Protecting Plone from the Big, Bad Internet



    Protecting Plone from the Big, Bad Internet - Presentation Transcript

    1. Protecting Plone From The Big, Bad Internet. Steve McMahon, Reid-McMahon, LLC; Erik Rose, WebLion, Pennsylvania State University
    2. <SteveM>
    3-6. CVE Vulnerability Records: Common Vulnerabilities & Exposures
    7. So, why worry?
    8. <Basics>
    9-10. Defense in Depth
    11. Single Wall Defense
    12-16. Maginot Line
    17-18. Failure of single wall defense
    19. Proposition: Zope is our Maginot Line
    20. CVE-2007-5741. Original release date: 11/07/2007. Last revised: 09/05/2008. Source: US-CERT/NIST. Overview: Plone 2.5 through 2.5.4 and 3.0 through 3.0.2 allows remote attackers to execute arbitrary Python code via network data containing pickled objects for the (1) statusmessages or (2) linkintegrity module, which the module unpickles and executes.
    21-23. Principle of Least Privileges
    24. </Basics>
    25. Daemon Security
    26. No Rights
    27. Bad Example: Sendmail (1990s) [architecture diagram, labels as recoverable from the slide: Sendmail and /bin/mail use root privileges for traffic from and to the network, local submission and local delivery; |command and /file/name targets come from ~/.forward files and /etc/aliases and are executed as the recipient; the mailbox file is owned by the recipient]
    28-29. Good Example: Postfix Compartmentalization [architecture diagram from Wietse Venema's Postfix paper, labels as recoverable from the slide: smtp client, smtpd server and the other programs run unprivileged; pickup, the queue directories and the external transports (uucp, fax, pager) run with postfix privilege; local delivery to mailbox, |command and /file/name is the privileged (root) part]
    30. <Implementation>
    31. <Implementation> <File & Process>
    32-33. Typical Installation
        Process UID: Plone
        File owner Plone: ./var, ./logs, ./parts, *.pyc
    34-35. Why is that so bad? Daemon can write into its own code space.
    36. A Better Way
        Process UID: Plone
        File owner root: ./parts, *.py*
        File owner Plone: ./var, ./logs
    37-38. Making it happen
        Python-2.4/lib/python2.4/compileall.py
        Via buildout:
            [precompile]
            recipe = plone.recipe.precompiler
    39. Even Better: ZEO
        Process UID zclient: ./client-log (file owner zclient)
        Process UID zeo: ./var (file owner zeo)
        ./parts: file owner root
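The ownership split on slides 32-39 can be checked mechanically rather than by eye. The following is an added example, not code from the talk or from Plone's buildout recipes; it assumes a standard buildout layout (parts/, eggs/ and bin/ hold code) and takes the daemon's uid and group ids as arguments:

```python
"""Audit a buildout tree for code that the daemon's own uid could overwrite.

Added example, not the talk's code. CODE_DIRS is an assumption matching a
standard buildout layout (these trees should be root-owned, read-only to the
daemon; only var/ and logs/ belong to the process user).
"""
import os
import stat

CODE_DIRS = ("parts", "eggs", "bin")


def daemon_can_write(st, uid, gids=()):
    """True if a process running as uid (member of gids) could modify the entry."""
    if uid == 0:
        return True
    if st.st_uid == uid and st.st_mode & stat.S_IWUSR:
        return True
    if st.st_gid in gids and st.st_mode & stat.S_IWGRP:
        return True
    return bool(st.st_mode & stat.S_IWOTH)


def audit_code_tree(root, uid, gids=()):
    """Return root-relative paths under CODE_DIRS that the daemon uid could write.

    A writable file is code the daemon can replace; a writable directory lets
    it add or swap files (for example a *.pyc) that load on the next restart.
    """
    findings = []
    for name in CODE_DIRS:
        top = os.path.join(root, name)
        if not os.path.isdir(top):
            continue
        candidates = [top]
        for dirpath, dirnames, filenames in os.walk(top):
            candidates.extend(os.path.join(dirpath, n) for n in dirnames + filenames)
        for path in candidates:
            if daemon_can_write(os.lstat(path), uid, gids):
                findings.append(os.path.relpath(path, root))
    return sorted(findings)
```

Run it with the uid the instance actually starts under; an empty result means the daemon cannot touch its own code space.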
    40. Windows
    41-43. </File & Process> </Implementation> </SteveM>
    44. <Port Security>
    45-48. Reverse Proxy [diagram: the Evil, Monstrous Internet reaches Zope only through Apache, with SSL between the Internet and Apache]
    49-51. Listen Locally [diagram: Zope on port 8080 behind Apache] zope.conf: ip-address 127.0.0.1
    52. Listen Locally: ssh -L 3333:127.0.0.1:8080 fred@example.com -N
    53-57. Listen Locally, ZEO [diagram: ZEO on port 8100 behind Zope] zeo.conf: address 127.0.0.1:8100
    58-61. Untrusted Local Users [diagram: Zope (81) and ZEO (8100) on Your Server; Evil Dude is a local user on the same box]
    62-64. Untrusted Local Users
        iptables -A OUTPUT -p tcp --dport 81 -o lo -m owner ! --uid-owner www-data -j REJECT
        iptables -A OUTPUT -p tcp --dport 8100 -o lo -m owner ! --uid-owner zope -j REJECT
    65-67. Privileged Ports [diagram: Zope (8080) and ZEO (8100) on Your Server; on slide 67 Zope is gone and only ZEO (8100) remains]
    68-70. Privileged Ports [diagram: Evil Dude's Evil Zope, also on 8080, next to ZEO (8100) on Your Server; the body of slide 70 is an excerpt of INTERCAL source, credited to Brian Raiter's INTERCAL Numerical I/O library]
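The Listen Locally directives can be checked before the daemons start. The following is an added example, not the talk's code or a Zope tool; it reads only the two directives shown on the slides (zope.conf ip-address, zeo.conf address inside a zeo section) and treats everything else as network-reachable, including the two easy-to-miss cases, a missing ip-address and a bare ZEO port, which both bind all interfaces:

```python
"""Check that zope.conf and zeo.conf bind Zope and ZEO to loopback only.

Added example, not the talk's code. It handles the two directives shown on
the slides: zope.conf "ip-address <host>" and zeo.conf "<zeo> address
<host>:<port> </zeo>". The sample configurations at the end are constructed.
"""
import ipaddress
import re


def is_loopback(host):
    """True for 127.0.0.0/8, ::1 and the name localhost."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"


def audit_zope_conf(text):
    """Return a list of problems; empty means Zope listens on loopback only.

    Zope binds every interface when ip-address is absent, so a missing
    directive is reported rather than silently accepted.
    """
    match = re.search(r"^\s*ip-address\s+(\S+)", text, re.M)
    if match is None:
        return ["zope.conf: no ip-address directive, Zope binds all interfaces"]
    host = match.group(1)
    if not is_loopback(host):
        return ["zope.conf: ip-address %s is not loopback" % host]
    return []


def audit_zeo_conf(text):
    """Return one problem per <zeo> address that is reachable from the network.

    A bare port ("address 8100") binds all interfaces, the same exposure as an
    explicit non-loopback host.
    """
    problems = []
    for section in re.findall(r"<zeo>(.*?)</zeo>", text, re.S | re.I):
        for addr in re.findall(r"^\s*address\s+(\S+)", section, re.M):
            host, sep, _port = addr.rpartition(":")
            if not sep or not is_loopback(host):
                problems.append("zeo.conf: address %s is reachable from the network" % addr)
    return problems


ZOPE_CONF = "instancehome $INSTANCE\nip-address 127.0.0.1\n"  # constructed sample
ZEO_CONF = "<zeo>\n  address 127.0.0.1:8100\n</zeo>\n"        # constructed sample
```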
    71. </Port Security> <Within Zope>
    72. PluggableAuthService (PAS)
    73-77. WebServerAuth, a PluggableAuthService plugin
        Redirects to HTTPS (Challenge)
        Makes Zope believe the username header (Extraction, Authentication)
        Makes PAS behave (User Enumerator)
    78-79. WebServerAuth, a PluggableAuthService plugin: Apache configuration
        <VirtualHost *:443>
            ServerName www.example.com
            # Prompt for authentication:
            <Location />
                SSLRequireSSL
                AuthType Basic
                AuthName "My Funky Web Site"
                AuthUserFile /etc/such-and-such
                # (etc.)
                Require valid-user
                # Put the username (stored below) into the HTTP_X_REMOTE_USER
                # request header. This has to be in the <Location> block for
                # some Apache auth modules, such as PubCookie, which don't set
                # REMOTE_USER until very late.
                RequestHeader set X_REMOTE_USER %{remoteUser}e
            </Location>
            # Do the typical VirtualHostMonster rewrite, adding an E= option
            # that puts the Apache-provided username into the remoteUser
            # variable.
            RewriteEngine On
            RewriteRule ^/(.*)$ http://127.0.0.1:81/VirtualHostBase/https/%{SERVER_NAME}:443/VirtualHostRoot/$1 [L,P,E=remoteUser:%{LA-U:REMOTE_USER}]
        </VirtualHost>
    80. WebServerAuth, a PluggableAuthService plugin
        <VirtualHost *:80>
            ...
            RequestHeader unset X_REMOTE_USER
            ...
        </VirtualHost>
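The two VirtualHost blocks above are the trust boundary for X_REMOTE_USER: Zope believes the header, so Apache must be the only party that can set it. The following Python model is an added example, not code from the talk or from the WebServerAuth product; proxy_headers, zope_identity and the unset_on_plain switch are assumptions used to show what each Apache line does and what breaks when the port 80 unset is missing:

```python
"""Model of how the Apache config on the slides treats X_REMOTE_USER.

Added example, not code from the talk or from WebServerAuth. It models only
the header handling of the two VirtualHost blocks; requests are plain dicts.
"""

HEADER = "X_REMOTE_USER"


def proxy_headers(port, client_headers, apache_user=None, unset_on_plain=True):
    """Return the request headers Zope receives for a request arriving on port.

    client_headers: whatever the client sent, possibly its own X_REMOTE_USER.
    apache_user: REMOTE_USER established by Apache's own auth on the 443 host,
      None when Apache did not authenticate the client.
    unset_on_plain: the "RequestHeader unset X_REMOTE_USER" line of the :80
      block; False models a configuration that left it out.
    """
    # HTTP header names are case-insensitive; normalise so a client-supplied
    # "x_remote_user" is the same header as "X_REMOTE_USER".
    headers = {k.upper(): v for k, v in client_headers.items()}
    if port == 443:
        if apache_user is None:
            # Require valid-user: the 443 host never proxies an
            # unauthenticated request to Zope.
            raise PermissionError("401: Apache authentication required")
        # RequestHeader set X_REMOTE_USER %{remoteUser}e overwrites anything
        # the client supplied with the identity Apache verified itself.
        headers[HEADER] = apache_user
    elif unset_on_plain:
        # RequestHeader unset X_REMOTE_USER: nobody is authenticated on :80,
        # so the header must not reach Zope at all.
        headers.pop(HEADER, None)
    return headers


def zope_identity(headers):
    """What WebServerAuth's extraction step sees: a username, or None."""
    return headers.get(HEADER)
```

With unset_on_plain=False the client-supplied value reaches Zope unchanged, which is the exposure slide 80 closes.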
    81-85. LDAP
        PloneLDAP + plone.app.ldap
        Users & groups in LDAP
        Create & delete through Plone
        Relax—written by Wiggy
    86-91. Writing PAS Plugins
        PAS Reference Manual: http://plone.org/documentation/manual/pas-reference-manual/referencemanual-all-pages
        PASPlugins folder: https://svn.plone.org/svn/collective/PASPlugins
        NoGoChallenger: https://svn.plone.org/svn/collective/PASPlugins/Products.NoGoChallenger/trunk
        Plugin interfaces: PluggableAuthService/interfaces/plugins.py
        Paster template: paster create -t plone_pas
    92. Questions? Steve McMahon, Steve@dcn.org; Erik Rose, ErikRose@psu.edu
        Image Credits
        • Reactor defense in depth: http://www.nea.fr/html/brief/images/br-8-1.gif
        • Sendmail and Postfix architecture diagrams: The Postfix mail server as a secure programming example, Wietse Venema, IBM T.J. Watson Research Center
        • Gate: Nuclear Power Plant Dungeness - Corey Holms 2008, CC Attribution
        • The Scream: Edvard Munch
        • Locks on door: Kansir, flickr, CC attribution license
        • Shrug: spamily, flickr, CC by A
        • What me worry? Rev. Voodoo, flickr, CC Attribution, NC
        • Zope Pope photo: MrTopf
        • PB&J photo: Northern Miniatures
        • BSD Daemon: Created by Poul-Henning Kamp
        • Other photos: Wikimedia Commons
        • INTERCAL Numerical I/O lib: Brian Raiter
        • No Right Turn: greefus groinks' photostream, CC Attribution
        • Crown jewels of Denmark: King Christian IV
    93. References
        • Slides: svn checkout https://weblion.psu.edu/svn/weblion/users/ewr119/ploneSecurityPresentation/Big,%20Bad%20Internet.key
        • https://weblion.psu.edu/wiki/SecureZope
    94. WebServerAuth: Advantages over apachepas + AutoMemberMaker
        Redirects to HTTPS
        No user clutter
        Member and Authenticated roles are distinct
        Sets up Log In link for you
        Better test coverage; death to doctests
        One product, not two

    © All Rights Reserved