Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Tag Archives: defcon

[Defcon] Exploiting WebSphere Application Server’s JSP Engine

Exploiting WebSphere Application Server’s JSP Engine – Ed Schaller

Note: Apologies for the notes…. Ed talks REALLY fast!

WebSphere Application Server

IBM’s JEE Application Server

One of the top 3

Not cheap –> free trial available

Common Network Architecture

Client Browser –> Web Servers –> WebSphere AS

Web server plugin –> Extension module for common HTTP servers (IIS, Apache, etc…)

  • Communicates with WAS via HTTP
  • Load Balancing
  • Fail over
  • Not Security!

Plugin URL Handling

Not all requests get forwarded back to the WAS.

  • Based on URL mappings in web.xml and ibm-web-ext.xmi (simple file globs)

If a match occurs the request is forwarded; if not, it’s handled by the local HTTP server.

JSP & NUL

Strings

  • OS under Java is written in C
    • NUL terminates strings
    • Cannot contain NUL
  • Java
    • Counted
    • NUL Allowed

What about the JSP engine inside WAS? How does it handle NULs?

  1. Locate and read file
  2. Translate .jsp to .java
  3. Compile
  4. Run as servlet

This means you can read (some) specific files through the JSP engine, as long as the file is a valid JSP.

What’s a valid JSP?

  • Anything starting with <%
  • HTML
  • XML
  • Most Text files
  • ….

What about directories… well, you can read them too:

  • /root/dir/%00.jsp
  • /root/dir/.%00.jsp
    • Sometimes you need “..”

Web Server Plugin & NUL

Although not intended for security, it can get in the way of insecurity!

%00 works great on WAS, but getting it through the plugin (compiled C) doesn’t

The next challenge is how to get %00 past the plugin

Character Encodings

UTF-8 is how Java reads strings natively

  • Multi-byte character encoding
  • Single byte values can be encoded as multiple bytes
  • Explicitly forbidden in the spec
    • Nobody follows the spec!

A fix for this issue was implemented… but the fix didn’t work!

It is however fixed in the latest JVM release (no direct patch from IBM as yet)

Encoding to bypass the plugin and get a NUL to the WAS –> %C0%80.jsp instead of %00.jsp

WEB-INF & META-INF

Servlet specification says Return 404

Checked in many places in WAS… but they missed one!

Fixed by IBM… but badly.

To bypass…

  • /ctxroot/%C0%AE/WEB-INF/web.xml

This also works for META-INF
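
A check a front end could run before forwarding a request, covering both the NUL trick and the WEB-INF bypass above (an added example, not code from the talk or from IBM's fix). It decodes the path the way a non-validating UTF-8 decoder would and reports why the request should be refused. The function names and sample paths are constructed for illustration.

```python
import re

PROTECTED = ("web-inf", "meta-inf")  # must never be served, per the servlet spec
# (lead mask, lead value, sequence length, payload mask, smallest legal code point)
LEADS = [(0x80, 0x00, 1, 0x7F, 0), (0xE0, 0xC0, 2, 0x1F, 0x80),
         (0xF0, 0xE0, 3, 0x0F, 0x800), (0xF8, 0xF0, 4, 0x07, 0x10000)]

def percent_decode(path: str) -> bytes:
    """Turn %XX escapes into raw bytes; nothing is validated yet."""
    return re.sub(rb"%([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), path.encode("utf-8"))

def lenient_utf8(data: bytes):
    """Decode as a non-validating decoder would, recording each violation."""
    out, findings, i = [], [], 0
    while i < len(data):
        lead = data[i]
        shape = next(((n, pm, low) for m, v, n, pm, low in LEADS
                      if lead & m == v), None)
        tail = data[i + 1:i + shape[0]] if shape else b""
        if (not shape or len(tail) != shape[0] - 1
                or any(t & 0xC0 != 0x80 for t in tail)):
            findings.append(f"malformed byte 0x{lead:02X} at offset {i}")
            out.append("\ufffd")
            i += 1
            continue
        n, payload_mask, low = shape
        cp = lead & payload_mask
        for t in tail:
            cp = (cp << 6) | (t & 0x3F)
        if cp < low:  # e.g. C0 80 -> U+0000, C0 AE -> U+002E
            findings.append(f"overlong encoding of U+{cp:04X} at offset {i}")
        out.append(chr(cp) if cp <= 0x10FFFF else "\ufffd")
        i += n
    return "".join(out), findings

def inspect_path(raw_path: str) -> list:
    """Return the reasons a front end should refuse to forward this path."""
    decoded, findings = lenient_utf8(percent_decode(raw_path))
    if "\x00" in decoded:
        findings.append("NUL in decoded path")
    if any(seg.lower() in PROTECTED for seg in decoded.split("/")):
        findings.append("protected directory in path")
    return findings

# Constructed sample request paths; the encoded forms are the ones in the notes.
SAMPLES = ["/app/index.jsp", "/app/caf%C3%A9.jsp", "/root/dir/%00.jsp",
           "/root/dir/%C0%80.jsp", "/ctxroot/%C0%AE/WEB-INF/web.xml"]

if __name__ == "__main__":
    for p in SAMPLES:
        print(p, "->", inspect_path(p) or "ok")
```

The same function can be run over the request column of an access log to find past attempts, since a legitimate client has no reason to send an overlong sequence.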

The Whole Truth

JSP Strikes back

  1. Locate and read file
  2. Translate .JSP to .JAVA
  3. Compile
  4. Run

Doesn’t this mean we can get remote code-exec?

SOAP with Attachments lets us read a file that we want to compile and execute

Anything over 32KB gets cached to a location readable….

Not many SOAP services however, handle attachments!

This makes it a lot less usable

SOAP Encoding

This allows you to reference attachments through the href in a SOAP message

When used with AXIS 1, it parses the attachment and caches the larger ones to the disk

AXIS 1 provides an interesting feature: a client can send a fault to the server as the first request… which is parsed

Faults use SOAP encoding and can therefore be used to send an attachment

Putting it all together

Attachment filenames are random.

To bypass this:

  1. Get the directory listing first
  2. Upload the JSP
  3. Get another directory listing to find the filename

This process however is pretty noisy and can cause a large amount of logs.

An example exploit code that performs this will be made available

Affected platforms

  • WAS runs on a lot of platforms
  • AIX and Linux tested and vulnerable
  • Case insensitive file systems are not vulnerable to %00.jsp –> e.g Windows

Fixes

Fixes are out for 6.x, and 7.x

Took IBM 2 weeks to fix this flaw (16 different variants)

Providing security reports as a PMR works!

Fix from IBM is very elegant

  • Double checks the file being opened to make sure it’s really the end file being opened
  • WEB-INF doesn’t appear in the patch –> Not so elegant

Workarounds

  • Disable runtime compilation and reloading of JSPs
    • disableJspRuntimeCompilation
  • Block access to .jsp before WAS
    • Not always possible
    • JSP Extensions such as jsv, jsw, etc….

A Note on Browsers

  • Browsers may normalize the characters
  • Could cause issues with exploitation

Blackhat/BSides/DefCon

I’ve been putting off my selections for this year’s Blackhat/Bsides/DefCon for as long as I could for a number of reasons. The biggest is that I have absolutely no idea where I should be and what I should be trying to see. As if things weren’t already confusing enough, this year’s conference schedules are even more packed than last year’s. More tracks at Blackhat, and the addition of BSides (which I totally missed last year).

Still, I guess it’s about as late as it can be, and it’s time to put down a few key presentations that I hope to see. I’m going to limit myself to 3 per conference, as after last year, I know that seeing the talks isn’t as easy as it seems 😉

  • Ivan Ristic: State of SSL on the Internet: 2010 Survey, Results and Conclusions Routers
  • Nathan Hamiel, Marcin Wielgoszewski: Constricting the Web: Offensive Python for Web Hackers
  • Barnaby Jack: Jackpotting Automated Teller Machines Redux

  • Dave Kennedy (Rel1K): SET 0.6 release with special PHUKD Key
  • frank^2: Fuck Tools, Do It yourself Jerk
  • Frank Breedijk, Ian Southam: The road to hell is paved with best practices

  • Ed Schaller: Exploiting WebSphere Application Server’s JSP Engine
  • Joseph McCray: You Spent All That Money And You Still Got Owned…
  • Chema Alonso, José Palazón “Palako”: FOCA2 – The FOCA Strikes Back

I’ll be in town a few days before the conference to take part in some training… so if anybody is about and wants to catch up for some drinks, just shoot me a message.

Looking forward to seeing you all in Vegas…

New image

A little over a month back I spoke to Marisa about the InfoSec Mentor program. At the time I thought it was a great chance to really help people in the industry to learn from people more experienced or knowledgeable. With that said, I obviously thought there’s no way I’m smart enough to be a mentor. As such I threw my name into the hat to be a mentee. I’ve only been in the industry for a little over 2 years after all…. I wouldn’t dare claim to be anything more than somebody who tries, and sometimes succeeds! But only sometimes 😛

Flash forward to a month later and the selections are made for mentors and mentees…. so, drum roll please….. Who did I get partnered with….. None other than Jayson E. Street (in case you don’t know him… here is a picture). How ironic… especially considering my comments on Twitter when I made my application. Still, Jayson is a friend and a great guy. So I’m sure this will work out great.

So, to my first steps as a mentee…. time to change my image. It needed an update, the fat English guy look wasn’t working for me anyway. So here it is. The new mentee look…

The journey has only just begun…. there are many choices still to be made, and I’m sure Jayson will guide me through them. The hard ones however, I’ll have to make myself….

Hopefully I’ll have made the choice before DefCon rolls around!

Defcon, is it over already ?

Well, Defcon has come and gone. For those following my blog (sorry about that), you might have noticed a lack of posts covering what I saw at Defcon. This was for several reasons. They’re good reasons, honest, and none of them are that I was too scared to get on the Defcon network or that I was too hungover (although I won’t deny I attended a party or 6).

Defcon was, for me, a chance to finally meet a group of people who I’ve been conversing with online for some time now. I set myself a goal before I left, to meet people and actually communicate with people (not really my primary skillset). Although I did get to attend some talks, I didn’t feel that blogging about the 2/3 a day I actually saw, was going to be interesting to my readers (yes, both of you).

Although you’ve probably already got your fill of Defcon recaps by now, I’d like to recommend Frank Breedijk’s blog over at cupfighter.net as he has various writeups on presentations that we attended together or individually. Frank and I were also lucky enough to talk to F1nux from HPR (Hacker Public Radio) about the event. If you want to listen, you can grab a copy at the Hacker Public Radio website.

I’d like to thank the various people I met at Defcon. Especially Frank (@autonessus), Martin (@mckeay), Chris Nickerson (@indi303), Carlos (@carlos_perez), Tom (@agent0x0), Mick (@bettersafetynet), John Strand (@strandjs) and the rest of the #pauldotcom crew. I met so many people I couldn’t start to list them all. So I’ll just say thanks to everyone, and don’t be strangers 😉

Hope to see you all at another event soon 😉