
Critical vulnerability: Server-Side Template Injection/ RCE Attack #2677

Closed · buxu opened this issue Dec 5, 2018 · 5 comments

Comments

@buxu commented Dec 5, 2018

Describe the bug

Attackers may execute OS commands by creating/editing a template file (.ftl file type), which uses the FreeMarker lib to render the web page.

To Reproduce

Steps to reproduce the behavior:

  1. Edit a template file.
  2. Add code as shown below and click OK.
  3. View the web page; the Windows OS command was executed (tested on Windows).

(The three screenshots attached to the original report are not included here.)

Specs

  • Version: 3.0.18
  • OS: Windows
  • Browser: Firefox

@sumerjabri sumerjabri added this to Backlog in Crafter CMS v3.0 via automation Dec 6, 2018
@sumerjabri sumerjabri added this to Backlog in Crafter CMS v3.1 via automation Dec 6, 2018
@sumerjabri sumerjabri added this to the Crafter CMS v3.0.19 milestone Dec 6, 2018
@sumerjabri (Member) commented:

@buxu Thanks for finding this issue and filing a ticket.

Attack Surface

An authenticated and authorized developer can add code that runs on the preview server. This isn't an attack on the delivery system, but an attack by a trusted agent against the development tool/system they're using.

It's important to note that Crafter CMS is an author-by-the-few, consume-by-the-many system. This means a trusted developer that's authorized to develop code on this system (one of the trusted few), is intentionally developing code to exploit the preview subsystem and if their code is allowed (approved) for final go-live, it can exploit the delivery tier. See the first arch diagram: https://docs.craftercms.org/en/3.0/developers/architecture.html

Premise

  • Studio is a code and content development tool
  • Only authenticated and authorized users have access
  • Code developed in Studio and deployed in the preview server executes (as expected) on the server
  • The attacker is granted access to create/manage code that will execute on the server side

Risk

  • An authorized developer can RCE on the preview server, which can potentially be harmful

Mitigation

  • Jail/limit the preview server
  • Limit access to code to trusted developers

Code changes

  • Use TemplateClassResolver.SAFER_RESOLVER in FreeMarker to help limit what can be done
  • Use similar tactics for the Groovy machinery without limiting legitimate development

@buxu (Author) commented Dec 6, 2018

Yes, using TemplateClassResolver.SAFER_RESOLVER can prevent some classes like freemarker.template.utility.ObjectConstructor, freemarker.template.utility.Execute and freemarker.template.utility.JythonRuntime, which can be used to perform an RCE attack.
Thanks!
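The maintainer's "Code changes" item and the reply above both point at the same FreeMarker knob: the class resolver used by the `?new` built-in. The following is an added example, not Crafter CMS code, that shows the weak setting beside the hardened one so a reviewer can verify the fix on their own build. It assumes FreeMarker 2.3.28 on the classpath and uses a constructed in-memory template that only attempts to instantiate one of the utility classes named in the thread; it never invokes the resulting object, so the check is safe to run under either resolver. `SaferResolverDemo`, `newConfiguration` and `newBuiltinRefused` are names chosen for this example.

```java
import java.io.IOException;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

import freemarker.cache.StringTemplateLoader;
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

/**
 * Added example (not Crafter CMS code). Compares the three resolvers
 * FreeMarker ships for the ?new built-in:
 *   UNRESTRICTED_RESOLVER   - any TemplateModel class on the classpath may be instantiated
 *   SAFER_RESOLVER          - refuses ObjectConstructor, Execute and JythonRuntime
 *   ALLOWS_NOTHING_RESOLVER - ?new is disabled altogether
 */
public class SaferResolverDemo {

    // Constructed probe template: assigns the instantiated object to a
    // variable and stops there, so nothing is executed even when the
    // resolver permits the instantiation.
    private static final String PROBE_TEMPLATE =
        "<#assign probe = \"freemarker.template.utility.Execute\"?new()>resolver allowed ?new";

    // Builds a Configuration with the given resolver and a string-backed
    // template loader, so the demo needs no template files on disk.
    static Configuration newConfiguration(TemplateClassResolver resolver) {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_28);
        cfg.setNewBuiltinClassResolver(resolver);
        StringTemplateLoader loader = new StringTemplateLoader();
        loader.putTemplate("probe.ftl", PROBE_TEMPLATE);
        cfg.setTemplateLoader(loader);
        return cfg;
    }

    // Returns true when the engine refused the ?new call (the hardened
    // behaviour) and false when it instantiated the class.
    static boolean newBuiltinRefused(Configuration cfg) throws IOException {
        Template template = cfg.getTemplate("probe.ftl");
        Map<String, Object> model = new HashMap<>();
        try {
            template.process(model, new StringWriter());
            return false;
        } catch (TemplateException refused) {
            // SAFER_RESOLVER and ALLOWS_NOTHING_RESOLVER land here.
            return true;
        }
    }

    public static void main(String[] args) throws IOException {
        // Weak setting: the default that the report relies on.
        System.out.println("UNRESTRICTED_RESOLVER refused ?new: "
            + newBuiltinRefused(newConfiguration(TemplateClassResolver.UNRESTRICTED_RESOLVER)));
        // Hardened setting named in the maintainer's "Code changes" list.
        System.out.println("SAFER_RESOLVER refused ?new: "
            + newBuiltinRefused(newConfiguration(TemplateClassResolver.SAFER_RESOLVER)));
        // Strictest setting, usable when templates never legitimately need ?new.
        System.out.println("ALLOWS_NOTHING_RESOLVER refused ?new: "
            + newBuiltinRefused(newConfiguration(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER)));
    }
}
```

The setting lives on the `Configuration` object, so it must be applied to every `Configuration` instance the application renders templates through; one hardened instance does not protect templates rendered via another. It also governs only the `?new` built-in: the Groovy scripting side the maintainer mentions is a separate mechanism and is not covered by this resolver.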

@avasquez614 (Member) commented:

The FreeMarker fix has been implemented, as well as a Java Tomcat policy. A full Groovy sandbox will be implemented in a later version.

Crafter CMS v3.0 automation moved this from Backlog to Completed Dec 26, 2018
Crafter CMS v3.1 automation moved this from Backlog to Completed Dec 26, 2018
@behrk2 commented Apr 29, 2019

Was the 3.0.18E AMI updated with the Freemarker fix? If so, as of what date? December 26th? I don’t currently see a way to view AMI update history, so I’m just trying to determine whether or not my current instances are vulnerable (without manually attempting to reproduce myself). Thanks.

@sumerjabri (Member) commented:

Are you able to switch to 3.0.20 AMI?
https://aws.amazon.com/marketplace/seller-profile?id=6d75ffca-9630-44bd-90b4-ac0e99058995&ref=dtl_B07CQGKR6L

If not, you can patch/upgrade your AMI's binaries, see the built-in upgrade script.
