Plugging a Plugin


As a relative newcomer to the world of Penetration Testing, I never expected to discover an unknown vulnerability this early in my career.

In some respects, I have Melbourne’s COVID-19 lockdown to thank for this achievement.

Whilst conducting routine testing on a client’s web application, I could sense something wasn’t quite right. There seemed to be a problem that went beyond the vulnerabilities I tend to encounter when testing the access levels of an unauthenticated visitor to an application.

It wasn’t exactly obvious what the problem was. Uncovering it would require more digging.  Ironically, it’s thanks to the lockdowns that I had the time to delve deeper and discover the source of the problem.

 

A Passion for Penetration Testing

As a teenager, I was fascinated with computers. My dad was an IT professional for many years and instilled in me an interest in technology from a young age. He would often recount exciting stories about the hackers in the Penetration Testing team at his work.

When it came time for me to enrol in university, I knew I’d be studying IT, but had no idea what specialisation to select. I opted for a generalist Bachelor of Information Technology to get exposure to a range of different focus areas.

By final year, I’s discovered a passion for Penetration Testing. I researched ‘Heartbleed,’ the critical OpenSSL bug discovered in 2014, for my dissertation and conducted ethical hacking against the university’s Wi-Fi network for my final project.

Upon graduating in 2015, my prospects for working as a Penetration Tester were limited because I had minimal practical experience, no OSCP certifications and had never even participated in a hackathon or Capture-the-Flag. I knew I had to work on developing my skills, so began devoting every spare minute to ethical hacking.

Even after Shearwater gave me the opportunity to join their team as a junior Penetration Tester, I continued spending any spare time continually learning and honing my skills. My curiosity and drive always lead me to go a bit further and dig a bit deeper in the quest to discover hidden vulnerabilities.

 

On the Hunt

My sense that there was a deeper problem with the web application I was testing compelled me to interrogate it further. With little else to do during lockdown, I spent countless after-hours investigating, looking for any sign of a gap in the application’s security.

Like many web applications, this one made extensive use of a range of plugins. A plugin is a piece of ready-made software that performs a particular function. When building a website, many developers will make use of plugins as they can be quicker and easier solutions than building every piece of functionality from scratch.

But not all plugins are built to the same standard. Many are developed securely, but others are not. It’s vital to test the security of all plugins thoroughly before incorporating them into a web application.

In this case, the client had incorporated Umbraco Forms 7.4.1. This particular plugin formed part of their Contact Us page, allowing visitors to upload and send documents to the site’s admins. Normally such plugins should only allow visitors to upload and send certain types of files that are likely to be safe, such as PDFs or JPEGs.

Unknown to both the client and the folks who developed the plugin, was that Umbraco Forms 7.4.1 allowed unrestricted file uploads. There would be nothing preventing a malicious actor uploading and sending dangerous files, such as malware to the client.

When an admin user clicked and downloaded a file sent through the plugin, it would execute within their local desktop environment. Due to the lack of any restrictions on the types of files that could be sent, a file could include phishing attempts or malicious executable files, paving the way to steal administrator user credentials and potentially allowing a full system takeover.

Such a gaping vulnerability would represent an unacceptable level of risk for any web application owner.

With the web application leaving the client dangerously exposed, they were immediately notified and provided guidance on remediation efforts to keep them secure. Steps were also taken to notify Umbraco so a patch could be developed to fix the vulnerability.

With potentially many thousands of web applications around the world using the Umbraco Forms 7.4.1 plugin, this discovery allows admins to be aware of their exposure and increase their security.

Discovering my very first unknown vulnerability has been an exciting and rewarding experience. It motivates me to always go the extra mile in the hunt for other unknown vulnerabilities.

Click here for further details on the vulnerability.