Do you remember Equifax? How did someone manage to steal the data of almost 200 million people? Equifax simply fell victim to a vulnerability in a framework, Struts, which older developers like me remember well. But you folks, who now use cooler things like Guava or Jackson, do you feel safe? Unfortunately, you are not. After a clear introduction to the problem, with a couple of other illustrious examples, we will perform a couple of exploits together, live, and then look at possible prevention strategies. This talk will open your eyes to a problem you did not know you had.
3. @bbossola
Agenda
● Three cases of exploits
● Why do we use opensource libraries?
● What is a vulnerability?
● Sample exploit of CVE-2017-7525
● Preventive measures
● Common delusions
● Conclusions
● Q&A
7. @bbossola
Why open source libraries???
● you want to deliver code fast
● you do not rewrite code that's already available
– logging
– serialisation for JSON / XML
– communication via common protocols
– web frameworks
– client frameworks
● you need state-of-the-art algorithms
– cryptography library like Bouncy Castle
– recommender-system library like LibRec
● Eighty percent of the code in today's applications comes from libraries and frameworks
10. @bbossola
A simplified view :)
(each CVE is listed next to the library it affects)
sample project 1.0
└── spring-boot 1.4.7
    ├── spring-core 4.3.9
    ├── snakeyaml 1.17
    ├── logback 1.1.11      CVE-2017-5929
    ├── slf4j 1.7.25
    └── jackson 2.8.8       CVE-2017-7525, CVE-2017-15095, CVE-2017-17485, CVE-2018-5968
Images courtesy of 1001freedownloads.com
11. @bbossola
What is a vulnerability?
A weakness in a library that an attacker can use to compromise the application and the system underneath it.
You may be carrying a vulnerability even if you are on the latest version available to you, for instance because the fix only exists in a newer major release that you never upgraded to.
Examples:
● vert.x 3.5.1 (latest on 10/04/2018)
● struts 2.5.16 (latest on 10/04/2018)
● spring boot 1.5.9 (released on 09/2017)
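The tree on slide 10 and the "prevention mechanism" of the conclusions, as an added example that is not part of the deck and is not Meterian's scanner or any other real tool: a small Python audit that walks a dependency tree, direct and transitive dependencies alike, and checks each library against a table of first-fixed versions per release branch. The tree is the one drawn on slide 10 (the four Jackson CVEs there live in the jackson-databind artifact, so that is the name used); the advisory table is typed in by hand from the public fixed-in versions and is illustrative only, a real check must read a maintained database instead. The names `audit`, `check`, `SAMPLE_PROJECT` and `ADVISORIES` are the example's own. Note how logback 1.1.11 is reported: there is no fixed 1.1.x at all, the fix lives in the next release line, which is exactly the "never upgraded to the next major" situation above.

```python
"""Dependency audit as a prevention mechanism: walk a dependency tree
(direct and transitive dependencies alike) and check every library
against a table of known-vulnerable versions.

Added example for this deck; it is not Meterian's scanner nor any other
real tool.  The tree is the one drawn on slide 10 (the four Jackson CVEs
there live in the jackson-databind artifact, so that is the name used).
The advisory table is typed in by hand for the example from the public
fixed-in versions and is illustrative only: a real check must read a
maintained database (NVD, GitHub advisories, ...) instead.
"""
from __future__ import annotations

import re
import sys
from typing import Iterator, Optional

# Dependency tree from slide 10, encoded by hand for this example.
SAMPLE_PROJECT = {
    "name": "sample-project", "version": "1.0", "deps": [
        {"name": "spring-boot", "version": "1.4.7.RELEASE", "deps": [
            {"name": "spring-core", "version": "4.3.9.RELEASE"},
            {"name": "snakeyaml", "version": "1.17"},
            {"name": "logback", "version": "1.1.11"},
            {"name": "slf4j", "version": "1.7.25"},
            {"name": "jackson-databind", "version": "2.8.8"},
        ]},
    ],
}

# Illustrative advisory table: CVE -> (library, first fixed version per branch).
ADVISORIES = {
    "CVE-2017-7525": ("jackson-databind", ["2.6.7.1", "2.7.9.1", "2.8.9"]),
    "CVE-2017-15095": ("jackson-databind", ["2.8.10", "2.9.1"]),
    "CVE-2017-17485": ("jackson-databind", ["2.7.9.2", "2.8.11", "2.9.4"]),
    "CVE-2018-5968": ("jackson-databind", ["2.7.9.3", "2.8.11.1", "2.9.5"]),
    "CVE-2017-5929": ("logback", ["1.2.0"]),
}

Version = tuple  # tuple of ints, e.g. (2, 8, 8)


def parse_version(text: str) -> Version:
    """Leading dotted numeric components of a Maven-style version string;
    qualifiers such as '.RELEASE' or '-SNAPSHOT' are ignored."""
    match = re.match(r"\d+(?:\.\d+)*", text)
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def version_lt(a: Version, b: Version) -> bool:
    """a < b with missing trailing components treated as 0 (2.7.9 < 2.7.9.1)."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def fmt(v: Version) -> str:
    return ".".join(str(part) for part in v)


def check(version: str, fixed_in: list[str]) -> Optional[str]:
    """None if `version` is not affected, otherwise a remediation hint.

    Branches are the first two components (2.8.x).  A fix in the same
    branch is a patch-level upgrade; when the branch has no fix at all,
    the library must move to a newer branch: the 'I never upgraded to
    the next release line' case from the vulnerability slide.
    """
    v = parse_version(version)
    fixes = [parse_version(f) for f in fixed_in]
    branch = v[:2]
    same_branch = [f for f in fixes if f[:2] == branch]
    if same_branch:
        fix = min(same_branch)
        return f"upgrade to {fmt(fix)} (patch release in your branch)" if version_lt(v, fix) else None
    newer = [f for f in fixes if f[:2] > branch]
    if newer:
        return f"no fix in branch {fmt(branch)}: move to {fmt(min(newer))} or later"
    return None  # every fixed branch is older than ours: the fix is already in


def walk(node: dict, path: tuple = ()) -> Iterator[tuple[dict, tuple]]:
    """Depth-first traversal yielding (node, path-from-root)."""
    path = path + (f"{node['name']}:{node['version']}",)
    yield node, path
    for child in node.get("deps", []):
        yield from walk(child, path)


def audit(tree: dict, advisories: dict) -> list[dict]:
    """Every (CVE, library) pair in the tree that is still affected."""
    findings = []
    for node, path in walk(tree):
        for cve, (library, fixed_in) in advisories.items():
            if node["name"] != library:
                continue
            hint = check(node["version"], fixed_in)
            if hint:
                findings.append({
                    "cve": cve, "library": library, "version": node["version"],
                    "direct": len(path) == 2,  # root -> dependency, no intermediary
                    "path": " -> ".join(path), "fix": hint,
                })
    return findings


if __name__ == "__main__":
    results = audit(SAMPLE_PROJECT, ADVISORIES)
    for f in results:
        kind = "direct" if f["direct"] else "transitive"
        print(f"{f['cve']}: {f['library']} {f['version']} ({kind})\n"
              f"    via {f['path']}\n    fix: {f['fix']}")
    # Fail the build when anything is found: this is the gate in CI.
    sys.exit(1 if results else 0)
```

Run as a script it prints the five findings from slide 10, all of them transitive (nothing in the sample project declares Jackson or logback directly, Spring Boot drags them in), and exits non-zero so that a CI job fails. That exit code is the whole point: the check runs on every build, not once a year like a pentest.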
16. @bbossola
Common delusions - 1
Images courtesy of freepik.com
“My code is not using that function, I am perfectly safe”
In a deserialisation bug such as CVE-2017-7525 the attacker's payload decides which class gets instantiated; your code only has to hand untrusted input to the library, it never needs to call the affected function itself.
17. @bbossola
Common delusions - 2
“I am shielded by my input validation, I am perfectly safe”
Validation checks what you expect in the body; the Struts exploit lived in a Content-Type header and the Jackson one in a perfectly parseable JSON document, both of which pass typical input validation and still reach the vulnerable parser.
18. @bbossola
Common delusions - 3
“I am running a periodic penetration test, I am safe”
A penetration test is a snapshot of one day; the next CVE in a library you already ship is published between two tests, and the Struts bug behind Equifax was exploited months after it became public.
19. @bbossola
Conclusions
● Every project uses open source libraries
● Exploits for common vulnerabilities in open
source libraries are out there
● They are easily exploitable (c'mon, I did one in two hours!!!)
● The only solution that can work is putting in
place a prevention mechanism
● DO IT NOW!
Introduce Meterian clearly: “we help companies to ship software without vulnerabilities”
Startup; I am a co-founder, with Vivian (PM)
San Francisco Municipal Transportation Agency (SFMTA)
2,112 systems impacted
A weekend of free rides
Exploit of an object serialisation issue in Apache commons-collections, triggered by sending crafted binary traffic over the (Oracle WebLogic) T3 protocol
Operation Rosehub: a team of 50 Google employees used GitHub to patch the “Apache Commons Collections Deserialization Vulnerability” in thousands of open source projects
Note that the attack was in 2016 while the vulnerability was from 2015!
Canada Revenue Agency
Undisclosed impact (or “nothing happened, trust us”)
Exploit of a vulnerability in the multipart parser in Apache Struts 2 (CVE-2017-5638) which allows remote attackers to execute arbitrary commands via a crafted Content-Type header
Effectively a zero day: exploited in the wild within days of the public disclosure
Equifax, one of the three biggest credit rating agencies in the USA
143 million US citizens impacted
44 million UK citizens impacted
Exploit of (again) the vulnerability in the multipart parser in Apache Struts 2, almost 3 months after it was public (remember CRA?)
Announced only in September
logging (joke about logging and its history, NIH syndrome)
web: Spring, Jersey, Dropwizard
JS: jQuery, Bootstrap, Angular
Bouncy Castle: more cipher suites and algorithms, and the ability to read arcane formats like PEM and ASN.1
LibRec (more than 70 algorithms)
Spring is #1 on hotframeworks.com / Java
Struts is #5 on hotframeworks.com
vert.x is #6 on hotframeworks.com