I had a customer who for reasons out of their control are stuck on WordPress 3.8. This version is vunerable to a long password denial of service. It mishandles hashing and long passwords can cause Apache to use up 100% of the CPU with very few requests and this was being exploited on my customers server.
As passwords are sent to wp-login.php with a POST request there is a easy mitigation for this.
In your apache config add a limitRequestBody and set this to 128 bytes directive on wp-login.php eg:
<Directory "/var/www/html/">
<Files "wp-login.php">
limitRequestBody 128
</Files>
</Directory>
This will limit requests content to 128 bytes which works out at just under a 80 char password will pass if using metsploits exploit attacking the username admin.
this is obviously more than enough for a regular password as I belive wordpress has a limit of around 50ish for its max password in the db.
The Tests:
I used:
- Target: virtualbox server CentOS 7 – 1GB RAM 2 Virtual processors
- Bad guy (me) Blackarch virtualbox 1GB RAM 2 Virtual processors
- metasploits
auxiliary/dos/http/wordpress_long_password_dos
Before adding limitRequestBody into config
USERNAME=admin
RLIMIT=200 (default)
PLENGTH=1000000(default)
After 50 Requests I gave up waiting as targe system was so unresponsive it could not process the remaining ( dos working)
As you can see load average is at 47 ( and was rising ) the server was completly unresponsive and needed a reboot before regaining control.
After adding limitRequestBody directive
USERNAME=admin
RLIMIT=200 (default)
PLENGTH=1000000(default)
So all 200 requests went through quite quick and load stayed low
any request with a content length over 128 will now recieve 413 (Request Entity Too Large) response code:
Worst Case Scenario
Lets try the max length of a password possible with limitRequestBody 128 to see what the server does.
USERNAME=admin
RLIMIT=200 (default)
PLENGTH=77 (max length with limitRequestBody 128)
So load goes up but still stays low.
Thanks for reading.
