![Company
LOGO
www.company.com
5. Mitigation Advices
What about Compiler and
hardware based protections?
We can remove this from the Web developers'
hands…
… And leave it with the compiler and
architecture guys ...
Like what was done with stack-smashing… =]](https://image.slidesharecdn.com/h2hc2018richfaces0dayjoaomatos-181108131314/85/A-little-bit-about-code-injection-in-WebApplication-Frameworks-CVE-2018-14667-H2HC-2018-87-320.jpg)
A little bit about code injection in WebApplication Frameworks (CVE-2018-14667) - H2HC 2018
- 1. Company LOGO www.company.comgithub.com/joaomatosf João Filho Matos Figueiredo [email protected] @joaomatosf
- 2. Company LOGO www.company.com Whoami • Independent developer and researcher • Enjoys server-side exploitation and lateral movement • Reported some critical bugs (RCE) in companies like: – Apple.com, PayPal.com, AT&T, Samsung.com, BlackBerry, RedHat, GM, Oracle Cloud, US Department of Defense (DoD) , SonyPictures, Starbucks, Banks, Telecoms, Government, etc. • Helped some authorities in cybersecurity cases (eg. FBI) • Bachelor and Master Degree in Computer Science at Federal University of Paraíba (UFPB), Brazil. • Author of JexBoss Audit and Exploitation Tool. @joaomatosf https://github.com/joaomatosf
- 3. Company LOGO www.company.com Agenda 1. T(101) 2. #{Motivations} 3. %{#’simple.Example’} 4. ${new Richfaces0day()} 5. %23%7BAbout Mitigation%7D
- 4. Company LOGO www.company.com • Injection Flaws are “very prevalent”1 • Broad Vulnerability Category: § LDAP Injection; § Log Injection; § OS command Injection; § SQL/NoSQL Injection; § XSS; § XPath Injection; § Code Injection § . . . 1. 101 2004 2007 2010 2013 2017
- 5. Company LOGO www.company.com • Injection Flaws are “very prevalent”1 • Broad Vulnerability Category: § LDAP Injection; § Log Injection; § OS command Injection; § SQL/NoSQL Injection; § XSS; § XPath Injection; § Code Injection § . . . 1. 101 2004 2007 2010 2013 2017
- 6. Company LOGO www.company.com 1. 101 CWE-94: “Improper Control of Generation of Code” "Data Only" "Feature" “interpreter” Code Flow
- 7. Company LOGO www.company.com 1. 101 We need to put tainted data into a Sinkhole function.Sanitizers Validators Danger Flow
- 8. Company LOGO www.company.com Database Params Headers Uploads EnvVars APIs Cache Tainted data comes from untrusted sources (or just get in touch) DNS
- 9. Company LOGO www.company.com Sinkholes are sensitive methods .eval(trusted input) .getValue(trusted input) .invoke(trusted input) .sockets(trusted input) .parseExpression(trusted input) .file(trusted input) .instance_eval(trusted input) render inline: trusted input .from_string(trusted input).render()
- 10. Company LOGO www.company.com 1. 101 CWE-94: “Improper Control of Generation of Code” Code MethodExpression .invoke() "#{request.getClass().getC lassLoader().loadClass("j ava.lang.Runtime").getMet hod("getRuntime").invoke (null).exec("calc")}" Tainted Data Improper Input Validation Taint Sink Flow
- 11. Company LOGO www.company.com 1. 101 • Some specific cases: § CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection’); § CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection’) § CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') § CWE-624: Executable Regular Expression Error § CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection’).
