Fancybox for WordPress – Zero Day and Broken Patch

A malicious iframe has been making its rounds due to a broken non-existent security check in the admin section of the Fancybox for WordPress plugin. Samples of affected sites indicate the vulnerability is being used to initiate a drive-by download targeting MSIE browsers (potentially targeting a recently-announced unpatched IE exploit?). The plugin exploit vector results from poor handling of unauthenticated requests to the plugin’s admin options page (taken from fancybox.php):

Continue reading

Bypassing CloudFlare’s Layer 7 DDoS Protection

Volumetric layer 7 (HTTP) DDoS typically relies on overwhelming the target by inundating the target with a large number of (pseudo) legitimate HTTP requests, the end goal being resource starvation (typically, CPU cycles or available bandwidth, e.g. NIC saturation). Because layer 7 attacks require a full three-way handshake, spoofing source information is impossible (though using a proxy is a viable alternative- remember the XMLRPC issues earlier this year?); as such, the ability to control a large number of attacking machines becomes critical as the size of the target increases. Of course, other forms of HTTP DoS exist outside of volumetric resource starvation (such as Slowloris), but I wanted to take a look at common methods of defending (and circumventing said defenses) against resource starvation attacks via HTTP. This will also serve to demonstrate the weakness in deploying WAFs that rely exclusively on signature-based matching.

Continue reading

Spectacularly Bad

Another round of notable WordPress plugin vulnerabilities made the rounds today- nothing particular noteworthy, just a smattering of XSS, SQLi, and form uploads. The Rich Counter upload vulnerability caught my eye as the PoC notes the exploit vector is through the user agent header. Given that unsanitized user input is more often exploited in query string and POST argument vectors, I thought this was worth a quick once over.

Continue reading

Pulling Apart ‘Closed Source’

For a while my mom was using Living Cookbook, a .NET-based desktop solution for managing recipes. It’s decent software, fairly stable and feature-filled, but its commercial closed source nature means locked-in users- and no alternative for when you lose your license as a result of a hardware failure (or human error). So when mom called in a mild panic over losing Grandma’s lasagna recipe, I knew I had to take a gander.

Continue reading

Deobfuscating Multicraft’s WHMCS Module

Our good friends over at felt the need to obfuscate the source code for their WHMCS module. Properly-done obfuscation can make reverse engineering nontrivial (thought certainly not impossible); deobfuscating source code when the obfuscating function is provided is trivial. This obfuscation uses two parts- renaming functions and variables to nonsense characters, and encoding strings. Below is a snippet of the original encoded source:

Continue reading

WordPress Trivia, Part 1

I say ‘Part 1’ with no intention to write Parts 2, 3… n.

A quick Google search for ‘how many lines of code in WordPress’ came up with squat. I came up with over 350,000:

Granted, that includes the readme and license, but given the size of this codebase, there has to be some cruft, right? While I was absentmindedly perusing wp-includes/functions.php the other day I stumbled across this gem:

Continue reading