5
CVSSv2

CVE-2014-9034

Published: 25/11/2014 Updated: 04/04/2016
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
VMScore: 551
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Vulnerability Summary

wp-includes/class-phpass.php in WordPress prior to 3.7.5, 3.8.x prior to 3.8.5, 3.9.x prior to 3.9.3, and 4.x prior to 4.0.1 allows remote malicious users to cause a denial of service (CPU consumption) via a long password that is improperly handled during hashing, a similar issue to CVE-2014-9016.

Vulnerability Trend

Affected Products

Vendor Product Versions
WordpressWordpress3.7.4, 3.8, 3.8.1, 3.8.2, 3.8.3, 3.8.4, 3.9, 3.9.1, 3.9.2, 4.0

Vendor Advisories

Debian Bug report logs - #770425 wordpress: CVE-2014-9031 CVE-2014-9032 CVE-2014-9033 CVE-2014-9034 CVE-2014-9035 CVE-2014-9036 CVE-2014-9037 CVE-2014-9038 CVE-2014-9039 (issues fixed in 401 security release) Package: src:wordpress; Maintainer for src:wordpress is Craig Small <csmall@debianorg>; Reported by: Salvatore Bona ...
Debian Bug report logs - #783347 wordpress: New critical security release available: 412 (CVE-2015-3438 CVE-2015-3439) Package: wordpress; Maintainer for wordpress is Craig Small <csmall@debianorg>; Source for wordpress is src:wordpress (PTS, buildd, popcon) Reported by: Christer Mjellem Strand <dilldall@bjorkorg> ...
Debian Bug report logs - #783554 wordpress: New critical security release available: 421 (CVE-2015-3440) Package: src:wordpress; Maintainer for src:wordpress is Craig Small <csmall@debianorg>; Reported by: Craig Small <csmall@debianorg> Date: Mon, 27 Apr 2015 22:24:02 UTC Severity: important Tags: security Found ...

Exploits

<?php echo "\nCVE-2014-9034 | WordPress <= v40 Denial of Service Vulnerability\n"; echo "Proof-of-Concept developed by john@securelicom (securelicom)\n\n"; echo "usage: php wordpressedphp domaincom username numberOfThreads\n"; echo " eg: php wordpressedphp wordpressorg admin 50\n\n"; echo "Sending POST data (username: " $a ...
==================================================================== DESCRIPTION: ==================================================================== A vulnerability present in Wordpress < 401 allows an attacker to send specially crafted requests resulting in CPU and memory exhaustion This may lead to the site becoming unavailable or unrespo ...

Mailing Lists

WordPress versions 40 and below suffer from a denial of service vulnerability ...
A vulnerability present in Drupal versions prior to 734 and WordPress versions prior to 401 allows an attacker to send specially crafted requests resulting in CPU and memory exhaustion This may lead to the site becoming unavailable or unresponsive (denial of service) ...

Metasploit Modules

WordPress Long Password DoS

WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to cause a denial of service (CPU consumption) via a long password that is improperly handled during hashing.

msf > use auxiliary/dos/http/wordpress_long_password_dos
      msf auxiliary(wordpress_long_password_dos) > show actions
            ...actions...
      msf auxiliary(wordpress_long_password_dos) > set ACTION <action-name>
      msf auxiliary(wordpress_long_password_dos) > show options
            ...show and set options...
      msf auxiliary(wordpress_long_password_dos) > run

Github Repositories

wp_drupal_timing_attack Python scripts to exploit CVE-2014-9016 and CVE-2014-9034 For legal purposes only

CSCI4349 Week 9: Honeypot MANUAL HONEYPOT SETUP git clone this repo git clone githubcom/harrystaley/CSCI4349_Week9_Honeypot open your terminal application and execute the following command vagrant up vagrant ssh wich should bring you to a new terminal prompt on your newly created linux box cd /vagrant initialize google cloud gcloud init login and instert the name o