Remote enable, stream remote. Do we want that disabled? I think you want it enabled, don't you? That was my assumption. All right, well, we should be going live now. We were live. Okay, let's push that recording button. All right, chat, if anybody is hanging out watching Track One, feel free to start talking in the Track One channel on Discord. You're also welcome to start giving us some questions over in the Track One Live Q&A channel. In the meantime, let's introduce our guests for right now. We have Oleg and we have pwntester, or I'm sure you two will come up with better ways to explain how to pronounce your names. But thank you very much for joining us today. Give us the name of the talk that you did and we'll start asking you some silly questions about it. Okay, yeah, so the talk was Room for Escape: Scribbling Outside the Lines of Template Security. A talk around content management systems, and in particular the template engines used in these systems, and how we were able to break out of sandboxes. If you have any questions about the talk or anything else, maybe we can help you. Just feel free to ask anything. How do you like your handle pronounced? I pronounce it pwntester. Pwntester? I don't know if that's any better. Yeah, I think that we just entered into one of the mighty controversial arguments in the hacker world, whether it's "pwn" or "pone". So we're going to go with pwn because that sounds a little bit better. So Oleg, let's give you a little bit of an intro. About myself? Yeah, we'll click over to you. I'm a security researcher for already more than 10 years, working for Micro Focus Fortify, and I'm happy to have the chance to work with pwntester for a couple of years already. It's our fourth joint research, and I'm happy with these results and hope to get something similar in the next years. Absolutely. Before I retire.
Yeah, so that's a good segue, actually, to talk about while we're waiting for people to come up with some good questions for you. Tell us a little bit about some of the... this is definitely not your first talk here at DEF CON. So just briefly give us some background on where you came from and what the earlier talks were, so that people know how to reach back and find you in the archives, and then maybe touch on how this one feels different from the other talks that you've done. Okay, so I think the first one that we did together was Friday the 13th: JSON Attacks. No, actually, sorry, it was JNDI injection, that was the first one. Did we present at DEF CON or just at Black Hat? Just at Black Hat, you're right. So the first one that we presented together was the JNDI injection one. The full title was something like JNDI Injection: from Dream Land to RCE, something like that. Yeah, like a trip into RCE, I don't know, I don't remember the title anymore. That was around JNDI injection in the Java world, and there are ecosystems which were then used for many of the deserialization gadgets, so that was a good one. And then before that one I presented at DEF CON, with Dinis Cruz and Abraham Kang, one that was called RESTing On Your Laurels Will Get You Pwned, or pooned. Yeah, that was a nice one. So the first one that we did together was this one about JNDI injection attacks. Then the first one that we presented at DEF CON, where we had to drink our shots as newbie speakers, was this one about JSON attacks, JSON deserialization attacks. Gotcha. And then last year we presented something like SSO Wars: The Token Menace, where we presented an attack on the SAML implementation in the Microsoft stack; that was a flaw in the .NET Framework. And now this year we repeat again as a team with this one. Excellent. We really appreciate that you both came out to do that. So, as we're waiting for people to jump in with more questions, you two did present me with one that I'm going to sneakily slide in here as if somebody else asked it.
The vulnerabilities that you disclosed all seem to require that the attacker have user-level access to the system. Is that true? Is that a hurdle for most... oh, see, now I'm talking over you, so your turn, you go. Okay, I think it's mostly true. It still depends on the application, on the configuration or a specific configuration, but to be able to perform such attacks, attackers should be able to create or at least modify some template, and in most cases it's at least a user-level account. For SharePoint it's just a user-level account; it's the default configuration, and with just a user-level account any user can do this. For other applications it still depends: sometimes it's just user level, sometimes you need to be, like, a writer, or some other roles, more powerful roles, sometimes even administrator. So one requirement for our attack: you should be able to manage these templates, or ASPX pages in the case of SharePoint. Okay, so maybe the minimum is not just that they have to be able to deal with the SharePoint side, they have to be able to control that, but it's not necessarily that... Yeah, so for the SharePoint case, for SharePoint it's a bit simpler: any user can have access to their own private site and can manage it. It's your site and you can use at least this site for performing attacks. For other applications, yes, it depends on the configuration, depends on the permissions for specific projects, for specific sub-sites and other things.
