A story of the passive aggressive sysadmin of AEM

Slide 1

Slide 1 text

@fransrosen A story of the passive aggressive sysadmin of AEM or "How to make a talk in 3h 35min"

Slide 2

Slide 2 text

@fransrosen Frans Rosén Bug bounties! labs.detectify.com twitter.com/fransrosen I blogged about Subdomain Takeovers. Donald Trump got hacked. The hacker referred to my post as his inspiration. I broke Let’s Encrypt Live hacking! I won a boxing belt once

Slide 3

Slide 3 text

Slide 4

Slide 4 text

@fransrosen 2016 – Peter Adkins https://www.kernelpicnic.net/2016/07/24/Microsoft-signout.live.com-Remote-Code-Execution-Write-Up.html

Slide 5

Slide 5 text

@fransrosen 2016 – Peter Adkins https://www.kernelpicnic.net/2016/07/24/Microsoft-signout.live.com-Remote-Code-Execution-Write-Up.html CVE-2016-0957

Slide 6

Slide 6 text

@fransrosen 2016 – Peter Adkins https://www.kernelpicnic.net/2016/07/24/Microsoft-signout.live.com-Remote-Code-Execution-Write-Up.html CVE-2016-0957 "The world’s lamest RCE."

Slide 7

Slide 7 text

@fransrosen How AEM is structured https://www.kernelpicnic.net/2016/07/24/Microsoft-signout.live.com-Remote-Code-Execution-Write-Up.html

Slide 8

Slide 8 text

@fransrosen How AEM is structured Adobe "black magic glue"

Slide 9

Slide 9 text

@fransrosen How AEM is structured Stuﬀ you pay your consultants for Adobe "black magic glue"

Slide 10

Slide 10 text

@fransrosen Shit no one’s updating Stuﬀ you pay your consultants for Adobe "black magic glue" How AEM is structured

Slide 11

Slide 11 text

@fransrosen How AEM is structured https://www.kernelpicnic.net/2016/07/24/Microsoft-signout.live.com-Remote-Code-Execution-Write-Up.html

Slide 12

Slide 12 text

@fransrosen How AEM is structured Apache HTTP server module

Slide 13

Slide 13 text

@fransrosen How AEM is structured Reverse proxy+ﬁlter Apache HTTP server module

Slide 14

Slide 14 text

@fransrosen How AEM is structured Apache HTTP server module Pages + metadata + content Reverse proxy+ﬁlter

Slide 15

Slide 15 text

@fransrosen How AEM is structured Apache HTTP server module Pages + metadata + content Reverse proxy+ﬁlter A bunch of admin-tools

Slide 16

Slide 16 text

@fransrosen How AEM is structured You should not have access to this Apache HTTP server module Pages + metadata + content Reverse proxy+ﬁlter A bunch of admin-tools

Slide 17

Slide 17 text

@fransrosen How AEM is structured You should not have access to this Or this Apache HTTP server module Reverse proxy+ﬁlter A bunch of admin-tools Pages + metadata + content

Slide 18

Slide 18 text

@fransrosen Creating pages

Slide 19

Slide 19 text

@fransrosen Creating pages Author creates a new page in the repo

Slide 20

Slide 20 text

@fransrosen Creating pages Author creates a new page in the repo Goes through the publisher nodes

Slide 21

Slide 21 text

@fransrosen Creating pages Author creates a new page in the repo Goes through the publisher nodes Dispatcher serves the content

Slide 22

Slide 22 text

@fransrosen Accessing pages

Slide 23

Slide 23 text

@fransrosen Accessing pages Dispatcher gets the URL

Slide 24

Slide 24 text

@fransrosen Accessing pages Dispatcher gets the URL Goes through a ﬁlter (This ﬁlter is awesome, it’s impossible to break, don’t even dare to try)

Slide 25

Slide 25 text

@fransrosen Accessing pages Dispatcher gets the URL If all is OK, serve from publish node Goes through a ﬁlter (This ﬁlter is awesome, it’s impossible to break, don’t even dare to try)

Slide 26

Slide 26 text

@fransrosen CVE-2016-0957 aka "I am two years old but I’m inside an enterprise product that no one can or dares to upgrade"