SlideShare a Scribd company logo
No locked doors, No windows barred
     Hacking OpenAM Infrastructure
  George Noseevich
  Andrew Petukhov


             ZeroNights 2012
WTF OpenAM?
•   Open source Access Management, Entitlements and
    Federation server platform
    ➡   successor of Sun OpenSSO Enterprise

•   Written in Java, very Enterprisey
    ➡   hard to configure and maintain securely

•   Rather popular
    ➡   inurl:/amserver/UI/Login or inurl:/openam/UI/Login

•   Common use case: SSO across legacy apps
•   Usually extended via custom code
Motivation, Positioning & Layout
• Not just another hack via XXE
• Wanted to share our knowledge on how to develop
  an attack on OpenAM given an LFR and SSRF abilities
• Attack vectors on different OpenAM instances
  ➡   will start from the simplest one
  ➡   and steadily proceed to the worst case scenario (a security hardened one)

• Several interesting tricks
  ➡   data retrieval in blind XXE cases
  ➡   zip upload via HTTP PUT over gopher

• What is the proper way to fix XXE in Java?
Problem Statement
• OpenAM infrastructure
• Tomcat as a web container
• An ability to read local files and do SSRF
  ➡   e.g. XXE with gopher protocol enabled

• Goal: get an Admin in OpenAM Management Panel
• A side note: will not focus on general SSRF
  elaboration methodology, which is still valid here
To begin with: Loot da FileSystem!
Looting the FileSystem
• Gotta traverse directories
  ➡   Luckily possible to list them with XXE
  ➡   How would you tell a directory listing from a file contents?

• Gotta read files
  ➡   Special chars and binary are a problem as usual

• Would like to use GREP (General Resource
  Enumeration Protocol) and other posix tools
And along comes...

         XXE Fuse Demo

 A team of specially trained
monkeys are supporting this
         SaaS solution 24/7
        Request a free trial!


http://www.youtube.com/watch?v=7GtPgavI-sI
Looting the FileSystem
               XML-in-XML and OOB channels




• The vulnerable servlet performs two rounds of xml parsing
• In the first round we retrieve the data
• In the second round we pass it to the attacker host
Looting the FileSystem
                  Possible Targets and Outcomes
1. Other apps on host
 ➡   especially management and monitoring

2. Configs (& credentials)
 ➡   read container config and extract HTTP credentials if needed
 ➡   ldap.conf may be especially juicy

3. Logs
 ➡   may contain private data (e.g. SQL query logs)
 ➡   may enable further attacks (see below)
Demo Time
 RCE via SSRF over XXE using Tomcat App Manager




http://www.youtube.com/watch?v=ZnsFhGYqI3g
RCE via SSRF over XXE
                      Wait, tell us the details!!!
• How do you POST or PUT via XXE?
   ➡   use gopher; at least until admins won’t update Java

• How do you upload ZIP through gopher?
   ➡   java gopher contains byte [] => String => byte [] conversion
   ➡   this mangles characters >= 0x80
   ➡   use zip -0 (store compression method)
   ➡   with a bit of luck you can use 0x00 instead of mangled chars (i.e. find&replace)
   ➡   the resulting file will have invalid checksums
   ➡   surprisingly (!) Tomcat WAR parser tolerates this
Looting the FileSystem
                Configs & credentials
• Container configs
   ➡   e.g. /usr/share/tomcat6/conf/

• OpenAM configs
   ➡   /home/user/openam/{install.log, .configParam}
   ➡   /home/user/openam/config/xml/

• Password file
   ➡   recommended way of configuring OpenAM is via ssoadm CLI tool:
       “In most ssoadm subcommands, the password file is required option.The password file is a simple file that
       contains the administrator password for the given task.”

       may encourage admins to store passwords in plaintext
Exploring OpenAM Features
• OpenAM uses custom Auth tokens
 ➡   web container session tokens are useless
 ➡   good targets to highjack privileged sessions

• OpenAM does Encryption
 ➡   uses Password-Based Encryption (PBEWithMD5AndDES) with low iteration
     count
 ➡   admin pwd is encrypted with default key and stored in bootstrap file
 ➡   XXE won’t let you read the bootstrap file
 ➡   other pwds and session tokens are encrypted using randomly generated
     instance key which is stored in binary data store
 ➡   instance key is shared across interconnected OpenAM instances (e.g. failover)
Juicy OpenAM Features
• Debugging
 ➡   {CONFIG_DIR}/{INSTANCE_NAME}/debug/
 ➡   If verbose debugging is enabled, we can read auth tokens and hijack sessions
 ➡   Quickly check via grep -r "AQIC"
 ➡   Admins do not log in too frequently
 ➡   Sessions expire
 ➡   Disabled by default =(

