Pingback Bug in Wordpress Can Be Leveraged in DDoS Attack, Router Reconfiguration

A bug known since 2007 in the popular publishing platform WordPress is now back and ready to be abused, according to a blog post by vulnerability specialist Accunetix.

Image courtesy to WordPress

Like most major publishing platforms, WordPress has a pingback feature that notifies the blog owner when another website links to a page of the WordPress blog, with details of where and what. This feature is used by millions of blogs around the world but can be easily turned into a tool for discovering computers on a network or for orchestrating a distributed denial of service attack against a specific target.

The WordPress XML RPC API is in the xmlrpc.php file that comes by default with WordPress. According to Accunetix`s Bogdan Calin, a malicious user can spoof a pingback to a specific blog in order to send a malicious command to scan the internal network where the host (the computer that runs the blog software) resides, to reconfigure a router on the network of the host or to simply hammer the computer until it crashes.

Long story short: if the victim-blog receives a malformed pingback that looks like a blog located at http://subversion/ or http://bugzilla/or http://dev/ linked a page of the victim-blog, it will try to resolve the Source URL. If the response fails, the host does not exist. If it succeeds, it displays the URL sent by the attacker below the comments section along with the port number specified in the URL, as pingback or trackback, revealing that the probed resource is valid and available.

According to Calin, žthis can also be used for distributed DOS (Denial of Service) attacks. An attacker can contact a large number of blogs and ask them to pingback a target URL. All of these blogs will attack the target URL“.

Last, but not least, the attacker can spoof the pingback link to look like hxxp://admin:[email protected]/changeDNS.asp?newDNS=x.x.x.x to force an improperly configured router to use a different domain name server that maliciously resolves hostnames (which is perfect for phishing attacks or for planting malware). Since the victim-blog is on the same network as the router, the command is executed behind the firewall, so there is nothing to filter it.

WordPress is currently used by 17.5% of all websites on the Internet in a multitude of setups and configurations. Until this issue gets fixed (if ever), we recommend you disable pingback and trackback functionality for your blog if you are not running it on a professional, commercial-grade hosting account. Especially as a proof-of-concept script is already in the wild.