Episode: 526 Title: HPR0526: Interview with a whitehat Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr0526/hpr0526.mp3 Transcribed: 2025-10-07 22:29:20 ---

Let's have a look. Hello and welcome, podcast listeners, to Hacker Public Radio. I'm your host Finux and I'm joined tonight by fellow HPR host and new boy Tom McKenzie. Tom has been running the recent series of interviews with blackhats, which has had some reviews, but the latest episode has left everyone thirsty for more, and on February the 13th Tom released an advisory with regards to a bug. He also released a proof of concept for a bug that he found in WordPress versions 2.9 and 2.9.1, which was later patched in version 2.9.2. So without delay, welcome to today's guest, Tom McKenzie. Hi Tom, how are you doing?

Yeah, I'm doing good, Finux, glad to be being interviewed by you, can follow us to the bottom a little bit of up.

If any of the Hacker Public Radio listeners are unaware, Tom and I podcast together on another podcast; we release the shows on Hacker Public Radio as well, but we're here, both of us, on our podcast called Trackset. So yeah, I know Tom a little bit, and I heard about what was going on at the time, and Tom approached me, sorry, I was interested in getting the news about this advisory out. Tom, I think probably the easiest thing to do, to start off with, would be to get you to introduce yourself to the Hacker Public Radio listeners who might not have come across you before.

Yeah, that's fine. So I'm Thomas McKenzie, and my screen name is TMacUK. I'm currently studying at Northumbria University on Ethical Hacking for Computer Security, so I'm in the first year.
I have been involved with computers since the age of 11 or 12. My dad's a big fan of, well, he was a big fan of binary coding, so I've been brought up around that for a while, and I built my own computer when I was younger. Then as I got into GCSEs I was interested in website building, and from there I went into web applications, and that's where really my love of security came from. I'd say that I'm quite well versed in web application stuff, and I've currently just actually received a job from RandomStorm doing some web app testing, some network penetration testing, and yeah, that's pretty much it. I mean, I'm just a regular 18 year old student, likes going out to the pub and likes learning at uni.

And Tom, I suppose the next question for me is, could you in layman's terms describe the bug that you found? At the time that you released this, am I right in thinking that this was the prescribed version of WordPress, the up-to-date version, 2.9.1 I think it was at the time, and the problem was in 2.9? Because I'm aware that many people on HPR probably run some version of a WordPress blog, quite a lot of the current electronic community, and might not have come across this report. Could you kind of, in layman's terms, explain exactly what the bug was that you found?

Yeah, well, what I'll do is I'll just explain how I came about it, because that's probably the easiest way to do it.

Yeah, sure.

And first of all, what happened was is that I have a person on my blog at the moment called DAC Otter and he's currently doing a guest series on cryptography, and what I did is I created an account on my WordPress so that he could upload them, and what he does is he does draft copies and has them so that they're published in the future, like at the end of the week, so that I can check them before they go live.
Now, I was sat in C programming at university when I got an alert saying that he'd posted one, and I checked it, and as I checked it I looked at the, it's called Permalinks in WordPress, and it's basically just like the URL and how the post is posted to the website and how it is shown in the URL, and it's like question mark p equals and then the number. I grabbed that and I put it in the URL bar. Bearing in mind, obviously, this was a draft post at the time; it actually came up with the title, the title of the post. So I played around with it and I did "happy new year 2011" and anybody could see that as well. So from there I got a bit excited, thinking, you know, eBay, PlayStation, they all use it, and imagine if you saw an unannounced PlayStation 4 or whatever, how famous you would be. So I went about researching a bit further into it. I got a bit further and what happened was is that the actual title bug was part of the theme that I was running called Pixel. I fixed that and got into it with the creator and the updated version of the theme. So in actual fact I found two bugs, one within the theme and one within the actual WordPress. I went a bit further into it and I figured out that you can basically view trashed posts by doing the exact same URL manipulation, URL traversing I think it's called. Basically in 2.9 WordPress incorporated a new feature called trash, which is pretty much the same as Windows and Microsoft's recycle bin. What it does is it doesn't delete the post, it just puts it into an allocated space, and what that means basically is you are able to still see the post when it's trashed. So what it does is it doesn't just bring in the title, it actually shows the full deleted post, and I had a few posts that I was drafting and I thought, nah, you know, that's a bit dodgy, I may not post that, or, you know, I haven't got permission from whoever, so I deleted it without realizing that, you know, you could still view them.
So along with Ryan Dewhurst we wrote a proof of concept which searched through each URL and found these posts, and you could view them on any WordPress version no matter which type of permalink they were running. So any blog with any trashed post was vulnerable to the attack, really. That's the layman's terms; that's quite long.

