How We Discovered a Vulnerability in MapPress Pro (CVE-2020-12675)

There are new vulnerabilities discovered every day, and new patches issued to fix them. Sometimes those patches don’t fully address the problem, or introduce new issues at the same time. One of the key functions of our security research team is to threat hunt on behalf of our entire customer base. They dig deeper and do extensive research to ensure the software and platforms that our customers rely upon are secure.

Digging Deeper

We maintain an internal database which essentially contains a shopping list for potential vulnerabilities likely to have an impact on our customers. This helps our security research team sift through the overwhelming volume of vulnerabilities out there and focus on the ones that have the highest potential to cause harm.

Many security organizations blindly accept that a vulnerability has been fixed with the latest patch, but we don’t take the developer’s word for it. We set up a patched target and attempt to exploit it to see if it is still vulnerable. We then capture all of the activity and data to understand what it looks like when the attack executes and gather information that we can use to develop detection signatures for the threat.

MapPress Pro Vulnerability

Recently, one of our security researchers was hunting for threats in popular WordPress plugins and pulled a threat research pack for MapPress Pro—a mapping plugin. WordPress is a widely used web publishing platform and is fairly stable and secure in and of itself, but thousands of unregulated plugins create a “Wild West” scenario.

There was a previous vulnerability in MapPress Pro identified by WordFence, which the developer fixed and issued a patch for. At face value, it would seem the issue was fixed and there was no need to dig deeper. Our security research team, however, went beyond the surface to double check. Our researcher downloaded multiple versions of the plugin to evaluate against a proof of concept exploit for the original flaw.

He dissected the code and pieced together notes on it. The previous vulnerability was the result of the developer not including nonce or capability checks. A nonce check submits a random value along with a web form so the server can validate that the form came from the correct source and was not intercepted or corrupted in any way.

Our researcher tracked down where the nonce was generated and where it appeared within the code, and found that the nonce value could be read simply by viewing the source of the page. He discovered that it was therefore still possible to bypass validation and upload arbitrary PHP code to the site.
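To make the distinction between the two missing checks concrete, here is an added example (not MapPress Pro’s code, and not the patch the developer shipped): a WordPress AJAX upload handler written first in the nonce-only shape described above, then in a form that also verifies the caller’s capability and the file type. The function and action names are hypothetical; the WordPress core functions called (check_ajax_referer, current_user_can, wp_check_filetype_and_ext, wp_handle_upload, wp_send_json_error, wp_send_json_success) are assumed to be available in the installed WordPress version, and the allowed image types are chosen only for illustration.

```php
<?php
/**
 * Added example, not MapPress Pro's code. Two versions of the same
 * hypothetical AJAX upload handler: nonce only, then nonce + capability
 * + file-type restriction. Names prefixed "hypothetical_" are invented.
 */

// --- Weak version: nonce check only -----------------------------------
// A WordPress nonce proves the request came from a page that embedded the
// token (it is visible in the page source to anyone who can load that page).
// It is a cross-site request forgery defence; it says nothing about whether
// the logged-in user is *allowed* to perform the action.
function hypothetical_weak_upload() {
    check_ajax_referer( 'hypothetical_upload', 'nonce' ); // CSRF check only

    if ( empty( $_FILES['file'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }
    // No capability check and no type restriction: a low-privilege account
    // that can read the nonce can place an arbitrary file in the uploads tree.
    $upload = wp_handle_upload( $_FILES['file'], array( 'test_form' => false ) );
    wp_send_json( $upload );
}

// --- Hardened version: nonce + capability + file type ------------------
function hypothetical_safe_upload() {
    // 1. Nonce: still required, it is the CSRF defence.
    check_ajax_referer( 'hypothetical_upload', 'nonce' );

    // 2. Capability: decide *who* may upload. 'upload_files' is held by
    //    Author and above in a default install; adjust to the feature's needs.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    if ( empty( $_FILES['file'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }
    $file = $_FILES['file'];

    // 3. Content: allow only the formats this feature needs (assumed here to
    //    be marker icons). wp_check_filetype_and_ext() inspects the file's
    //    real content for images, so a PHP script renamed to .png is rejected.
    $allowed = array(
        'png'      => 'image/png',
        'jpg|jpeg' => 'image/jpeg',
    );
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }

    // wp_handle_upload() re-applies the MIME check against the narrowed
    // 'mimes' list and moves the file into the uploads directory.
    $upload = wp_handle_upload(
        $file,
        array( 'test_form' => false, 'mimes' => $allowed )
    );
    if ( isset( $upload['error'] ) ) {
        wp_send_json_error( $upload['error'], 500 );
    }
    wp_send_json_success( $upload );
}

// Register only the hardened handler for logged-in users.
add_action( 'wp_ajax_hypothetical_upload', 'hypothetical_safe_upload' );
```

The point of showing both is that the nonce and the capability check answer different questions: the nonce asks “did this request originate from my page?”, the capability check asks “is this user permitted to do this?”. A patch that adds only the first leaves the second unanswered, which is the gap the paragraph above describes.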

Alert Logic reached out to the developer of the plugin and worked with them to fully address the issue. We informed the development team that the original fix only resolved one facet of the underlying problem, and that users with low permissions on the site could still exploit the flaw to leverage access they should not have.

Working with Alert Logic, the developer was able to quickly develop and release a new patch that fully resolved the vulnerability.

Protecting Alert Logic Customers

This research effort benefits the world at large once the process is complete, but we don’t wait until that point to protect Alert Logic customers. As soon as a vulnerability is identified, we develop a telemetry signature. Even before we have determined exactly what a successful attack against the vulnerability looks like, we use the information we have to make an educated guess about how an attack might work and develop broad detection to catch anything resembling an attack while we continue our research efforts to develop a more surgical signature for the threat.

Just Part of Our Routine

This sort of activity is a big part of the value provided by Alert Logic security researchers. We don’t always identify new CVEs as a function of this due diligence. We have a culture that does not just settle for the bare minimum. We owe it to our customers and partners to go above and beyond. That’s why it is important that we never accept proof of concept exploits at face value.

We have data and insights from our 4,000+ customers around the world. When we find an issue that affects one customer, we can apply the lessons learned and deploy detection to benefit all of our customers before they can get breached.