 Hi, welcome. Thanks for attending our talk. This is room for escape scribbling outside the lines of template security So my name is Alvaro Muñoz, also known as Pond Tested in the social media I'm a security researcher with the github security lab and with me my colleague Alexander Mirage Also known as Oleg Mirage in Twitter and he is a security researcher with micro focus fortified team so today we will be reviewing the security of content management systems or CMS and Basically, we will be focusing on the security of the template systems that are used by CMS's So a content management system is basically an application that is used to manage different types of web content So that users can actually create, upload and publish different type of content So normally this content is based on some structures and some kind of Documents called templates which are used to generate and create dynamic content So these templates normally allow a subset of different programming language capabilities So they are powerful in the sense that they can be used to run an arbitrary code Because of that, they are normally sandboxed in order to prevent arbitrary code execution and remote code execution So our research will focus on both .NET and Java based content management systems Because these are the languages that are more prevalent across enterprises And our assumption is that the attacker can control the templates So we don't really care about how the attacker gets control of these templates in the first place If it's through a server-side template injection Or if it's maybe through our cross-site scripting that allows him to submit arbitrary templates in the in behalf of someone else Or maybe they have permissions like if you are a user for example in SharePoint If you have an account in SharePoint, you are allowed to create your own sites and content So no matter how the attacker can edit the content of a template Our research will focus on escaping and breaking all the mitigations put in place to prevent arbitrary code execution So we will first start with .NET Basically we will focus on SharePoint We will present five different ways we were able to break the sandbox used by SharePoint to prevent arbitrary code execution And then we will move into the Java part Where we will present four different template engines including the most popular ones such as Velocity and FreeMarker And then we will present 10 different content management systems and we will try our bypasses on them So we will wrap up with some takeaways and conclusions and then open the floor for Q&A So let's start with the .NET part Thank you, Arvaro In this part of our presentation we will present different types of security problems in content management systems We will give examples of them in SharePoint But before that we need to explain some basics of SharePoint security SharePoint has two types of ASPX pages The first type is application pages Each of these pages are a part of SharePoint server and implement some application logic They are stored in specific folders on the file system Of course users are not able to chain them They have ASPX pages and are processed by server without any restrictions In opposite to them there are side pages They are stored in database and they can be customized even by users SharePoint parts with them in special mode also known as safe mode Actually they are more like some sort of templates for presenting dynamic content On this slide we can see a diagram how server works with these pages Virtual provider can fetch content from file system or database Based on the virtual path of the current page, ASP page parts virtual will decide either It is side page and safe mode should be applied Or it is an application page and it will be processed without any restrictions So page filter is critical element from security design Let's have a look on simple of ASPX page For our attacks we are only interested in server side components For example directives There are special instruction on how server should process the current page Often they have some number of attributes We can include server side code either in special blocks or as embedded server side code To be processed by server, control should have the runaut server attribute The next our element is server side common block It is ignored by server And server side include directives allow us to include raw content of arbitrary file Now we can better understand what safe mode means Safe page will not be compiled so we cannot use server side code We are not able to include files from file system We can only use allowed controls This list is defined in safe control section of web config file Page filter also applies an allow list for directives and even for attributes of most of them There are many other restrictions For example event binding is blocked as well As we can see it is a set of quite strong restrictions How it can be bypassed As we know safe mode is enforced by page filter So our first question was Either any place where SharePoint does not use it And answer yes there are such places Page filter will not be applied for the content argument of the parse control method If it's called only with one argument Or if the second one that actually has name ignore parse filter is true In addition page filter is used at rendering time But is ignored at design time But even if page filter is not applied SharePoint uses another way to verify the input It is verify control on safe list method from editing page parse type That aim to do the same task at the original page filter Block, markup with unsafe elements But let's imagine for a second that we are able to bypass either this method or page filter By the way each such bypass is separate vulnerability And we will present them in a few minutes So how could we get remote code execution after escaping into the safe mode Remember since parse control method never goes compilation We are not able to use server-side code or perform any other attack that require compilation But if we escape safe mode we can use unsafe controls or directives Let's review several of them One of the most interesting unsafe controls is object data source It allows us to invoke public methods from arbitrary public type We can see an example of payload that uses start method from process type