Tom, let me get this right: we write a blog post about something, we save it in the drafts, then we decide we're not going to post this for whatever reason and we delete it, and yet you've written proof of concept code that will enable good guys and bad guys to enumerate the possible URL variations and retrieve what's in the trash. Is that right?

That's right, yeah. I mean, not just, you mentioned draft posts, not just draft posts. If you posted anything as well and then decided, no, delete that, or someone got in touch and said this was wrong or whatever and you deleted it, it doesn't get deleted, it gets put into the trash. So basically, no matter how the post was published, or if it wasn't published, when you click the trash button then anyone can view it as if it was a normal post.
Okay, and am I right in saying that this is not an unauthorized user error, and this is not to say that basically it's not a random robot that can do it, that you actually have to have an account to log on, be a subscriber, some level of account, but you do have to be authenticated?

That's right, yeah. I mean, most themes actually don't have a link to register on people's blogs, but what a lot of people don't realize is that within the admin panel of WordPress there is a button or an option to turn registration off, but what a lot of people didn't do is they didn't actually, you did do that, a lot of people, because obviously it's quite easy to use, a lot of people just, you know, changed the theme or got rid of that part and just thought, yeah, I'm safe. But as long as you put wp-register.php after the URL, on most sites you can register on the site and run the script that you can find on my website.

Okay, so I think what would be really good at this point is maybe to talk through the steps that you did to actually prove the vulnerability.

Okay, yeah, that's cool. It got a bit complicated, because obviously I mentioned before about the theme and that kind of threw me off course a bit, because I thought, well, I've found this bug, oh no, maybe I haven't, it's the theme, and then, well, maybe there is a bug there. And I got in touch with you and you gave me some advice, and Ryan gave me a bit of advice as well and gave me a lot of help, and a guy off the course called Matthew Hughes gave me some help, and also Ninja, he gave me a hand as well, in proxy, yeah, Ryan got in touch with him, he's in the proof of concept. But basically I went about downloading the old versions, so I got 2.8.6 and I got 2.9 and 2.9.1, and I put them on new virtual machines, and I also used XAMPP to basically put them on my local machine, and I did the same test over and over on each one, and I think I've got about 50 screenshots on my computer just documenting what I did.
I then got in touch with Ryan, we wrote the advisory together, and I went to, basically WordPress has this bug system called Trac, and I went on there and I searched for the bug how I would explain it. I mean, on my website, if you look through it on the website, it's named "failure to restrict URL access", and we got that name from OWASP; OWASP has a similar vulnerability for something else and we basically got the title from that. So when I was searching Trac I was searching for, you know, failure to restrict URL access, or URL manipulation, or enumeration, and I didn't find anything. So I thought, well, you know, I must have found this bug, so I tried going on Trac and, you know, putting it up, but there's too many rules and regulations, and to be honest I just wanted to get it fixed, so I emailed security at wordpress dot org, and within an hour I got a reply from Ryan. Then I got a reply and he basically told me, I said will this fix it, gave me a bit of code, tried it out and said yeah, that fixes it. And what it basically did is there's already some predefined code that says if it's in spam, or if it's in the deleted folder, or if it's in this folder or whatever, you can't view it, and all he did was just move trash up into the same part of the code. It was a simple fix, but obviously for some big companies that use WordPress there may be something in the trash that they don't want other companies to see.

Yeah, if they're not keeping up to date with their advisories or their update policies then they could still be vulnerable to it.

Yeah, I mean, from there basically what I did is it all got fixed, I released the advisory, and yeah, when I went about my day I was trying to hit some of my website, a lot of Google hits, and that was pretty much about it really. And then you're going to ask me now about the fuss that came from it.

