Captcha Bypassed! (false report)
Plugin url : https://wordpress.org/plugins/captcha/
Downloads: 2,402,502
——-
+What’s the story?
In the last weeks I have seen brute force attacks against my users' sites.
The attack was widespread: many of my users' sites were under it.
The attacker tries to log in with the 'admin' user and a list of different passwords; here is a sample:
IP Address: 78.6.91.162 User authentication failed: admin User wrong password: marcin
-------
IP Address: 93.61.84.210 User authentication failed: admin User wrong password: marcin
-------
IP Address: 78.4.5.10 User authentication failed: admin User wrong password: leonardo
-------
IP Address: 78.4.90.78 User authentication failed: admin User wrong password: looking
-------
IP Address: 93.61.33.229 User authentication failed: admin User wrong password: looking
I'm using the WordPress Captcha plugin (4.0.8); unfortunately this nice plugin provides a simple function to decode the captcha result.
+Let me break it down with example!
When you want to log in to your site, this plugin generates some hidden inputs:
<input type="hidden" value="Vd/o" name="cptch_result">
<input type="hidden" value="1420695173" name="cptch_time">
<input type="hidden" value="Version: 4.0.8">
We must enter the correct result in the input below:
<input type="text" name="cptch_number" id="cptch_input">
On the other hand, when we fill it in and click the login button, the plugin tries to match the result in its own way:
if ( 0 == strcasecmp( trim( cptch_decode( $_REQUEST['cptch_result'], $str_key, $_REQUEST['cptch_time'] ) ), $_REQUEST['cptch_number'] ) ) {
    /* Captcha was matched */
    $_SESSION['cptch_login'] = true;
    return $user;
}
In the above code you can see the plugin uses 'cptch_decode' to match the result. And what is the code of the cptch_decode function?
function cptch_decode( $String, $Key, $cptch_time ) {
    /* Check if key for encoding is empty */
    if ( ! $Key )
        die ( __( "Decryption password is not set", 'captcha' ) );

    $Salt = md5( $cptch_time, true );
    $StrLen = strlen( $String );
    $Seq = $Key;
    $Gamma = '';
    while ( strlen( $Gamma ) < $StrLen ) {
        $Seq = pack( "H*", sha1( $Seq . $Gamma . $Salt ) );
        $Gamma .= substr( $Seq, 0, 8 );
    }

    $String = base64_decode( $String );
    $String = $String ^ $Gamma;

    $DecodedString = substr( $String, 1 );
    $Error = ord( substr( $String, 0, 1 ) ^ substr( pack( "H*", sha1( $DecodedString ) ), 0, 1 ) );

    if ( $Error )
        return false;
    else
        return $DecodedString;
}
And what happens if we pass the same $cptch_time value to the function?
Yes! We can bypass the captcha by reading the hidden cptch_result and cptch_time values, running the same decode on them (with the same $str_key the plugin passes in) to generate the answer, and submitting it as cptch_number.
Thank you for your fast answer. So the question now is: how can the robots bypass the captcha and brute force?
+So what can I do now?
You can use another captcha plugin, or wait for the plugin author to solve this issue.
+How can the code be made secure?
The plugin author can use a specific random salt for each plugin installation; put another way, he can
generate a random string per installation instead of using the current time.