New WordPress issue + Snort and ModSecurity rules

I just read about a new issue with WordPress here at SecurityFocus. It’s a potential credential stealing vulnerability, so I quickly created these ModSecurity 2 rules:

SecDefaultAction “log,deny,status:403,phase:2,t:lowercase,t:escapeSeqDecode”
SecRule REQUEST_FILENAME “/wp-login.php$” “chain,msg:’WORDPRESS wp-login.php redirect_to credentials stealing attempt’,severity:2,t:normalisePath”
SecRule ARGS_NAMES “^redirect_to$” “chain”
SecRule ARGS:redirect_to “(ht|f)tps?://”

I can still login to my WordPress install, so it seems that the rule does no harm. Use at your own risk!

Update: I’ve created a Snort rule as well:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:”WORDPRESS wp-login.php redirect_to credentials stealing attempt”; flow:to_server,established; uricontent:”/wp-login.php”; nocase; uricontent:”redirect_to”; pcre:”/redirect_to=(ht|f)tps?://iU”; classtype:web-application-attack; sid:4000003; rev:1;)

Update 2: fixed the Snort rule, thanks to Shirkdog for pointing out that it had some broken pcre in it. The rule is now included in the BleedingThreats ruleset (check here), however that (slightly modified) rule doesn’t detect the attack for me.

Update 3: the Bleeding rule is now fixed. I’ve updated the above rule as well.

Update 4: updated the ModSecurity rule to prevent a possible evasion by prepending tab chars to the redirect url. Thanks to Ryan Barnett for pointing this out.

3 thoughts on “New WordPress issue + Snort and ModSecurity rules

  1. Bing gets caugth:
    –e0640000-A–
    [20/Aug/2011:13:17:30 +0200] Tk@XysCoAQIAAD*********t 65.52.110.86 57108 ***.***.***.*** 80
    –e0640000-B–
    GET /blog/wp-login.php?redirect_to=https://****************/blog/?page_id=81 HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Accept: */*
    Accept-Encoding: gzip, deflate
    From: bingbot(at)microsoft.com
    Host: ****************
    User-Agent: Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)

    –e0640000-F–
    HTTP/1.1 403 Forbidden
    Vary: Accept-Encoding
    Content-Encoding: gzip
    Content-Length: 189
    Keep-Alive: timeout=15, max=100
    Connection: Keep-Alive
    Content-Type: text/html; charset=iso-8859-1

    –e0640000-E–

    –e0640000-H–
    Message: Access denied with code 403 (phase 2). [file “conf/extra/sec2rules/activated_rules/modsecurity_crs_46_slr_et_wordpress_attacks.conf”] [line “65”] [id “2003508”] [rev “6”] [msg “SLR: ET WEB_SPECIFIC_APPS WordPress wp-login.php redirect_to credentials stealing attempt”] [data “”] [severity “CRITICAL”] [tag “web-application-attack”] [tag “url,www.inliniac.net/blog/?p=71”]
    Action: Intercepted (phase 2)
    Apache-Handler: application/x-httpd-php
    Stopwatch: 1313839050162641 15624 (- – -)
    Stopwatch2: 1313839050162641 15624; combined=15624, p1=0, p2=15624, p3=0, p4=0, p5=0, sr=0, sw=0, l=0, gc=0
    Response-Body-Transformed: Dechunked
    Producer: ModSecurity for Apache/2.6.1 (http://www.modsecurity.org/); core ruleset/2.2.2.
    Server: Apache

  2. I believe this rules generates many false positives with the newer versions on WordPress as the redirection is now a normal part of the admin login process.

    Should this rule be updated or removed in your opinion?

  3. It’s a very old issue, so I think it’s safe to disable the rule. If your WP install still isn’t patched, you have bigger problems 🙂

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s