Wednesday, 3 February 2016

Reverse engineering recently patched Wordpress

On the topic of the recent Wordpress update (see https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release) I was asked an interesting question which was ‘how to test/exploit’ the patched vulnerabilities? (namely the SSRF one)

Since this seems to be an scenario where Wordpress has not released the details, one way to do it is to diff the current release with the previous one

Depending on the technology, this can be really hard (C++ patches requiring IDA Pro foo) or doable (.NET, Java, PHP)

Assuming that Wordpress is not distributed in compiled PHP (http://stackoverflow.com/questions/1408417/can-you-compile-php-code) this could be as simple as doing a file diff (it will depend on how many changes where made in the current release)

And how to perform this diff?

Use Git :)

Just:

  1. install previous version
  2. commit all files
  3. install upgrade (which in Wordpress can be done via the web interface)
  4. review changed files (it might be useful to commit files that clearly are not related to the issue)
Post a Comment