Okay, so I was going to add that our assumption in this talk is that we were able, or the attacker was able, to control the templates, right? And then our research was around breaking outside of those sandboxes. So in a similar way that we may present something around breaking mitigations for buffer overflows, but our research was not how to find those buffer overflows in the first place. So I'm saying that because, apart from being able to control the contents of the template, different vectors may include things like server-side template injection, or maybe, for example, if there is a cross-site scripting vulnerability in that page, you can use that to fool a victim into submitting a malicious template on your behalf, or maybe there is a cross-site request forgery that you can abuse in order to manipulate or modify the template content. So we didn't really care about how you were able to get access to the content. It may be because you have access to it, like Oleg explained, which is the normal case, for example in things like SharePoint or a wiki, where you can edit your own articles and things like that. But maybe in other systems, some of the ones that we reported, like Office for example, were vulnerable to server-side template injection, and for example in some cases we were able to request trial accounts in content management systems that were deployed on the cloud, like in software-as-a-service architectures, and with those trial accounts we were able to pwn those servers and compromise the underlying service. So in a big way you've given us another step in our chain, another tool to escalate how much damage we can do once we have a foothold. Yeah, exactly. Excellent. What level of access were you using to get that remote code execution? Were you just a regular user, able to escalate that far? So in some cases, like Oleg explained, for SharePoint, just having an account in SharePoint, like a regular user account, allows
you to create your own site, and then you can control the template, or the ASPX page in this case for SharePoint, and then you can use that to get remote code execution on the underlying server. In other cases, like XWiki, just a regular user as well. Other systems, like for example Atlassian Confluence, you were required to be administrator in order to edit a template. So in those systems either you are an administrator, so it's kind of more like an insider attack, or maybe those systems are vulnerable, as I explained before: you find a cross-site scripting vulnerability and you can escalate from cross-site scripting to remote code execution by being able to fool the victim into submitting or modifying a template on your behalf. Okay, so can you give us a little bit of background on how you came upon this type of research? What was your entry point into doing this attack? It's not easy to answer. It's as usual: when you have some target that allows you something, and you think, wow, it's a lot of things for attackers, and it's the start of the game, and you try to use one thing to bypass something. For example, SharePoint allows you to upload ASPX pages. So first thing: why can we not just put the code there and execute code there? No, we cannot. Why can't we? And the game starts. And it's not only SharePoint; there are a lot of such servers or services that allow you to define some templates for dynamic content, and actually you can access getters, you can access some methods, you can access some objects. Like, we cannot abuse them? Well, let's try. Well, let's see what we can do, what we can do further with all this stuff. And that's the start of our research investigation, and at the end we have such results. You chained it down... I'm on mute... so you pushed it down that direction. That makes sense. And I'm assuming then we're kind of talking to a general mindset of, when you're doing your normal day-to-day work, you find something that's a little funny and you just can't let it go. I mean, this is that greater question about what does it
take to be a hacker. It's always nice to hear people who are out there in the world doing these presentations, doing this research, talk to the rest of us who are getting our feet wet in the world of web application security, or whatever your niche is. You know, how do the rest of you folks who are getting all of the success doing these cool presentations and research, how do you approach these? How do you know when you have something cool? So in my case, and continuing Oleg's response, I guess I started this research because Oleg came to me and said, like, okay, I found these four different ways of breaking SharePoint safe mode. So he said, like, maybe if we also look at the Java side we get something interesting, that can be interesting, like a full research, like something that is more self-contained somehow. And then he told me, like, can you take a look at some of the most popular engines in Java? And when I was there I was like, okay, let's see. Before I started looking at the implementation of those engines and doing code review and things like that, it was like, okay, I'm here, I get access, I assume that I get access to the template, what can I do now? What objects are available? So I started looking and inspecting the template context by debugging the applications and setting some breakpoints, and then I was surprised that I was able to access thousands of objects that were non-intentionally exposed; they were indirectly exposed by other objects. And with that big amount of attack surface it was like, this is going to be easy to find something that I can abuse to get remote code execution. That was the case. And then, as a second part of the research, we started looking at the implementation of those libraries, and then we found some specific flaws in the implementation, in the way they were checking block lists, for example, or gaps in those block lists, or things like that, that I explained in the talk.
