2. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 2
▪Research & Development
▪Security Team Lead
▪50% TYPO3 GmbH
▪50% freelance software engineer
▪#hof #cycling #paramedic #in.die.musik
~# whoami
Oliver Hader
@ohader
3. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 3
▪ session probably recorded
▪ real attack vectors are shown
▪ hackers probably knew already
▪ official security fixes available
▪ report to security@typo3.org
Disclaimer
4. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org
Agenda
4
▪ Attack technique basics (XSS, SQLi, deserialization)
▪ Attack tools/simulation (SQLmap, BeEF, BoNeSi)
▪ Phar Stream Vulnerability & Wrapper
▪ CVSSv3 vulnerability scoring
▪ TYPO3 Security Team
▪ Capture the Flag
Agenda
⏳
5. What is your agenda?
Do you have questions?
5TYPO3 Developer Days 2019 - Hacking TYPO3 - oliver.hader@typo3.org
6. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org
Web Application
Security Basics
6
7. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org
Web Application Security
7
▪ CIA/compliance triad
▪ confidentiality
▪ private, personal, sensitive information
▪ integrity
▪ manipulation of information (“fake news”)
▪ availability
▪ denial of service
▪ online bank account
▪ blocking information flow https://www.ibm.com/blogs/cloud-computing/2018/01/16/drive-compliance-cloud/
8. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 8
Hacking Playground
CONFIDENTIALITY - unauthorised access to information
9. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 9
Hacking Playground
INTEGRITY - e.g. manipulated information
10. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 10
Hacking Playground
AVAILABILITY - information/service not available
11. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 11
Web Application Security
Open Web Application Security Project - TOP 10 vulnerabilities
https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
TYPO3 core TYPO3 3rd party extensionsPHP world
TYPO3vulnerabilitiesinpast5years
12. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 12
Web Application Security
attack chains - multiple components might be affected
https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
19. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 19
Cross-Site Scripting - basics
XSS with Fluid - f:format.html relies on TypoScript being available
20. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 20
Cross-Site Scripting - basics
ViewHelper without any escaping == potentially vulnerable to XSS
21. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 21
http://typo3v9-hack.ddev.site:3000/ui/panel // admin & joh316
22. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 22
XSS exploitation
23. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 23
Browser Exploitation Framework in action
24. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 24
Browser Exploitation Framework in action
27. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org
SQL injection basics
27
▪ SELECT … WHERE uid=10 AND pid>0;
▪ SELECT … WHERE uid=10 AND 1=1 -- AND pid>0; // bool true
▪ SELECT … WHERE uid=10 AND 1=0 -- AND pid>0; // bool false
▪ SELECT … WHERE uid=10 AND SLEEP(10) -- AND pid>0; // time
▪ comment literals (MySQL)
▪ --
▪ #
▪ /* data */
28. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org
SQL injection basics
28
▪ SELECT … WHERE uid=10 AND pid>0;
▪ SELECT uid,pid,header WHERE uid=10
UNION SELECT username,password,3
FROM be_users WHERE SUBSTR(username, 1, 1) = ‘a’
LIMIT 1,1
-- AND pid>0;
▪ … FROM be_users WHERE SUBSTR(username, 2, 1) = ‘d’ …
▪ … FROM be_users WHERE SUBSTR(username, 3, 1) = ‘m’ …
▪ … FROM be_users WHERE SUBSTR(username, 4, 1) = ‘i’ …
▪ … FROM be_users WHERE SUBSTR(username, 5, 1) = ’n’ …
29. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 29
SQL injection QueryBuilder WHERE
SELECT `uid`, `header` FROM `tt_content` WHERE `uid` = TEST;
30. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 30
SQL injection QueryBuilder WHERE
SELECT `uid`, `header` FROM `tt_content` WHERE `uid` = 0;
31. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 31
SQL injection QueryBuilder WHERE
(prepared statement)
SELECT `uid`, `header` FROM `tt_content` WHERE `uid` = :dcValue1;
✔
32. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 32
SQL injection QueryBuilder WHERE
… WHERE `header` LIKE ‘%a%_%b%';
33. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 33
SQL injection QueryBuilder WHERE
… WHERE `header` LIKE ‘%a%_%b%’;
✔
44. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 44
Insecure Deserialization - Basics
__destruct() or __wakeup() methods are executed on deserialization
45. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 45
Insecure Deserialization - Basics
user submitted payload to be deserialized
46. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 46
allowed_classes introduced with PHP 7.0 (Polyfill available)
47. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org
Insecure Deserialization - TYPO3-CORE-SA-2019-020
47
▪ https://typo3.org/security/advisory/typo3-core-sa-2019-020/
▪ https://blog.ripstech.com/2019/typo3-overriding-the-database/
▪ overrideVals[<table>][l10n_diffsource]=<serialized payload>
▪ addressed on June 25th, 2019
48. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 48
Insecure Deserialization - Basics
__destruct() saves content to filesystem
49. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 49
Remote Code Execution #1
making use of FileCookieJar as attack container
50. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 50
Remote Code Execution #1
prepare attack against TYPO3 backend
51. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 51
Remote Code Execution #1
actual attack payload that shall be executed
52. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 52
Remote Code Execution #1
XSRF token needs to be know (valid backend user required)
53. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 53
Remote Code Execution #1
output of injected & executed /typo3/hack.php
54. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 54
Remote Code Execution #1
… new admin user h4ck3r31 …
56. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org
Other™ random topics
56
▪ File Upload
▪ check/deny extensions (file deny pattern)
▪ check mime-types - image/png, text/html, …
▪ Extbase controller actions
▪ user/group access needs individual handling
