Hacking TYPO3 v9 (T3DD19 edition)

Hacking
TYPO3
Oliver Hader
oliver@typo3.org
@ohader
TYPO3 Developer Days 2019
August 1st, 2019

TYPO3 Developer Days 2019 - Hacking TYPO3 - oliver.hader@typo3.org 2
▪Research & Development
▪Security Team Lead
▪50% TYPO3 GmbH
▪50% freelance software engineer
▪#hof #cycling #paramedic #in.die.musik
~# whoami
Oliver Hader
@ohader

▪ session probably recorded
▪ real attack vectors are shown
▪ hackers probably knew already
▪ official security fixes available
▪ report to security@typo3.org
Disclaimer

TYPO3 Developer Days 2019 - Hacking TYPO3 - oliver.hader@typo3.org
Web Application
Security Basics
4

Web Application Security
5
▪ CIA/compliance triad
▪ confidentiality
▪ private, personal, sensitive information
▪ integrity
▪ manipulation of information (“fake news”)
▪ availability
▪ denial of service
▪ online bank account
▪ blocking information flow https://www.ibm.com/blogs/cloud-computing/2018/01/16/drive-compliance-cloud/

Hacking Playground
CONFIDENTIALITY - unauthorised access to information

Hacking Playground
INTEGRITY - e.g. manipulated information

Hacking Playground
AVAILABILITY - information/service not available

Open Web Application Security Project - TOP 10 vulnerabilities
https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
TYPO3 core TYPO3 3rd party extensionsPHP world
TYPO3vulnerabilitiesinpast5years

attack chains - multiple components might be affected
https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf

Hacking
Playground 
https://github.com/
ohader/typo3v9-
hack/
11TYPO3 Developer Days 2019 - Hacking TYPO3 - oliver.hader@typo3.org

Hacking Playground
https://github.com/ohader/typo3v9-hack

Session 
Hi-Jacking
thanks to Cross-Site Scripting
13

Session Hi-Jacking - insecure cookie
14
▪ https://typo3.org/security/advisory/typo3-core-sa-2018-009/
▪ Install Tool Cookie did not have HttpOnly flag
▪ addressed on December 11th, 2018

Insecure Install Tool Cookie (HTTP-only flag missing)

… cookies can be read by (any) JavaScript …

Session Hi-Jacking - cross-site scripting
17
▪ file.youtube or file.vimeo vulnerable to cross-site scripting
▪ addressed on December 11th, 2018

Session Hi-Jacking - cross-site scripting & insecure cookie
Asset.youtube file & JavaScript to be executed

Insecure Deserialization - Basics
… social engineering - somebody must click the file …

strange result & XSS exploitation in background

Session Hi-Jacking - cross-site scripting & insecure cookie
view of attacker - retrieving session cookie

Remote Code 
Execution #1
thanks to Insecure Deserialization
22

__destruct() or __wakeup() methods are executed on deserialization

user submitted payload to be deserialized

Remote Code Execution #1
25
▪ https://blog.ripstech.com/2019/typo3-overriding-the-database/
▪ overrideVals[<table>][l10n_diffsource]=<serialized payload>
▪ addressed on June 25th, 2019

__destruct() saves content to filesystem

making use of FileCookieJar as attack container

prepare attack against TYPO3 backend

actual attack payload that shall be executed

XSRF token needs to be know (valid backend user required)

output of injected & executed /typo3/hack.php

… new admin user h4ck3r31 …

Remote Code 
Execution #2
thanks to 
Information Disclosure 
& Insecure Deserialization
33

typo3conf/
LocalConfiguration.php.old

typo3conf/LocalConfiguration.php.old backup file

… what else can we find here? (standard configuration)

encryptionKey

Extbase __trustedProperties deserialisation

HMAC signing of __trustedProperties - based on encryptionKey

similar attack using FileCookieJar

output of injected & executed /typo3/hack.php

Okay, but what’s the point?!
42
▪ When being hacked, update ALL sensitive information
▪ backend user passwords
▪ frontend user password
▪ database credentials
▪ TYPO3 encryption key
▪ private/public key files
▪ …

“Flexibility”
#1
thanks to insecure TypoScript 
(Cross-Site Scripting & SQL Injection)
43

GET/POST data in TypoScript - insertData injection

… retrieving arbitrary values from database …

Flexibility #1 - using TypoScript
46
▪ http://…/?name=Oliver
▪ http://…/?name=<script>alert(‘XSS’)</script>
▪ http://…/?name={db:be_users:1:password}
▪ http://…/?name={file:1:contents}
▪ http://…/?name={getenv:PATH}
▪ …
▪ https://docs.typo3.org/m/typo3/reference-typoscript/master/en-
us/DataTypes/Index.html
▪ TypoScript is powerful…

“Flexibility”
#2
thanks to TypoScript for non-admins 
(Remote Code Execution)
47

Flexibility #2 - using TypoScript/TSconfig
48
▪ Remote Code Execution using Page TSconfig
▪ access to pages.TSconfig needs to be granted explicitly
▪ addressed on June 25th, 2019

Page TSconfig assignments for pages

Page TSconfig supports conditions as well…

▪ TYPO3 Security Team needs YOU
▪ core, extension & infrastructure security
▪ GitHub, packagist.org - not only TER
▪ feedback, advise, educate
▪ analyse & hack (PoC)
▪ ask @ohader / oliver@typo3.org
▪ (security reports to security@typo3.org)
TYPO3 Security Team

more?
join T3DD Security Workshop
on Sunday Morning
52

Hacking TYPO3 v9 (T3DD19 edition)

Hacking TYPO3 v9 (T3DD19 edition)

Recommended

More Related Content

Similar to Hacking TYPO3 v9 (T3DD19 edition)

Similar to Hacking TYPO3 v9 (T3DD19 edition)(20)

More from Oliver Hader

More from Oliver Hader(12)

Recently uploaded

Recently uploaded(20)

Hacking TYPO3 v9 (T3DD19 edition)