to launch calculator So actually it is arbitrary code execution, jackpot But let's review a couple other unsafe controls XML data source and XML controls allow us to get content of arbitrary XML files The similar results we can get by server-side include directives that return us content of any text files Let's see how we can escalate from arbitrary file read to arbitrary code execution If we can access web config file we will be able to get validation queue from machine key section By the way this value may be present in other places such as internal share point properties We will see this example a bit later With validation queue we can generate a valid view state that will execute arbitrary code commands On the target server we can use tools such as user-serial.net for this Now when we know what safe mode is and how we can compromise share point server if we did bypass We can move to our next part of this talk Here we will present five different types of security problem in content management system We will show examples of each type in share point We would like to stress here that our target is share point server with default configuration All vulnerabilities allow us to execute arbitrary code on the target And all attacks were performed by regular user, no admin rights were needed Let's start The first type of security problem is access to resources with sensitive information It can be configuration or business information in various files, logs, database or even process memory Of course proper sandbox should prevent this problem, but it is not always the case We already mentioned that page filter block server-side includes directives And verify control on safe list method should do this as well and actually it does But if it's called with false in block server-side includes argument it will not block them And we found such usage of this method it was used for design mode The next building block for our talk how we can provide our markup for this mode We can send it in web part XML parameter of the render web part for edit method of the web part page services So we can try to include web config file there Here we can see the full payload for the mentioned parameter and address relevant web services Server returned us the entire web config with validation key We used it for view state-based digitalization attack which led us to executing arbitrary OS command on the server Time for our next type of security problems in content management system A loud dangerous element that can be used for attacks We have found an example in SharePoint's safe control list Or should we call it not so safe control list in this case It is contact link suggestion micro view control We can see snippet with interesting code from its implementation where request parameter is passed to data set read XML method If we can control input for this method we can get our data deserialized by XML serializer with control type We already showed in one of our previous work that in this case we can get arbitrary code execution Unfortunately this payload is too big for slides but you can find it in our white paper The last piece of the puzzle is our site page with this dangerous control You can see it on this slide For the attack we just need to place the payload into the text box and click on submit button And desired command will be executed on SharePoint server For us the next type of security problems looks quite interesting So we will explain it with more details and present two separate examples from SharePoint server Dynamic content usually means that we will have at least read access to some properties or attributes of some objects For some system like SharePoint we can even write values there Of course, sandbox should filter out the access to dangerous property or attributes Let's review basic type of such filtering The first case is when only one level of properties or attributes is allowed We can see examples on the slide Name property of user object or select value from menu We can imagine the object and its properties like a branch with only leaves If an allow list is applied it is relatively easy to review all elements And after such review we can make sure that there is no dangerous elements What if block list is used instead? We still need to verify available objects and it can be a bit difficult So in general we do not consider block list as a safe approach because of potential gaps there We will see in Java part a couple of examples of such bypasses The most interesting case for us is when access to nested properties or attributes is allowed For example request.authuser.name or menu.selecteditem.text Because of branch leaves analogy many developers may imagine this case as branch with branches and leaves And they may apply a filter only for the first level objects But it is not true, it is network And we may jump from one branch to another branch or even to the trunk For example on the slide we can see how we can access application instance from menu web control Let's illustrate this problem by examples from SharePoint There is wiki content web path control It is allowed and can pass our markup into the parse control method Please note it is called with false value in ignore parse filter argument So page filter will not be ignored The following snippet shows that in this case the virtual path will be created from a relative virtual path property And if you remember page filter will apply restriction based on this virtual path If we are able to change it we can full the page filter to not apply any restriction to our markup Let's try to graph such payload First snippet fails because when ASPX parser tries to assign a new value to a relative virtual path The page property of our control is not defined yet So we need to delay this assignment a little bit We can do this by data binding So by the time the property is bound the page property will be already defined Here is our final payload We can notice that our new path points to application page setting ASPX It is assigned to tooltip property and later will be transferred to a relative virtual path So the page filter will think that this is system page and will allow any unsafe markup For example we can use object data source control to start calculator Let's see how the real attack may look We can see a site