Yeah, I mean, having some insider knowledge on the podcast does help. Yeah, there's no easy way of saying this. I believe a
couple of days afterwards it was raised to your attention that this wasn't a freshly discovered vulnerability, although you were probably the first one, from what I understand, by the looks of it, you're the first one to recognize it as actually a security vulnerability. It seems that this bug was discovered previously and reported to WordPress, and they didn't do anything, that's correct isn't it? But I think you were the first one to apply it in a hacking context and say actually this is not a bug but rather a vulnerability that could be exploited.

Yeah, I mean, then I'll mention the guy's name, because at the end of the day, you know, this guy found it first. So Caesar's grunt he's called; he found a vulnerability and reported it, oh well, he found a bug and reported it on Trac, and on Trac he put it as like a medium bug, but as soon as it went on there it got moved straight down to low; it wasn't considered. The only reason I can think why WordPress didn't do anything about it, or it was shunted to the back of a long queue, is that if you look on Trac it isn't explained very well. Like, all he says is he basically mentions trash, he mentions about being able to see some posts, but he doesn't go into detail; he posts once and then that's it, and then somebody else tries to back him up. So I think, like I said, when I searched Trac I was looking for specific things, I was looking for what I called the error, what I called it, so, you know, like I was looking for failure to restrict URL access, enumeration, URL traversing, them types of things, and that's why I didn't find it. And like you say, it came to my attention in quite a, it was quite strong really, the blog post that was on it, and I have received a few comments on my website which I haven't published that have been quite offensive, saying that, you know, I've stolen the idea, or this isn't anything to do with me, you just got all the credit for it,
and well, if that's what they want to think then that's fair enough, but I know, you know, and I know that Ryan Dewhurst knows, and I know quite a lot of people on my course know, that I put hours into, you know, trying to prove this and actually writing the advisory, do you know what I mean?

I mean, in your defense, I, you know, I spoke to you at the time about what I believed to be an appropriate testing mechanism for doing this, so just in my opinion, I mean, I read the blog post just recently, I thought it was a tad judgmental about lots of things. It didn't really take into account that, yes, okay, this issue was reported, it was reported, in my opinion, but bearing in mind I'm a security guy so I tend to look at these things this way, it was reported in a true developer's way of reporting problems: this is the problem with the code and this does this, and there was, for me, there was no, if you'd have looked at that you wouldn't have thought, my goodness, a vulnerability here. Your point's absolutely right that a company could have had data being leaked for quite a while now, while this bug was in Trac for, what is it, three or four months or something?

Three months, yeah, that's right.

Yeah, I mean, I thought it was particularly harsh, and in your defense I was definitely coming up and joining in. Yeah, I mean, what are you supposed to do? I mean, you draw a similarity to Dan Kaminsky and Moxie Marlinspike finding the null prefix SSL attack round about the same time independently; researchers do this all the time, it's nothing new. I certainly wouldn't be questioning someone's honesty, I mean, this is, yeah, that's what came across.

I mean, yeah, the thing that I will say in the defense of the blog post is that it was very well argued, and the guy, I mean, I've spoken to him since and there's been no apologies or anything, because there hasn't needed to be, because the post was very much argued in
the way that, well, maybe Thomas McKenzie did this and didn't, you know, didn't check or didn't do this, or maybe WordPress didn't do this or didn't do this, or maybe the original finder didn't do this. It was very argued, but in every case it was really strong, so if any of the people, so if I'd read it, if WordPress had read it, if, you know, if Caesar's grunt had read it, any of us might have felt upset about what this guy posted. I mean, the only reason obviously that I seem to have come out of it well, I think I've come out of it good, you know, I mean, but at the same time, you know, like I say, I've had a lot of comments, a lot of negative comments as well. So I think the only reason is because I am getting the credit for it, and to be fair, I understand.

I mean, I'm now going to jump to the other side of the fence: you were front page news on the WordPress developers' blog with this, were you not?

Yeah, not just on the developers' blog, I was on the front page of WordPress. My name, if you type it into Google, has gone up to number three, and considering that there was a prime minister called Thomas McKenzie, it's, you know, that's quite good really.

