Issue present in pingback requests feature
In a blog post published this week (September 6), Sonar researchers detailed how they were able to exploit a vulnerability in the pingback requests feature within WordPress.
The vulnerability first surfaced in 2017, yet remains unpatched.
Pingback requests allow WordPress authors to be notified when another website links to their blog.
The pingback functionality is exposed through the XML-RPC API, which is reachable via the xmlrpc.php file; other blogs use this method to announce pingbacks.
This feature could enable attackers to perform DDoS attacks by maliciously asking thousands of blogs to check for pingbacks on a single victim server, Sonar researchers explained.
Although pingbacks can be turned off via a checkbox, they are still enabled by default on WordPress instances.
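The amplification pattern described above has a recognisable footprint on the victim side: many unrelated WordPress sites fetch the same page within seconds, each carrying the user agent WordPress uses when it verifies a pingback. The following PHP script is an added example (not code from the article, Sonar or WordPress) that scans access-log lines for that pattern. The combined log format, the "verifying pingback from" user-agent shape, the window length and the threshold are assumptions, and the log lines are constructed.

```php
<?php
// Added example (not from the article or Sonar): flag a pingback-reflection
// flood in a web server access log. When many unrelated WordPress sites all
// fetch the same URL in a short window with a "verifying pingback" user agent,
// the site is likely the target of the amplification described above.
// Log format, user-agent shape and threshold are assumptions; lines are constructed.

declare(strict_types=1);

const WINDOW_SECONDS = 60;      // assumed detection window
const MIN_DISTINCT_SOURCES = 3; // assumed threshold (use far higher in production)

/** Parse one combined-log-format line into its fields, or return null. */
function parseLogLine(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $ts = DateTimeImmutable::createFromFormat('d/M/Y:H:i:s O', $m[2]);
    if ($ts === false) {
        return null;
    }
    return [
        'ip'     => $m[1],
        'time'   => $ts->getTimestamp(),
        'method' => $m[3],
        'path'   => $m[4],
        'status' => (int) $m[5],
        'ua'     => $m[6],
    ];
}

/** Return the originating blog URL if the UA looks like a WordPress pingback verifier. */
function pingbackVerifierSource(string $ua): ?string
{
    // Assumed shape: "WordPress/<ver>; <blog url>; verifying pingback from <ip>"
    if (preg_match('#^WordPress/[\d.]+; (\S+); verifying pingback from #', $ua, $m)) {
        return $m[1];
    }
    return null;
}

/**
 * Group pingback-verification hits by target path and sliding window;
 * report paths fetched by at least MIN_DISTINCT_SOURCES distinct blogs.
 */
function detectPingbackFlood(array $lines): array
{
    $hits = []; // path => list of [time, source blog]
    foreach ($lines as $line) {
        $rec = parseLogLine($line);
        if ($rec === null || $rec['method'] !== 'GET') {
            continue;
        }
        $src = pingbackVerifierSource($rec['ua']);
        if ($src === null) {
            continue;
        }
        $hits[$rec['path']][] = [$rec['time'], $src];
    }
    $alerts = [];
    foreach ($hits as $path => $events) {
        usort($events, fn($a, $b) => $a[0] <=> $b[0]);
        $n = count($events);
        for ($i = 0; $i < $n; $i++) {
            $sources = [];
            for ($j = $i; $j < $n && $events[$j][0] - $events[$i][0] <= WINDOW_SECONDS; $j++) {
                $sources[$events[$j][1]] = true; // count distinct originating blogs
            }
            if (count($sources) >= MIN_DISTINCT_SOURCES) {
                $alerts[$path] = count($sources);
                break;
            }
        }
    }
    return $alerts;
}

// Constructed sample: three different blogs verify a pingback against the same
// page within seconds; one ordinary browser hit is ignored.
$sample = [
    '203.0.113.10 - - [06/Sep/2022:10:00:01 +0000] "GET /blog/post-1/ HTTP/1.1" 200 5120 "-" "WordPress/6.0; https://blog-a.example; verifying pingback from 198.51.100.7"',
    '203.0.113.11 - - [06/Sep/2022:10:00:02 +0000] "GET /blog/post-1/ HTTP/1.1" 200 5120 "-" "WordPress/5.9; https://blog-b.example; verifying pingback from 198.51.100.7"',
    '203.0.113.12 - - [06/Sep/2022:10:00:03 +0000] "GET /blog/post-1/ HTTP/1.1" 200 5120 "-" "WordPress/6.0.2; https://blog-c.example; verifying pingback from 198.51.100.7"',
    '192.0.2.5 - - [06/Sep/2022:10:00:04 +0000] "GET /blog/post-1/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
];

foreach (detectPingbackFlood($sample) as $path => $count) {
    echo "possible pingback reflection against $path: $count distinct WordPress sources\n";
}
```

Run it with `php detect.php` against a real log by replacing `$sample` with `file('access.log', FILE_IGNORE_NEW_LINES)`. The distinct-source count, rather than raw request volume, is what separates a reflection flood from a single crawler: each reflecting blog appears once per pingback it was asked to verify.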
It’s worth noting, the researchers pointed out, that they “couldn’t generically identify ways to leverage this behavior to take over vulnerable instances without relying on other vulnerable services”.
Rather, the bug could ease the exploitation of other vulnerabilities in the affected organization’s internal network.
Thomas Chauchefoin, vulnerability researcher at Sonar and author of the blog, told The Daily Swig: “In 2012, the risks around the pingback feature started to be known, and the WordPress maintainers introduced restrictions on the destination of such requests: they would be limited to a restricted set of ports, only public IP addresses, etc.
“In essence, our finding allows getting around some of these restrictions and targeting hosts from the local network. Attackers could use it to send requests to hosts that wouldn’t have been reachable otherwise, for instance, to exploit a vulnerability in internal services.”
He added: “This bug is in the lineage of most CVEs related to pingbacks, but the oldest indicator of a researcher documenting how to get around this specific restriction is from 2017.”
SonarSource researchers disclosed the issue to WordPress on January 21. According to Sonar, it was acknowledged as a duplicate of a bug that had been reported to the WordPress team in January 2017.
Chauchefoin added: “We reported the vulnerability on January 21 through the official channels, with a pretty standard 90-day disclosure policy. After agreeing to a 30-day extension period, we reviewed a first patch still waiting to be merged upstream. Our publication occurs 228 days after our initial report.”
A WordPress Security Team spokesperson told The Daily Swig: “As identified in the Sonar blog post, this is a low-impact issue and exploiting it requires ‘[chaining] it to additional vulnerabilities in third-party software’.
“As such, the Security Team considers the issue a low priority.”
They added: “Because of its low severity, the team is discussing whether this issue could be fixed in public as a general hardening measure.”
WordPress told The Daily Swig that exploiting the bug requires “vulnerabilities in multiple systems outside of WordPress”, but that it recommends website owners always use the DNS servers provided by their hosting provider.
They added: “For the pingbacks, users can turn off pingbacks. The XMLRPC endpoint will only make the HTTP requests (detailed in the Sonar blog post) if pingbacks are open for the post being pinged.
“Website owners can (a) turn off pingbacks globally using the code snippet provided in the original post and/or (b) turn off pingbacks for their blog posts.”
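The global switch-off that WordPress refers to can be implemented as a must-use plugin. The following is an added example, not the snippet from Sonar's post and not WordPress core code; the hooks it uses (`xmlrpc_methods`, `wp_headers`, `pings_open`, the `rsd_link` head action) are WordPress core APIs, and placing the file in wp-content/mu-plugins/ is the standard way to load it on every request without activation.

```php
<?php
/**
 * Plugin Name: Disable pingbacks (added hardening example)
 *
 * Added example, not the snippet from Sonar's post or WordPress core. Drop it
 * in wp-content/mu-plugins/ so it loads on every request. It removes the
 * XML-RPC pingback methods (so the endpoint never issues the outbound
 * verification request), stops advertising the endpoint, and reports pings
 * as closed for every post. Hook names are WordPress core filters/actions.
 */

// 1. Refuse the pingback methods over XML-RPC; other methods keep working,
//    so mobile apps and Jetpack-style integrations are unaffected.
add_filter('xmlrpc_methods', function (array $methods): array {
    unset($methods['pingback.ping'], $methods['pingback.extensions.getPingbacks']);
    return $methods;
});

// 2. Stop advertising the endpoint: drop the X-Pingback response header and
//    the Really Simple Discovery <link> that points at xmlrpc.php.
add_filter('wp_headers', function (array $headers): array {
    unset($headers['X-Pingback']);
    return $headers;
});
remove_action('wp_head', 'rsd_link');

// 3. Report pings as closed for every post, regardless of per-post settings.
//    This is the check the XML-RPC endpoint performs before acting on a ping,
//    so it covers existing posts that were left open.
add_filter('pings_open', '__return_false');
```

Step 1 is the one that removes the behaviour Sonar describes, since a removed method cannot trigger any outbound request; steps 2 and 3 are defence in depth for scanners that discover the endpoint and for content that was published with pings open. After deploying, a POST to xmlrpc.php calling `pingback.ping` should return a "method does not exist" fault, which is an easy regression check to keep in a deployment test.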
Chauchefoin added: “Going public with unpatched bugs is exceptional for us and was a carefully considered decision. As we had proof that our finding collided with previous public work and that it would require significant work to weaponize against real-world environments, we believe that withholding details any longer would only disadvantage defenders.
“We would like to salute the efforts of the WordPress maintainers; even if we couldn't reach the best outcome possible, backporting fixes for the software behind 40% of all websites is not trivial!”
Previous pingback issue
Another vulnerability in the pingback requests feature that allowed DDoS attacks was fixed by WordPress core in 2012.
The issue, reported by Acunetix, could be abused in multiple ways, and was fixed “as a public hardening ticket” in a WordPress Core version shortly after discovery.