Resource Plugin Vulnerability




Lightning Talk 
[GUM] groovy.mn
April 8th 2014

@ColinHarrington

CVE-2014-0053

INFORMATION DISCLOSURE 

IN GRAILS APPLICATIONS

What?


Resources Plugin 1.0.0 -- 1.2.5

Grails 2.0.0 -- 2.3.6

When?



Feb 16th 2014

Feb 19th 2014

CVE-2014-0053 published



Feb 20th 2014

Mailing List Announcement
Vulnerability disclosures


Default Config.groovy fixed:
https://github.com/grails/grails-core/commit/2d5d2a8b3e40111412051dbbeb32eae005fdcf35

How?


/static/WEB-INF/... 

Anything in these directories (within your WAR)

imagination.use {
    //Sensitive Information
    //Entire Codebase
    yourBase.all.belongsTo(us)
}

http://grails.org/static/WEB-INF/classes/UrlMappings.class

Reproduce (prior to Grails 2.3.6)

$ gvm use grails 2.3.5

$ grails create-app vuln

$ cd vuln

$ grails compile

$ grails run-war 

curl http://localhost:8080/vuln/static/WEB-INF/classes/UrlMappings.class

Why?



Configurable Pipeline 


Redirect ad-hoc resources to 
/static/...   ('static' is configurable)

oversight

Now what?



Upgrade resources 1.2.6+

runtime ":resources:1.2.7" 




Ditch Resources
-- 
Go Asset Pipeline

Mitigation



Filter at proxy/balancer level


Prevent access to resources under /WEB-INF and /META-INF in the reverse proxy (if one is used)


Configure Resources


includes/excludes

  • grails.resources.adhoc.includes = ['/images/**', '/css/**', '/js/**', '/plugins/**']
    
    
    grails.resources.adhoc.excludes = ['**/WEB-INF/**','**/META-INF/**'] 

Security


Configure security mechanisms to secure unknown entities.


grails.plugin.springsecurity.rejectIfNoRule = true



Guilty until proven innocent.

Container



Tomcat Valves 
4 example




@See StandardContextValve

FIN










@ColinHarrington
colin.harrington@objectpartners.com
Made with Slides.com