WordPress 4.7.2 Authentication Cookie Brute-force

I recently came across a WordPress (v 4.7.2) site with an exposed wp-config.php file, within which plain text server authorisation key secrets were accessible.
Having read Mike Czumak’s article on generating WordPress cookies, I understand at a high level how the generation of WP auth session cookies may work:
http://www.securitysift.com/understanding-wordpress-auth-cookies/

The pertinent host dependent inputs required for the brute-force process are a valid WordPress user ID, server name and the server AUTH secrets from wp-config.php.

The article however applies to WordPress 3.9. I’m wondering if the brute force attack described in the article is possible in newer versions. I tried the POC and found that the version 3.9 auth cookies generated were in a shorter format than those required for 4.7.2.
Comparison of the WordPress source code reveals an additional $token parameter that is used when generating $auth_cookie.

3.9

$auth_cookie = wp_generate_auth_cookie($user_id, $expiration, $scheme);
$logged_in_cookie = wp_generate_auth_cookie($user_id, $expiration, 'logged_in');

4.7.2

if ( '' === $token ) {
    $manager = WP_Session_Tokens::get_instance( $user_id );
    $token   = $manager->create( $expiration );
}

$auth_cookie = wp_generate_auth_cookie( $user_id, $expiration, $scheme, $token );
$logged_in_cookie = wp_generate_auth_cookie( $user_id, $expiration, 'logged_in', $token );

I am in the process of reporting the issue to the site owners. I have not been able to completely follow the newer (>3.9) PHP code and so would like some pointers as to whether the same type of cookie-generation brute-force attack is feasible on version 4.7.2.