• Monitoring
 ➡   HTTP/JMX/SNMP facility to monitor OpenAM instance
 ➡   OpenAM-specific MBeans do not seem to provide anything useful
 ➡   Also disabled by default
Wait, but we need the features!
• Debugging
 ➡   Every single action in admin interface is СSRF-protected
 ➡   Debug.jsp is a quick page to control debug settings
 ➡   Devs didn't worry too much about CSRF there => you can CSRF verbose
     logging
 ➡   SSRF at Tomcat Shutdown Port to force admin login (or social engineer him)

• Monitoring
 ➡   Enable monitoring using the hijacked session; it will have the default (i.e. known)
     password
 ➡   SSRF at Tomcat Shutdown Port again to force reload
Putting it All Together
                  Dealing with the Worst Case
• Enable debugging
 ➡   CSRF and then read admin session token from logs

• Use admin session token to enable Monitoring
 ➡   SSRF at Tomcat Shutdown Port to force reload

• Pwn
 ➡   Use HotSpotDiagnostic MBean to force a heap dump into DOC_ROOT
 ➡   Download and analyze the dump (strings util would do)
 ➡   Grep out the encryption key and encrypted admin password
 ➡   Decrypt the password and rule'em all
Demo Time
Debugging, Monitoring and Heap Dump Scenario




http://www.youtube.com/watch?v=Fb2zEqwvbpw
Wrap Up
 Fixing XXE
Fixing XXE in Java
• Problem statement - devs want to:
 ➡   use a single class for all XML parsing (validating and not)
 ➡   use external DTD's from local jar files
 ➡   avoid being pwned

• Most XML hardening guides recommend:
 ➡   turn off general and parameter entities:
     setFeature("http://xml.org/sax/features/external-general-entities", false)
     setFeature("http://xml.org/sax/features/external-parsed-entities", false)
 ➡   enable XMLConstants.FEATURE_SECURE_PROCESSING to prevent entity
     expansion DoS

• Not Enough!
Fixing XXE in Java
• In Java, if validation is enabled, SSRF is still possible




• Devs: okay, let's use our custom Entity resolver:
 ➡   documentBuilder.setEntityResolver(new XMLHandler())

• Almost there!
 ➡   make sure that XMLHandler returns an empty InputStream on error
 ➡   if you return null, JAXP will fall back to default resolvers!
Wrap Up
                                Conclusions
• Specific advice
 ➡   Never store passwords in files (who may have thought... )
 ➡   It's good to change monitoring password even if you do not use the feature
 ➡   Update Java and OpenAM (fix is available in nightly builds) - this would prevent
     XXE and disable gopher

• General advice: in SSRF world it is no longer safe to
  trust
 ➡   IP-based authentication could be subverted instantly
 ➡   Defying patching? Pwned! (think about delayed exploitation)
 ➡   Defying least privilege in DMZ? Very arrogant!
Question Time!
• George Noseevich
 ➡   Twitter: @webpentest
 ➡   Email: webpentest@gmail.com

• Andrew Petukhov
 ➡   Twitter: @p3tand
 ➡   Email: andrew.petukhov@internalsecurity.ru

• Show us the Source!
 ➡   Tools: http://internalsecurity.ru/media/resources/openam-xxe-tools.zip
 ➡   Video: http://www.youtube.com/playlist?
     list=PL1CBT43qUw294xCw79B01PbRQNKI6Qqdj
 ➡   WWW: http://internalsecurity.ru/research/

More Related Content

What's hot

Building world-class security response and secure development processes
Building world-class security response and secure development processesBuilding world-class security response and secure development processes
Building world-class security response and secure development processes
David Jorm
 
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Christian Schneider
 
NDK Primer (Wearable DevCon 2014)
NDK Primer (Wearable DevCon 2014)NDK Primer (Wearable DevCon 2014)
NDK Primer (Wearable DevCon 2014)
Ron Munitz
 
Java and Java platforms
Java and Java platformsJava and Java platforms
Java and Java platforms
Ilio Catallo
 
The old is new, again. CVE-2011-2461 is back!
The old is new, again. CVE-2011-2461 is back!The old is new, again. CVE-2011-2461 is back!
The old is new, again. CVE-2011-2461 is back!
Luca Carettoni
 
Java Profiling
Java ProfilingJava Profiling
Java Profiling
zeroproductionincidents
 