Tommy, I just, I don't know how you can draw a similarity between yourself and a prime minister. Now, I mean, in defense of the dude, he raised some interesting questions, but for me, I'm going to do this as a security dude, I think you did this appropriately and did it in the right way, how you came about it. This is the lesson, this is the lesson that is very, very important, and I'm quite sure that you'll back this up: you need to document everything you do when you discover a vulnerability or a bug. You need to take care. I've just been reading the book called The Cuckoo's Egg by a guy called Clifford Stoll, who was involved in computer security, but a
long, long time ago. He's an old physicist, and basically what he says is in physicist circles, you know, if you don't write, if you don't document it, it never happened. And for you it was probably very, very handy to have a ton of actual proof that you went through these processes and independently discovered this bug: the screenshots, your documentation, your actual honesty, integrity, even though it should never have been questioned, even if it was questioned, that you actually said, no, here's the evidence, here's the proof that I actually did my work and I found it, and I certainly am not guilty of stealing anything. Yeah, which is the lesson that I think is incredibly important to take out of this, apart from as well that if you don't publicize vulnerabilities they don't get patched, because, you know, credit where credit's due, your proof of concept was the one that WordPress quoted, and got, if I'm correct, the fix out pretty quickly, was it not? Within like three or four days or something?

It was within two days, yeah. Well, I had the unofficial, the unofficial patch that they actually incorporated into the official 2.9.2 within the hour, and I posted that straight on my website as soon as they sent me the code that fixed the vulnerability, because that's all it was, it was just another form of sanitization. As soon as I got it I put it on my website, and that was, you know, people's WordPresses were getting fixed, which, you know, props.

Yeah, what would you, you know, the fluffy question next: what would you do differently?

Definitely, I'd probably take a lot more time finding out if it had been spoken about before or found out about before. I'd also as well have worked a lot harder in distinguishing the differences between the bug that I found in the theme and the bug that I found within WordPress itself, because that really did put me off guard and it really did knock me
for six, just basically because I thought at first I'd found a WordPress bug, and then figured out I hadn't, and then kind of thought that I did, and then I thought I hadn't, and then I did. And it took a lot, I mean, I can't remember when I spoke to you about it, but I probably did sit on it for a good two weeks just thinking about what I can do to document it, what I can do to test it. And I do remember ringing you and saying, look, I've got this and I am struggling a bit, can you give us a hand, and you did point me in the right direction with that, and like I say, Ryan did give me a hand and Matthew Hughes off my course gave me a hand with it as well. So the biggest thing that I would do is probably just try and differentiate between the two bugs.

Yeah, I mean, if I'm correct and remember right, what I said to you was basically what you need to do is set up a number of test cases with themes, with randomly selected themes as well, and so on and so forth. It was just trying to lay out a scientific proof of that: that we took a random selection of themes and, you know, we made it work on one, and that was able to just partition where the error itself lies. I understand that this is very different, web applications, or maybe in some ways web applications are sometimes a little bit harder to actually diagnose exactly what's going on, because they're basically multi-tiered services when we boil it down. Yeah, so, everyone, the advice now, the countermeasures to this, is to update to 2.9.2, or keep it at 2.8.9 then, 2.8.6?

Yeah, I mean, it's funny really, because obviously, like I say, I've got a lot of publicity about it and I've had a few job offers from people and from companies, and interestingly I've had a message from somebody who wants me to test their WordPress blog, and I've been doing it and have come across a few things that they've inputted
themselves on their own theme that, you know, were a problem, but the biggest thing is they allow registration on the blog as well as running the old version. So the first thing I did was use the proof of concept that me and Ryan wrote and I enumerated all the trashed posts at the app. So I would definitely agree that you need to update, you need to update WordPress.

That thankfully did the link for me nicely: what happened to you last week? It's probably the easiest way of putting it, but on top of it, you joined a friend of Hacker Public Radio and Trackset, Ryan Dewhurst, at RandomStorm, due to the work that you'd found here. So I believe, first and foremost, congratulations. So what will you be doing for RandomStorm?

I will be undergoing some training on network penetration testing, and the reason for that is because I can drive, and obviously my holidays are coming up soon, so I've got the summer coming up and they want to get me on site, so I'll be undergoing training for that. And first and foremost I'll be working alongside Ryan, and also on my own, doing web application testing, and yeah, that's basically it. I've been offered a contract which gives me part-time work, and then also as the holidays come I will get some more hours and can work a bit more, and I can also, obviously, hopefully, if it all goes well, I've also got a placement for my third year and hopefully, you know, a job.
Tom, in wrapping up, what is your advice to people that find a vulnerability? How do you think they should go about, you know, disclosing that, and so on and so forth?

