Breaking Parser Logic! Take Your Path Normalization Off and Pop 0Days Out

Video in TIB AV-Portal: Breaking Parser Logic! Take Your Path Normalization Off and Pop 0Days Out

Formal Metadata

CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

We propose a new exploit technique that brings a whole new attack surface to defeat path normalization, whose implementation is complicated by many implicit properties and edge cases. This complication, underestimated or ignored by developers for a long time, has made our proposed attack vector possible, lethal, and general. As a result, many 0days have been discovered via this approach in popular web frameworks written in trending programming languages, including Python, Ruby, Java, and JavaScript. Because the problem is fundamental to path normalization logic, sophisticated web frameworks can also suffer: for example, we've found various 0days in Java Spring Framework, Ruby on Rails, Next.js, and Python aiohttp, just to name a few. This general technique also adapts to multi-layered web architectures, such as using Nginx or Apache as a proxy for Tomcat, in which case reverse proxy protections can be bypassed. To make things worse, we're able to chain path normalization bugs to bypass authentication and achieve RCE in real-world bug bounty programs. Several scenarios will be demonstrated to illustrate how path normalization can be exploited to achieve sensitive information disclosure, SMB relay, and RCE. Understanding the basics of this technique, the audience won't be surprised to learn that more than 10 vulnerabilities have been found via it in the sophisticated frameworks and multi-layered web architectures mentioned above.
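The check-versus-use mismatch that the abstract (and the talk's Spring and Nginx cases below) turn on can be shown in a few dozen lines. The following is an added example, not code from the talk, from Spring or from Nginx: `clean_path_lenient` models the normalizer behaviour the talk attributes to Spring's `cleanPath` (split on `/`, walk the elements backwards, `..` swallows the element before it, and an empty element produced by `//` counts as a real element), `is_invalid_path` is the blacklist-style check built on it, `fs_resolve` is what the file system does with the same string, and `alias_resolve` models the Nginx alias off-by-slash in the same spirit. The base directory, file names and the `/static` location are constructed for the demo; `serve_hardened` is my suggested shape of a fix (one normalizer for check and use, then a containment test), not the project's patch.

```python
"""
Added example (not from the talk, Spring or Nginx): two check-vs-use
mismatches in path handling, modelled in Python.  Paths are constructed.
"""
import posixpath


def clean_path_lenient(path: str) -> str:
    """Normalizer with the empty-element weakness (a model of the behaviour
    described in the talk, not Spring's own code)."""
    path = path.replace("\\", "/")            # Windows compatibility, as in the talk
    prefix = ""
    if path.startswith("/"):                  # a leading slash is kept as a prefix
        prefix, path = "/", path[1:]
    result, tops = [], 0
    for element in reversed(path.split("/")):  # split keeps "" for "//"
        if element == ".":
            continue                          # current directory: drop it
        if element == "..":
            tops += 1                         # swallow the next element we meet
        elif tops > 0:
            tops -= 1                         # swallowed, even when element == ""
        else:
            result.insert(0, element)
    result = [".."] * tops + result           # unmatched ".." survive at the front
    return prefix + "/".join(result)


def is_invalid_path(path: str) -> bool:
    """The check: consult the normalizer only when '..' appears at all."""
    if ".." in path:
        return "../" in clean_path_lenient(path)
    return False


def fs_resolve(base: str, rel: str) -> str:
    """The use: what the file system does with base + rel (empty elements vanish)."""
    return posixpath.normpath(base + "/" + rel.replace("\\", "/"))


def serve_lenient(base: str, rel: str):
    """Vulnerable pattern: checked with one normalizer, used with another."""
    if is_invalid_path(rel):
        return None
    return fs_resolve(base, rel)


def serve_hardened(base: str, rel: str):
    """Check and use share one normalizer; then enforce containment in base."""
    target = fs_resolve(base, rel)
    if target != base and not target.startswith(base.rstrip("/") + "/"):
        return None
    return target


def alias_resolve(location: str, alias: str, uri: str):
    """Nginx-style prefix location + alias: a prefix *check* followed by a
    string-concatenation *use*.  Without a trailing slash on the location,
    '/static../x' passes the check and the file system walks up one level."""
    if not uri.startswith(location):
        return None
    return posixpath.normpath(alias + uri[len(location):])


if __name__ == "__main__":
    base = "/srv/app/static"
    for rel in ("css/../js/app.js", "../conf/database.yml", "//../conf/database.yml"):
        print(f"{rel!r:28} lenient={serve_lenient(base, rel)!s:30} "
              f"hardened={serve_hardened(base, rel)}")
    for loc in ("/static", "/static/"):
        print(f"location {loc!r:11} -> {alias_resolve(loc, '/home/app/static/', '/static../settings.py')}")
```

The third request, `//../conf/database.yml`, is the interesting one: the empty element swallows the `..`, so the cleaned path contains no `../` and the check passes, while the file system collapses the double slash and walks out of the static directory. `serve_hardened` never reasons about `..` at all; it normalizes exactly as the file system will and then asks whether the result is still inside `base`.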
Okay, hi, thanks for coming. In the next 15 minutes I will present Breaking Parser Logic! Take Your Path Normalization Off and Pop 0days Out. Path traversal is a common problem in web applications, but it is still hard to provide a good security mechanism. There are lots of pitfalls and edge cases that programmers may ignore, but the only thing they care about is still the dot-dot-slash. In this talk we try to pay more attention to analyzing the logic and the normalization. During this process we noticed an interesting feature that could be perfectly applied to multi-layered architectures. We will address this attack surface and give several case studies. Okay, let's go.

Hi, I'm Orange, a security researcher from DEVCORE. We provide the most professional red team service and penetration testing in Asia. My job is researching and finding new 0days and attack surfaces. I'm also a member of HITCON, which holds the largest hacker conference in Taiwan. Apart from that, I'm also a speaker, bug bounty hunter, and CTF player.

This is our agenda today. We will first highlight parser logic and path normalization, and talk about why I focus on that. By knowing the basics, we try to review existing web frameworks and find bugs in them. We will show the 0days on both Ruby on Rails and Spring Framework. Lastly, the new attack surface. Of course, in order to convince you this is awesome, we will give several bug bounty cases.

Okay, first let's learn a new word: normalize, "to make standard; to determine the value by comparison to a standard". The definition is easy, but if every system has its own standard, it must be a problem. And next, why normalization in security? It means that you need to protect something. In order to fix the bug without impact on the business logic, it is common to apply a workaround or filter instead of patching the bug directly. To apply the filter you need to parse the data first, but it's hard to implement a really solid parser. Everyone follows RFC as the standard; RFC defines a specification but doesn't tell you how to implement it, so the more complicated the data format, the harder it is to parse.

So what's wrong? What's wrong with path parsing and normalization? Yes, inconsistency. This is a typical dangerous pattern and it is easy to find vulnerabilities in it. The behavior in the check must be the same as the behavior in the use; otherwise the check function will be bypassed. It's just like my SSRF talk last year, exploiting inconsistencies between URL parsers and URL fetchers that lead to whole SSRF bypasses. So for the past two years I paid more attention to parser inconsistency. For example, this is an interesting implementation in Java: there are different file handlers for each operating system. The Windows driver treats the file as a UNC path, but Linux treats it as a URL. The main difference between each other is that the URL supports the question mark. Once we note that, there are several dangerous patterns. For example, the method getPath only returns the path before the question mark, but the file system still recognizes all of it as its path, so here is an inconsistency. On the other hand, the methods getFile or toExternalForm return the whole URL part, but if the check relies on the normalized result, then we can forge a valid path to bypass the check and read an arbitrary file on Linux.

So back to our topic: why attack path normalization? Because most websites handle files. Path traversal is an old problem in many web applications, but it is also the place with lots of protections and bypasses. As I mentioned before, there are lots of dangerous patterns, so if you can find a difference between the check and the use, you can bypass the protection. Another reason is that in large projects the code changes too fast and lacks an overall security review for the new commits. Is there any side effect that bypasses an existing security mechanism? Who knows. Let's talk about
a Mojarra story. JavaServer Faces is a standard in Java EE, but it's just a standard; it needs someone to implement it. So the top two implementations in the world are MyFaces by Apache and Mojarra by Oracle. While reading advisories I noticed a report that reviewed Mojarra and found CVE-2013-3827. The report also inspired me to dig more into the source. With a couple of tests I found a new vulnerability. It's a very obvious traversal: just read the file from the query string. How did I find this? I was very curious about why the advisory didn't notice that. With a little bit of investigation I found the reason: the bug was committed in 2015, but the code review was done in 2013. This points to a serious problem. Mojarra is a very fundamental library, but it seems no one did a formal security review since 2015. So that is the reason that pushed me to dig into path normalization in web applications and frameworks.

Okay, so let's start our topic. First, how parsers could fail. Here is a very obvious programming error. This code was copied from Grails. Grails is a powerful Groovy-based web application framework; if you want to use Groovy as your language, you must have heard about Grails. This is the part of static file handling. The argument relativePath is attacker-controllable. In order to be compatible with Windows environments, the code replaces the current file separator with a slash. So did you find the bug? Okay, the answer is the method replace. Grails would like to replace the current file separator with a regular expression, so Grails escapes the path by Pattern.quote. This is the prototype of the method replace. But in Java, replace has a big brother, and his name is replaceAll. Both methods are very similar, but the only difference between each other is the meaning of the first argument. The first argument in replace is the literal string to be replaced, but the other one, in replaceAll, is the regular expression to be executed. Both arguments are the String type. Since the developer used the wrong method, Pattern.quote wraps the current file separator with the escapes \Q and \E. Because of the misuse, Grails recognizes the escape in the regular expression as a literal string. As the result, there's a new dot-dot-slash in Grails. Yes, it fails everywhere. Even worse, the buggy code was committed in 2014, so the bug has been there for several years.

The next topic is how a single slash could fail. Maybe you have set up several paths in the past, but does your path end with a slash? This is a good question. Is it important? Yes. Let me show you how a single slash could fail. This is the off-by-slash fail on Nginx. The first time this problem was shown was at the end of 2016, and the credit goes to the original researchers. Although this is not new, it's still worth mentioning: this is a good attack vector without too many people knowing it, and the idea appears in the world again and again. In Nginx there is the alias directive, and it can define a replacement for the specified location. This directive is very common in web architectures. In practice, applications such as Django and Rails are not familiar with handling static files, so it's a prevalent pattern to put Nginx in front of them. But due to the lack of a trailing slash in the location, /static.. will also hit the alias block. As the result, Nginx will append the remaining path to /home/app/static/, and we can traverse one level to the parent directory. So how could a single slash fail? You can search how to serve static files on Nginx on Google or Stack Overflow, and you will find numerous answers with mistakes. This problem is also common in implementations where you need to process the path by yourself. It's just like string copying in the C language: to append a slash or not is a serious problem to you.

So how to find this problem in the real world? We give a private bug bounty case here. With direct access to the /assets/ folder, Nginx returns 403 Forbidden. However, when we try /assets../, it also returns 403. It looks like we have successfully traversed one level to the parent directory, but how to prove this? We append assets/ and the same file again and check the content. Yes, the same. So now we can download all the source and configuration files under the web root. In this case, we got several pieces of sensitive information, such as the Django SECRET_KEY and the SQLite database. Thank you.
So for the past several months I started to review the path normalization and path parsing in web applications. Of course, we found several problems in diverse implementations, and here is the list. So the next section is an in-depth review of existing implementations. Due to time considerations, and since our new finding is more important, we will only show you two cases.

The first one is directory traversal on Spring Framework. We all agree that Spring is the famous framework in the Java web ecosystem, so we start from the patch of the CVE-2014 static file issue. It's also a path traversal. So in order to prevent similar bugs again, Spring applies several security mechanisms. From the method we know Spring first checks whether the path is valid or not, and uses isResourceUnderLocation as the last guardian to ensure the path is under the proper locations. This is the simplified version of the method isInvalidPath. It's just a simple blacklist, and the most important part is: if there is any dot-dot in the path, Spring will normalize the path and check the result. As I mentioned before, this is the dangerous pattern, because Spring just relies on this built-in method to protect the whole system. So if you can find a problem in cleanPath, or an inconsistency between the check and the use, you can bypass the protection.

So how does cleanPath work? In order to be compatible with Windows environments, it simply replaces the backslash with a forward slash. Spring also splits the path with the forward slash, checks the elements one by one, and stores the result into pathElements. If the element is a single dot, Spring just does nothing, but if it is the parent directory, Spring will set a flag to remove the item in the next iteration. In the end, Spring uses the forward slash to join all the elements. Okay, that's all. Did you find the problem in this method? Okay, the problem is that Spring allows the empty element. That means you can forge an empty element in the path, and during the normalization it will be normalized with the parent directory and cause an inconsistency with the file system. It seems to be a small problem, but the impact is huge. This table shows the difference between cleanPath and the file system due to the empty element. From this, with more than one slash in the path, things start going wrong. The check in isInvalidPath passes because there is no dot-dot in the result, so Spring believes it without any doubt and reads a file with the user-supplied path. So how to exploit? We clone the Spring official sample from GitHub. As you can see in the payload, there are six slashes normalizing the next six dot-dot-slashes. This exploit also works in containers such as Tomcat. As a secure container, Tomcat by default enables several security features, but this exploit perfectly bypasses all restrictions. As the result, we can read an arbitrary file on Windows. So how to fix? Do not use Windows. Yeah, this is the real mitigation from the Spring official website. Excellent.

As a bonus, let's talk about code infection. Every programmer follows the DRY principle, don't repeat yourself, and Spring is a popular framework under a free software license, so lots of projects refer to code from Spring. Spark is also a famous micro framework for web applications. In 2014, Spark wanted to improve their security mechanism in static file handling, but since writing a good parser is really hard, it just copied the code from Spring. As the result, Spark also copied a similar problem into their code base, so Spark also suffers from this vulnerability.

The next case is Ruby on Rails. Sprockets is the asset pipeline engine in Rails, which means that all static files will be managed, compiled, and served by Sprockets. And of course we found a problem here, but unfortunately Rails only uses the asset pipeline engine in development mode, so this is only effective in development mode. The default Rails command is under that, so you can simply reproduce the bug by just two commands: rails new and rails server. Due to the time consideration I will not go into too much detail. The root cause is that Sprockets supports an undocumented scheme in the path. There are several pieces in this exploit, but because of the time, you can check the details after this talk. We will just go to the next page, but it's still worth saying this is possible for code execution. Because of the support of the file scheme, you can override some internal options with your query. As an asset pipeline engine, Sprockets will compile the content while processing the file. If the file extension is .erb, Sprockets will evaluate the file with the Ruby template engine. This feature could be combined with a file upload attack: you upload a malicious file to the temp folder and execute the code via Sprockets. Okay.

The boring part is over; you can stretch yourself a little bit.
Okay, here is the cat, and let's go to the most interesting part. While reading the source, I noticed a feature that could be perfectly exploited in multi-layered architectures. In the following part I will introduce the idea and several cases, including an access control bypass in Uber and two remote code executions. In addition, I would like to thank Amazon and Bynder for the open-minded vulnerability disclosure and their quick response time. It's a very good experience working with them.

Yeah, we start with the HTTP feature URL path parameter. It can attach information to the specified path segment. Some researchers have already pointed out that this feature may lead to security problems, but their concerns all depend on programming fails. When I saw this, I was thinking about how to make this feature more severe. Yes, I found reverse proxy. Reverse proxy is a common web architecture. There are several benefits: resource sharing, load balancing, cache, and security. For example, you can share different services on the same port and IP address, or use load balancing to distribute the requests to different back-end servers. As for security, a reverse proxy can isolate the server from outside and configure the access control in the proxy layer.

This is a classic reverse proxy architecture. As I said before, it is the prevalent pattern to serve static files directly and pass the business logic to back-end servers. I have talked about the off-by-slash problem, but now we focus on the interaction between the proxy and back-end servers. Nginx will serve the directory if the incoming request matches the static pattern, such as files and scripts, but if it is a request for business logic, Nginx will pass it to the back-end servers. Okay, so back to our topic: what will happen when the feature meets the reverse proxy? URL path parameter is defined in the HTTP specification, but not all web servers care about it. However, Java mostly supports this feature. Reverse proxy is not a single-request, single-server handling architecture; the same request will be interpreted by different web servers, so the inconsistency between the proxy and back-end servers will lead to security problems. So I gave a name to this. Okay, not really, the domain is still available to buy, just kidding.

So how dangerous could it be in the reverse proxy? It can bypass the access control list, no matter whether it is a blacklist or a whitelist. It can also escape from the current context mapping to access the management interface and other contexts on the same server. DevOps always believe that no one can touch their internal service, but today this is exposed to outside, and there must be lots of fun for hackers. And who is affected by this? This is an architecture problem and vulnerable by default, without any programming errors. So if you are using a reverse proxy with Java as your back-end service, you are under this risk. This is a huge attack surface. Think about how many reverse proxies in the world could be bypassed so that you can touch many internal services from outside.

For an easy example to understand: Tomcat exposes two applications on localhost, and maps them to outside by Apache. Due to the normalization of Apache, we cannot directly access the back-end management interface. However, we can use our traversal trick, dot-dot-semicolon, to traverse one level to touch the root of Tomcat. Apache first handles this request. From the view of Apache, dot-dot-semicolon is a normal folder name and matches the context mapping, so it passes to the back-end server. But in Tomcat, dot-dot-semicolon is a parent directory, and it is normalized with the root. As the result, we can access all applications under Tomcat, including the management interface. Everything looks good from each side, but when they are put all together, everything starts going wrong. Okay, by knowing the theory, let's see the real
broadcast is the first cast is uber over the stereo direct esters to determine uber internal takong so the name we know this is the domain for internal purpose once we assess it retract us to one looking single science service in this Twitter in this production was done by nginx we find a domain darada over internal takong and we also know that dries a java-based application hmm it seems to be reverse proxy again with a little bit searching we find this website is post a status API this appears to be a high list for monitor purples we applied our chorizo trick again it looks good in engine X and match the file X prefix so pass to Torah as the result we can assess the
juror internal and see the internal projects we can see the draw dashboard and see the internal practice and this
is another photo we assessed an internal code review Poteau ok so next how can we
do if we bypass the access control? We will see a code execution case. Actually, I found this code execution in another bounty program; I got code execution but found my target was not in their bounty scope, because it's a third-party service. Fortunately there's also a bounty program at that service provider, so in the following case I will use this site as an example. This is the screenshot of the website: it's just a login page without too much functionality.

When I would like to hack something, the first thing I care about is the HTTP headers. From the headers we can observe a lot of interesting information. The header tells you that it is running under Nginx; however, the response also sets a special cookie, JSESSIONID. It seems to be the default session ID in Tomcat, but why does Nginx need this cookie? From our experience we believe this is also the reverse proxy architecture. By the way, this is also a good methodology to know whether the target is running on a reverse proxy or not.

We applied our traversal trick again and got a 404 page. This is a 404 error page, but the special thing is that the page was returned by Tomcat. This represents that we have already passed the reverse proxy and accessed the back-end service. Another thing is that from the error message we got an important hint: our request path will be the PATH_INFO of the back-end index.cfm.

From the hint we can guess the server configuration: Nginx just relays the request to the back-end index.cfm, but for the dot-dot-slash it will result in a 400 error because the path jumps out of the web root. However, our trick can pass through the proxy and normalize the index.cfm away, so we can touch the root of Tomcat. As you have seen, the file extension is .cfm, the ColdFusion Markup Language. From the extension we can guess what the back-end engine is; in this case it is running on Railo, an open-sourced CFML engine. From the Railo manual we also know that the management interface is under railo-context/admin/web.cfm. This is the screenshot of the management interface, but did you find something wrong? Yes, the interface just asks you to set a new password. But is it that easy? No. The first time I saw it, it was not like this; it was a normal login page. However, when I refreshed several times, the page changed, so I didn't know how... so what is it?

With a little bit of investigation I think I found the root cause. When there is a large number of requests, the website will use the cloud to scale up automatically, but while scaling up it seems to forget to put the password file, so this is the root cause that invites you to enter a new password. However, not all instances are vulnerable; it seems to be only three to four misconfigurations, so we have about 16 percent probability to see the new password page. Also, logging in successfully is still not easy, because there's a CAPTCHA in the login process, and to make things worse, every request to the cloud will be dispatched randomly to different back-end servers. So for example, if the server displaying the CAPTCHA is different from the server receiving the credential, it will result in a wrong CAPTCHA error. So it's just like entering a lottery: we need to keep the session, poke the same server, pass the CAPTCHA and log in. With much time and trial and error, we
finally get into the management interface. Once we entered the interface, the next question is how to pop a shell in Railo. There are several ways to pop a shell, but due to requests being dispatched to different servers we need to minimize our steps. Here we choose log injection. Railo has many features; one is the customized template file, so we modified the 404 error page to exception.log, and then we need to inject our malicious code into exception.log. However, while exploiting this we face a problem: the log file is too large to be executed. But did you remember the website will scale up when there are lots of requests? So we can use HEAD requests to force the cloud to launch a new instance and exploit on that instance. Okay, now every 404 page is our backdoor, and we got a shell back. The last is
our Amazon case. While searching for targets we found a special domain; from the name it seems to be a collaboration instance for internal purposes, and from the copyright we know this instance was built from an open-source project, Nuxeo. Nuxeo is a content management system for business applications; it is written in Java. At that time I just wanted to improve my Java auditing skill, so I started to review the code. During the code review we found several trivial bugs that can be chained together to gain code execution.

We first look at the access control in Nuxeo. While auditing, we find Nuxeo maps all URLs to a special authentication filter, and the first part relies on that. From the filter we know most pages require a valid session, but some entries can bypass that, like login.jsp. But how did the filter retrieve the current path to compare with? It retrieves the path from the HttpServletRequest. So where's the problem? In order to handle URL path parameters, Nuxeo chunks the path by semicolon. As I mentioned before, the behavior of URL path parameters varies: every web server has its own implementation. The Nuxeo way may be safe in containers such as WildFly and WebLogic, but now it's running on Tomcat. The difference between Nuxeo and Tomcat will lead to the security problem. So due to the inconsistency we can forge a request that matches the whitelist in the access control but reaches the unauthorized area in Nuxeo. However, we still could not do anything; in fact most pages return a null pointer exception because the servlet logic was unable to obtain a valid credential. But this still gives us a chance to knock on the door.

From the configuration file we notice that Nuxeo is based on the Seam framework. I had reviewed Seam several years ago and found a number of crazy features, so for me the next step is chaining the first bug to access the unauthorized Seam servlet. So let's talk about the Seam feature. In order to control the page, the Seam framework introduced a series of HTTP parameters; actionMethod is one of them. It can invoke specific expression language from the query string. It seems dangerous; however, there are some preconditions before the invocation: the invoked expression language must be in a certain format and in a file under the context root. For example, there is a file named foo.xhtml, and you can invoke the EL in it by the following URL. The feature looks good: you cannot control any file on the remote server, therefore you cannot invoke arbitrary expression language. However, there's one more crazy feature to make things worse: if the previous invocation returns a string and the string looks like an expression language, the Seam framework will invoke it again. Yes, it's double evaluation. But how the hell
is the double evaluation... yeah, I don't really understand. With the crazy feature, if we can control the return value we can execute arbitrary EL, so we need to find a good gadget. This is very similar to ROP, return-oriented programming, in binary exploitation. Here we choose the file with the long name. Then why do we choose this? It is because the request tag returns a string that we can control from the URL; also, the whole tag is supposed to assign a variable, but we can still execute the [unclear] tag. Okay, by chaining with the first access control bypass, we can now execute arbitrary EL without any authentication. But it's still not over yet; we fail to pop our shell. Seam also
knows that EL is risky, so there is a blacklist to block dangerous invocations. However, it's just a simple string matching, and we all know that a blacklist is always a bad idea, so we simply use the array-like operator to avoid the bad pattern. So let's summarize our steps and show them all together. We first find a path normalization bug to bypass the access control. While we can access the unauthorized Seam servlet, we use the feature and choose a good gadget so that we can control the return value. We also prepared our second-stage payload in the URL and use the array-like operator to bypass the blacklist. The last step is to write our shellcode with the Java reflection API and wait for our shell.

This is the overview of the whole exploit; I will explain each part one by one in detail. First, the yellow area is the access control bypass. In order to bypass the whitelist, which checks login.jsp as our prefix, Nuxeo will scan the whole request path and chunk it at the first semicolon. So due to the inconsistency between Nuxeo and the container, we can bypass the authentication and touch the create-file XHTML; we chose this file because it will be handled by the Seam framework. Once we can touch the Seam servlet, we use the actionMethod to invoke partial expression language in a known file. Here we choose the file with the long name. We chose this because the return value of the EL is a string and we can control it from the URL, so we prepared our second-stage payload in the URL parameter, and the crazy feature in the Seam framework will invoke the value as expression language again. In order to avoid the bad pattern we use the array-like operator to bypass the blacklist. We also use the Java reflection API to get all methods from java.lang.Runtime: the element at index 7 is the method getRuntime, which returns a Runtime object, and the index 15 is the method exec with a String type argument. Okay, the last thing is the shellcode. Here we would like to pop a shell back, and we got a shell. Okay, thanks. Okay, so how to prevent this
type of attack? This is hard to fix, because the URL path parameter is a normal feature and not a bug on either side. According to my experience in bug reporting, most vendors cannot patch the bug completely the first time; their patch is bypassable. So mitigate from two aspects: one is to isolate your back-end application, removing the management interface and other contexts from your Java container; the second is to ensure the behavior between the proxy and the back-end servers is consistent. But it seems there's no directive to disable the feature, so I wrote a patch for that; you can check the hyperlink after this talk.

Okay, summary. In this talk we first showed the background about path parsing and path normalization, including inconsistency, misuse cases, and the off-by-slash problem in Nginx. Then we introduced a new attack surface on the reverse proxy architecture that can bypass access control and escape from context mapping. The last, we showed several case studies, not only on open-source applications but also on bug bounty programs. Okay, the last page: here's my contact information, please let me know if you have any further questions or new findings. Also, we will release the whole story of our case studies on my blog; you can follow my Twitter to know the latest posts. This is the end of my presentation, thank you for being here, thanks. [Applause] [Music] [Applause]
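The second mitigation the speaker gives, keeping the proxy's and the back-end's view of a path consistent, as an added Python example that is not part of the talk or of any of the projects mentioned: it models the two normalizers described above (a proxy that treats every segment literally and a Tomcat-style container that strips `;param` path parameters first) and shows that a prefix ACL evaluated on the proxy's view alone lets the dot-dot-semicolon request through, while one that also checks the back-end's view does not. The helper names, the `/app/` prefix and the sample requests are assumptions constructed for this example.

```python
from urllib.parse import unquote


def _remove_dot_segments(segments):
    """Resolve '.' and '..' over already-split path segments (RFC 3986 style)."""
    out = []
    for seg in segments:
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def proxy_view(raw_path):
    """Assumed proxy-style view: percent-decode, then resolve dots.
    A segment such as '..;' is not '..', so it stays an ordinary folder name."""
    return _remove_dot_segments(unquote(raw_path).split("/"))


def servlet_view(raw_path):
    """Assumed Tomcat-style view: strip ';param' from every segment first,
    so '..;anything' collapses to '..' before the dots are resolved."""
    segments = [seg.split(";", 1)[0] for seg in unquote(raw_path).split("/")]
    return _remove_dot_segments(segments)


def allowed_by_proxy_only(raw_path, prefix):
    """Weak ACL: decided only on the proxy's own view of the path."""
    return proxy_view(raw_path).startswith(prefix)


def allowed_end_to_end(raw_path, prefix):
    """Hardened ACL: the request passes only if the back-end's view of the
    path also stays under the exposed prefix, i.e. no context escape."""
    return (proxy_view(raw_path).startswith(prefix)
            and servlet_view(raw_path).startswith(prefix))


if __name__ == "__main__":
    # Constructed sample requests; /app/ is the assumed exposed context.
    for path in ("/app/index.jsp", "/app/index;jsessionid=x", "/app/..;/manager/html"):
        print(path, "proxy:", proxy_view(path), "servlet:", servlet_view(path),
              "weak:", allowed_by_proxy_only(path, "/app/"),
              "hardened:", allowed_end_to_end(path, "/app/"))
```

A legitimate `;jsessionid=` path parameter still passes the hardened check, because the back-end's view of it stays under the exposed prefix.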