This post concerns an XML Denial of Service that I detected in both WordPress and Drupal (http://wordpress.org/news/2014/08/wordpress-3-9-2). It is based on a well-known attack, the XML Quadratic Blowup Attack. It is starkly different from the customary XML bomb exploitation in that it relies on how the PHP memory limit, the MySQL connection limit and Apache MaxClients interact. This bug can be exploited without the aid of any plugins, and it works on the default installation of WordPress and Drupal. Only one machine is needed to exploit this vulnerability. Another bug I found in WordPress and Drupal is an Oversized XML attack; I am not going to talk about it in this article, and the patch from WordPress and Drupal should solve both issues.
How many users are using WordPress or Drupal?
According to Wikipedia (http://en.wikipedia.org/wiki/WordPress), WordPress was used by more than 18.9% of the top 10 million websites as of August 2013; more than 60 million websites use WordPress, and over one million websites use Drupal.
What is a denial-of-service (DoS) attack?
In computing, a denial-of-service (DoS) or distributed denial-of-service (DDoS) attack is an attempt to make a machine or network resource unavailable to its intended users.
Although the means to carry out, the motives for, and targets of a DoS attack vary, it generally consists of efforts to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet.
As clarification, DDoS (Distributed Denial of Service) attacks are sent by two or more persons or bots (see botnet), whereas DoS (Denial of Service) attacks are sent by one person or system.
WordPress 3.5 – 3.9 (latest version), works on default installation
Drupal 6.x – 7.x (latest version), works on default installation
Risks stemming from the current situation
- Service Unavailable (too many open connections, mysql_connect(): Too many connections)
- 100% CPU, RAM Usage
How attackers exploit XML Denial of Service in most cases
In most cases, attackers exploit XML Denial of Service using malicious entity declarations, both external and internal (see http://en.wikipedia.org/wiki/Document_type_definition).
Most websites are protected against attacks based on external entities, but remain highly susceptible to internal entities.
About XML Quadratic Blowup Attack:
An XML quadratic blowup attack is similar to a Billion Laughs attack (http://en.wikipedia.org/wiki/Billion_laughs). Essentially, it exploits entity expansion; but instead of relying on nested entities, it defines one large entity of a couple thousand characters and references it repeatedly.
A medium-sized XML document of approximately two hundred kilobytes may require anywhere from one hundred MB to several GB of memory. When the attack is combined with a particular level of nested expansion, the attacker achieves an even higher ratio.
<!DOCTYPE DoS [
<!ENTITY a "xxxxxxxxxxxxxxxxx…">
]>
If an attacker defines the entity declared above (&a;) as 55,000 characters long and refers to it 55,000 times inside the "DoS" element, the resulting XML Quadratic Blowup payload is slightly over 200 KB in size but expands to 2.5 GB when parsed. That expansion is enough to crash the parsing process.
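As an added defensive example (my own code, not from the post or from WordPress/Drupal): a pre-parse guard that estimates how large the document body becomes once entity references are expanded, so a request shaped like the one above can be refused before the XML parser allocates anything. It also follows nested definitions, so the same check covers a Billion Laughs payload. The function names, the 1 MB cap and the two sample payloads are assumptions constructed for this example.

```python
import re

# Internal-subset general entity declarations, e.g. <!ENTITY a "xxxx">
ENTITY_DECL = re.compile(r"<!ENTITY\s+(\w+)\s+([\"'])(.*?)\2\s*>", re.S)
ENTITY_REF = re.compile(r"&(\w+);")

def declared_entities(xml):
    """Map entity name -> replacement text for each general entity in the DOCTYPE."""
    return {m.group(1): m.group(3) for m in ENTITY_DECL.finditer(xml)}

def expanded_length(text, entities, _stack=(), _memo=None):
    """Size of `text` once every &name; is fully expanded. Nested definitions
    (Billion Laughs) are followed recursively; a cycle raises instead of looping."""
    _memo = {} if _memo is None else _memo
    total, last = 0, 0
    for m in ENTITY_REF.finditer(text):
        total += m.start() - last            # literal text before this reference
        last, name = m.end(), m.group(1)
        if name not in entities:             # &amp; etc.: no expansion
            total += len(m.group(0))
            continue
        if name in _stack:
            raise ValueError("recursive entity: " + name)
        if name not in _memo:
            _memo[name] = expanded_length(entities[name], entities, _stack + (name,), _memo)
        total += _memo[name]
    return total + len(text) - last          # literal text after the last reference

def estimated_expansion(xml):
    """Bytes the document body would occupy after the parser expands it."""
    end = xml.find("]>")                     # end of the DOCTYPE internal subset
    body = xml[end + 2:] if end != -1 else xml
    return expanded_length(body, declared_entities(xml))

def safe_to_parse(xml, max_expanded=1_000_000):
    """Assumed policy: refuse anything that would grow past 1 MB or that recurses."""
    try:
        return estimated_expansion(xml) <= max_expanded
    except ValueError:
        return False

# Constructed miniature of the payload in the post: a 50-char entity referenced
# 40 times, so a ~300-byte request expands to 2,012 bytes of body text.
QUADRATIC = ('<?xml version="1.0"?>\n<!DOCTYPE DoS [\n<!ENTITY a "' + "x" * 50
             + '">\n]>\n<DoS>' + "&a;" * 40 + "</DoS>")
# Constructed nested variant (10 x 10 x 3 chars) to show the same check covers it.
NESTED = ('<!DOCTYPE x [\n<!ENTITY lol "lol">\n<!ENTITY lol1 "' + "&lol;" * 10
          + '">\n<!ENTITY lol2 "' + "&lol1;" * 10 + '">\n]>\n<x>&lol2;</x>')
```

Run `safe_to_parse()` on the raw request body before handing it to the XML-RPC parser; the estimate is an upper bound on what the parser will materialise, so the cap can be set well below the PHP memory limit.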
By default, the memory allocation limit in PHP is set to 128MB per process (http://php.net/manual/en/ini.core.php#ini.memory-limit).
This implies that a single XML bomb request cannot exceed the 128MB limit; however, MySQL and Apache cap concurrent clients ("Max Clients, Max Connection") at 256 and 151 by default (http://httpd.apache.org/docs/current/mod/mpm_common.html).
Hence the product maxMemory × maxConnections gives 128 × 151 = 19328MB, which consumes all available memory.
In order to perform a successful attack, an attacker must fingerprint the available memory limit on the victim server: if the payload exceeds the PHP limit, the server rejects the request and the attack fails. The fingerprinting can easily be done from the error-based response. Here is a prime example: a payload that exceeds the PHP limit leads to an internal server error response from the server, whereas a successful request returns the injected payload in the response.
PoC Exploit (128MB memory limit):
Fix: update WordPress or Drupal (http://wordpress.org/download/, https://www.drupal.org/download), or delete xmlrpc.php.