Templates pose security threat for dynamic web, CMS servers

Rob Lemos Writer and analyst

Content management systems and other dynamic web applications that allow users to edit content can allow attackers to remotely execute code, if they can inject or edit the templates used to display content, according to two researchers presenting at the Black Hat Security conference today.

Microsoft SharePoint, Atlassian Confluence, and a variety of Java templating engines typically allow users to create and edit templates and protect the application by sandboxing those scripts. However, two software-security researchers have found more than 30 vulnerabilities that could allow attackers to escape template sandboxes and remotely execute code on the application's server by exploiting templates.

In their presentation at Black Hat USA 2020, the two researchers will show six vulnerabilities that allowed them to escape the template sandbox on Microsoft's SharePoint server, but they have discovered weaknesses in many more products, said Oleksandr Mirosh, one of the presenters and a security researcher with Micro Focus's Software Security Research division. The other presenter is Alvaro Muñoz, senior security researcher at GitHub. 

Here's what your team needs to know about this exploit.

Who's at risk?

The researchers conducted a security analysis of Microsoft SharePoint, finding ways to combine implementation and design flaws to create six unique remote code execution (RCE) vulnerabilities.

"We think examples of such problems might be found in various products and frameworks and not only in CMS systems. Anyplace where an attacker is able to create or modify templates of dynamic content might be under the risk of such attacks."
Oleksandr Mirosh

In their Black Hat briefing, the researchers plan to show how to find and exploit such vulnerabilities, as well as issues in more general templating engines.

"[These templating engines] support a subset of programming language capabilities such as method invocation and property read/write, which may be abused to execute arbitrary code. Because of that, they are normally sandboxed so content creators can't execute arbitrary code on the underlying servers. These sandboxes are not perfect and in this research we were able to escape all the ones that we analyzed."
Alvaro Muñoz

A significant issue for the development teams behind these systems is that the security review of an application that relies so much on user-provided content is difficult. SharePoint, for example, is highly customizable and can be used for a variety of information sharing tasks, such as document management, bug tracking, or as a content management system. Because the system allows users to upload dynamic web (ASPX) pages and stores information in an SQL database, the two researchers analyzed protected application pages and user-customizable site pages.

Understand the exploit

The exploit techniques require the attackers to be able to control the contents of a template. This could be through exploitation of another vulnerability, such as server-side template injection (SSTI) or cross-site scripting, or could involve attackers who already have a user account that gives them some access to the templating functionality.

"Our research focused on bypassing the sandbox controls once the attacker is in, not in getting that access in the first place."
—Alvaro Muñoz

A key security weakness in many templating systems is that they allow nested properties without a strict hierarchy, which makes validating the relationships between different properties difficult and could allow attackers to take advantage of properties that have a security impact.

One of the six SharePoint vulnerabilities abuses write access to properties to set the Active Server Page Extended (ASPX) markup, while another, more complex vulnerability abuses read access to allow code from an external server to run.

Beyond the immediate threat

Template-engine attacks also pose a potential threat to other applications running on a multi-tenanted system, the researchers say.

In today's multi-tenancy ecosystems, remote execution "often implies that a co-tenant on the same system can take over control of the CMS resources on which your organization relies," the researchers stated in their paper.

Companies that use Java template engines—such as FreeMarker, Velocity, JinJava, and Pebble—also have to beware. The two researchers found that such engines have the same security issues as content management systems.

For the most part, the vulnerabilities require vendors to fix and harden their products against such attacks. There is not a lot that IT organizations can do to protect against such templating attacks, except to continue to build a mature security program.

How to mitigate risk

Customers should "focus on general approaches" such as ensuring proper patch management, avoiding insecure configurations, and following the principle of least privileges, Mirosh said.

"The ball is more in the field of vendors of such servers [and] services. Those vendors should perform security review and testing for risky features, and we hope that our work can help to identify potential problems in their products."
—Oleksandr Mirosh

Fixing those bugs may not be easy, however. Reproducing the researchers' steps may reveal thousands of potential vulnerabilities, said Muñoz.

Some of the bugs reported are easy to fix but some are not; removing some of the attributes or objects from the template APIs may break backward compatibility, he said.

"[There] may be thousands of objects unintentionally exposed, and many of them may lead to RCE, so blacklisting them may be similar to playing whack-a-mole!"
—Alvaro Muñoz

Muñoz recommends that companies encapsulate all their exposed objects in wrappers that only expose desired and controlled attributes. 
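The allow-listing wrapper Muñoz recommends, contrasted with the unrestricted nested-property walk described in the "Understand the exploit" section, as an added Python example that is not code from the researchers, Microsoft, or any of the template engines named in this article. The `{{ a.b.c }}` syntax, the `Wrapper` class, the `User`/`Account` model and the token value are all constructed for illustration; a real engine would apply the same rule at its property-resolution hook.

```python
import re
from dataclasses import dataclass, field

# Constructed model: template authors should see a user's display name and plan,
# but never the account's secrets or any callable on the object graph.
@dataclass
class Account:
    plan: str = "free"
    api_token: str = "CONSTRUCTED-SECRET-TOKEN"  # constructed placeholder, not a real secret

    def rotate_token(self) -> str:
        self.api_token = "ROTATED"
        return self.api_token

@dataclass
class User:
    display_name: str
    account: Account = field(default_factory=Account)

# Minimal template syntax: {{ dotted.property.path }}
EXPR = re.compile(r"\{\{\s*([A-Za-z_][A-Za-z0-9_.]*)\s*\}\}")

class TemplateError(Exception):
    pass

def resolve_naive(root, path):
    """Unrestricted property walk: any attribute reachable from the root object,
    including secrets and methods, is exposed to whoever controls the template."""
    obj = root
    for part in path.split("."):
        obj = getattr(obj, part)
    return obj

class Wrapper:
    """Exposes only an explicit allow-list of attributes. Nested objects are
    re-wrapped with their own allow-list, so a traversal can never step outside
    the hierarchy the application declared (the strict hierarchy the article
    says many engines lack)."""
    LEAF_TYPES = (str, int, float, bool)

    def __init__(self, target, allowed: dict):
        self._target = target
        self._allowed = allowed  # name -> None for a leaf, or the child's allow-list

    def get(self, name):
        if name not in self._allowed:
            raise TemplateError(f"attribute '{name}' is not exposed to templates")
        value = getattr(self._target, name)
        if callable(value):  # defense in depth: never hand a method to a template
            raise TemplateError(f"attribute '{name}' is callable and cannot be exposed")
        child_allow = self._allowed[name]
        if child_allow is None:
            if not isinstance(value, self.LEAF_TYPES):
                raise TemplateError(f"attribute '{name}' is not a primitive leaf")
            return value
        return Wrapper(value, child_allow)

def resolve_wrapped(root: Wrapper, path):
    """Walks the path through Wrapper.get; every hop is checked against the allow-list."""
    obj = root
    for part in path.split("."):
        if not isinstance(obj, Wrapper):
            raise TemplateError(f"cannot traverse into leaf value at '{part}'")
        obj = obj.get(part)
    if isinstance(obj, Wrapper):
        raise TemplateError("expression must end in a leaf value")
    return obj

def render(template: str, root, resolver) -> str:
    """Substitutes each {{ path }} with the value the resolver returns."""
    return EXPR.sub(lambda m: str(resolver(root, m.group(1))), template)

def safe_render(template: str, root, resolver):
    """Rendered string, or None if the resolver rejected an expression."""
    try:
        return render(template, root, resolver)
    except TemplateError:
        return None

# The application decides, once, exactly which properties a template may read.
USER_VIEW = {"display_name": None, "account": {"plan": None}}

if __name__ == "__main__":
    user = User("Alice")
    # Naive resolver leaks the token through a nested property chain.
    print(safe_render("token={{ account.api_token }}", user, resolve_naive))
    # Wrapped resolver renders the allowed view and rejects everything else.
    view = Wrapper(user, USER_VIEW)
    print(safe_render("Hi {{ display_name }} ({{ account.plan }})", view, resolve_wrapped))
    print(safe_render("{{ account.api_token }}", view, resolve_wrapped))
    print(safe_render("{{ account.rotate_token }}", view, resolve_wrapped))
```

The point of the design is the one Muñoz makes: the allow-list is small and positive, so adding a new object to the model exposes nothing until someone deliberately lists its safe fields, whereas a blacklist has to keep up with every new attribute, method and nested object that appears.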
