Investigation Reveals SSTI Vulnerabilities in FreeMarker Engine
Quick take - Sayaan Alam, a member of the Synack Red Team, investigated Server-Side Template Injection (SSTI) vulnerabilities in the FreeMarker template engine, revealing significant security risks associated with user input rendering and demonstrating the potential for arbitrary code execution through creative bypass techniques.
Fast Facts
- Sayaan Alam from the Synack Red Team investigated Server-Side Template Injection (SSTI) vulnerabilities in the FreeMarker template engine, commonly used in Java applications.
- The research revealed risks associated with directly rendering user inputs in templates, leading to potential arbitrary code execution and unauthorized access.
- During retesting of an application with known Persistent XSS vulnerabilities, Alam identified pre-defined placeholders that indicated SSTI risks.
- By leveraging the ?lower_abc function in FreeMarker, Alam successfully bypassed validation filters, allowing for the execution of Remote Code Execution (RCE) payloads.
- The findings stress the importance of understanding template engine documentation, employing creative bypass techniques, and the necessity of retesting to uncover overlooked vulnerabilities.
Sayaan Alam Explores SSTI Vulnerabilities in FreeMarker
Sayaan Alam, a member of the Synack Red Team, has recently conducted an exploration into Server-Side Template Injection (SSTI) vulnerabilities within the FreeMarker template engine. FreeMarker is widely used in Java applications for dynamic content rendering. The investigation highlights potential security risks associated with FreeMarker, particularly when user inputs are rendered directly within templates. This practice can lead to SSTI, where unsafe embedding of user input allows malicious code injection. Such vulnerabilities can result in arbitrary code execution, unauthorized access to sensitive data, and even remote control of the server.
Investigation and Findings
Alam was tasked with retesting a previously assessed application that featured an email template functionality for admin users. This application had already been flagged for Persistent Cross-Site Scripting (XSS) vulnerabilities. During the retesting phase, Alam decided to investigate the presence of pre-defined placeholders within the rich-text editor, which suggested a risk for SSTI.
Initial attempts to exploit SSTI with a simple payload (${7*7}) were unsuccessful, prompting further investigation into the application's functionality. Alam discovered a log that detailed all emails sent from the application, which included executed SSTI payloads. Notably, one payload designed for Remote Code Execution (RCE) did not appear in the target analytics, indicating a potential oversight in monitoring.
Upon confirming that the application utilized the FreeMarker engine, Alam conducted multiple tests with various payloads. Payloads such as ${"Hello " + "World"} and ${["one", "two", "three"][1]} produced expected outputs. However, initial attempts to execute an RCE payload were blocked by validation errors.
Bypassing Security Filters
This led Alam to research the ?lower_abc function within FreeMarker, which permits controlled encoding of restricted characters. By leveraging the ?lower_abc function, Alam successfully bypassed the validation filters, enabling the storage and execution of an RCE payload. Subsequent tests of system commands, including 'whoami' and 'pwd', confirmed the exploit's effectiveness, demonstrating the ability to execute arbitrary commands on the server.
The vulnerability was subsequently reported to Synack, validated, and accepted for remediation. Key takeaways from Alam’s findings emphasize the importance of thoroughly reading template engine documentation to uncover hidden functions that aid in bypassing security filters. The article underscores the necessity of employing creative bypass techniques when straightforward payloads are obstructed and highlights the significance of testing for SSTI in template editing functions, especially within administrative roles.
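The root cause described above (an email body supplied by an admin user being handed to FreeMarker as template source) and the remediation it implies are shown below in an added example that is not part of the original article or of the application Alam tested. The FreeMarker API calls are real; the class and method names EmailTemplateDemo, renderVulnerable and renderHardened are hypothetical, and the probe string is the harmless ${7*7} arithmetic test from the article.

```java
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

public class EmailTemplateDemo {

    // Vulnerable pattern: the user-supplied text becomes template SOURCE, so any
    // ${...} or <#...> directive it contains is parsed and evaluated by FreeMarker.
    static String renderVulnerable(Configuration cfg, String userSuppliedBody)
            throws IOException, TemplateException {
        Template t = new Template("email", new StringReader(userSuppliedBody), cfg);
        StringWriter out = new StringWriter();
        t.process(new HashMap<String, Object>(), out);
        return out.toString();
    }

    // Hardened pattern: the template is a fixed, developer-controlled string and the
    // user text only enters as DATA through the model, where it is emitted verbatim.
    static String renderHardened(Configuration cfg, String userSuppliedBody)
            throws IOException, TemplateException {
        Template t = new Template("email", new StringReader("Dear ${name},\n${body}"), cfg);
        Map<String, Object> model = new HashMap<>();
        model.put("name", "admin");
        model.put("body", userSuppliedBody); // interpolated strings are never re-parsed
        StringWriter out = new StringWriter();
        t.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
        // Defence in depth: refuse class loading via ?new and related built-ins,
        // so a source-injection slip cannot be escalated to arbitrary Java objects.
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);

        String probe = "${7*7}"; // constructed input: the same detection probe the article used
        System.out.println("vulnerable: " + renderVulnerable(cfg, probe)); // arithmetic is evaluated
        System.out.println("hardened:   " + renderHardened(cfg, probe));   // text is echoed as-is
    }
}
```

A quick retest check for this class of bug is exactly the difference the two calls expose: if a stored placeholder value comes back transformed rather than verbatim, the editor is feeding user text into the template parser.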
Conclusion
The critical nature of retesting to identify vulnerabilities that may have been overlooked or newly introduced is also emphasized. For further questions or assistance regarding these findings, Alam invites readers to connect via Twitter or LinkedIn. Additional information can be found on their personal website.
Original Source: Read the Full Article Here