▪ classic: logged in user can access profile data of others
▪ Directory Traversal
▪ zip bundle.zip ../malicious.php
▪ depends on how it is extracted
57. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org
phar://…
57
58. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 58
https://packagist.org/packages/typo3/phar-stream-wrapper
59. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 59
▪ usually used like
require_once('phar://bundle.phar/vendor/autoload.php');
$service = new BundleService();
▪ Phar archives are vulnerable to insecure deserialisation
▪ all Phar archives in every PHP version (since 5.3)
▪ using “phar://“ stream wrapper is required here
▪ however, applies to regular file calls as well
▪ is_file(), file_exists(), fopen(), file_get_contents(), …
▪ is_file($_GET[‘fileName’]) // … user submitted data
60. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 60
demo web application
61. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 61
file does exist - correct
62. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 62
result of implicit insecure deserialization
64. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 64
building hybrid Phar archive
65. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 65
PharStreamWrapper in TYPO3 core
66. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 66
▪ TYPO3CMSCoreIOPharStreamWrapperInterceptor
▪ TYPO3 core - Phar only in typo3conf/ext/ directories
▪ TYPO3PharStreamWrapper…PharExtensionInterceptor
▪ Phar only with file extension “.phar”
▪ TYPO3PharStreamWrapper…PharMetaDataInterceptor
▪ Phar only without serialized objects in meta-data
67. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org
Vulnerability
Reporting
CVSSv3, Mitre & Co.
67
69. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org
How to report a security vulnerability?
69
▪ always report via mail to security@typo3.org (Security Team)
▪ don’t post potential attacks to Forge, Twitter, … (public media)
▪ inform security team in case vulnerabilities are leaked
▪ please be patient & wait for feedback
▪ approx first response time is ~8 hours
70. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org
Responsible Disclosure Workflow
70
▪ report vulnerability to vendor (here: security team)
▪ wait for feedback, questions or confirmation of this issue
▪ ask for status updates in case there is no activity
▪ declare deadline for full disclosure (e.g. 90 days)
▪ in case vendor does not take actions - public disclosure
▪ vendors (should) have interest to release security bulletins
▪ hiding vulnerability caused feeling of false security
71. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 71
Responsible Disclosure Workflow
https://blog.ripstech.com/2019/typo3-overriding-the-database/
73. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 73
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
74. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 74
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
75. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 75
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
76. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org
CVSSv3 example #1
76
▪ CVE-2013-1937
▪ phpMyAdmin Reflected Cross-site Scripting Vulnerability
▪ “Reflected cross-site scripting (XSS) vulnerabilities are present on
the tbl_gis_visualization.php page in phpMyAdmin 3.5.x, before
version 3.5.8. These allow remote attackers to inject arbitrary
JavaScript or HTML via the (1) visualizationSettings[width] or (2)
visualizationSettings[height] parameters.”
77. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 77
CVSSv3 example #1
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
78. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org
CVSSv3 example #2
78
▪ CVE-2016-1645
▪ Google Chrome PDFium JPEG 2000 Remote Code Execution
Vulnerability
▪ “Allows remote attackers to execute arbitrary code on vulnerable
installations of Google Chrome. User interaction is required to
exploit this vulnerability in that the victim must visit a malicious
page or open a malicious file. Flaw exists within the handling of
JPEG 2000 images. Specially crafted JPEG 2000 image embedded
inside a PDF can force Google Chrome to write memory past the
end of an allocated object. Attacker can leverage this vulnerability
to execute arbitrary code under the context of the current process.”
79. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 79
CVSSv3 example #2
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
80. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 80
https://typo3.org/security/advisory/typo3-psa-2019-007/
81. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 81
https://typo3.org/security/advisory/typo3-psa-2019-007/
82. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 82
https://nvd.nist.gov/vuln/detail/CVE-2019-11831
83. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 83
https://nvd.nist.gov/vuln/detail/CVE-2019-11831
84. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org
TYPO3
Security Team
84
85. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 85
▪ triage and answer reports
▪ communicate with reporters (individuals, pen-testers)
▪ forward information to maintainers (core, extension author, …)
▪ frankly remind people in case activity is kind of low
▪ coordinate releases & release dates
▪ compile information into security bulletins / announcements
▪ educate & raise awareness in teams & community
86. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org
Capture the
Flag
86
87. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 87
https://www.root-me.org/en/Challenges/Web-Server/
88. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 88
https://ctf.hacker101.com/ctf
89. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org 89
▪ https://www.root-me.org/en/Challenges/Web-Server/SQL-
injection-Error # might work with SQLmap
▪ https://ctf.hacker101.com/ctf/launch/7 # check public API
90. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org
References
90
▪ Running an SQL Injection Attack: // “Computerphile“, nice series
https://www.youtube.com/watch?v=ciNHn38EyRc
▪ WordPress WPDB SQL Injection: // nice, on “custom” escaping
https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-
sql-injection-technical.html
▪ CVSSv3 Examples:
https://www.first.org/cvss/v3.0/examples