Deserialization vulnerabilities
Deserialization vulnerabilitiesDeserialization vulnerabilities
Deserialization vulnerabilities
GreenD0g
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class (RuhrSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (RuhrSec Edition)Java Deserialization Vulnerabilities - The Forgotten Bug Class (RuhrSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (RuhrSec Edition)
CODE WHITE GmbH
 
55 new things in Java 7 - Devoxx France
55 new things in Java 7 - Devoxx France55 new things in Java 7 - Devoxx France
55 new things in Java 7 - Devoxx France
David Delabassee
 
Introduction to the Java bytecode - So@t - 20130924
Introduction to the Java bytecode - So@t - 20130924Introduction to the Java bytecode - So@t - 20130924
Introduction to the Java bytecode - So@t - 20130924
yohanbeschi
 
Metamodeling of custom Pharo images
 Metamodeling of custom Pharo images Metamodeling of custom Pharo images
Metamodeling of custom Pharo images
ESUG
 
Fixing the Java Serialization Mess
Fixing the Java Serialization Mess Fixing the Java Serialization Mess
Fixing the Java Serialization Mess
Salesforce Engineering
 
Exploring lambdas and invokedynamic for embedded systems
Exploring lambdas and invokedynamic for embedded systemsExploring lambdas and invokedynamic for embedded systems
Exploring lambdas and invokedynamic for embedded systems
InfinIT - Innovationsnetværket for it
 
Java history, versions, types of errors and exception, quiz
Java history, versions, types of errors and exception, quiz Java history, versions, types of errors and exception, quiz
Java history, versions, types of errors and exception, quiz
SAurabh PRajapati
 
Java byte code & virtual machine
Java byte code & virtual machineJava byte code & virtual machine
Java byte code & virtual machine
Laxman Puri
 
Understanding Java Dynamic Proxies
Understanding Java Dynamic ProxiesUnderstanding Java Dynamic Proxies
Understanding Java Dynamic Proxies
Rafael Luque Leiva
 
NDK Primer (AnDevCon Boston 2014)
NDK Primer (AnDevCon Boston 2014)NDK Primer (AnDevCon Boston 2014)
NDK Primer (AnDevCon Boston 2014)
Ron Munitz
 
Java bytecode and classes
Java bytecode and classesJava bytecode and classes
Java bytecode and classes
yoavwix
 
Invoke dynamics
Invoke dynamicsInvoke dynamics
Invoke dynamics
Balamurugan Soundararajan
 
The Art of Metaprogramming in Java
The Art of Metaprogramming in Java  The Art of Metaprogramming in Java
The Art of Metaprogramming in Java
Abdelmonaim Remani
 

What's hot (20)

Building world-class security response and secure development processes
Building world-class security response and secure development processesBuilding world-class security response and secure development processes
Building world-class security response and secure development processes
 
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
 
NDK Primer (Wearable DevCon 2014)
NDK Primer (Wearable DevCon 2014)NDK Primer (Wearable DevCon 2014)
NDK Primer (Wearable DevCon 2014)
 
Java and Java platforms
Java and Java platformsJava and Java platforms
Java and Java platforms
 
The old is new, again. CVE-2011-2461 is back!
The old is new, again. CVE-2011-2461 is back!The old is new, again. CVE-2011-2461 is back!
The old is new, again. CVE-2011-2461 is back!
 
Java Profiling
Java ProfilingJava Profiling
Java Profiling
 
Deserialization vulnerabilities
Deserialization vulnerabilitiesDeserialization vulnerabilities
Deserialization vulnerabilities
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class (RuhrSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (RuhrSec Edition)Java Deserialization Vulnerabilities - The Forgotten Bug Class (RuhrSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (RuhrSec Edition)
 
55 new things in Java 7 - Devoxx France
55 new things in Java 7 - Devoxx France55 new things in Java 7 - Devoxx France
55 new things in Java 7 - Devoxx France
 
Introduction to the Java bytecode - So@t - 20130924
Introduction to the Java bytecode - So@t - 20130924Introduction to the Java bytecode - So@t - 20130924
Introduction to the Java bytecode - So@t - 20130924
 
Metamodeling of custom Pharo images
 Metamodeling of custom Pharo images Metamodeling of custom Pharo images
Metamodeling of custom Pharo images
 
Fixing the Java Serialization Mess
Fixing the Java Serialization Mess Fixing the Java Serialization Mess
Fixing the Java Serialization Mess
 
Exploring lambdas and invokedynamic for embedded systems
Exploring lambdas and invokedynamic for embedded systemsExploring lambdas and invokedynamic for embedded systems
Exploring lambdas and invokedynamic for embedded systems
 
