
Gain Access of WordPress by Exploiting XML-RPC

XML-RPC and Why It’s Time to Remove it for WordPress Security

WordPress is the most popular blogging and CMS platform on the planet, not because it is hard to use, but because it is user-friendly and feature-rich.

We pay particular attention to the platform's use of XML-RPC, a remote procedure call (RPC) protocol that carries XML-encoded calls over HTTP. This makes it very easy for WordPress contributors to post content remotely, and trivial to push a large volume of data in a single request.

But the ability to push a large amount of data in one request means that hackers can also push a large number of passwords at it. Sure, you're essentially brute-forcing your way into someone's WordPress account, but those 500 tries just look like you fat-fingered your password once. Two requests? You've just tried a thousand passwords. This sure beats trying one password per login attempt.

CMS frameworks like WordPress and Drupal generally use XML-RPC where they need to make procedure calls between disparate environments.

What is XML-RPC?

- XML-RPC is a remote procedure call (RPC) protocol which uses XML to encode its calls and HTTP as a transport mechanism. "XML-RPC" also refers generically to the use of XML for remote procedure call, independently of the specific protocol.
- XML-RPC is the simplest XML-based protocol for exchanging information between computers across a network.

This is a critical weakness in the WordPress framework. An attacker can abuse it remotely with very little effort: it can be used to take down the server with a DDoS attack, to brute-force the passphrase, and, the author adds, for buffer overflow exploits. There are many ways to exploit this weakness.

A weakness in XML-RPC allows an attacker to make system calls that can be dangerous for the application and its servers. An attacker can also use these methods to craft a successful DoS attack against the application. Various exploits are publicly available that an attacker can use to leverage the presence of XML-RPC on the application server.



Exploits :-
The main weaknesses associated with XML-RPC are:

 - Brute force attacks : Attackers try to log in to WordPress through xmlrpc.php with as many username/password combinations as they can send. A method within xmlrpc.php allows the attacker to use a single command (system.multicall) to guess hundreds of passwords. "With only 3 or 4 HTTP requests, the attackers could try thousands of passwords, bypassing security tools that are designed to look for and block brute force attempts."
 - Distributed Denial of Service attacks via Pingback : Attackers sent Pingback requests through the xmlrpc.php of approximately 2500 WordPress sites to "herd (these sites) into a voluntary botnet." "This gives any attacker a virtually limitless set of IP addresses to distribute a Denial of Service attack across a network of over 100 million WordPress sites, without having to compromise them."
 - Remote Code Injection : XML-RPC for PHP is affected by a remote code-injection vulnerability. An attacker may exploit this issue to execute arbitrary commands or code in the context of the web server. This may facilitate various attacks, including unauthorized remote access. XML-RPC for PHP and prior versions are affected by this issue. Other applications using this library are also affected.
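As a defender-side illustration of the first two weaknesses above (password guessing packed into system.multicall, and pingback abuse), here is an added request inspector, not code from the original post or from WordPress itself: it parses an XML-RPC body the way a reverse proxy or WAF rule in front of xmlrpc.php would, counts how many credential-bearing calls one system.multicall carries, and refuses pingback.ping outright. The method list, the threshold of 3 and the sample body builder are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET

# Methods that take a username/password pair: a system.multicall packed with
# these is the "hundreds of guesses per request" pattern described above.
AUTH_METHODS = {"wp.getUsersBlogs", "wp.getProfile", "wp.getPosts", "blogger.getUsersBlogs"}
BLOCKED_METHODS = {"pingback.ping"}   # the pingback DDoS reflector
MAX_AUTH_PER_REQUEST = 3              # assumed threshold for this example

def _multicall_methods(root):
    """Inner methodName of every call packed into a system.multicall."""
    names = []
    data = root.find("params/param/value/array/data")
    for value in ([] if data is None else data.findall("value")):
        for member in value.findall("struct/member"):
            if (member.findtext("name") or "").strip() == "methodName":
                v = member.find("value")
                names.append("".join(v.itertext()).strip() if v is not None else "")
    return names

def inspect_xmlrpc(body: bytes):
    """Return (allow, auth_calls, reason) for a POST body aimed at xmlrpc.php."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return False, 0, "malformed XML"
    method = (root.findtext("methodName") or "").strip()
    if root.tag != "methodCall" or not method:
        return False, 0, "not an XML-RPC methodCall"
    if method in BLOCKED_METHODS:
        return False, 0, f"{method} is disabled"
    if method != "system.multicall":
        return True, int(method in AUTH_METHODS), "single call"
    inner = _multicall_methods(root)
    auth = sum(n in AUTH_METHODS for n in inner)
    if auth > MAX_AUTH_PER_REQUEST:
        return False, auth, f"{auth} login attempts in one request"
    if BLOCKED_METHODS & set(inner):
        return False, auth, "pingback.ping hidden inside multicall"
    return True, auth, "multicall within limits"

def sample_multicall(user: str, guesses) -> bytes:
    """Constructed test input: a system.multicall of wp.getUsersBlogs calls."""
    call = ("<value><struct><member><name>methodName</name><value><string>wp.getUsersBlogs"
            "</string></value></member><member><name>params</name><value><array><data>"
            "<value><string>{u}</string></value><value><string>{p}</string></value>"
            "</data></array></value></member></struct></value>")
    body = "".join(call.format(u=user, p=g) for g in guesses)
    return ("<?xml version='1.0'?><methodCall><methodName>system.multicall</methodName>"
            f"<params><param><value><array><data>{body}</data></array></value></param>"
            "</params></methodCall>").encode()
```

Inside WordPress itself, `add_filter('xmlrpc_enabled', '__return_false');` turns off the authenticated XML-RPC methods, and removing `pingback.ping` through the `xmlrpc_methods` filter closes the pingback path.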

Exploit Ref :-  
    



<Mr.Alien>
