Akamai Diversity

The Akamai Blog

Anatomy of Wordpress XML-RPC Pingback Attacks

Akamai researchers have released fresh details regarding the Wordpress XML-RPC pingback exploits used in a series of DDoS attacks earlier this month. The details are in an advisory written by CSIRT's Larry Cashdollar.

The attack exploits a seemingly innocuous feature of WordPress, a content management system that currently runs approximately 20 percent of all websites. 

Because Wordpress is widely used by Web masters and bloggers, any vulnerability in the WordPress suite that can be exploited could result in massive headaches across the Internet. In this case, the exploited feature is referred to as a "pingback."

All default installations of WordPress 3.5 come with the vulnerable feature enabled. A simple POST to a specific file on an affected WordPress server is all that is required to exploit this vulnerability. No special tools are required; a simple curl command is enough. The WordPress xml-rpc pingback feature has been abused to DDoS target sites using legitimate vulnerable WordPress sites as unwilling participants.

"The pingback feature in WordPress can be accessed through the xmlrpc.php file," Larry wrote. "One of the methods available in this API is the pingback.ping function. This function takes two parameters, the source URI and the target URI. With this function, other WordPress blogs can announce pingbacks."

He added:

When WordPress processes pingbacks, it's attempting to resolve the URL supplied to this function, if it succeeds it will make a request to the URL specified and check the response for a link to a certain WordPress blog post. If it finds a link, it will publish a comment on that blog post noting that this blog post was mentioned in their blog.

Essentially this is an open proxy allowing any malicious user to use a WordPress site to direct layer seven attacks at a target. This can also be abused to target internal systems if the webserver is hosted on an internal network. Adversaries can attempt to enumerate internal services and systems by specifying RFC1918 addresses and ports as target URLs. They can also change the configuration on certain web-enabled devices by placing login credentials in the target URL.

To see if you are affected, follow these steps:

  • Look for log entries similar to the following: 192.168.0.20 - - [13/Mar/2014:18:32:33 0400] "GET /?23823 HTTP/1.0" 200 2932 "" "WordPress/3.8.1; http://192.168.0.27/wordpress"
  • In the above log entry the method is GET and the request string is '/?23823' a random number that doesn't exist. This forces the request to bypass any caching that might be in place and direct this query at the origin server. The appearance of the user agent 'WordPress/3.8.1' tells us this request originated directly from a site running WordPress 3.8.1
  • You can check to see if your WordPress site is vulnerable by following this link.
  • You can find out if your site has been used in a DDoS attack by following this link.

To fix the problem, users must disable the pingback feature by following the instructions documented by the staff at WordPress.  

wordpress-under-attack-crop.jpg

1 Comment

Very useful artical, exactly what I was looking for; thank you!

Leave a comment