- 14. Company LOGO www.company.com 90’s Binary Code Injection1 (before Memory Protections) 2000... 2006 2007 2010 2010 Meder Kydyraliev (CVE-2010-1622) 2. Motivations Andrea Vettori (CVE-2007-4556) Meder Kydyraliev (CVE-2010-1870) Meder Kydyraliev (CVE-2010-1871) Many vulnerabilities RCE in Ruby on Rails (CVE-2006-4111) 2010 James Kettle talked about some cases and called them as SSTI 2015 Nike Zheng CVE-2017-5638 some milestones 1 Cowan et al., 1998
- 15. Company LOGO www.company.com 2. Motivations Source: Meder Kydyraliev, 2010
- 16. Company LOGO www.company.com 2. Motivations Source: Asankhaya Sharma, 2018
- 17. Company LOGO www.company.com 2. Motivations Management / Monitoring Virtual Machine (JVM) Code that generate code
- 18. Company LOGO www.company.com 2. Motivations Management / Monitoring Virtual Machine (JVM) Code that genera te code Examples: • Template Specifics • OGNL • SpEL • JSP EL • MVEL • JEXL • JUEL • (JSR 245, 341) • …
- 20. Company LOGO www.company.com 3. Simple Example Description: The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content- Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string. CVE-2017-5638
- 21. Company LOGO www.company.com 3. Simple Example Description: The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error- message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content- Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string. CVE-2017-5638
- 22. Company LOGO www.company.com 3. Simple Example Description: The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error- message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content- Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string. CVE-2017-5638Vulnerable Component Taint Sink Tainted data
- 23. Company LOGO www.company.com 3. Simple Example Description: The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error- message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content- Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string. CVE-2017-5638Vulnerable Component Taint Sink How to get in the taint sink with controlled tainted data? Tainted data
- 24. Company LOGO www.company.com 3. Simple Example CVE-2017-5638 Sinkholes Taint Source • Runtime tainting (data-flow analysis):
- 25. Company LOGO www.company.com 3. Simple Example CVE-2017-5638 POST /page.action Content-Type: multipart/form-data “Normal” tainted data tracking
- 26. Company LOGO www.company.com 3. Simple Example CVE-2017-5638 This is fine! It’s all ok... “Normal” tainted data tracking POST /page.action Content-Type: multipart/form-data
- 28. Company LOGO www.company.com 3. Simple Example Description: The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string. CVE-2017-5638
- 29. Company LOGO www.company.com 3. Simple Example CVE-2017-5638 POST /page.action Content-Type: multipart/form-datax00 Invalid data
- 30. Company LOGO www.company.com 3. Simple Example CVE-2017-5638 Invalid data POST /page.action Content-Type: multipart/form-datax00
- 31. Company LOGO www.company.com 3. Simple Example CVE-2017-5638 Invalid data POST /page.action Content-Type: multipart/form-datax00
- 32. Company LOGO www.company.com 3. Simple Example CVE-2017-5638 Invalid data POST /page.action Content-Type: multipart/form-datax00 JakartaMultiPartRequest.class Flow deviation by Exception Handler
- 33. Company LOGO www.company.com 3. Simple Example CVE-2017-5638 POST /page.action Content-Type: multipart/form-datax00
- 34. Company LOGO www.company.com 3. Simple Example CVE-2017-5638 POST /page.action Content-Type: multipart/form-datax00
- 35. Company LOGO www.company.com 3. Simple Example CVE-2017-5638 POST /page.action Content-Type: multipart/form-datax00 %{ (#[email protected]@DEFAULT_MEMBER_ACCESS). (#commandarray={'/bin/bash','-c','calc'}). (#p=new java.lang.ProcessBuilder(#commandarray)). (#process=#p.start()).multipart/form-data } Disable protections Execute OS command
- 36. Company LOGO www.company.com 3. Simple Example CVE-2017-5638 POST /page.action Content-Type: %{ognl_payload}.multipart/form-data
- 37. Company LOGO www.company.com 3. Simple Example CVE-2017-5638 POST /page.action Content-Type: %{ognl_payload}.multipart/form-data PS: Don’t forget of the Black Swan Theory This analysis had the benefit of hindsight
- 38. Company LOGO www.company.com CVE-2018-14667 Remote Code Execution in WepApps using Richfaces 3.X
- 39. Company LOGO www.company.com 4. Richfaces 0day • For years (since 2007) one of the most used frameworks for JSF components; – Primefaces started to get more attention in about ~2013. • Faced some critical vulnerabilities: • Richfaces v 3.X: – RCE via deserialization (CVE-2013-2165) – RCE via EL Injection (CVE-2018-12533) • Before assign of CVE-2018-12533, Markus Wulftange (from CodeWhite) tweeted about the his find...
- 40. Company LOGO www.company.com 4. Richfaces 0day • Next day I had find the same as Markus and others two more RCEs in the Richfaces... – Two of them were used in bugbuntys like PayPal.com, Apple.com... – A few weeks later the one of Markus was published • I responsibly notified to the RedHat on 2018-10-15 • RedHat replied very quickly and assign the CVE-2018-14667 After a friend (@reefbr) get my attention to this tweet I decided to deep look into Richfaces....