I definitely think it's worth getting a second opinion, or maybe a third or even a fourth, and getting somebody to try and help you, you know, along with that. Obviously as well go about checking it hasn't been talked about before, and if it has, how you're speaking about it differently, how you're going to make a difference to what other people have said. But like you said before, the biggest thing you need to do is documentation: screenshots and bias labs, and obviously, you know, times and dates of everything that you're doing, because in the case of web applications I could test something tonight at midnight, which is, you know, something that could happen; I could test it and it could be vulnerable, I could then go write my report, hand it off to a client, expect however much money I'm selling this web application test for, and then later they'll say, well, actually, we've just tried that and, you know, nothing's happened. So definitely document when everything's happening as well, otherwise you're going to get yourself into a hole which you aren't going to be able to easily come out of without having, you know, the documentation that we talked about before. So documentation, documentation, documentation, documentation, to be honest.

Yeah, I'm kind of old-school when it comes to documentation, I have to be honest. I have some great advice from a friend of mine from the Apatailinic Society, who is a morphel in Dondi, for saying these very words: software is documentation and documentation is software, and I couldn't agree more. And certainly when it comes to vulnerabilities, the proof has to be there. In wrapping up, people can find your blog at www.tmacuk.co.uk, is that correct?

No, no,
sorry, there's a couple of ways to get to it: there's www.tmacuk.com, TMacUK spelt T-M-A-C-U-K, you can get to it at .com, .co.uk, you can also get to it at thomasmckenzie.co.uk, thomasmckenzie.net, and I think you can get it at tmacuk.net now, oh no, sorry, can't, not yet. That's something that's coming up.

You know, enterprise, enterprise, was it like a seven-for-one deal going on at the domain registrar or something?

We'll be, well, I wish. So obviously, like you all know, I'm at university, and I'm registering all these domain names when I've got the money, and then I'm spending the money thinking they've already gone out, and then further down the line I'm going overdrawn in an overdraft I don't even have, because I've bought all these domain names two months before.

And I believe you can be found on Twitter. I'll personally put your Twitter handle up.

Yeah, it's TMacUK, spelt the same way as before, T-M-A-C-U-K, and to anybody who's listening who wants to be involved in the industry, or is, you know, a prospective student for any university ethical hacking or even forensics course, it's definitely somewhere that you need to go on to, add me and give us a shout, and I'll send you a DM or an email with everybody that you should follow, because without Twitter I wouldn't have probably got on the course and probably wouldn't be in the position that I'm in now, just because of all the networking that I've got.

Yeah, okay, we all know that security guys are Twitter junkies; free software guys are all on identi.ca, by the way, just for the free-tard listeners out there. So in wrapping up, if you want to get involved in HPR, the best way that you can help HPR is maybe look at producing shows yourself. You know, if you have a friend who's found a vulnerability, why don't you get a microphone and record it and release it to HPR, or maybe your user group's having a talk and the speaker doesn't mind you recording it. If it is something
that you're interested in doing, then why don't you contact Klaatu or Enigma at hackerpublicradio.org. All that's left for me to do is firstly thank our guest tonight, Thomas McKenzie, and do make sure to catch his Interview with a Blackhat and go and visit his website, and you can also catch him on Trackset.com. Tom, from me, thank you very much for joining us at Hacker Public Radio. Is there anything you want to say to the Hacker Public Radio lot before you go?

Yeah, definitely, there is one thing. I'm currently trying to start my own open source content management system. It's very, very in the beginning stages; this evening I've actually just written the login page, currently struggling with getting this MD5 encryption working. I'm not amazing at my PHP code and I'm just starting out, so if there's anybody involved with any PHP code who knows any more than I do, do get in touch with me at my email, which is tmac at tmacuk.co.uk, or get in touch with me on my website or on Twitter, just because I'd definitely appreciate some help with that, and it will be on SourceForge soon, I hope.

Awesome. What's the, figure out the name, just make sure no one else has chosen it before you, you know, spell it differently or something. All that's left for me to do as well is thank you guys at home for listening to Hacker Public Radio, and we'll catch you again on the next episode. Thank you very much, goodbye.

Thank you for listening to Hacker Public Radio. HPR is sponsored by caro.net, so head on over to c-a-r-o dot net for all of us in