page with our payload Path to system page it will be assigned to a relative virtual path Unsafe markup contains object data source control We will invoke start method of the process type and will start calculator Let's save it here For our tag we need to upload it to the target server In our case it's share point with default configuration That means regular user have access to their own personal sites And we can use them to host our site page We are ratificated as regular user with name attacker Sneaky isn't And here is his personal site Let's upload our page here Now to trigger our tag we just need to click on it But before that let's take a look on the right slide of our screen We can see task manager on our share point server And we will notice if calculator start Now let's start our tag and here is our calculator Let's move to our next vulnerability in share point Now we will try to exploit read access to nested properties We will use control parameter It allows to bind value of property from another control to select parameter Also it supports nested properties We need to deliver value of target property back to us To do this we will use XML URL data source control That sends value of select parameters to external server Now we need to find accessible property with sensitive information Here we should expand a little bit configuration process of share point online servers Obviously they are installed and configured automatically But what about configuration parameters that are unique for each installation? They will be provided in special file that will be used for unintended configuration What is important for our tag? All such parameters including validation key will be stored in initialization setting property So we just need to find a path of nested property to it from any allowed control And here it is Here is the whole page that will send value of validation key to attackers.server.com With this value we successfully got arbitrary code execution by unsafe desalization in view state Now let's move to the next type of security problems It is connected with our previous work on unsafe desalization Such kind of problem are relevant when text or binary data is converted to an object And the type or class of this object is under attacker control Plus it is not properly limited Actually it doesn't really matter what mechanism is used Classical desalizers, JSON and marshallers, type converters or even some custom approaches All of them are potentially dangerous For successful exploitation attacker just may need to find proper gadget on the system We have found examples of such problems in share point And were able to perform arbitrary code execution tag using it But patch is not available yet So we are going to publish all details of this problem when fixed is a list The last type of security problems in this part is the classical time of check to time of use problems They occur when the server invalidates some input But this input is later changed before the server uses We have found such problem in web part editing surface page User input is validated by the already mentioned verify control on safe list method But later the server may modify the input and remove substring that marshes specific regex pattern Let's look on the next input For validation control on safe list it is just one server side common block So it will pass validation But share point removes the highlighted yellow substring And parse control will see two comments and some markup No, parse control has only one argument so page filter will be ignored Time for our payload We can notice our unsafe object data source control and calculator command In this part of our talk we saw multiple ways to achieve arbitrary code execution On the share point server by regular user These vulnerabilities revealed five different types of security problems in content management system Now let's switch back to Alvaro and he will present even more vulnerabilities with templates for dynamic content in different Java frameworks and products Thank you Alexander So switching to the Java part we will be reviewing four of the most popular Java template engines Including FreeMarker, Velocity, Pebble and GeneJava And also we will be reviewing ten different content management systems that are using these engines And then we will be trying our bypasses on these content management systems So a brief introduction into what template engines are Basically these are systems that take two different inputs One is the template where we are mixing static and dynamic expressions And also the template context where we store objects that are required by the engine in order to resolve the dynamic expressions in the template So for example here we have the user.name expression In order to resolve it we need to get access to the user object in the context and then invoke the get name method So because it's invoking Java methods it's basically dangerous in the sense that attackers can execute arbitrary Java code And that's the reason why most of them are sandboxed in order to prevent arbitrary code execution So apart from the objects that are normally and directly used by the template There are a number of other objects that are exposed as part of a template API that is normally provided by the content management systems Which basically provides objects such as for example the request, the response, the self led context or even the STTP session So those objects are available in most of the template APIs and also many more that are part of this API So we will be discussing first some genetic bypasses That means that are independent of which engine is used No matter if it's a free marker, velocity, Pebble or Jinjava So those bypasses are based on finding different objects that we can use to get arbitrary code execution So we need to inspect the template context and look for these kind of objects So in order to do that if we have access to the JVM we can basically debug it or we can instrument it Dump the template context and inspect and analyze all the objects in there However if we don't have access to the JVM we will have to read the template API documentation Maybe do some brute forcing in order to guess names like for example request or REC or response REST and things like that And also in some of the engines like