That was your entry. You all of a sudden were like, I have something, and then you spent a significant amount of time checking, testing the boundaries of the thing that you had until you worked your way towards where we are now. That makes sense. So it's good to hear from you folks kind of where you're coming from on that. So I saw a few different content management systems that you looked at, and I imagine at some point you just kind of run out of time to keep checking things. Do you think that there are still more out there, that people could follow your techniques and do the same kind of thing to find vulnerabilities? Is that also going to be an area that you plan to continue to research, or are you guys kind of done with this one? Definitely there should be a lot of products. We think there are a lot of products; as you mentioned, just a couple of them were under our focus. And actually, for example, if you're talking about SharePoint, it is not an automated approach, it's just manual, just to find some objects, and we tried to show this pattern in our presentation. And I believe there are still a lot of things to look for in SharePoint specifically, and in other content management, even not content management systems, in any other system. It may be email servers: if you can define a template for dynamic content, for some after-creation emails, it can be a starting point for your research as well. So the purpose of our research, our presentation, is just to show our patterns, our approaches, and say: hey guys, we used this and we got such results, like 30 new vulnerabilities, you can use the same. It's not only for the offensive side, it's for the defensive side as well. Guys, if you are developing something that goes in this bucket, you need to look at these areas, to check this, because you can see what can happen. And so of course anybody is welcome to continue this research. About myself, I'm not sure; I need to have some rest, a vacation, a couple of months after that, maybe, but
usually, if you look at our talks, they're not linear; we are jumping from one topic to another topic. It's more interesting for me. But I do not know; maybe if I still find something interesting I will continue, but for the next year, to be honest, it will be more difficult because the competition will be higher, and maybe it's better to leave this for others and try to find something in new areas. Yeah, based on all the different presentations that you two described earlier, it seems like you two work together really well in finding these types of things. I know some people earlier were asking how somebody should go about starting out in research and picking out targets. Do you have any suggestions for people on how they can just kind of start getting into the type of research field that you two seem to do really well? So I don't think that one is easy to answer. So it's just like, at least for me, being up to date with the latest research from other people in the community and industry, or maybe reading articles that are not directly related with what you do. So for example, I think that the JNDI injection, that was the first one that we did together, started out of reading an article about a malware analysis, and in that malware analysis the malware was using some JNDI lookups. We found that interesting, we started researching that, and that led to the JNDI injection attack. As part of that attack we found some gadgets that were using setters instead of, like, magic methods in, like, Java deserialization and so on, and we found that as an entry point to the JSON deserialization attacks that we did the following year. So sometimes one thing takes you to the next one, and sometimes they are not even related, like jumping from JNDI to JSON deserialization or marshaller deserialization. So sometimes just reading a lot of stuff gives you ideas; sometimes you are just playing with something in your regular work and then you find something interesting
and you just pull the thread and find something else. So it's just, I mean, things are not going to come to you; you have to be actively reading, looking for things, and then you will always find something that is interesting, and you can pull the thread and find something more. If you just stay passive, like reading but not asking yourself why things are working in such or such other way, then I don't think that there is room for research. And my suggestion: not to be focused on the results of the talk. My career started... it's very difficult in the first year to be accepted at Black Hat or DEF CON or something like that and produce several such results. I would suggest just to be focused on something, some area which you like and you are passionate about, and follow the new research, try to understand each new novel technique, and maybe try your own thing, maybe you have ideas, and be passionate. I think, I do not know, for me it took a couple of years to get something; if your new stuff starts to give you results, then you can start to think about how to summarize this and present it to others. And just to start a career from "let's talk at DEF CON", for me it's difficult to imagine. You need to have some background in this area and produce something new, and for this you need time; not years, you need time: for somebody it's months, for somebody it's years. But still, for me, the main target is my passion in those areas, not just talking at DEF CON. DEF CON is results: if you have results, you can present them at DEF CON; if you do not have results, let's wait, let's try other directions. But you need to like this; without passion it's difficult. I love that you two said really quite different things there. In one case you have, hey, I was reading an article and then I thought really deeply about that article, but it would seem like it was something different from your previous research, and then the other answer would be, I just really like this stuff and I learned