Java history, versions, types of errors and exception, quiz
Java history, versions, types of errors and exception, quiz Java history, versions, types of errors and exception, quiz
Java history, versions, types of errors and exception, quiz
 
Java byte code & virtual machine
Java byte code & virtual machineJava byte code & virtual machine
Java byte code & virtual machine
 
Understanding Java Dynamic Proxies
Understanding Java Dynamic ProxiesUnderstanding Java Dynamic Proxies
Understanding Java Dynamic Proxies
 
NDK Primer (AnDevCon Boston 2014)
NDK Primer (AnDevCon Boston 2014)NDK Primer (AnDevCon Boston 2014)
NDK Primer (AnDevCon Boston 2014)
 
Java bytecode and classes
Java bytecode and classesJava bytecode and classes
Java bytecode and classes
 
Invoke dynamics
Invoke dynamicsInvoke dynamics
Invoke dynamics
 
The Art of Metaprogramming in Java
The Art of Metaprogramming in Java  The Art of Metaprogramming in Java
The Art of Metaprogramming in Java
 

Similar to No locked doors, no windows barred: hacking OpenAM infrastructure

Noseevich, petukhov no locked doors no windows barred. hacking open am infr...
Noseevich, petukhov   no locked doors no windows barred. hacking open am infr...Noseevich, petukhov   no locked doors no windows barred. hacking open am infr...
Noseevich, petukhov no locked doors no windows barred. hacking open am infr...
DefconRussia
 
Your Inner Sysadmin - LonestarPHP 2015
Your Inner Sysadmin - LonestarPHP 2015Your Inner Sysadmin - LonestarPHP 2015
Your Inner Sysadmin - LonestarPHP 2015
Chris Tankersley
 
Hacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShellHacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShell
Nikhil Mittal
 
Splunk: Forward me the REST of those shells
Splunk: Forward me the REST of those shellsSplunk: Forward me the REST of those shells
Splunk: Forward me the REST of those shells
Anthony D Hendricks
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
Hackito Ergo Sum
 
Your Inner Sysadmin - MidwestPHP 2015
Your Inner Sysadmin - MidwestPHP 2015Your Inner Sysadmin - MidwestPHP 2015
Your Inner Sysadmin - MidwestPHP 2015
Chris Tankersley
 
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NoSuchCon
 
Your Inner Sysadmin - Tutorial (SunshinePHP 2015)
Your Inner Sysadmin - Tutorial (SunshinePHP 2015)Your Inner Sysadmin - Tutorial (SunshinePHP 2015)
Your Inner Sysadmin - Tutorial (SunshinePHP 2015)
Chris Tankersley
 
EhTrace -- RoP Hooks
EhTrace -- RoP HooksEhTrace -- RoP Hooks
EhTrace -- RoP Hooks
Shane Macaulay
 
Java troubleshooting thread dump
Java troubleshooting thread dumpJava troubleshooting thread dump
Java troubleshooting thread dump
ejlp12
 
What's New and Newer in Apache httpd-24
What's New and Newer in Apache httpd-24What's New and Newer in Apache httpd-24
What's New and Newer in Apache httpd-24
Jim Jagielski
 
Defcon - Veil-Pillage
Defcon - Veil-PillageDefcon - Veil-Pillage
Defcon - Veil-Pillage
VeilFramework
 
Shall we play a game?
Shall we play a game?Shall we play a game?
Shall we play a game?
IngridRivera36
 
0507 057 01 98 * Adana Klima Servisleri
0507 057 01 98 * Adana Klima Servisleri0507 057 01 98 * Adana Klima Servisleri
Shall we play a game
Shall we play a gameShall we play a game
Shall we play a game
jackpot201
 
Attack on the Core
Attack on the CoreAttack on the Core
Attack on the Core
Peter Hlavaty
 
How many ways to monitor oracle golden gate-Collaborate 14
How many ways to monitor oracle golden gate-Collaborate 14How many ways to monitor oracle golden gate-Collaborate 14
How many ways to monitor oracle golden gate-Collaborate 14
Bobby Curtis
 
Racing The Web - Hackfest 2016
Racing The Web - Hackfest 2016Racing The Web - Hackfest 2016
Racing The Web - Hackfest 2016
Aaron Hnatiw
 
Engage 2022: The Superpower of Integrating External APIs for Notes and Domino...
Engage 2022: The Superpower of Integrating External APIs for Notes and Domino...Engage 2022: The Superpower of Integrating External APIs for Notes and Domino...
Engage 2022: The Superpower of Integrating External APIs for Notes and Domino...
Serdar Basegmez
 
(phpconftw2012) PHP as a Middleware in Embedded Systems
(phpconftw2012) PHP as a Middleware in Embedded Systems(phpconftw2012) PHP as a Middleware in Embedded Systems
(phpconftw2012) PHP as a Middleware in Embedded Systems
sosorry
 

Similar to No locked doors, no windows barred: hacking OpenAM infrastructure (20)

Noseevich, petukhov no locked doors no windows barred. hacking open am infr...
Noseevich, petukhov   no locked doors no windows barred. hacking open am infr...Noseevich, petukhov   no locked doors no windows barred. hacking open am infr...
Noseevich, petukhov no locked doors no windows barred. hacking open am infr...
 