for example free marker it is possible to list all the variables or objects that are exposed in the context So apart from those objects that are directly exposed to the context we have some objects that are indirectly exposed Like for example if we are exposing the HTTP session because it contains some attributes All of those attributes will be available for the users and attackers to access and use Same thing with the servlet request and same thing with the servlet context So those are stores of attributes, stores of objects that the attacker can get access to and use to look for interesting objects So let's see how many objects we can find in one simple content management system In this case it will be live ray and in order to do that we will be generating this template that I'm showing you Which basically is listing all of the context variables, then all of the request attributes Then we will show all the session attributes, then the servlet context attributes And because the servlet context will expose the spring framework context We will be also listing all of the spring beans or the objects registered in the spring context So if we render that you will see that we have a bunch of objects directly exposed to the context Those are part of the template API and some of them are very interesting Others are exposed as part of the request attributes, session attributes and servlet context attributes So as we can see here we have interesting objects like an instance manager Or for example the web application context for a spring that we used to list and access all the spring based So as you can see there are hundreds and thousands of objects here There is a total of almost 900 objects and because some of them will have public fields that we can get access to Then this number will increase to thousands of objects So back to the slides, this is why we call it object dumpster diving because this is how we felt When trying to find very few interesting objects that can lead to remote code execution among thousands and thousands of objects So now we will be reviewing the top three objects that we found that lead to remote code execution So for example the first one, the class loaders was available in 10 out of the 10 content management systems that we analyzed So normally you can get access to this class loader instance through the get class loader method in the class type But that is normally blocked by any block list by any sandbox So you can still get access if you get access to a protection domain or a servlet context as we saw before So once that you get access to a class loader you can obviously load arbitrary classes and then also load arbitrary resources from the class path But apart from that you get access to a URL object and then from there you can access any file from the file system that the application server has permissions to access So here you have an example, you get the URL using the get resource method and then you point the URL to the password file And then you open a connection and read all the bytes from that file So apart from the standard class loaders because content management systems are normally deployed on top of servlet containers or application servers The instance of the class loader that you will be able to access is normally an instance of a web application class loader That are slightly different because of the way that class loading delegation work But also because they expose a number of additional methods that are not part of the abstract class loader class So here are just some examples, just mentioned because we don't have time to cover them in this talk Although it's explained in the white paper that we are publishing as part of this talk There are different ways of using these methods in this web application class loader to get remote code execution Just to mention some of the vectors, we will be able to upload web cells, instantiate arbitrary objects, perform JNDI injections Or even initialize attacker controlled classes So we were able to find web application class loaders in 9 out of the 10 content management systems that we analyzed And then the second most easy to find object in this template context was the instance manager or the object factory So this was found in 9 out of the 10 content management systems and is normally found as part of the servlet context attributes But also it can be accessed through one of these web application class loaders So if you get access to an instance manager what you can do is basically instantiate arbitrary types So with that it's very easy to escalate to remote code execution Here we have an example using the script engine manager But there are a bunch of classes that can lead to remote code execution Once that you can instantiate them and then invoke arbitrary methods on them So the number 3 object was a spring application context It was only available in 4 out of the 10 CMSs that we analyzed Actually the only 4 that were using the spring framework underneath And it's normally accessible through one of the servlet context attributes But also if the content management system is using a spring MVC framework for the model, controller and view layers Then a spring will inject some additional objects in the template context Like this spring macro request context that will provide access to the spring application context So once that we have access to the spring context we can get an instance of a class loader And initiate a class loader based attacks like we saw before We can access the spring environment that will give us access to the system environment And also the system properties and also spring properties including things like encryption keys and so on But probably more interesting it will give us access to the spring pins registered in this spring application context So being able to access and manipulate those pins we can basically control the application logic And do things like register need users, delete users, perform transactions Anything that the application is normally doing So that's normally behind an authorization layer So no matter what roles we have we will be able to perform this kind of application logic control So apart from that we will also be able to disable the template engine sandboxes If we are able to get access to the template engine