A Structured Code Audit Approach to Find Flaws in Highly Audited Webapps

Presented at Global AppSec - DC 2019, Sept. 12, 2019, 10:30 a.m. (45 minutes).

WordPress is a highly popular content management system, used by over 33% of all websites on the internet. Its ease of use, broad compatibility with a variety of servers and its huge catalogue of free and powerful plugins (over 50,000) make WordPress the first choice for quickly and easily setting up a website without technical knowledge or a large budget. WordPress can be customized and optimized to the point that even governments and billion-dollar corporations use this blogging CMS to manage their websites. From america.gov to the Swedish government, and from Microsoft to Facebook: they all use WordPress. The popularity of this and other CMS makes them an attractive target for cybercriminals seeking to take over as many websites as possible, as well as for nation states and other sophisticated hacking groups interested in backdooring high-value targets.

We observed that the strong interest in WordPress' security from these different groups has led to many vulnerabilities being discovered and patched in the past. Additionally, bug bounty programs and 0-day acquisition platforms attract a vast number of bounty hunters who have slowly but surely squeezed the easy-to-find vulnerabilities out of the WordPress core. Hence, the well-reviewed code of the most popular web application is a great challenge, but also a good candidate for experimenting with different approaches to code auditing. When we started our vulnerability research on the WordPress core code, we quickly realized that in order to find critical vulnerabilities one must move away from the traditional paradigm of finding simple vulnerabilities in web applications and come up with more effective approaches and methodologies for source code auditing. This paper documents our approach of separating source code into components and combining several low-impact bugs into powerful Privilege Escalation and Remote Code Execution exploits.
We believe that our documentation of the vulnerability discovery process not only helps other researchers to refine their own audit methodology, but also helps developers to better understand the mindset of attackers. Using this approach, we found and combined five vulnerabilities into a powerful exploit chain that, in the end, allowed unauthenticated attackers to take over any high-value target running WordPress.