Your Inner Sysadmin - LonestarPHP 2015
Your Inner Sysadmin - LonestarPHP 2015Your Inner Sysadmin - LonestarPHP 2015
Your Inner Sysadmin - LonestarPHP 2015
 
Hacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShellHacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShell
 
Splunk: Forward me the REST of those shells
Splunk: Forward me the REST of those shellsSplunk: Forward me the REST of those shells
Splunk: Forward me the REST of those shells
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
 
Your Inner Sysadmin - MidwestPHP 2015
Your Inner Sysadmin - MidwestPHP 2015Your Inner Sysadmin - MidwestPHP 2015
Your Inner Sysadmin - MidwestPHP 2015
 
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
 
Your Inner Sysadmin - Tutorial (SunshinePHP 2015)
Your Inner Sysadmin - Tutorial (SunshinePHP 2015)Your Inner Sysadmin - Tutorial (SunshinePHP 2015)
Your Inner Sysadmin - Tutorial (SunshinePHP 2015)
 
EhTrace -- RoP Hooks
EhTrace -- RoP HooksEhTrace -- RoP Hooks
EhTrace -- RoP Hooks
 
Java troubleshooting thread dump
Java troubleshooting thread dumpJava troubleshooting thread dump
Java troubleshooting thread dump
 
What's New and Newer in Apache httpd-24
What's New and Newer in Apache httpd-24What's New and Newer in Apache httpd-24
What's New and Newer in Apache httpd-24
 
Defcon - Veil-Pillage
Defcon - Veil-PillageDefcon - Veil-Pillage
Defcon - Veil-Pillage
 
Shall we play a game?
Shall we play a game?Shall we play a game?
Shall we play a game?
 
0507 057 01 98 * Adana Klima Servisleri
0507 057 01 98 * Adana Klima Servisleri0507 057 01 98 * Adana Klima Servisleri
0507 057 01 98 * Adana Klima Servisleri
 
Shall we play a game
Shall we play a gameShall we play a game
Shall we play a game
 
Attack on the Core
Attack on the CoreAttack on the Core
Attack on the Core
 
How many ways to monitor oracle golden gate-Collaborate 14
How many ways to monitor oracle golden gate-Collaborate 14How many ways to monitor oracle golden gate-Collaborate 14
How many ways to monitor oracle golden gate-Collaborate 14
 
Racing The Web - Hackfest 2016
Racing The Web - Hackfest 2016Racing The Web - Hackfest 2016
Racing The Web - Hackfest 2016
 
Engage 2022: The Superpower of Integrating External APIs for Notes and Domino...
Engage 2022: The Superpower of Integrating External APIs for Notes and Domino...Engage 2022: The Superpower of Integrating External APIs for Notes and Domino...
Engage 2022: The Superpower of Integrating External APIs for Notes and Domino...
 
(phpconftw2012) PHP as a Middleware in Embedded Systems
(phpconftw2012) PHP as a Middleware in Embedded Systems(phpconftw2012) PHP as a Middleware in Embedded Systems
(phpconftw2012) PHP as a Middleware in Embedded Systems
 

More from Andrew Petukhov

Армия освобождения домохозяек: структура, состав вооружений, методы коммуникации
Армия освобождения домохозяек: структура, состав вооружений, методы коммуникацииАрмия освобождения домохозяек: структура, состав вооружений, методы коммуникации
Армия освобождения домохозяек: структура, состав вооружений, методы коммуникации
Andrew Petukhov
 
You Can Be Anything You Want to Be: Breaking Through Certified Crypto in Bank...
You Can Be Anything You Want to Be: Breaking Through Certified Crypto in Bank...You Can Be Anything You Want to Be: Breaking Through Certified Crypto in Bank...
You Can Be Anything You Want to Be: Breaking Through Certified Crypto in Bank...
Andrew Petukhov
 
