Room for Escape: Scribbling Outside the Lines of Template Security
Conference: Defcon 28
2020-08-01
Summary
The presentation discusses the security vulnerabilities found in content management systems and template engines, and the need for security testing and reduction of attack surface.
- 30 new vulnerabilities were found and reported to the vendors
- 20 different products are affected
- Content management systems should be on the radar of red teams
- Template for dynamic content that can be managed by user is the main target in such systems
- Specific areas with higher risk from security point of view should be reviewed and tested
- Reduce attack surface as much as possible
Abstract
Now more than ever, digital communication and collaboration are essential to the modern human experience. Shared digital content is everywhere and Content Management Systems (CMS) play a crucial role allowing users to design, create, modify and visualize dynamic content. In our research we discovered multiple ways to achieve Remote Code Execution (RCE) on CMS platforms through which an attacker can take full control of the resources your organization relies on.
Using a Microsoft SharePoint server as our main CMS attack surface, we combined flaws in its implementation and design with framework and language specific features to find six unique RCE vulnerabilities. In addition, we discovered ways to escape template sandboxes of the most popular Java Template engines and achieved RCE in many products including: Atlassian Confluence, Alfresco, Liferay, Crafter CMS, XWiki, Apache OfBiz, and more.
We will analyze how these products and frameworks implement security controls and review the various techniques that we used to bypass them. We will describe all the vulnerabilities we uncovered in detail and show working demos of the most interesting attacks. Finally, we will present our general review methodologies for systems with dynamic content templates and provide practical recommendations to better protect them.
Materials:
Tags: