there are bugs in all
kinds of software
many are written by enthusiasts
in their spare time, non-profit
lack of proper management
and funds in community-driven
products
still insufficient interest of
security researchers
<form method="post" enctype="multipart/form-data" action="https://www.bank.com/login">
<input type="hidden"
name="multipartRequestHandler.servlet.servletContext.attribute(org.apache.struts.action.MODULE)"
value="exe" />
<input type="submit" value="DIE !!!">
</form>
POST https://www.bank.com:443/login HTTP/1.1
Host: www.bank.com
Content-Type: multipart/form-data; boundary=---------------------------437802734279294578219753573
Content-length: 255
-----------------------------437802734279294578219753573
Content-Disposition: form-data; name="multipartRequestHandler.servlet.servletContext.attribute(org.apache.struts.action.MODULE)"
exe
-----------------------------437802734279294578219753573--
Why do the developers like Expression Languages?
before:
<%=HTMLEncoder.encode(((Person)person).getAddress().getStreet())%>
after:
<c:out value="person.address.street"/>
Timeline
May 31st - email to security@struts.apache.org with vulnerability report.
June 4th - no response received, contacted developers again.
June 5th - had to find an XWork developer on IRC to look at this.
June 16th - Atlassian fixes vulnerability in its products. Atlassian and Struts developers worked together in coming up with the fix.
June 20th - 1-line fix committed
June 29th - Struts 2.2.0 release voting process started and is still going...
Fri Aug 20 2010: Struts2 team finally released 2.2.1 on Aug 16th (2.5 months to release fixed version!).
http://blog.o0o.nu/2010/07/cve-2010-1870-struts2xwork-remote.html
At last - whitelist for allowed chars:
// Allowed names of parameters
private String acceptedParamNames = "[a-zA-Z0-9\\.\\]\\[\\(\\)_'\\s]+";
framework
security
app
development
server upgrades
Balance the risk right
Note: not all vulnerabilities' details are known public, even after the fix release.
From my experience: it may take YEARS.
Do not hesitate to ask your developers about it.
https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex
Acceptance tests
Assessments
Server upgrades are not enough.
You do have to care about your application,
even if there are no changes in its code.
Remember that keeping track of external libraries' security
is a task very prone to human error, and one that is often unfairly forgotten.
BUT HOW CAN WE ASSURE THIRD PARTY CODE…
Almost all software projects use a significant amount of third party code, such as libraries, frameworks, and products. This code is just as important from a security perspective as custom code developed specifically for your project. We believe that the responsibility for ensuring the security of this [external] code is best borne by Developer, although they may not have the full capability themselves to guarantee this security. However, security must be a part of the "build or buy" decision, and this seems like the best way to encourage that.
Developer, of course, has the option of passing this responsibility through to the providers of third party software. Developer can also analyze the third party code themselves, or hire security experts to analyze it for them.
Fix released
Go Live!
Fix applied by
developers
App developers notified
about the problem
Public disclosure
of security vulnerability
in framework
they all do take care of security, don't they?
But is third-party library security explicitly mentioned and properly dealt with?
Risk?
OWASP Secure Software Contract Annex
Maintaining applications
Compliance, procedures...
App Owners
to improve the security?
And what would
YOU do
<Agenda>
Web Application Frameworks
Summary
What are they?
How do they help?
Why are they so common?
To know there is a problem, is the first step to resolve it.
Vulnerabilities
Why are they here?
Some interesting examples.
Fix timelines.
Real life
No Man's Land
Critical applications are written in J2EE with broad help from frameworks, which take care
of most of the crucial security components.
Frameworks are complex pieces of code, not always written to industry standards, and thus prone to errors.
There are many vulnerabilities, from simple XSS to remote code execution.
Dealing with these vulnerabilities may be easily overlooked, or may simply fall beyond the duties of everyone
involved in application maintenance. So the timeline from public disclosure to a production release
of the fixed application may be very long. During this time the application is exposed to a serious risk of attack.
Everyone involved in application maintenance can do something to improve the situation.
But the group best placed to deal with the problem at its roots are the developers.
They have to overcome their limits, though, and perhaps cooperate with security professionals.
Developers
Admins
Pentesters
Application owners
What can we do?
Vulnerabilities in J2EE frameworks
How can we probe for
specific vulnerabilities?
BTW, note that not all vulnerabilities are in CVE, BID or other databases.
Even if they are, sometimes they get there late.
Consult Jira entries on specific vulnerabilities,
search the net...
You can try some Expression Language Injections:
${1+1}
%{1+1}
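A probe helper for the ${...} and %{...} checks above, added here as an example; it is not from the original slides. It generates a multiplication whose product is several digits long, so a hit is more convincing than finding "2" after sending ${1+1}, pushes both syntaxes through a caller-supplied send function, and classifies each response. In a real test send would put the probe into a parameter value and, since the Struts issues in this deck evaluated parameter names, into the name as well. fake_target is a constructed stand-in for a page with an OGNL sink; no real host is contacted.

```python
import random
import re

# Probe templates for the two expression syntaxes named on the slide:
# ${...} (JSP / Unified EL) and %{...} (OGNL in Struts 2).
PROBE_TEMPLATES = ("${%s}", "%%{%s}")


def make_probe(rng=random):
    """Return (payloads, expected_product) for one a*b probe.

    The product has 6-7 digits, so finding it in the response is far less
    likely to be a coincidence than finding '2' after sending ${1+1}.
    """
    a = rng.randint(1000, 9999)
    b = rng.randint(100, 999)
    expr = "%d*%d" % (a, b)
    return [t % expr for t in PROBE_TEMPLATES], str(a * b)


def classify_response(payload, expected, body):
    """'evaluated' if the product appears as a standalone number,
    'reflected' if the literal payload came back, 'silent' otherwise."""
    if re.search(r"(?<!\d)" + re.escape(expected) + r"(?!\d)", body):
        return "evaluated"
    if payload in body:
        return "reflected"
    return "silent"


def probe(send, rng=random):
    """Run both probes through send(payload) -> response body.
    Returns {payload: verdict}."""
    payloads, expected = make_probe(rng)
    return {p: classify_response(p, expected, send(p)) for p in payloads}


def fake_target(payload):
    """Constructed stand-in for a page with an OGNL sink: it evaluates
    %{a*b} and echoes anything else verbatim. Replace with a real HTTP
    call (parameter value *and* parameter name) when testing a target."""
    m = re.fullmatch(r"%\{(\d+)\*(\d+)\}", payload)
    if m:
        return "<h1>Hello %d</h1>" % (int(m.group(1)) * int(m.group(2)))
    return "<h1>Hello %s</h1>" % payload


if __name__ == "__main__":
    for payload, verdict in probe(fake_target, random.Random(2012)).items():
        print(payload, "->", verdict)
```

A "reflected" verdict only says the value was not evaluated at that sink; the same string in a parameter name, a cookie, or an error page may still be. Treat "silent" as inconclusive, not safe.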
Remember to check manually external libraries for known vulnerabilities!
if you have a complete filesystem listing, in some cases it also includes the deployed applications' contents.
Configuration review
Source code analysis
Penetration tests
Try to suggest a whitebox assessment. If that is not possible,
there are some tricks for blackbox:
".do" extension in old Struts 1 applications
.action
!action
How can we know if there is
given framework used?
Their job is to maintain servers
Security: they do upgrade & harden operating system components, web application servers, http servers, database servers...
slawomir.jasek@securing.pl
a web application is just a war/ear bundle to deploy
peeping at the application's entrails is beyond their competence
and the framework code is bundled within the application package, as jar libraries
OWASP Poland Local Chapter Meeting, 18.01.2012, Kraków
ASVS does cover it in L2.2, 3.2...
L2.2 The scope of the verification includes the code for all third-party framework, library, and service security functionality that is invoked by or supports the security of the application. This is a new requirement at Level 2.
Communicate to your client clearly
what is in the scope of the contract.
And in bold communicate what is not.
Scope of the assessment
Admins
J2EE frameworks
in
Vulnerabilities
Pentesters
Why will we focus on J2EE?
Java 2 Enterprise Edition is the most common platform for
high-availability business applications
Why
source: Veracode State of Software Security Report Volume 4, Dec 2011
examples
The chart illustrates software whose owners are willing to pay for static code analysis.
We can safely assume these applications are of high importance.
And most probably it is not just compliance-driven.
jar tvf roller-5.0.0-tomcat.war WEB-INF/lib
0 Sun May 08 15:05:40 CEST 2011 WEB-INF/lib/
118483 Wed Apr 28 23:42:28 CEST 2010 WEB-INF/lib/commons-beanutils-1.6.jar
69300 Wed Apr 28 23:42:44 CEST 2010 WEB-INF/lib/spring-security-core-2.0.5.RELEASE.jar
136446 Wed Apr 28 23:42:22 CEST 2010 WEB-INF/lib/tiles-core-2.1.4.jar
772997 Sun Jan 30 14:06:02 CET 2011 WEB-INF/lib/struts2-core-2.2.1.jar
65261 Wed Apr 28 23:33:10 CEST 2010 WEB-INF/lib/oro-2.0.8.jar
220277 Wed Apr 28 23:36:12 CEST 2010 WEB-INF/lib/rome-1.0.0.jar
4075943 Mon Feb 21 20:17:50 CET 2011 WEB-INF/lib/openjpa-2.0.1.jar
284773 Wed Apr 28 23:43:18 CEST 2010 WEB-INF/lib/xmlsec-1.3.0.jar
144541 Wed Apr 28 23:43:06 CEST 2010 WEB-INF/lib/openxri-client-1.2.0.jar
488282 Wed Apr 28 23:42:36 CEST 2010 WEB-INF/lib/spring-beans-2.5.6.jar
361107 Wed Apr 28 23:43:26 CEST 2010 WEB-INF/lib/openid4java-nodeps-0.9.5.jar
12851 Sun May 08 15:02:58 CEST 2011 WEB-INF/lib/roller-core-5.0.0.jar
34407 Wed Apr 28 23:37:46 CEST 2010 WEB-INF/lib/ws-commons-util-1.0.2.jar
984708 Sun May 08 15:05:32 CEST 2011 WEB-INF/lib/roller-weblogger-web-5.0.0.jar
285491 Wed Apr 28 23:42:40 CEST 2010 WEB-INF/lib/spring-core-2.5.6.jar
31825 Wed Apr 28 23:42:18 CEST 2010 WEB-INF/lib/commons-fileupload-1.1.jar
129775 Wed Apr 28 23:43:20 CEST 2010 WEB-INF/lib/spring-dao-2.0.6.jar
3233439 Wed Apr 28 23:43:06 CEST 2010 WEB-INF/lib/icu4j-3.4.4.jar
are there vulnerabilities
in frameworks
it is not hard - war/ear is just a zip file,
and libraries' versions are in filenames
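The check described above, automated, as an added example that is not part of the original slides: open the war/ear as a zip, pull the artifact name and version out of every WEB-INF/lib/*.jar filename, and compare against a small "fixed in" table. The table contains only fixed versions quoted elsewhere in this deck (Struts 2.0.12, 2.2.1, 2.2.3 and 2.3.1); extend it from the vendors' own advisories. SAMPLE_WAR is constructed in memory with empty jar entries named after the roller-5.0.0-tomcat.war listing. As the deck's own disclaimer says, a flagged jar is a lead to investigate, not proof that the application is exploitable.

```python
import io
import re
import zipfile

# Advisory table built only from fixed versions cited in this deck.
# Anything beyond these four entries must come from the vendor advisories.
KNOWN_FIXES = {
    "struts2-core": [
        ("2.0.12", "S2-003 / CVE-2008-6504 (OGNL # bypass in ParametersInterceptor)"),
        ("2.2.1", "S2-005 / CVE-2010-1870 (OGNL remote code execution)"),
        ("2.2.3", "CVE-2011-1772 (XSS via action name / s:submit attributes)"),
        ("2.3.1", "S2-008 (ParametersInterceptor / CookieInterceptor bypasses)"),
    ],
}

# artifact = everything before the first "-<digit>", version = the rest
JAR_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[^-]*)\.jar$")


def parse_jar_name(filename):
    """'struts2-core-2.2.1.jar' -> ('struts2-core', '2.2.1'); None if no version."""
    m = JAR_RE.match(filename)
    if not m:
        return None
    return m.group("artifact"), m.group("version")


def version_key(version):
    """Numeric prefix of a version as a tuple: '2.0.5.RELEASE' -> (2, 0, 5)."""
    key = []
    for part in version.split("."):
        if not part.isdigit():
            break
        key.append(int(part))
    return tuple(key)


def version_lt(a, b):
    """True if version a sorts before b; short tuples are padded with zeros."""
    ka, kb = version_key(a), version_key(b)
    width = max(len(ka), len(kb))
    ka += (0,) * (width - len(ka))
    kb += (0,) * (width - len(kb))
    return ka < kb


def list_lib_jars(war_bytes):
    """(artifact, version) for every WEB-INF/lib/*.jar inside a war/ear."""
    found = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            if name.startswith("WEB-INF/lib/") and name.endswith(".jar"):
                parsed = parse_jar_name(name.rsplit("/", 1)[1])
                if parsed:
                    found.append(parsed)
    return found


def check_known_fixes(jars, table=KNOWN_FIXES):
    """Flag every bundled jar older than a fixed version in the table."""
    findings = []
    for artifact, version in jars:
        for fixed_in, advisory in table.get(artifact, []):
            if version_lt(version, fixed_in):
                findings.append((artifact, version, fixed_in, advisory))
    return findings


def build_sample_war(jar_names):
    """Constructed stand-in for roller-5.0.0-tomcat.war (empty jar entries)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        for jar in jar_names:
            war.writestr("WEB-INF/lib/" + jar, b"")
    return buf.getvalue()


SAMPLE_WAR = build_sample_war([
    "struts2-core-2.2.1.jar", "spring-security-core-2.0.5.RELEASE.jar",
    "spring-core-2.5.6.jar", "commons-fileupload-1.1.jar",
])

if __name__ == "__main__":
    for f in check_known_fixes(list_lib_jars(SAMPLE_WAR)):
        print("%s %s < %s : %s" % f)
```

Run against a real bundle with list_lib_jars(open("app.war", "rb").read()). Jars repackaged without a version in the filename (shaded or vendor-renamed) are skipped silently, so also inspect META-INF/MANIFEST.MF in anything that comes back unparsed.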
?
XSS
A few popular web application
frameworks
Maybe we could manage security updates just like
any other, system libraries?
complexity
focus on features
Struts
Insecure object
reference
Is it possible to export external libraries from the application bundle into the server environment?
It is partly possible with frameworks that are part of the official EE specification (e.g. JSF).
But in most cases, unfortunately, no.
CVE-2005-3745
Cross-site scripting (XSS) vulnerability in Apache Struts 1.2.7, and possibly other versions
CVE-2006-1548
Cross-site scripting (XSS) vulnerability in (1) LookupDispatchAction and possibly (2) DispatchAction and (3) ActionDispatcher in Apache Software Foundation (ASF) Struts before 1.2.9 allows remote attackers to inject arbitrary web script or HTML via the parameter name, which is not filtered in the resulting error message.
CVE-2008-2025
Cross-site scripting (XSS) vulnerability in Apache Struts.
CVE-2008-6682
Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.
The issue was finally resolved only in 2010 (we will cover it later on).
CVE-2011-1772
Multiple cross-site scripting (XSS) vulnerabilities in XWork in Apache Struts 2.x before 2.2.3, and OpenSymphony XWork in OpenSymphony WebWork, allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) an action name, (2) the action attribute of an s:submit element, or (3) the method attribute of an s:submit element.
CVE-2011-2087
Multiple cross-site scripting (XSS) vulnerabilities in component handlers in the javatemplates (aka Java Templates) plugin in Apache Struts
developers & procedures
not always strictly security-minded
closed internal structure
Directory traversal
DoS
They do a lot of "dirty work"
for the programmers.
They have to be complex.
CVE-2011-1368
Summary: The JavaServer Faces (JSF) application functionality in IBM WebSphere Application Server 8.x before 8.0.0.1 does not properly handle requests, which allows remote attackers to read unspecified files via unknown vectors.
Struts, BID 32104 (no CVE), 2008
FilterDispatcher (in 2.0) and DefaultStaticContentLoader (in 2.1) have a security vulnerability that allows an attacker to traverse the directory structure and download files outside the "static" content folder, using double-encoded urls and relative paths, like:
http://localhost:8080/struts2-blank-2.0.11.1/struts..
http://localhost:8080/struts2-blank-2.0.11.1/struts/..%252f
http://exampletomcat.com:8080/struts2-blank-2.0.11.1/struts/..%252f..%252f..%252fWEB-INF/classess/example/Login.class/
https://issues.apache.org/jira/browse/WW-2779
backward compatibility
Struts cancel
CVE-2006-1546
The Struts <html:cancel> tag sets a request parameter (org.apache.struts.taglib.html.Constants.CANCEL) which causes validation to be skipped.
Spoofing this request parameter however, could be used maliciously in order to circumvent an applications validation.
What is a framework?
simply adding the parameter
org.apache.struts.taglib.html.Constants.CANCEL=true
turned off the whole validation ;)
Struts action
The default behaviour allows executing methods which were
not meant to be public
http://localhost:8080/mywebapp/recoverpassword!getUserPassword.action
More info:
http://www.brucephillips.name/blog/index.cfm/2011/2/19/Struts-2-Security-Vulnerability--Dynamic-Method-Invocation
Similar problem with Session
http://www.example.com/SomeAction.action?session.somekey=someValue
https://issues.apache.org/jira/browse/WW-2264
https://issues.apache.org/jira/browse/WW-3631
"XML Bomb"
Example: Struts < 1.2.9
It is rather a misconfiguration problem, but it is mentioned
here because it is very common.
In fact, 100% of tested applications which included some
XML parsing of user-supplied data were vulnerable.
The core problem is XML nested entity processing, which
a user can trigger to consume CPU power exponentially.
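The arithmetic behind the "exponential" claim above, as an added example that is not from the original slides: a pre-parse estimator that reads the internal general entities declared in the DOCTYPE and computes how large the body becomes after expansion, without ever building that text. billion_laughs() constructs the classic nested-entity document (the depth and fan-out are parameters, not values from the deck); BENIGN and RECURSIVE are constructed test inputs. It covers only internal entities declared with double quotes; parameter and external entities are out of scope. The real fix is in parser configuration (refusing DOCTYPE declarations or capping expansion), which differs per parser; this helper shows what such a cap must measure.

```python
import re

ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
ENTITY_REF = re.compile(r"&(\w+);")


def declared_entities(doc):
    """Internal general entities from the DOCTYPE internal subset: name -> text.
    Parameter entities (%name;) and external/SYSTEM entities are not handled."""
    head, _, _ = doc.partition("]>")
    return dict(ENTITY_DECL.findall(head))


def expanded_length(name, entities, memo, stack=()):
    """Length of &name; after full expansion, computed without building it.
    memo keeps this linear in the number of declarations, not exponential."""
    if name in memo:
        return memo[name]
    if name in stack:
        raise ValueError("recursive entity reference: " + name)
    text = entities.get(name)
    if text is None:
        # Undeclared or predefined (&amp; ...): count its literal length
        return len(name) + 2
    total = len(ENTITY_REF.sub("", text))
    for ref in ENTITY_REF.findall(text):
        total += expanded_length(ref, entities, memo, stack + (name,))
    memo[name] = total
    return total


def expanded_body_size(doc):
    """Size of the document body once every entity reference is expanded."""
    entities = declared_entities(doc)
    body = doc.partition("]>")[2] if "]>" in doc else doc
    memo = {}
    total = len(ENTITY_REF.sub("", body))
    for ref in ENTITY_REF.findall(body):
        total += expanded_length(ref, entities, memo)
    return total


def is_safe_to_parse(doc, limit=1_000_000):
    """False if expansion exceeds limit or entities reference each other in a loop."""
    try:
        return expanded_body_size(doc) <= limit
    except ValueError:
        return False


def billion_laughs(depth=9, fanout=10):
    """Constructed 'billion laughs' document: lolN = fanout copies of lolN-1."""
    decls = ['<!ENTITY lol "lol">']
    for i in range(1, depth + 1):
        prev = "lol" if i == 1 else "lol%d" % (i - 1)
        decls.append('<!ENTITY lol%d "%s">' % (i, ("&%s;" % prev) * fanout))
    return ('<?xml version="1.0"?><!DOCTYPE lolz [' + "".join(decls)
            + ']><lolz>&lol%d;</lolz>' % depth)


BENIGN = '<?xml version="1.0"?><!DOCTYPE a [<!ENTITY co "SecuRing">]><a>&co; &co;</a>'
RECURSIVE = '<!DOCTYPE a [<!ENTITY x "&y;"><!ENTITY y "&x;">]><a>&x;</a>'

if __name__ == "__main__":
    doc = billion_laughs()
    print(len(doc), "bytes on the wire ->", expanded_body_size(doc), "bytes expanded")
```

The document is under a kilobyte on the wire but expands to roughly three gigabytes, which is why a single request is enough: the parser does the multiplication for the attacker.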
CVE-2006-1547
Very old (2006), but still "in the wild".
A single multipart POST will crash the entire application.
After that it renders 500 Internal Server Error for all subsequent requests.
Frameworks are just pieces of software,
but a bit more complex, and thus more susceptible to errors
A framework is a library of classes and files that solves a set of well-known and commonly occurring problems.
EL injection
Improper cryptography
Spring
Struts
JBoss Seam
...
Example - Struts CVE-2007-4556
Full PWND
check out more features of OGNL
http://commons.apache.org/ognl/language-guide.html
But expression languages like OGNL, evaluated where nobody expected it,
are the root cause of many vulnerabilities.
"Having any sort of custom expression language in a web framework is always a sign of potential vulnerabilities (...), since framework developers will try to add support for that expression language to various components, and some of those components may in turn handle user-controlled inputs without developers realizing it."
http://blog.o0o.nu/2010/07/cve-2010-1871-jboss-seam-framework.html
CVE-2010-4007
Oracle Mojarra (Java Server Faces implementation) uses an encrypted View State without a Message Authentication Code (MAC), which makes it easier for remote attackers to perform successful modifications of the View State via a padding oracle attack.
more info:
http://www.mindedsecurity.com/fileshare/ExpressionLanguageInjection.pdf
Struts - remote code execution
More will follow.
Security misconfiguration
Also vulnerable:
very similar problems
Spring Framework
CVE-2010-1622, Jun 2010
CVE-2011-2894, Sep 2011
http://www.springsource.com/security/cve-2010-1622
http://www.springsource.com/security/cve-2011-2894
JBoss Seam Framework
CVE-2010-1871, Jul 2010
http://blog.o0o.nu/2010/07/cve-2010-1871-jboss-seam-framework.html
There are many features in frameworks
that allow developers to restrict user-controlled data
by proper configuration.
But the defaults are seldom touched.
framework = framing construction for the application
Many critical vulnerabilities could be avoided
with a little hardening: for example, the
Struts remote execution bugs could not be exploited
if the special configuration parameter excludeParams
were set (default: empty).
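The two gates this deck keeps coming back to, the acceptedParamNames character whitelist and excludeParams, modelled side by side as an added example (not code from Struts or from the original slides). The regex is the one quoted on the "whitelist for allowed chars" slide, converted from a Java string literal to a Python raw pattern; the excludeParams patterns are an assumption made for this example, since the deck only says the default is empty. The attack parameter names are the ones quoted in the deck's Jira and CVE excerpts. The point it makes is the deck's own: a character whitelist stops the '\u0023' and @System@ tricks but lets every plain property chain through, which is why excludeParams has to be set as well.

```python
import re

# acceptedParamNames as quoted in this deck (Java: "[a-zA-Z0-9\\.\\]\\[\\(\\)_'\\s]+")
ACCEPTED_PARAM_NAMES = re.compile(r"[a-zA-Z0-9\.\]\[\(\)_'\s]+")

# excludeParams is empty by default; these patterns are an assumption for the
# example, not a Struts default. Each one is matched from the start of the name.
EXAMPLE_EXCLUDE_PARAMS = [re.compile(p) for p in
                          (r"^class\..*", r"^session\..*", r"^request\..*")]

# Parameter names quoted in this deck, with the advisory / ticket they come from
ATTACK_NAMES = [
    "('\\u0023' + 'session[\\'user\\']')(unused)",   # CVE-2008-6504, XW-641
    "@System@exit(1)",                                 # WW-434
    "class.classLoader.somethingScary()",              # WW-434
    "session.somekey",                                 # WW-3631
    "multipartRequestHandler.servlet.servletContext"
    ".attribute(org.apache.struts.action.MODULE)",     # CVE-2006-1547
    "org.apache.struts.taglib.html.Constants.CANCEL",  # CVE-2006-1546
]


def accepted_by_whitelist(name):
    """Gate 1: every character of the name must be in the allowed set."""
    return ACCEPTED_PARAM_NAMES.fullmatch(name) is not None


def excluded(name, exclude_params):
    """Gate 2: the name must not match any excludeParams pattern."""
    return any(p.match(name) for p in exclude_params)


def parameter_allowed(name, exclude_params=()):
    """True if the name would reach the value stack under both gates."""
    return accepted_by_whitelist(name) and not excluded(name, exclude_params)


def triage(names, exclude_params=()):
    """{name: allowed?} for a list of parameter names."""
    return {n: parameter_allowed(n, exclude_params) for n in names}


if __name__ == "__main__":
    print("whitelist only / whitelist + excludeParams")
    for n in ATTACK_NAMES:
        print(parameter_allowed(n), parameter_allowed(n, EXAMPLE_EXCLUDE_PARAMS), n)
```

Two of the six names fail the character whitelist; the other four are ordinary dotted property paths and pass it, and only the patterns in excludeParams decide whether class.* and session.* reach the stack. The multipartRequestHandler and CANCEL names (Struts 1 issues) pass both gates as written, which is the general lesson: an allowlist of characters says nothing about which objects a syntactically clean name is allowed to reach.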
JBoss Seam
To my best knowledge, tools do not have any built-in database of known external libraries' security.
And code review usually does not cover external sources.
Broad topic for another presentation:
struts.xml validators
Disclaimer: a vulnerable version included in WEB-INF/lib does not necessarily mean the app is also vulnerable.
many others...
Fix timelines
During penetration test from the outside we do not see internal application structure
Configuration review usually does not cover libraries bundled in application
Example 1 - remote code execution
Benefits
Fix #4
Fix #5
Fix #1
Fix #2,3
OpenSymphony WebWork
anyone?
Source code analysis
Configuration review
Jun-Oct 2008
bypass security measures in
ParameterInterceptor
Jul 2010
Dec 2011
Ouch, there is more...
The fix was not sufficient.
Clearing stack disallowed access to many context variables. But there were others
08 Jun 2008
CVE-2008-6504
7 Jan 2004
18 Dec 2003
Hello XWork developers,
I believe I've discovered a vulnerability that allows attackers to bypass security measures
implemented in ParametersInterceptor. OGNL is a pretty complex language and provides a lot of features,
so, for example, using expression evaluation
(http://www.ognl.org/2.6.9/Documentation/html/LanguageGuide/expressionEvaluation.html)
it is possible to bypass the '#' protection and modify objects in the context.
So, for instance, to set #session.user to '0wn3d' the following parameter name can be used:
('\u0023' + 'session[\'user\']')(unused)=0wn3d
which will look as follows once URL encoded:
('\u0023'%20%2b%20'session[\'user\']')(unused)=0wn3d
It turned out that the problem concerns not only ParametersInterceptor, but also CookieInterceptor, DebuggingInterceptor, and ExceptionDelegator ;)
Same patch - whitelist of allowed chars in cookie names.
Additionally, it turned out that ParametersInterceptor allowed arbitrary files to be overwritten, because an attacker could still access public constructors with a single parameter of type String.
25 Dec 2011 - Struts 2.3.1 released
Security Bulletin: http://struts.apache.org/2.x/docs/s2-008.html
Bug entered in Jira
"Patrick says he has fixed this"
http://jira.opensymphony.com/browse/XW-641
Struts does not properly restrict # (pound sign) references to context objects, which allows remote attackers to execute Object-Graph Navigation Language (OGNL) statements and modify server-side context objects, as demonstrated by use of a \u0023 representation for the # character.
The single most important
business reason to use framework
http://jira.opensymphony.com/browse/WW-434
"When setting a parameter, methods should not be invoked. This is necessary to prevent parameter names such as:
* @System@exit(1)
* class.classLoader.somethingScary() "
https://issues.apache.org/jira/browse/WW-3470
http://struts.apache.org/2.x/docs/s2-005.html
http://www.exploit-db.com/exploits/14360/
http://jira.opensymphony.com/browse/WW-434
Ooops... the parameter names are evaluated as Java.
What it actually means is: remote code execution,
for example: @System@execute('shell cmd')
14 Oct 2008 - Xwork 2.0.6, Struts 2.0.12
[few months discussion on how to fix the vulnerability
without breaking OGNL features]
BUT: there are still cases where the whitelist mechanism does not prevent the context from being manipulated, thus XWork 2.0.5 and Struts 2.0.11.2 DO NOT FIX THE ISSUE SATISFACTORILY.
22 Jun 2008 - Xwork 2.0.5,
Struts 2.0.11.2; security bulletin
fixed - value stack clearing
updated security bulletin
cast:
http://jira.opensymphony.com/browse/XW-641
https://issues.apache.org/jira/browse/WW-2692
http://struts.apache.org/2.x/docs/s2-003.html
Penetration tests
TIME = MONEY
Most popular frameworks
Imagine an intruder having "root" on your
server from the Internet - by a single crafted URL.
Isn't it worth checking the application's "entrails" to avoid that?
You can develop function rich applications much more quickly
Applications follow many best practices that make them maintainable
Example 2 - XSS
http://www.veracode.com/blog/2011/12/about-veracodes-december-platform-release/
Mar 2010
Jan - Feb 2008
Ouch, they can use <sCript>, not just <script>!!!
XSS discovery & fix
you could list application external dependencies
and check for relevant security advisories
But maybe in your free time ;)
implemented fix for S2-002 only checks for "<script>",
not "<sCript>"
https://issues.apache.org/jira/browse/WW-3410
--- struts/struts2/trunk/core/src/main/java/org/apache/struts2/views/util/UrlHelper.java 2008/01/24 07:37:32 614813
+++ struts/struts2/trunk/core/src/main/java/org/apache/struts2/views/util/UrlHelper.java 2008/01/24 07:39:45 614814
@@ -174,10 +174,14 @@
buildParametersString(params, link, "&");
}
- String result;
-
+ String result = link.toString();
+
+ if (result.indexOf("<script>") >= 0){
+ result = result.replaceAll("<script>", "script");
+ }
+
try {
- result = encodeResult ? response.encodeURL(link.toString()) : link.toString();
+ result = encodeResult ? response.encodeURL(result) : result;
} catch (Exception ex) {
// Could not encode the URL for some reason
// Use it unchanged
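Review bot: the new check in the middle of the hunk, `if (result.indexOf("<script>") >= 0)` followed by `result.replaceAll("<script>", "script")`, is a case-sensitive match on one literal token, so `<sCript>`, `<script >`, or any payload that never contains that exact tag (an attribute breakout with a quote character, an on* handler, a javascript: URL) passes through untouched; the follow-up report on the same tag (WW-3410) is exactly this. Stripping the token is also the wrong shape of fix: the parameter names and values should be encoded individually where the URL is built, as the later `translateAndEncode(name)` change does, instead of searching the assembled string for one pattern after the fact.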
Final fix:
- builder.append(name);
+ builder.append(translateAndEncode(name));
Veracode promised to publish soon more detailed statistics, stay tuned.
SecuRing assessed web application statistics:
the #1 most popular J2EE web application framework is Struts.
https://issues.apache.org/jira/browse/WW-2414
https://issues.apache.org/jira/browse/WW-2427
For both the <s:url> and the <s:a> tag, it is possible to inject parameter values that do not get escaped properly when the tag's resulting URLs are constructed and rendered.
Security Bulletin
http://struts.apache.org/2.x/docs/s2-002.html
"<script> tokens do get recursively escaped"
Please upgrade to Struts-2.0.11.1
Real world examples
Take an application whose development started some years ago, and you can be nearly 100% sure that it is based on Struts.
That's why most of the vulnerabilities I will be talking about later on concern Struts.
and dealing with the problem
a few dozen applications
I have tested, but can't name here - NDA, sorry ;)
Apache
J2EE blog application
blog.usa.gov blogs.oracle.com
blogs.apache.org IBM developerworks...
Developers often delegate the most crucial security components to the framework
roller-4.0.1, released Feb 2009
contains Struts 2.0.9 & Xwork-2.0.4
with remote code execution vulnerability known since 2008
Does White House know about this?
next release: roller-5.0.0, May 2011
most up-to-date version as of today
Now they surely do,
they've got the Echelon, anyway
Struts 2.2.1 (also a few critical bugs)
Spring 2.5.6
Spring Security 2.0.5 - 2 serious vulnerabilities Sep 2011
But what about the others?
vCenter Orchestrator; Alive Enterprise
VMware vCenter Orchestrator is an application to automate management tasks. Alive Enterprise is an application to monitor processes
Disclaimers:
I DID NOT confirm any vulnerabilities in Apache Roller.
I have asked for clarification on roller-dev mailing list, and as of today the question was not answered.
Vulnerable versions of used libraries DOES NOT necessarily mean there are vulnerabilities in application.
Besides, the Roller developers do care about upgrading libraries:
https://issues.apache.org/jira/browse/ROL-1840
What do the Roller developers say?
I have asked about this problem on roller-dev mailing list.
"It's possible that those library vulnerabilities could be exploited, but I can't be sure without further investigation. The safest thing to do is probably to switch out those libraries for the newer security-fixed versions. I'll check to see if that can be done fairly easily.
I'm not aware of a relevant security procedure, but I'll do some research and see if there is a policy or procedure that we should be following."
Vulnerable to Struts remote code execution (CVE-2010-1870).
Vulnerability details published Jul 2010.
Advisory released Mar 2011 (8 months later):
VMSA-2011-0005 VMware vCenter Orchestrator remote code execution vulnerability
"VMware would like to thank the Vulnerability Research Team of Digital Defense, Inc. for reporting this issue to us."
How long would it take if nobody told them?
And BTW, the first release of advisory did not mention Alive Enterprise, just vCenter Orchestrator. It took them another month to discover it ;)
And when will they address the Dec 2011 critical Struts vulnerabilities?
Initial release (2011-03-14)
http://lists.vmware.com/pipermail/security-announce/2011/000129.html
Update (2011-04-12)
http://lists.vmware.com/pipermail/security-announce/2011/000132.html
Crucible, Fisheye, Confluence...
not to mention Jira
Today, all of LinkedIn’s applications use Spring as the foundation, and Spring is fully
integrated into the company’s development life cycle. Spring components used by LinkedIn include Spring Core, Spring IoC and Spring MVC.
In 2010, they were first to fix a serious vulnerability in Struts, and worked together on the problem with Struts developers.
They have released fixed versions of their products months prior the official release of fixed Struts library.
LinkedIn engages SpringSource, the company behind Spring, for technical support. This is an advantage for LinkedIn because the leading contributors to Spring are now on staff at SpringSource. In fact, 97% of Spring code has been written by employees of SpringSource. “If we have a problem, we can just open a ticket and get a response quickly,” Pujante relates. “All the employees at SpringSource are really smart and know what they are talking about.
They have dug really deep into the issues, they understand our problems, and they solve them.”
http://www.springsource.com/files/uploads/all/pdf_files/customer/S2_CaseStudy_LinkedIn_USLET_EN.pdf
Developers
focused on their own code
Developers are probably the group best placed to
deal with security vulnerabilities in external libraries.
After all, they use frameworks to simplify development
and to forget about the "boring" problems.
But don't they trust frameworks too much?
reluctant to upgrade external dependencies
this can be a very resource-consuming task
API changes between framework versions
sometimes they have to rewrite a lot of application code
I saw real-life scenarios with a developer's own fork of the framework, written for a particular application
The absolute minimum is monitoring the relevant security advisories. There should be a procedure for that.
But it would be advisable to have someone security-minded on the team, or to consult one.
Responsibility for finished deals.
Maybe it would be worth having commercial support for the most crucial libraries?
I personally did not encounter any developer procedure for monitoring external libs' security
From my personal experience:
developers, asked about a certain known vulnerability, will state that the problem does not concern their code, until presented with a proof-of-concept exploit working in black and white against their application.
It does not necessarily mean bad intentions. They may just lack the proper resources and knowledge.