Обнаружение уязвимостей логики приложений методом статического анализа. Где п...
Обнаружение уязвимостей логики приложений методом статического анализа. Где п...Обнаружение уязвимостей логики приложений методом статического анализа. Где п...
Обнаружение уязвимостей логики приложений методом статического анализа. Где п...
Andrew Petukhov
 
Безопасность веб-приложений: starter edition
Безопасность веб-приложений: starter editionБезопасность веб-приложений: starter edition
Безопасность веб-приложений: starter edition
Andrew Petukhov
 
Обеспечение безопасности расширений в корпоративных информационных системах
Обеспечение безопасности расширений в корпоративных информационных системахОбеспечение безопасности расширений в корпоративных информационных системах
Обеспечение безопасности расширений в корпоративных информационных системах
Andrew Petukhov
 
Detecting Insufficient Access Control in Web Applications
Detecting Insufficient Access Control in Web ApplicationsDetecting Insufficient Access Control in Web Applications
Detecting Insufficient Access Control in Web Applications
Andrew Petukhov
 
Benchmark сканеров SQL injection
Benchmark сканеров SQL injectionBenchmark сканеров SQL injection
Benchmark сканеров SQL injection
Andrew Petukhov
 
Обнаружение уязвимостей в механизме авторизации веб-приложении
Обнаружение уязвимостей в механизме авторизации веб-приложенииОбнаружение уязвимостей в механизме авторизации веб-приложении
Обнаружение уязвимостей в механизме авторизации веб-приложении
Andrew Petukhov
 
Access Control Rules Tester
Access Control Rules TesterAccess Control Rules Tester
Access Control Rules Tester
Andrew Petukhov
 
Detecting Security Vulnerabilities in Web Applications Using Dynamic Analysis...
Detecting Security Vulnerabilities in Web Applications Using Dynamic Analysis...Detecting Security Vulnerabilities in Web Applications Using Dynamic Analysis...
Detecting Security Vulnerabilities in Web Applications Using Dynamic Analysis...
Andrew Petukhov
 

More from Andrew Petukhov (10)

Армия освобождения домохозяек: структура, состав вооружений, методы коммуникации
Армия освобождения домохозяек: структура, состав вооружений, методы коммуникацииАрмия освобождения домохозяек: структура, состав вооружений, методы коммуникации
Армия освобождения домохозяек: структура, состав вооружений, методы коммуникации
 
You Can Be Anything You Want to Be: Breaking Through Certified Crypto in Bank...
You Can Be Anything You Want to Be: Breaking Through Certified Crypto in Bank...You Can Be Anything You Want to Be: Breaking Through Certified Crypto in Bank...
You Can Be Anything You Want to Be: Breaking Through Certified Crypto in Bank...
 
Обнаружение уязвимостей логики приложений методом статического анализа. Где п...
Обнаружение уязвимостей логики приложений методом статического анализа. Где п...Обнаружение уязвимостей логики приложений методом статического анализа. Где п...
Обнаружение уязвимостей логики приложений методом статического анализа. Где п...
 
Безопасность веб-приложений: starter edition
Безопасность веб-приложений: starter editionБезопасность веб-приложений: starter edition
Безопасность веб-приложений: starter edition
 
Обеспечение безопасности расширений в корпоративных информационных системах
Обеспечение безопасности расширений в корпоративных информационных системахОбеспечение безопасности расширений в корпоративных информационных системах
Обеспечение безопасности расширений в корпоративных информационных системах
 
Detecting Insufficient Access Control in Web Applications
Detecting Insufficient Access Control in Web ApplicationsDetecting Insufficient Access Control in Web Applications
Detecting Insufficient Access Control in Web Applications
 
Benchmark сканеров SQL injection
Benchmark сканеров SQL injectionBenchmark сканеров SQL injection
Benchmark сканеров SQL injection
 
Обнаружение уязвимостей в механизме авторизации веб-приложении
Обнаружение уязвимостей в механизме авторизации веб-приложенииОбнаружение уязвимостей в механизме авторизации веб-приложении
Обнаружение уязвимостей в механизме авторизации веб-приложении
 
Access Control Rules Tester
Access Control Rules TesterAccess Control Rules Tester
Access Control Rules Tester
 
Detecting Security Vulnerabilities in Web Applications Using Dynamic Analysis...
Detecting Security Vulnerabilities in Web Applications Using Dynamic Analysis...Detecting Security Vulnerabilities in Web Applications Using Dynamic Analysis...
Detecting Security Vulnerabilities in Web Applications Using Dynamic Analysis...
 

