I used to do web Security research, especially focused on @WordPress, now I am interested in RE and Kernel exploitation

Joined October 2018
I LOVE CSRF vulns. They are ofc not as critical as interaction-less vulns, but hey. This is a demo of a WP core, default settings CSRF to RCE (CVE-2019-9788) I showed at @WarConPL . Also, comments have to be approved in the admin cp, so admins are guaranteed to be authenticated.
In my experience, look out for ajax callbacks registered with 'wp_ajax_*' and 'wp_ajax_nopriv_'. They're more often than not vulnerable. 1/n
Found a WordPress site? The easiest place to find bugs is in the plugins. 1. Find the installed plugins with WPScan 2. Set up your own WP instance and install the same plugins 3. Hack your own instance 4. Report your bugs! The most common bug you'll find with this method is XSS.
I attached an example of how they are created. The only difference between the two is that 'wp_ajax_nopriv' are registered for users without any authentication, whereas the 'priv' versions are registered for users with any kind of session. Even shop or forum accounts. 2/n
This kind of naming convention is dangerous as plugin authors might confuse the "priv" or "privileged" for "authentication". The difference is that just because you are authenticated (e.g. a forum user) does not mean that you are privileged. 3/n
Another thing to easily get wrong is the fact that it is up to the plugin author to perform CSRF and permission checks within the ajax callbacks. Especially when auditing smaller plugins, these checks are often missing altogether or incorrect. 4/n
Another one of my favorite WordPress functions where intuition says it does one thing but it actually does a completely different thing is 'is_admin()' 5/n
This is because is_admin() returns true if the current request was made to a script within the wp-admin/ directory. Since the code that triggers ajax callbacks is located within that directory, it is always true in ajax callbacks regardless of permissions.
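An added example (not code from the thread or from WordPress itself) that puts the two points above side by side: an ajax callback that relies on is_admin() and skips the CSRF/permission checks, next to the same callback hardened with a nonce check and a capability check. The action names, option key and nonce field name are hypothetical.

```php
<?php
// Added example, not from the thread. Hook names, action names, the
// option key and the 'nonce' POST field are hypothetical.

// Vulnerable pattern: reachable by any logged-in user (wp_ajax_) and by
// anonymous visitors (wp_ajax_nopriv_). is_admin() is always true inside
// admin-ajax.php, so it gates nothing, and no nonce is verified, so a
// forged request riding on an admin's session is accepted.
add_action( 'wp_ajax_demo_save_setting',        'demo_save_setting_vulnerable' );
add_action( 'wp_ajax_nopriv_demo_save_setting', 'demo_save_setting_vulnerable' );
function demo_save_setting_vulnerable() {
    if ( ! is_admin() ) {            // always true here: not a permission check
        wp_send_json_error( 'forbidden', 403 );
    }
    update_option( 'demo_setting', wp_unslash( $_POST['value'] ?? '' ) );
    wp_send_json_success();
}

// Hardened pattern: registered for authenticated users only, verifies a
// nonce bound to this action (CSRF), checks a capability (authorization,
// not merely authentication), and sanitizes the input.
add_action( 'wp_ajax_demo_save_setting_safe', 'demo_save_setting_hardened' );
function demo_save_setting_hardened() {
    // Dies with a 403 unless a valid nonce for this action was sent.
    check_ajax_referer( 'demo_save_setting_safe', 'nonce' );

    // Authenticated != privileged: a subscriber or shop customer has a
    // session but must not pass this capability check.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    $value = sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) );
    update_option( 'demo_setting', $value );
    wp_send_json_success( array( 'value' => $value ) );
}

// The nonce the hardened callback expects is generated on the admin page
// that hosts the form with wp_create_nonce( 'demo_save_setting_safe' ) and
// handed to the calling script, e.g. through wp_localize_script().
```

When auditing a plugin, the hardened shape is the checklist: no nopriv registration unless the action is meant for anonymous users, a check_ajax_referer() call, and a current_user_can() check, with is_admin() never standing in for either.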
I published my exploit for this here: github.com/scannells/exploit… Happy new year everyone!
Last week, Ubuntu 20.10 was released. Feel free to read my post on how I fuzzed eBPF, as well as a vulnerability breakdown of CVE-2020-27194 which is exploitable on the new Ubuntu release. (You can just skip to the vuln write up). scannell.me/fuzzing-for-ebpf…
Simon Scannell retweeted
The Linux (e)BPF bytecode verifier, the gift that keeps on giving! Wrote an exploit for CVE-2020-27194. :-) Shout out to @scannell_simon for the bug and @_manfp for exploitation strategy inspiration!