Room for Escape: Scribbling Outside the Lines of Template Security

Presented at DEF CON 28 (2020) Virtual, Aug. 6, 2020, 10:30 a.m. (30 minutes)

Now more than ever, digital communication and collaboration are essential to the modern human experience. Shared digital content is everywhere, and Content Management Systems (CMS) play a crucial role, allowing users to design, create, modify and visualize dynamic content. In our research we discovered multiple ways to achieve Remote Code Execution (RCE) on CMS platforms, through which an attacker can take full control of the resources your organization relies on. Using a Microsoft SharePoint server as our main CMS attack surface, we combined flaws in its implementation and design with framework- and language-specific features to find six unique RCE vulnerabilities. In addition, we discovered ways to escape the template sandboxes of the most popular Java template engines and achieved RCE in many products, including Atlassian Confluence, Alfresco, Liferay, Crafter CMS, XWiki, Apache OFBiz and more. We will analyze how these products and frameworks implement security controls and review the various techniques we used to bypass them. We will describe all the vulnerabilities we uncovered in detail and show working demos of the most interesting attacks. Finally, we will present our general review methodology for systems with dynamic content templates and provide practical recommendations to better protect them.

Presenters:

  • Alvaro Muñoz (@pwntester)
    Alvaro Muñoz works as a Staff Security Researcher with GitHub Security Lab. His research focuses on different programming languages and web application frameworks, searching for vulnerabilities or unsafe uses of APIs. Before joining the research field, he worked as an Application Security Consultant helping enterprises deploy their application security programs. Muñoz has presented at many security conferences, including DEF CON, RSA, AppSecEU, Protect and DISCCON, holds several InfoSec certifications, including OSCP, GWAPT and CISSP, and is a proud member of the int3pids CTF team.
  • Oleksandr Mirosh (@olekmirosh)
    Oleksandr Mirosh, Software Security Researcher, Micro Focus Fortify. Oleksandr Mirosh has over 12 years of computer security experience, including vulnerability research, penetration testing, reverse engineering, fuzzing, exploit development and consulting. He works on the Fortify Software Security Research team at Micro Focus, investigating and analyzing new threats, vulnerabilities, security weaknesses and new techniques for exploiting security issues, and developing vulnerability detection, protection and remediation rules.
