August 6, 2020

Room for Escape: Scribbling Outside the Lines of Template Security

GitHub Security Lab Team

In a recent talk at Black Hat, GitHub Security Lab’s Alvaro Muñoz and Micro Focus Fortify’s Oleksandr Mirosh presented a vulnerability class found in Content Management Systems (CMS) such as Microsoft Sharepoint, Confluence, and Alfresco. They discovered multiple ways to achieve Remote Code Execution (RCE) on CMS platforms and eventually found more than 30 CVEs across 20 different products, by bypassing the existing mitigations. The result of their research is available in this whitepaper.

CMS are used all over the world — especially as digital communication and collaboration become increasingly essential to the modern human experience. What is the real impact of these bugs? Can any CMS user take over control of the resources of a company? And what should developers and security researchers do to better mitigate this risk? We’ll dive into some of these questions in the following Q&A with Alvaro.

Q: How severe are these vulnerabilities? Who can exploit them and what kind of damage can they do?

AM: CMS applications normally use a kind of structured document called templates to generate dynamic content. Being able to control these templates is very dangerous and it can be compared to being able to provide arbitrary code to be executed. Therefore these template systems are normally sandboxed so that users that are allowed to create templates cannot compromise the underlying servers.

In the most simple attack scenario, the attacker has access to the target CMS applications such as regular Sharepoint users being able to create their own sites and therefore being able to provide their own templates. In some cases we were able to get trial accounts on cloud-based CMS platforms and perform the attacks from our own trial admin account. These were the most interesting cases since we were able to compromise the underlying infrastructure which could have allowed us to initiate attacks against other tenants.

No matter the vector used, though, the impact is always critical since once the mitigations are bypassed, template engines can be used to evaluate arbitrary code leading to Remote Code Execution (RCE).

Q: Are these new attacks?

AM: James Kettle presented Server-Side Template Injection (SSTI) back in 2015 where he described how being able to inject arbitrary content on these template systems led to Remote Code Execution. So while the attacks are not new, our research was focused on bringing new techniques to bypass the sandboxes and mitigations, versus new approaches to find SSTI vulnerabilities.

Q: Since 2015, what did vendors implement to mitigate this threat?

AM: As James Kettle put it "sandboxes have only got tougher since." In general, the blocklist-based sandboxes have expanded their blocklists since 2015 to reduce the attack surface. In some cases, additional measures have been put in place or default configurations have been hardened to prevent arbitrary code execution. Finding techniques to bypass these sandboxes and mitigations was the focus of our research. You can think about it as bringing new techniques or approaches to bypass Buffer Overflow mitigations rather than new approaches to find them in the first place.

Q: How did you manage to bypass these mitigations?

AM: We didn't really care about how an attacker could create or modify these templates in the first place. Some of the CMS that we analyzed were vulnerable to SSTI and we were able to inject arbitrary content on the templates. In other cases a XSS vulnerability could be used to trick a legitimate user to create or modify an existing template.

As described in the whitepaper released today, we used a variety of approaches:

  • Abuse read access to sensitive server resources
  • Abuse not-so-safe elements from allowlists
  • Abuse gaps in blocklists
  • Abuse read/write access to unintentionally exposed objects and properties
  • Abuse Time of Check / Time of use (TOCTOU) vulnerabilities
  • Abuse String to Object conversion (unmarshalling)
  • Abuse flaws in the implementation of some of the sandboxes.

While some of these vectors, such as the flaws in the implementation of the sandboxes, are very specific to concrete template engines, others are generic in the sense that they work across different engines and will probably work even in future releases of these engines.

Q: What can developers learn from your research to implement more secure CMS solutions?

AM: I recommend developers and security teams to review the steps we took and try to reproduce them in their own applications. The whitepaper describes the details of all these bypasses and provides guidance to protect similar systems.

Moreover, it’s highly important to reduce the number of objects exposed to template creators to a minimum and make sure that these allowed and exposed objects cannot be used to access other, more dangerous objects.