Recently uploaded

TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
Kumud Singh
 
Building RAG with self-deployed Milvus vector database and Snowpark Container...
Building RAG with self-deployed Milvus vector database and Snowpark Container...Building RAG with self-deployed Milvus vector database and Snowpark Container...
Building RAG with self-deployed Milvus vector database and Snowpark Container...
Zilliz
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
Edge AI and Vision Alliance
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems S.M.S.A.
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
Matthew Sinclair
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
SOFTTECHHUB
 
Data structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdfData structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdf
TIPNGVN2
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Speck&Tech
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
Adtran
 
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIEnchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Vladimir Iglovikov, Ph.D.
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
Claudio Di Ciccio
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
SOFTTECHHUB
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
DianaGray10
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
danishmna97
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
DianaGray10
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 

Recently uploaded (20)

TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
 
Building RAG with self-deployed Milvus vector database and Snowpark Container...
Building RAG with self-deployed Milvus vector database and Snowpark Container...Building RAG with self-deployed Milvus vector database and Snowpark Container...
Building RAG with self-deployed Milvus vector database and Snowpark Container...
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
Data structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdfData structures and Algorithms in Python.pdf
Data structures and Algorithms in Python.pdf
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
 
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIEnchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 

No locked doors, no windows barred: hacking OpenAM infrastructure

  • 1. No locked doors, No windows barred Hacking OpenAM Infrastructure George Noseevich Andrew Petukhov ZeroNights 2012
  • 2. WTF OpenAM? • Open source Access Management, Entitlements and Federation server platform ➡ successor of Sun OpenSSO Enterprise • Written in Java, very Enterprisey ➡ hard to configure and maintain securely • Rather popular ➡ inurl:/amserver/UI/Login or inurl:/openam/UI/Login • Common use case: SSO across legacy apps • Usually extended via custom code
  • 3. Motivation, Positioning & Layout • Not just another hack via XXE • Wanted to share our knowledge on how to develop an attack on OpenAM given an LFR and SSRF abilities • Attack vectors on different OpenAM instances ➡ will start from the simplest one ➡ and steadily proceed to the worst case scenario (a security hardened one) • Several interesting tricks ➡ data retrieval in blind XXE cases ➡ zip upload via HTTP PUT over gopher • What is the proper way to fix XXE in Java?
  • 4. Problem Statement • OpenAM infrastructure • Tomcat as a web container • An ability to read local files and do SSRF ➡ e.g. XXE with gopher protocol enabled • Goal: get an Admin in OpenAM Management Panel • A side note: will not focus on general SSRF elaboration methodology, which is still valid here
  • 5. To begin with: Loot da FileSystem!
  • 6. Looting the FileSystem • Gotta traverse directories ➡ Luckily possible to list them with XXE ➡ How would you tell a directory listing from a file contents? • Gotta read files ➡ Special chars and binary are a problem as usual • Would like to use GREP (General Resource Enumeration Protocol) and other posix tools
  • 7. And along comes... XXE Fuse Demo A team of specially trained monkeys are supporting this SaaS solution 24/7 Request a free trial! http://www.youtube.com/watch?v=7GtPgavI-sI
  • 8. Looting the FileSystem XML-in-XML and OOB channels • The vulnerable servlet performs two rounds of xml parsing • In the first round we retrieve the data • In the second round we pass it to the attacker host
  • 9. Looting the FileSystem Possible Targets and Outcomes 1. Other apps on host ➡ especially management and monitoring 2. Configs (& credentials) ➡ read container config and extract HTTP credentials if needed ➡ ldap.conf may be especially juicy 3. Logs ➡ may contain private data (e.g. SQL query logs) ➡ may enable further attacks (see below)
  • 10. Demo Time RCE via SSRF over XXE using Tomcat App Manager http://www.youtube.com/watch?v=ZnsFhGYqI3g