everything I could about it. So it's nice to hear the two different sides, if not the two different sides, about how to approach a new topic and how to find something cool in it, which is probably why they work together so well and have had so much great research through the years. We have very different approaches for everything, so it's like even research is different: I'm one thing and one approach, Alvaro is a completely different approach. For example, I never read documentation before I research; it takes more time, but I have some rule: do not open the documentation. Alvaro starts with the documentation and can find something more quickly, significantly more quickly. The fucking manual, yeah, RTFM, right? Yep, yep. So, what did we not get to see during this presentation? I know you've already talked about how your presentations tend to jump around a little bit, so maybe you had the opportunity to hit more content, or whatever you wanted to present during your go, but due to time, or due to not having it fully formed in your head, what would you have liked to have put into this presentation were there more time, more ability? So there is a lot of content that is not in the actual talk, in the actual video, but it's available in the white paper that we released as part of the talk. It's simply that we were not able to fit all the content in those 40 minutes. Apart from that, that's something that just didn't fit into the time allocated for the video, I think that I would also have liked to look into other languages; we just focused on .NET and Java. Maybe for .NET I would also have looked into other content management systems that are different from SharePoint. Maybe, I don't know, I'm not really very familiar with the .NET ecosystem, but for example DotNetNuke is a potential target that we just didn't have time to look into. I agree with Alvaro. Actually we have more findings, and usually when you start to search something you have more
findings, but you need to collect them in some topic, in some scope. Of course a lot of things are out of scope, maybe for later research, maybe for some blog post, maybe not, maybe it's not interesting, something like that. It depends. If you have, like, a two-hour talk, maybe we would include some new stuff for SharePoint; there was some interesting stuff, because there was some playing with roles and other things. But I think our current white paper means the scope which we drew before this white paper and talks. And it's more interesting when you have a lot of stuff, but it's not good as well, because it's very difficult to focus on something. Even this stuff, you have two parts, .NET and Java; it's a bit different. Java has a lot of template engines, .NET has only SharePoint. It's a bit difficult to keep the audience focused for these two parts. I think if you want to include something else, maybe it's better to have a separate talk. No, no, no, not in this one; to build a new talk. Yeah, makes sense. It's nice to be able to isolate it down. We always give some sprouts, do you say that in English, like something like seeds, roads for the next talk, something that looks promising, maybe it's a new way into a new road that can lead to something. So yeah, that's also something that we normally don't include in the talks. So you're never going to retire from this, are you? There's always going to be something new and interesting to do a talk on. It's difficult, because the competition from year to year is harder and harder; a lot of new guys and a lot of old guys, and it's not easy. Let's hope that we will have the motivation and time and resources for new research. We like this; life will show. So we have about five minutes left in our scheduled time here. Is there anything that you... like, what's your call to action? Where would you direct people to keep poking at this, or what's something that, as you were hunting through all of this, that you
were like, oh, this would be something that I want somebody to look at, but maybe I don't have the background or the time? Or what's the gap? Yeah, there's your question. Yeah, so as I said, we didn't look at other languages. I know there is a lot of research around server-side template injection in JavaScript and Python, but yeah, so those are sandboxes as well, and probably those sandboxes need to be bypassed. So a good direction for people wanting to look into this area of research is looking at how these other languages implement sandboxes and maybe try to find a way to still break them. I agree with that, Alvaro. Actually we have two different languages, .NET and Java; I think if we found something similar in these two languages we can assume that many others are affected, and it's not a problem of languages, it's a problem in design, actually. It's very difficult to implement a good sandbox for these cases, I believe; it's very difficult, and there are a lot of potential areas, and we tried to highlight the most obvious of them, and I think it's a good idea to look at any places like this, in any language, in any system, in any other place. That makes sense. Well, thank you for that. If you would be so kind, you can toss us, probably in the Track One channel would be a good place for this, any place that folks can contact you later, since this is a new format. We can actually put down if there's an email address or a Twitter profile or something, or a GitHub; you could post that in the chat. Guys, I don't know if you can hear me. I can, as a matter of fact. Oh, maybe I can hear you. We might have just lost him, but you're back. Yeah, I guess I'm back, I lost all of you. Well, welcome back. So we were just chatting about whether there is a, you know, GitHub or a Twitter profile or an email or something that you... I believe you put something like that in your talk, but... Can everybody hear me well? Yeah, yeah. So my personal Twitter handle is pwntester, obviously, and
also I work for the GitHub Security Lab, where all the advisories for the different content management systems, with the details about how we were able to exploit them or break their sandboxes, are being published. Some of them have been published already, some of them are still to be published, so you may also want to follow that one. I think it's GH Security Lab. Just... yep, you could type that into the Track One channel at your leisure, and people can see it there. And that's pretty much the last of the questions I have. I want to thank you both very much for building this presentation and taking time out of your day to come and do this Q&A with us. This is what makes this community better than anything else I've ever been a part of, so thank you very much for your efforts, and I hope to see more from you folks in the near future. Thank you very much for having us, and hopefully, yeah, we can present again at DEF CON next year, and this time in person. Definitely the next time in person. Well, I appreciate it. Have a great rest of your day, enjoy the con, and to everyone watching, you should be able to see, here in the next little while, the contact information show up in the Track One channel. Otherwise we will see you for the next one. Bye everyone, have a good one.