configuration pins And also instantiate arbitrary objects like we will see later by accessing JSON or XML and martial arts So those were like genetic bypasses independent of what template engine was used underneath And now we will be reviewing some specific sandboxes bypasses for each of these four different template engines So we will start with free market because it's probably the most popular one And also because well it was analyzed and researched by different researchers in the past Like for example James Kettle back in 2015 when he presented server side template injection vulnerability class By the way if you haven't watched this talk it's highly recommended He presented a bypass that is based on kind of add-on or module that is deployed on the default configuration of free market So Tony Torralba last year presented a different bypass but this one is not universal in the sense that it depends on a non-default configuration of free market And also being able to find gadgets in third-party libraries that may or may not be available in a specific target Then Ryan Hansson this year probably at the same time that we were doing this research presented a vector that leads to remote code execution by uploading a web sale But this is not universal in the sense that it only works with Tomcat servers So free market sandbox is a method based block list Which basically means that for example methods like the get class loader method in the jabbaland class is blocked And you cannot get an instance of a class loader using this method But as we mentioned before you can still use the template context or the protection domain to get access to these class loaders Once that you get access to a class loader the class loader methods are not blocked by the block list So you can still interact with them load classes get resources or initiate remote code execution attacks that we saw before And also reflection is forbidden to set fields values but is allowed to get and read field values So we use that to perform an attack but this attack is not universal in the sense that it depends on being able to find an instance of a URL class loader So this is normally the case in Tomcat class fees and Yeti but it's not universal for other application servers So in this case we are basically getting the URL class loader from the protection domain or from the self-led context And then we are basically instantiating by invoking this new instance method A new URL class loader that is pointing to the attacker control jar file in this case the pond.jar file Once that we get access to this class loader we can get a load arbitrary classes from our own jar file And we will be loading the pond class and now the class is loaded but it's not initialized If we want to run arbitrary code we need to initialize the class We cannot instantiate the class we cannot invoke static methods So those vectors those ways of initializing the class are not a possibility for us But we can get access to public static fields So just by adding a public static field and getting access to that the class will be initialized and the payload will be executed So that was not a universal bypass in the sense that we are required to find an instance of a URL class loader And we want to find something that works no matter if we are able to find that kind of class loader or not So we are interested in finding some classes that contains public static fields of a given type Which contains a method that we can use to instantiate arbitrary types To find them we use codeql which is a language that you can use to query your source code in the same way that you use for example sql to query a database And what we wrote was this query that basically says okay find me all the public static fields which are of a given type that can instantiate arbitrary types We run this query on free market source code and we found four different results Those are four different fields of different types but all those types extend from the pins wrapper type Which contains a new instance method which we can use to instantiate arbitrary types Now this is the universal remote code execution bypass for free market Basically we need to get access to any type of class loader from either the protection domain, self-reliate context And then load the object wrapper interface and get the default wrapper field from this interface And then we can use that to instantiate arbitrary classes Since we want to have this payload basically contained in free market classes We are using the execute class in order to run arbitrary system commands But you can use other payloads, other classes to get arbitrary code execution So this was fixed in version 230 of free market And also if you get access to the spring pins and you can get access to the free market configuration As we saw in some of the content matching systems that we analyzed You can basically disable the sandbox For example you can get the class resolver for the default configuration that is non sandboxed And then set that class resolver as the class resolver for the current and sandboxed configuration So effectively disabling the sandbox and being able to execute the old payload from James Kettle once again So now we will be reviewing eight different ways to escape the sandbox and get remote code execution in LiveRay So let's see our LiveRay instance here And what we will be doing is basically using this template And here what we are going to do basically is first of all we are going to use the class loader payload Which will allow us to read the password file using the url trick that we explained before Then because the instance of the class loader is a web application class loader We will be using that class loader to upload a web cell by using the write method This will be available in the shell jsp file Then we will be also using the web application class loader to get access to an instance manager And then instantiate arbitrary classes, in this case we are instantiating an expression language processor And then running the id process Then we will be also showing different payload that depends on using an instance manager This time is taken from the self led context And again we are using the el processor to run the id command And then we will be using a JSON digitalizer as an instance manager in the