the hooks construct seems to be missing or used very differently.
>>
>> However, if you have a patch that works on wordpress 4.1, I'd be glad to
>> see it!
>>
>>  - Craig
>>>
>>>
>> --
>> Craig Small             https://dropbear.xyz/     csmall at : enc.com.au
>> Debian GNU/Linux        https://www.debian.org/   csmall at : debian.org
>> Mastodon: @smallsees@social.dropbear.xyz             Twitter: @smallsees
>> GPG fingerprint:      5D2F B320 B825 D939 04D2  0519 3938 F96B DF50 FEA5



-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola@inguza.com                    Folkebogatan 26            \
|  opal@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------

Reply to:

References:
- #862816 and CVE-2017-9066
  - From: Ola Lundqvist <ola@inguza.com>
- Re: #862816 and CVE-2017-9066
  - From: Craig Small <csmall@debian.org>
- Re: #862816 and CVE-2017-9066
  - From: Ola Lundqvist <ola@inguza.com>

Prev by Date: Re: #862816 and CVE-2017-9066
Next by Date: About the security issues affecting libcrypto++ in Wheezy
Previous by thread: Re: #862816 and CVE-2017-9066
Next by thread: Wheezy update of wordpress?
Index(es):
- Date
- Thread