  • 11. RCE via SSRF over XXE Wait, tell us the details!!! • How do you POST or PUT via XXE? ➡ use gopher; at least until admins won’t update Java • How do you upload ZIP through gopher? ➡ java gopher contains byte [] => String => byte [] conversion ➡ this mangles characters >= 0x80 ➡ use zip -0 (store compression method) ➡ with a bit of luck you can use 0x00 instead of mangled chars (i.e. find&replace) ➡ the resulting file will have invalid checksums ➡ surprisingly (!) Tomcat WAR parser tolerates this
  • 12. Looting the FileSystem Configs & credentials • Container configs ➡ e.g. /usr/share/tomcat6/conf/ • OpenAM configs ➡ /home/user/openam/{install.log, .configParam} ➡ /home/user/openam/config/xml/ • Password file ➡ recommended way of configuring OpenAM is via ssoadm CLI tool: “In most ssoadm subcommands, the password file is required option.The password file is a simple file that contains the administrator password for the given task.” may encourage admins to store passwords in plaintext
  • 13. Exploring OpenAM Features • OpenAM uses custom Auth tokens ➡ web container session tokens are useless ➡ good targets to highjack privileged sessions • OpenAM does Encryption ➡ uses Password-Based Encryption (PBEWithMD5AndDES) with low iteration count ➡ admin pwd is encrypted with default key and stored in bootstrap file ➡ XXE won’t let you read the bootstrap file ➡ other pwds and session tokens are encrypted using randomly generated instance key which is stored in binary data store ➡ instance key is shared across interconnected OpenAM instances (e.g. failover)
  • 14. Juicy OpenAM Features • Debugging ➡ {CONFIG_DIR}/{INSTANCE_NAME}/debug/ ➡ If verbose debugging is enabled, we can read auth tokens and hijack sessions ➡ Quickly check via grep -r "AQIC" ➡ Admins do not log in too frequently ➡ Sessions expire ➡ Disabled by default =( • Monitoring ➡ HTTP/JMX/SNMP facility to monitor OpenAM instance ➡ OpenAM-specific MBeans do not seem to provide anything useful ➡ Also disabled by default
  • 15. Wait, but we need the features! • Debugging ➡ Every single action in admin interface is СSRF-protected ➡ Debug.jsp is a quick page to control debug settings ➡ Devs didn't worry too much about CSRF there => you can CSRF verbose logging ➡ SSRF at Tomcat Shutdown Port to force admin login (or social engineer him) • Monitoring ➡ Enable monitoring using the hijacked session; it will have the default (i.e. known) password ➡ SSRF at Tomcat Shutdown Port again to force reload
  • 16. Putting it All Together Dealing with the Worst Case • Enable debugging ➡ CSRF and then read admin session token from logs • Use admin session token to enable Monitoring ➡ SSRF at Tomcat Shutdown Port to force reload • Pwn ➡ Use HotSpotDiagnostic MBean to force a heap dump into DOC_ROOT ➡ Download and analyze the dump (strings util would do) ➡ Grep out the encryption key and encrypted admin password ➡ Decrypt the password and rule'em all
  • 17. Demo Time Debugging, Monitoring and Heap Dump Scenario http://www.youtube.com/watch?v=Fb2zEqwvbpw
  • 19. Fixing XXE in Java • Problem statement - devs want to: ➡ use a single class for all XML parsing (validating and not) ➡ use external DTD's from local jar files ➡ avoid being pwned • Most XML hardening guides recommend: ➡ turn off general and parameter entities: setFeature("http://xml.org/sax/features/external-general-entities", false) setFeature("http://xml.org/sax/features/external-parsed-entities", false) ➡ enable XMLConstants.FEATURE_SECURE_PROCESSING to prevent entity expansion DoS • Not Enough!
  • 20. Fixing XXE in Java • In Java, if validation is enabled, SSRF is still possible • Devs: okay, let's use our custom Entity resolver: ➡ documentBuilder.setEntityResolver(new XMLHandler()) • Almost there! ➡ make sure that XMLHandler returns an empty InputStream on error ➡ if you return null, JAXP will fall back to default resolvers!
  • 21. Wrap Up Conclusions • Specific advice ➡ Never store passwords in files (who may have thought... ) ➡ It's good to change monitoring password even if you do not use the feature ➡ Update Java and OpenAM (fix is available in nightly builds) - this would prevent XXE and disable gopher • General advice: in SSRF world it is no longer safe to trust ➡ IP-based authentication could be subverted instantly ➡ Defying patching? Pwned! (think about delayed exploitation) ➡ Defying least privilege in DMZ? Very arrogant!
  • 22. Question Time! • George Noseevich ➡ Twitter: @webpentest ➡ Email: webpentest@gmail.com • Andrew Petukhov ➡ Twitter: @p3tand ➡ Email: andrew.petukhov@internalsecurity.ru • Show us the Source! ➡ Tools: http://internalsecurity.ru/media/resources/openam-xxe-tools.zip ➡ Video: http://www.youtube.com/playlist? list=PL1CBT43qUw294xCw79B01PbRQNKI6Qqdj ➡ WWW: http://internalsecurity.ru/research/

Editor's Notes

  1. \n
  2. \n
  3. \n
  4. \n
  5. \n
  6. \n
  7. \n
  8. \n
  9. \n
  10. \n
  11. \n
  12. \n
  13. \n
  14. \n
  15. \n
  16. \n
  17. \n
  18. \n
  19. \n
  20. \n
  21. \n
  22. \n