- 41. Company LOGO www.company.com 4. Richfaces 0day • Next day I had find the same as Markus and others two more RCEs in the Richfaces... – Two of them were used in bugbuntys of PayPal.com, Apple.com... – A few weeks later the one of Markus was published • I responsibly notified to the RedHat on 2018-10-15 • RedHat replied very quickly and assign the CVE-2018-14667 After a friend (@reefbr) get my attention to this tweet I decided to deep look into Richfaces.... Let’s resume...
- 42. Company LOGO www.company.com 4. Richfaces 0day • Richfaces receives serialized objects via URL but uses the following restrict whitelist (look-ahead): • Let’s suppose that this tainted data can be used in one of the two possibilities: 1. Deserialization attack 2. Code Injection attack (via EL) 1) org.ajax4jsf.resource.InternetResource 2) org.ajax4jsf.resource.SerializableResource 3) javax.el.Expression 4) javax.faces.el.MethodBinding 5) javax.faces.component.StateHolderSaver 6) java.awt.Color
- 43. Company LOGO www.company.com 4. Richfaces 0day • Let’s reduce the “problem” to: 1. Analysis of the allowed types; 2. Look for possible sinkholes sensitives to data we can control (yeah, we can decompile all the things); 3. Try to find a Flow that leads the tainted data to the identified sinkholes; "#{7*7}" Sinkhole (“tainted data”) Flow "#{7*7}"
- 44. Company LOGO www.company.com 4. Richfaces 0day 1. Analysis of the allowed types; 1) org.ajax4jsf.resource.InternetResource 2) org.ajax4jsf.resource.SerializableResource 3) javax.el.Expression 4) javax.faces.el.MethodBinding 5) javax.faces.component.StateHolderSaver 6) java.awt.Color Magic Methods: readObject()*readResolve() readExternal()* finalize()readObjectNoData() validadeObject() … “Indirect” Magic invoke()* (InvocationHandler or MethodHandler) toString() hashCode() transform() ** compare() equals()… “eval” Methods: getValue() invokeMethod() invoke()getMethodInfo() createMethodExpress ion()resolveVariable() …
- 45. Company LOGO www.company.com 4. Richfaces 0day 1) org.ajax4jsf.resource.InternetResource 2) org.ajax4jsf.resource.SerializableResource 3) javax.el.Expression 4) javax.faces.el.MethodBinding 5) javax.faces.component.StateHolderSaver 6) java.awt.Color
- 46. Company LOGO www.company.com 4. Richfaces 0day 1) org.ajax4jsf.resource.InternetResource 2) org.ajax4jsf.resource.SerializableResource 3) javax.el.Expression 4) javax.faces.el.MethodBinding 5) javax.faces.component.StateHolderSaver 6) java.awt.Color What about inheritance?
- 47. Company LOGO www.company.com 4. Richfaces 0day 1) org.ajax4jsf.resource.InternetResource TemplateCSSResource InternetResourceBase AnimationResource ProgressBarAnimatedBg JarResource ClientScript Java2Dresource BaseImage CancelControlIcon CalendarSeparator ComboBoxArrowImage + more…. StaticResource URIInternetResource UserResource QueueScript Paint2DResource + more….
- 49. Company LOGO www.company.com 1) org.ajax4jsf.resource.InternetResource TemplateCSSResource InternetResourceBase AnimationResource ProgressBarAnimatedBg JarResource ClientScript Java2Dresource BaseImage CancelControlIcon CalendarSeparator ComboBoxArrowImage + more…. StaticResource URIInternetResource UserResource QueueScript Paint2DResource + more…. 4. Richfaces 0day Sinkholes
- 50. Company LOGO www.company.com 4. Richfaces 0day taintedData .sinkhole() Flow Tainted data sinkhole
- 51. Company LOGO www.company.com 4. Richfaces 0day sinkhole Analyzing the sinkhole of UserResource To be exploitable, two conditions are needed: 1) Achieve this method (send()); 2) Control of the “context” variable. But are they enough?
