Search This Blog

Showing posts with label CMS. Show all posts

Zero-day Exploit Detected in Adobe Experience Manager

 

A zero-day vulnerability in a prominent content management solution used by high-profile firms such as Deloitte, Dell, and Microsoft has been found. 

The flaw in Adobe Experience Manager (AEM) was detected by two members of Detectify's ethical hacking community.

Adobe Experience Manager (AEM) is a popular content management system for developing digital customer experiences like websites, mobile apps, and forms. AEM has become the primary Content Management System (CMS) for many high-profile businesses due to its comprehensiveness and ease of use. 

The flaw allows hackers to bypass authentication and obtain access to CRX Package Manager, making applications vulnerable to Remote code execution attacks. It affects CR package endpoints and can be fixed by denying public access to the CRX consoles. 

Detectify spokesperson stated, "With access to the CRX Package Manager, an attacker could upload a malicious package in Adobe Experience Manager to leverage it to an RCE and gain full control of the application." 

Ai Ho and Bao Bui, members of Detectify Crowdsource, initially detected the vulnerability in an instance of AEM used by Sony Interactive Entertainment's PlayStation subsidiary in December 2020. Three months later, the AEM CRX bypass was discovered within various Mastercard subdomains. The issues were reported to Sony and Mastercard at the time. 

Mastercard, LinkedIn, PlayStation, and McAfee were among the prominent companies affected by the flaw, according to the members of Detectify. 

A Detectify spokesperson explained: "The CRX Package Manager is accessed by bypassing authentication in Dispatcher, Adobe Experience Manager’s caching and/or load balancing tool. Dispatcher checks user’s access permissions for a page before delivering the cached page and is an essential part of most – if not all – AEM installations. It can be bypassed by adding a lot of special characters in combination in the request." 

Bao Bui, a security researcher and former CTF player of the Meepwn CTF Team, began hunting bug bounties around a year ago. Ai Ho, a security engineer, and developer, has been involved in the bug bounty industry for two years, developing and releasing his own bug-catching tools on GitHub. 

Adobe was notified of the zero-day problem and quickly issued a patch. 

On Detectify's platform, the AEM CRX Bypass zero-day was then implemented as a security test module. "Since it went live in May 2021, around 30 instances of the AEM CRX Bypass vulnerability have been in customers’ web applications," added a Detectify spokesperson. 

So far, Detectify's scans for over 80 specific AEM vulnerabilities have produced over 160,000 hits.

SQL Triggers Used by Hackers to Compromise User Database

 

Over the past year, a broader pattern of WordPress malware with SQL triggers has occurred within infected databases to mask intrusive SQL queries. Whenever the trigger condition is fulfilled, these queries insert an admin-level user into a contaminated database. Users can use a MySQL database to store essential data, including CMS settings and a common CMS is used on their website (such as WordPress). Something that might change the MySQL database is whether injecting harmful code or removing the content of your Website, could also do severe harm to the website. 

Potential for protection is one factor why the MySQL database has its own unique username and password, which will deter someone from checking the MySQL database manually without the required login details. Unfortunately, if attackers have unauthenticated access, they can also read a wp-config.php file to understand the website's database authentication credentials — which can then be used to connect to the database using code from the attacker and malicious adjustments. 

An intruder with unwanted access to a website, who would like to create a permanent loophole if the files of the Website are washed, is indeed an example from real life.

An intruder's approach is to set an admin user in the CMS database of the website. Usually, these can be conveniently found in the administrative dashboard or SQL client. The unauthorized admin account is a loophole outside of the website and in the directory of the webserver. This knowledge is critical since owners of a compromised website will also forget the index. However, the exclusion of suspected users from the database of the website does not entail the removal of any potential backdoors. 

A SQL trigger is an automatically stored process that runs when certain database modifications are introduced. While there have been several useful implementations, that bad actors use SQL triggers to retain unwanted access after a compromise. To achieve this, attackers are placing a SQL trigger in a compromised website database and malicious activity is performed if specific conditions have been reached or an incident happens.

If attackers breach a site, they will bet on any database passwords that are stored in wp-config or other CMS configuration files — and once the hacker has obtained the data at any post-infection period, it can be extremely hard to identify if the hacker has harvested any valuable information. Users must change passwords, including the databases if a breach occurs. Failure to pursue this post-hack phase will allow an attacker to enter and change the website even after the user has assumed the infection was removed.