sense that we will be using that to instantiate arbitrary types We will be getting access to the JSON digitalizer from the spring application context And because this JSON digitalizer uses a wide list and allow list here We need to register or we can actually register any arbitrary types for us to use in the JSON payload So now by digitalizing this JSON payload we are effectively instantiating an el processor And then again running the id command Same thing but instead of getting the JSON digitalizer from the spring bin context Live ray directly expose this JSON factory URL which we can use to create a JSON digitalizer And then once again use that to instantiate arbitrary types And then we will see the two free market specific bypasses that we explained A few minutes ago the first one is using the URL class loader that is the case here Because live ray is deployed on Tomcat And then we can basically access our own jar file loaded And then by getting a public static field the class will be initialized and the payload will be executed And we will be able to check the output of this payload by checking the standard output And the last payload that worked in live ray actually there is a couple more But it was more than enough Is this universal RC So we are loading the object wrapper interface Loading the default wrapper field and then using that field to instantiate arbitrary types In this case the execute type that we will be using to run the id So now if we save this template and we will be showing the results of these payloads The first one was reading the password file The second one was deploying a web cell that we can now access and run arbitrary commands The third one was using different methods to run the id command As you can see here all of them worked So also the URL class loader was basically running the static initializer block of this class Which is basically printing pond in the standard output console We can check that Here it is so it worked And back to the payloads The universal RC payload also worked as we can see here So switching to the velocity sandbox This one is based on a class and package based block list So things like for example the whole java lang reflect package is forbidden And you can get access to it All the methods in java lang class and class loader are also blocked And you cannot use them But when we reviewed the implementation we found that there is a flow in the way that this sandbox is checking the block list So for example when you run the request sublet and then you get access to a class loader And run the load class method Basically the execution of this method will be checked against the block list And the class name of the current class loader will be checked against the block list Instead of checking the whole hierarchy of classes Only the current object class will be checked against the block list Which means that because java lang class loader is an abstract class It won't never be the case that the current object class will be a java lang class loader In this case is a parallel web app class loader Which is not present in the block list And therefore class loader methods are effectively allowed There is a feature in velocity which allows you to invoke static methods from a java lang class object So once that we are able to load a class We can just invoke any static method and use that to get remote code execution easily So now moving to Jinjava sandbox This one is based on a method block list This is actually very short, only nine methods And what it contains is a piece of code that is pretty effective in protecting the sandbox So every time that method invocation happens as part of the evaluation of the template The result type will be checked And if it's an instance of a java lang class Then it will throw an exception and it will refuse to return a java lang class instance By not being able to get in access to arbitrary classes We are normally not able to get or to be able to instantiate arbitrary types However, we found a flaw As you can see here The invocation of a class cannot return a java lang class instance It can return an array of java lang classes or a map Including java lang classes So what we can do is find a method Returning an array of classes and then accessing any arbitrary item of this array So the second part of this bypass Was basically being able to access a secret or hidden variable in the context That is called underscore underscore underscore interpreter in liter speech So by using this hidden variable we were able to access a bunch of different objects Including all the context objects And we were able to use those two parts to get an instance of a class loader So as you can see here we use the interpreter to get the context And from the context we got all the functions And from the functions we got the underlying methods Which are instances of java lang reflect method And this class contains this get parameter types method Which returns an array of java lang classes So as I explained before We are able to get an instance of any individual item of this array And by doing that we are finally getting an instance of a java lang class From there we can get the protection domain, get the class loader And then initiate any class loader based attack So last we were able to find a couple of bypasses that we reported to the maintainers Unfortunately they didn't have time to fix them on time So we decided not to leak these bypasses yet And we are keeping them classified for a few months So with that we will switch back to Alexander who will wrap up the talk with some conclusions Thank you Arvaro First of all let's summarize our results after this research More than 30 new vulnerabilities were found and reported to the vendor More than 20 different products are affected We can see their names on this slide Based on these results we can make the next conclusions These are not the problems of specific product or framework And content management system as a class should be on red team radar Templates for dynamic content that can be managed by user is the main target for such system There are specific areas with higher risk from security point of view It's a good idea to perform security review and testing for such places Always try to reduce attack surface as much as you can And stay safe