Room for Escape: Scribbling Outside the Lines of Template Security

Presented at Black Hat USA 2020 Virtual, Aug. 5, 2020, 10 a.m. (40 minutes).

Now more than ever, digital communication and collaboration are essential to the modern human experience. People around the globe work together online as they share information, create documents, send emails, and collaborate on spreadsheets and presentations. Shared digital content is everywhere, and networked communication platforms and software play a crucial role. Content Management Systems (CMS) allow the user to design, create, modify, and visualize dynamic content. For many companies, CMS platforms are pivotal to their content pipelines and workforce collaboration.

In our research, we discovered multiple ways to achieve Remote Code Execution (RCE) on CMS platforms where users can create or modify templates for dynamic content. In today's multi-tenancy ecosystems, this often implies that a co-tenant on the same system can take over control of the CMS resources on which your organization relies.

Using a Microsoft SharePoint server as our main CMS attack surface, we combined flaws in its implementation and design with framework- and language-specific features to find six unique RCE vulnerabilities. In addition, we reviewed some of the most popular Java template engines such as Apache Velocity, Apache FreeMarker, Pebble, and JinJava. As a result of this effort, we discovered ways to escape template sandboxes and achieve RCE in many products including: Atlassian Confluence, Alfresco, Liferay, Crafter CMS, dotCMS, XWiki, Apache OFBiz, and more.

We will analyze how these products and frameworks implement security controls and review the various techniques that we used to bypass them. We will describe all the vulnerabilities we uncovered in detail and show working demos of the most interesting attacks where unprivileged users can run arbitrary commands on SharePoint or Liferay servers.

Finally, we will present our general review methodologies for systems with dynamic content templates and provide practical recommendations to better protect them.

Presenters:

  • Alvaro Muñoz - Staff Security Researcher, GitHub
    Alvaro Muñoz (@pwntester) works as Staff Security Researcher with GitHub Security Lab. His research focuses on different programming languages and web application frameworks, searching for vulnerabilities or unsafe uses of APIs. Before joining the research field, he worked as an Application Security Consultant helping enterprises to deploy their application security programs. Muñoz has presented at many security conferences including DEF CON, RSA, AppSecEU, Protect, DISCCON, etc., holds several InfoSec certifications, including OSCP, GWAPT and CISSP, and is a proud member of the int3pids CTF team. He blogs at http://www.pwntester.com.
  • Oleksandr Mirosh - Security Researcher, Micro Focus Fortify
    Oleksandr Mirosh has over 12 years of computer security experience, including vulnerability research, penetration testing, reverse engineering, fuzzing, developing exploits, and consulting. He works on the Fortify Software Security Research team at Micro Focus, investigating and analyzing new threats, vulnerabilities, security weaknesses, and new techniques of exploiting security issues, and developing vulnerability detection, protection and remediation rules. In the past, he has performed a wide variety of security assessments, including design and code reviews, threat modeling, testing, and fuzzing, in order to identify and remove any existing or potentially emerging security defects in the software of various customers.