CONFidence 2015: Nietypowe problemy bezpieczeństwa w aplikacjach webowych - Michał Sajdak

Unusual security problems in web applications.

Michał Sajdak, CISSP, CEH, F2B

securitum.pl

sekurak.pl

rozwal.to

http://www.securitum.pl/

http://www.sekurak.pl/

http://www.rozwal.to/

About me

Michał Sajdak <at> securitum.pl

Pentester

Instructor (security trainings)

sekurak.pl founder

rozwal.to founder

2 Copyright 2014 Securitum

www.securitum.pl

Agenda

Vulnerabilities in Nuxeo First public disclosure

(Maybe?) not so obvious path traversal(s)

OS code exec

XXE

JBoss Seam nice RCE

RCE through XSLT transformation (if we have time)

PHP shell upload – filter bypassing (if we have time)

Educational use only


www.securitum.pl

Nuxeo

Content Management Platform for the Software-Defined Enterprise


www.securitum.pl

Nuxeo

The RPM (Release and Preservation Management) Department at EA uses the Nuxeo Platform to manage video game builds at all stages of the development lifecycle

Using the Nuxeo Platform as a core server, Jeppesen, a Boeing company, syncs flight bag information to iPads for pilots across the world.


www.securitum.pl

Nuxeo

The Nuxeo Platform, offering strong support for SSO, along with a flexible content management platform, is the perfect addition to the US Navy’s application portfolio.

Orange manages communication with its mobile telecommunications and broadband internet provider clients through a secure extranet portal built on the Nuxeo Platform.


www.securitum.pl

Nuxeo

History

Bug patched this year (February)

Reported by Michal Bentkowski & Sebastian Gilon from securitum.pl

https://doc.nuxeo.com/display/ADMINDOC/Nuxeo+Security+Update+-+2015-02-27+-+Critical

No details disclosed

DEMO


www.securitum.pl

http://www.securitum.pl/















Nuxeo – reporting history

Securitum: Hey, you got some nasty bugs in your platform. Here are the details.

Nuxeo: Cool, these are definitely nice bugs! We’ll prepare a patch soon! BTW: do you want something for reporting the bug?

Securitum: no :-)

Nuxeo: Do you drink from time to time?

Securitum: Sometimes :P

Nuxeo: Cool, we are sending 2 crates of vine to Poland 8

Nice bug bounty

9

XXE (XML eXternal Entities)

XXE has been known for a while

But many many applications are vulnerable by default

BTW: XXE tests are available only in the latest versions of burp suite (very popular web pentesting tool)


www.securitum.pl


HTML entiries < lub <

<

" ' & µ … Or:

&entity_name; &#entity_number;


www.securitum.pl

HTML entities

Similar in XML…


www.securitum.pl


… but we can define our own entities

<!ENTITY name "value">


www.securitum.pl


www.securitum.pl


We can only read files?

No :p

Making http requests Transfering files to your server (blind XXE)

Making request to 127.0.0.1

Some of these are unauthenticated ?

Scanning backend infrastruture

Services with no auth check, etc.

http://10.0.0.75:8080/usrMgmt/add/admin2/admin2


www.securitum.pl


Actually we can often exploit XXE when no tag is displayed (!)

ie. only when the XML parser starts.

Parameter Entity

They can be used only in DOCTYPE

<!ENTITY % name "entity_value">


www.securitum.pl

sekurak.pl/data/ccc

More info: sekurak.pl/tag/xxe/


www.securitum.pl

http://sekurak.pl/tag/xxe/






Can we only read files?

No :P

Making http requests Transfering files to your server (blind XXE)

FW must allow outgoing http communication

Making request to 127.0.0.1

Some of there are unauthenticated ?

Scanning backend infrastructore

Services with no auth check, etc.


www.securitum.pl


DEMO

20

Copyright 2014 Securitum www.securitum.pl

XSLT

XSLT (Extensible Stylesheet Language Transformations) is a language for:

transforming XML documents into other XML documents or other formats such as HTML for web pages, plain text

© wikipedia


www.securitum.pl

XSLT

Commonly used for custom styling in web apps

XML (db generated) + XSLT (user provided styles)

= nice HTML

= nice PDF

etc.


www.securitum.pl


www.securitum.pl

XSLT

We can have a problem when a user (ie. attacker) can provide XSL file to be parsed at server side

Example: custom destkop in web app

Example: print templates

…


www.securitum.pl

XSLT

Java…


www.securitum.pl

XSLT

PHP

Doesn’t work by default…

But reading files does:

<xsl:template match="/"> <xsl:copy-of select="document('/etc/passwd')"/> </xsl:template>


www.securitum.pl

OS Command Exec – JBoss Seam

But an example of the following problem

We deploy an app which uses library X

After some time… vulnerabilities in the used lib

Info: Meder Kydyraliev, Seam Vulnerability, http://blog.o0o.nu/


www.securitum.pl

http://blog.o0o.nu/

OS Command Exec – JBoss Seam

There is (are) a vulnerability in JBoss Seam which allows you to exec OS code

No auth needed

No specific condition needed

The only requirement – an app is using the vulnerable version of the lib

DEMO


www.securitum.pl

Upload / Apache – filter bypassing

Commonly used methods:

File extension blacklisting

ie.: no .php / .jsp / etc. can be uploaded

Checking file structure

ie.: if the uploaded file is a real image / pdf / etc


www.securitum.pl

Upload / Apache – filter bypassing

Interesting fact

How many of apache servers will interpret the following file:

test.jpg.php.wnk2j3.tralalala.sekurak

txt ?

php ?

jpg ?


www.securitum.pl


www.securitum.pl

What’s next?

dotnetnuke – full unauth admin

TP-link devices

Two new methods for gaining OS root

One sort of universal – works in old/new devices

Disclosure on sekurak.pl ~soon


www.securitum.pl

Q&A ?

Questions?

Contact: [email protected]

http://securitum.pl/

http://sekurak.pl/

http://rozwal.to/


www.securitum.pl

mailto:[email protected]


http://sekurak.pl/

http://sekurak.pl/



CONFidence 2015: Nietypowe problemy bezpieczeństwa w aplikacjach webowych - Michał Sajdak

Software

Transcript of CONFidence 2015: Nietypowe problemy bezpieczeństwa w aplikacjach webowych - Michał Sajdak