A vulnerability researcher at Digital Defense, Inc.

A vulnerability researcher at Digital Defense, Inc.

  • Write explicit checks for vulnerabilities for DDI's proprietary vulnerability scanner
  • Data mine for common configurations and applications
  • Education – Massachusetts Institute of Technology
      • Bachelor of Science in Computer Science and Engineering, 2005
      • Master of Engineering in Computer Science and Electrical Engineering, 2008
  • Digital Defense, Inc – vulnerability assessment and penetration testing
      • http://www.ddifrontline.com/


Some recently disclosed vulnerabilities

  • Some recently disclosed vulnerabilities
  • How some vendors were affected by these vulnerabilities
  • A little bit about how to deal with this problem



You're probably thinking “I'm among the best software developers in the industry, why do I need to care about vulnerable frameworks?”

  • Odds are good that you are using a framework
      • Java – Struts, Hibernate
      • Microsoft .Net
      • Ruby – Rails, Merb, Ramaze
      • Python – Django, Twisted, web.py
  • Have you audited your framework?


Framework - “A framework is a set of cooperating classes that make up a reusable design for a specific class of software [Deu89,JF88]” - p.26 Design Patterns by Gamma, Helm, Johnson, Vlissides (GoF)



For those unfamiliar with VMware

  • One of the most popular computer virtualization companies
  • vCO (vCenter Orchestrator) is software which lets system administrators automate tasks







What are Struts2 and OGNL, and how do they fit together?

  • Struts2 is a framework for building Java web applications using the Model-View-Controller (MVC) architecture
  • Object-Graph Navigation Language (OGNL) is a language for getting and setting the properties of Java objects
  • Struts2 treats HTTP parameters as OGNL expressions




OGNL refers to variables by using a '#' prefix

  • Additionally, there are predefined context variables such as #session, #context...



1. Meder found that the ParametersInterceptor module, which performs the transformation from GET variables to Java, does not escape '#' properly when it is provided as the unicode string value '\u0023'.

2. He investigated further and found two key values:

      • #context – OgnlContext – this has a property called 'xwork.MethodAccessor.denyMethodExecution' which denies method execution
      • #_memberAccess – SecurityMemberAccess, contains a field called 'allowStaticAccess' which prevents static method execution
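To make the '#' prefix and the '\u0023' escaping problem concrete, here is an added Python example (it is not code from the talk, from Struts2 or from XWork). It contrasts a raw-character blacklist for parameter names with a whitelist that only accepts plain property paths. The blacklisted character set, the whitelist pattern and the sample parameter names are assumptions constructed for illustration; the point it shows is that a name carrying '\u0023' contains no '#' until an escape-decoding evaluator looks at it, so a check on the raw characters passes it while the whitelist does not.

```python
import re

# Characters a blacklist-style check refuses to see in a raw parameter name.
# This models the bypassable approach described in the talk; the exact set is
# an assumption for illustration.
BLACKLISTED_CHARS = set("#=,:")

# Hardened alternative: accept only a plain property path (identifiers joined
# by dots, numeric indexes in brackets). Backslash and quote characters are
# not in the set, so an escape such as \u0023 cannot be smuggled through to
# the expression evaluator. Assumed pattern, not the framework's own regex.
ACCEPTED_NAME = re.compile(
    r"[A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z_][A-Za-z0-9_]*|\[[0-9]+\])*"
)

# Java-style \uXXXX escapes inside a string literal, which an expression
# language decodes before it looks at the characters.
UNICODE_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})")


def blacklist_accepts(name: str) -> bool:
    """Weak check: inspects only the raw characters of the parameter name."""
    return not any(ch in BLACKLISTED_CHARS for ch in name)


def whitelist_accepts(name: str) -> bool:
    """Hardened check: the whole name must be a simple property path."""
    return ACCEPTED_NAME.fullmatch(name) is not None


def evaluator_view(name: str) -> str:
    """The name as an escape-decoding evaluator would see it. Used here to
    show why a raw-character blacklist misses '\\u0023': the '#' only appears
    after decoding, one step later than the check runs."""
    return UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), name)


def classify(name: str) -> dict:
    """Compare both checks on one parameter name and report the decoded form."""
    decoded = evaluator_view(name)
    return {
        "blacklist_accepts": blacklist_accepts(name),
        "whitelist_accepts": whitelist_accepts(name),
        "decoded": decoded,
        # The dangerous case: the raw name passed the blacklist but the
        # evaluator would see a '#' context-variable reference.
        "blacklist_bypassed": blacklist_accepts(name) and "#" in decoded,
    }


# Constructed sample names: a legitimate property path, an obvious context
# reference, and the same reference written with a \u0023 escape.
SAMPLES = ["user.address.city", "#session.user", "'\\u0023session'.user"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, classify(sample))
```

Running the block prints one dictionary per sample: the plain property path passes both checks, the literal '#' name fails both, and the escaped form passes the blacklist, fails the whitelist and decodes to a '#' reference, which is the gap the one-line Struts fix closed by moving to a whitelist of accepted names.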


It's easy to see where this is going...




May 31 - email to security@struts.apache.org with vulnerability report.

  • June 4th - no response received, contacted developers again.
  • June 5th - had to find an XWork developer on IRC to look at this.
  • June 16th - Atlassian fixes vulnerability in its products. Atlassian and Struts developers worked together in coming up with the fix.
  • June 20th - 1-line fix committed
  • June 29th - Struts 2.2.0 release voting process started and is still going...



I wasn't hopeful when I saw the vCO error...

  • (curl -0 vco:8282/auth/Login.action -H "Accept:")





Notified the vendor

  • Was patched within a month
      • http://www.vmware.com/security/advisories/VMSA-2011-0005.html
      • VMSA-2011-0005 - VMware vCenter Orchestrator remote code execution vulnerability
      • VMSA-2011-0005.1 - VMware vCenter Orchestrator and Alive Enterprise remote code execution vulnerability


If the VMware developers had been monitoring the mailing lists for the frameworks they had built vCO on, they could have patched by August 2010

  • Maybe you and I as developers should do our part by joining these mailing lists
  • Be wary of the points where technologies meet
      • Higher likelihood of error
      • In this case, the attacker gains control of the system




SAP – The Best-Run Businesses Run SAP

  • They sell a lot of software... and it's a lot of complex software
  • People have been auditing SAP for a while
      • Onapsis – Focus on “business-critical” systems (SAP, PeopleSoft)
      • ProCheckUp – Artificial Intelligence based Penetration Testing
          • “SAP BusinessObjects” by Richard Brain (2009)
      • Rapid7 – Vulnerability Assessment Company with Exploit Toolkit
          • “Hacking SAP Business Objects” by Joshua 'Jabra' Abraham and Willis Vandevanter (2010)


ProCheckUp and Rapid7 highlight the Web Services aspect of BusinessObjects Business Intelligence (BI)

  • BusinessObjects BI has web services built using Apache Axis2
      • This is a framework that assists in the development of web services (think WSDL and SOAP)
  • This is not part of a default BusinessObjects installation, but when enabled it gives access to the Axis2 console
      • Side note: the Axis2 console comes configured with the default credentials of 'admin:axis2'


I'm familiar with Axis2

  • Enterprises run Axis2 *everywhere*
  • 13000+ triggers since last June
  • Axis2 has a patched, but serious, information disclosure [AXIS2-4279]



Wolfram Kluge reported this issue to the Apache Axis2 team

  • https://issues.apache.org/jira/browse/AXIS2-4279
  • Timeline
      • Issue logged on March 21, 2009
      • First patch on March 24, 2009
      • Marked resolved on January 4, 2010
          • Moved from nightly to stable
  • A CVE does not exist for this flaw yet



Vulnerability Details

  • Go to http://vulnerable_host/axis2/services/listServices
  • Select any of the deployed services
  • Submit something like: http://vulnerable_host/axis2/services/Version?xsd=../conf/axis2.xml




The ProCheckUp paper pointed out that the Axis2 services can be found on the paths '/dswsbobje/axis2-admin' and '/BusinessProcessBI/axis2-web'

  • I thought that surely after these audits, the xsd vulnerability must be patched
  • Wrote the vulnerability check...
      • Triggered 8000+ times since last July
      • Big uptick after adding the two SAP-specific paths


Notified the vendor

  • SAP confirmed the information disclosure... they haven't notified me of a solution yet



Just like vCO: even though the framework has a published patch, many deployments are still unpatched and vulnerable

  • Even after audits by two entities, the vulnerability remained
      • Don't expect an audit or penetration test to find everything
  • The Axis2 xsd traversal doesn't have a CVE!
      • Don't expect everything to have a CVE
      • This is where unauthenticated vulnerability scanning is helpful


Some of my favorites

  • CVE-2009-1523 – Mortbay Jetty Servlet Directory Traversal
      • /vci/downloads/health.xml/%3F/../../../../../../../../../boot.ini
      • Learned this from Claudio Criscione's Ekoparty 2010 presentation
      • 1500 triggers since November 2010
  • CVE-2008-2938 – Apache Tomcat 5 and 6
      • Flaw is in the underlying Java Virtual Machine
      • http://vulnerable/servlet/%c0%ae/WEB-INF/web.xml
      • 6000+ triggers since January 2011
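As an added example covering both the Axis2 xsd traversal described earlier and the Jetty and Tomcat favorites above, this Python access-log scanner (not code from the talk, from Apache, or from DDI's scanner) canonicalises request targets the way a lenient server would, undoing double percent-encoding and the overlong UTF-8 byte forms behind CVE-2008-2938, and then flags any '..' path or query segment. A request that needed an overlong sequence rewritten is flagged on its own, because no legitimate client emits invalid UTF-8. The log lines, the overlong-byte table and the request-line regex are constructed for the example.

```python
import re
from typing import List, Tuple
from urllib.parse import unquote_to_bytes

# Overlong UTF-8 encodings of ASCII path characters (constructed table). A
# strict decoder rejects them; the lenient JVM decoding behind CVE-2008-2938
# treated %c0%ae as '.', which is why it slipped past Tomcat's path checks.
OVERLONG = {b"\xc0\xae": b".", b"\xc0\xaf": b"/", b"\xc1\x9c": b"\\"}

# Request field of a combined-format access log line: "GET /target HTTP/1.1"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) HTTP/\d\.\d"')

# Anything that ends a path or query-value segment, so that "xsd=../conf"
# and "/%3F/../" both expose a bare ".." segment after decoding.
SEGMENT_SEPARATORS = re.compile(r"[/\\?=&;]")


def canonicalise(target: str) -> Tuple[str, bool]:
    """Return the request target as a lenient server would resolve it and
    whether any overlong UTF-8 sequence had to be rewritten on the way.
    Percent-decoding runs twice so double-encoded input (%252e) is undone."""
    data = target.encode("latin-1", "replace")
    for _ in range(2):
        data = unquote_to_bytes(data)
    had_overlong = False
    for bad, good in OVERLONG.items():
        if bad in data:
            had_overlong = True
            data = data.replace(bad, good)
    # latin-1 maps every byte to one character, so nothing is lost here.
    return data.decode("latin-1"), had_overlong


def traversal_reasons(target: str) -> List[str]:
    """List the indicators found in one request target (empty if clean)."""
    canonical, had_overlong = canonicalise(target)
    reasons = []
    if had_overlong:
        reasons.append("overlong-utf8")
    if ".." in SEGMENT_SEPARATORS.split(canonical):
        reasons.append("dot-dot-segment")
    return reasons


def scan_log(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (request target, reasons) for every flagged access-log line."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        reasons = traversal_reasons(match.group(1))
        if reasons:
            hits.append((match.group(1), reasons))
    return hits


# Constructed sample log: a benign xsd fetch, the Axis2 xsd traversal shape,
# the Jetty %3F shape, the Tomcat overlong-dot shape, and a plain page hit.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Mar/2011:10:15:02 +0000] "GET /axis2/services/Version?xsd=Version.xsd HTTP/1.1" 200 812',
    '10.0.0.5 - - [11/Mar/2011:10:15:09 +0000] "GET /axis2/services/Version?xsd=../conf/axis2.xml HTTP/1.1" 200 4120',
    '10.0.0.7 - - [11/Mar/2011:10:16:41 +0000] "GET /vci/downloads/health.xml/%3F/../../../../boot.ini HTTP/1.1" 200 298',
    '10.0.0.9 - - [11/Mar/2011:10:17:03 +0000] "GET /servlet/%c0%ae%c0%ae/WEB-INF/web.xml HTTP/1.1" 200 1544',
    '10.0.0.9 - - [11/Mar/2011:10:17:30 +0000] "GET /index.html HTTP/1.1" 200 2001',
]

if __name__ == "__main__":
    for target, reasons in scan_log(SAMPLE_LOG):
        print(f"{target}  ->  {', '.join(reasons)}")
```

The same canonicalise-then-check order is what a server-side fix needs: decode fully, normalise, and only then compare the resolved path against the directory it is allowed to serve from, rather than matching '..' on the raw string.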




It's difficult to keep up with all of these vulnerabilities

  • As developers, if we use a framework in our product:
      • 1. Register on the developer's list
      • 2. Encourage people to join your developer list
  • As system administrators:
      • 1. Do the same
      • 2. Check your vendor's website to see if they perform updates on underlying components
          • E.g. Avaya rebrands many CVEs as Avaya Security Advisories (ASAs)


Erich Gamma, Richard Helm, Ralph Johnson, and John Vlissides. Design Patterns: Elements of Reusable Object-Oriented Software. Addison-Wesley, Boston, MA, 2002.

  • Citations from the “Design Patterns” quotation:
      • [Deu89] L. Peter Deutsch. Design reuse and frameworks in the Smalltalk-80 system. In Ted J. Biggerstaff and Alan J. Perlis, editors, Software Reusability, Volume II: Applications and Experience, pages 57-71. Addison-Wesley, Reading, MA, 1989.
      • [JF88] Ralph E. Johnson and Brian Foote. Designing reusable classes. Journal of Object-Oriented Programming, 1(2):22-35, June/July 1988.




