Heimdal Security Blog

Adobe Zero-Day Exploit: Further Details on the Zero-Day Bug Patched in May by Adobe

Two members of Detectify's hacking community, Ai Ho and Bao Bui, discovered a vulnerability in Adobe Experience Manager (AEM), Adobe's content management tool used for building websites, forms, and mobile apps. The issue was serious, and Adobe provided patches for it in May. Left unaddressed, the weakness, the Adobe Zero-Day Exploit, could have let threat actors bypass the authentication steps and take advantage of the CRX Package Manager, which could eventually lead to an RCE (Remote Code Execution) attack.

How Adobe Zero-Day Exploit Works

As Threatpost mentions, the Adobe Zero-Day Exploit functions as below:

Detectify is a Sweden-based cybersecurity startup that provides an automated website vulnerability scanner for checking web applications and subdomains. It put the vulnerability to the test with the help of the ethical hacking community.

Who Was Targeted?

The above-mentioned Detectify Crowdsource members first discovered the Adobe Zero-Day Exploit in December 2020 by using AEM in a project that involved Sony Interactive Entertainment's PlayStation division.

They continued the investigation and, three months later, discovered other subdomains from Mastercard containing this vulnerability. After validating the issue, they notified Adobe on the 27th of March, and the company patched the vulnerability on the 6th of May. It is said that the Adobe Zero-Day Exploit affected LinkedIn customers too.

Packages enable the importing and exporting of repository content, and the Package Manager can be used for configuring, building, downloading, installing and deleting packages on local AEM installations.

Source

Further Measures Implemented

After the patch for the Adobe Zero-Day Exploit was released, the analysts from Detectify also provided some threat prevention measures. Companies that use Adobe Experience Manager can check whether their system was affected by the bug using the test module Detectify provided. So far, 30 instances of this exploit have been identified in customers' web applications with the help of the provided tool.

Another measure against this vulnerability is to block public access to the CRX console.
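One way to confirm that the CRX console is no longer publicly reachable is to audit web-server access logs for external requests to CRX paths that were not refused. The following is an added example, not code from Detectify or Adobe; it assumes combined-format access logs, `/crx/` as the console path prefix, and the listed internal ranges, and the log lines are constructed.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Assumption: these ranges are "internal"; replace with your own networks.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Combined log format: client, ident, user, [time], "METHOD target PROTO", status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
# Responses that show the request was refused or nothing was served.
REFUSED = {401, 403, 404}

def is_internal(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable client field: treat as external
    return any(addr in net for net in INTERNAL_NETS)

def touches_crx(target):
    # Decode and lowercase the path, then look for the console prefix
    # anywhere in it so rewritten or nested paths are not missed.
    path = unquote(urlsplit(target).path).lower()
    return "/crx/" in path or path.endswith("/crx")

def exposed_crx_requests(lines):
    """Return (client, target, status) for external CRX hits that were not refused."""
    findings = []
    for m in filter(None, map(LOG_RE.match, lines)):  # skip non-log lines
        status = int(m["status"])
        if (touches_crx(m["target"]) and not is_internal(m["ip"])
                and status not in REFUSED):  # redirects are reported for review
            findings.append((m["ip"], m["target"], status))
    return findings

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/May/2021:10:00:01 +0000] "GET /crx/packmgr/index.jsp HTTP/1.1" 200 5120',
    '10.1.2.3 - admin [10/May/2021:10:00:05 +0000] "GET /crx/de/index.jsp HTTP/1.1" 200 8000',
    '198.51.100.22 - - [10/May/2021:10:01:12 +0000] "GET /crx/packmgr/index.jsp HTTP/1.1" 403 199',
    '198.51.100.22 - - [10/May/2021:10:01:15 +0000] "GET /content/site/en.html HTTP/1.1" 200 10432',
    '203.0.113.9 - - [10/May/2021:10:02:40 +0000] "GET /crx/explorer/index.jsp HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for client, target, status in exposed_crx_requests(SAMPLE_LOG):
        print(f"EXPOSED {client} {target} -> {status}")
```

Any finding means the console answered a client outside the internal ranges and the access restriction should be rechecked at the proxy or dispatcher layer.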

A Detectify spokesperson has also described the gravity of the Adobe Zero-Day Exploit:

“With access to the CRX Package Manager, an attacker could upload a malicious package in Adobe Experience Manager to leverage it to an RCE and gain full control of the application,” said a Detectify spokesperson.

Source