- 52. Company LOGO www.company.com 4. Richfaces 0day UserResource If we can control variable “context” Restore a object from a ResourceContext
- 53. Company LOGO www.company.com 4. Richfaces 0day UserResource.UriData Cast to UserResource.UriData
- 56. Company LOGO www.company.com 4. Richfaces 0day UserResource.UriData createContent field StateHolderSaver
- 58. Company LOGO www.company.com 4. Richfaces 0day UserResource.UriData createContent field StateHolderSaver MethodExpression #{7*7}
- 59. Company LOGO www.company.com 4. Richfaces 0day UserResource.UriData createContent field StateHolderSaver MethodExpression .invoke() #{7*7}
- 60. Company LOGO www.company.com 4. Richfaces 0day UserResource.UriData createContent field StateHolderSaver MethodExpression .invoke() #{7*7}
- 61. Company LOGO www.company.com 4. Richfaces 0day UserResource.UriData createContent field StateHolderSaver MethodExpression org.ajax4jsf.resource.UserResource$UriData createContent: javax.faces.component.StateHolderSaver savedState: org.jboss.el.MethodExpressionImpl exp: "${Expression Language}" Using a chain like this one: PS: there are other possible chains! .invoke() #{7*7}
- 62. Company LOGO www.company.com 4. Richfaces 0day UserResource.UriData createContent field StateHolderSaver MethodExpression .invoke() org.ajax4jsf.resource.UserResource$UriData createContent: javax.faces.component.StateHolderSaver savedState: org.jboss.el.MethodExpressionImpl exp: "${Expression Language}" Using a chain like this one: PS: there are other possible chains!
- 63. Company LOGO www.company.com 4. Richfaces 0day taintedData .sinkhole() Flow ? Tainted data sinkhole
- 64. Company LOGO www.company.com 4. Richfaces 0day taintedData .sinkhole() Flow ? Static AnalysisDynamic Analysis taintedData .sinkhole() Flow ?
- 66. Company LOGO www.company.com 4. Richfaces 0day From static analysis we can see that resources can be triggered by URLs path = {Resource Class Name}
- 67. Company LOGO www.company.com 4. Richfaces 0day From static analysis we can see that resources can be triggered by URLs path = {Resource Class Name}/n/s
- 68. Company LOGO www.company.com 4. Richfaces 0day From static analysis we can see that resources can be triggered by URLs path = {Resource Class Name}/n/s/{mimeHashCode}
- 69. Company LOGO www.company.com 4. Richfaces 0day We can also include serialized objects in the same URL pattern... path = {Resource Class Name}/n/s/{mimeHashCode}/DATA/{encoded payload}
- 70. Company LOGO www.company.com 4. Richfaces 0day We can also include serialized objects in the same URL pattern... path = {Resource Class Name}/n/s/{mimeHashCode}/DATA/{encoded payload} UserResource Object Chain!
- 71. Company LOGO www.company.com 4. Richfaces 0day Let’s test the injection point and track the tainted data.... "{7*7}"
- 72. Company LOGO www.company.com 4. Richfaces 0day "{7*7}" 1. Mark all data from untrusted sources as tainted… 2. Mark all data that comes in contact with as tainted… 3. Check if tainted data gets in sinkholes.
- 75. Company LOGO www.company.com 4. Richfaces 0day "{7*7}" resource contains a UserResource instance!
- 78. Company LOGO www.company.com 4. Richfaces 0day Our chain is put inside a ResourceContext
- 82. Company LOGO www.company.com 4. Richfaces 0day CVE-2018-14667 Unauthenticated Remote Code Execution in Web Applications using Richfaces Framework 3.X https://access.redhat.com/security/cve/cve-2018-14667 link
- 84. Company LOGO www.company.com 5. About Mitigation Sanitize data from untrusted sources, right?
- 85. Company LOGO www.company.com 5. Mitigation Advices It is good and needed, but not enough.
- 86. Company LOGO www.company.com 5. Mitigation Advices • It is not so simple… • Taint propagation is a complex issue “every application that copies untrusted input verbatim into an output program is vulnerable to code injection attacks. Proved by Ray & Ligatti (2012) based on formal language theory.” • Scape may depend on semantics/context: – HTML, JavaScript, URLencoded, JSON, XML, Binary Objects, Unicode Strings, Exception Messages… • Who writes filters does not always think like who writes exploits
- 87. Company LOGO www.company.com 5. Mitigation Advices What about Compiler and hardware based protections? We can remove this from the Web developers' hands… … And leave it with the compiler and architecture guys ... Like what was done with stack-smashing… =]
- 88. Company LOGO www.company.com 5. Mitigation Advices • Until then... • Look for bugs in your frameworks/libs/platforms… – Not only for your custom code • Make the appropriate hardening of every layer! – Eg. grsec, selinux, lib’s update… • And remember: Black Swan events are more common than we think… “Finding bugs brings more $$$ then solving classes of problem” (Meder, 2012)
- 89. Company LOGO www.company.comgithub.com/joaomatosf João Filho Matos Figueiredo [email protected] @joaomatosf Thank you! “Truth is ever to be found in simplicity, and not in the multiplicity and confusion of things.” (Isaac Newton)