14 DAY TRIAL // Security researcher Peter Adkins has managed to gain access to one of Microsoft's servers after using a security flaw he discovered in Adobe AEM in late 2015.
Adkins' story stands proof once again that, in most cases and especially in the real world, attackers tend to combine flaws in multiple projects to gain access to a company's servers.
During his work as a professional bug bounty hunter, the researcher discovered a vulnerability in Adobe Experience Manager (formerly known as CQ5 or Communique5), a Java-based CMS that the company bought in 2010.
CVE-2016-0957 - URL filter bypass in Adobe AEM
The flaw, CVE-2016-0957, resides in the Dispatcher component included in the Adobe AEM CMS that allows an attacker to bypass URL filters, meant to restrict someone's access to a particular section of the CMS.
As chance had it, and not actively searching for bugs, some time after discovering the AEM issue, the researcher just logged out from Microsoft account, being redirected to a placeholder page at signout.live.com.
Since he was already accustomed to Adobe AEM pages, he quickly noticed that Microsoft was using this CMS this portion of its service. Naturally, he tested his URL filter bypass on Microsoft's servers.
His exploit worked, and he was immediately asked to log in via a popup, a sign that he managed to bypass URL filters and was allowed to access a restricted portion of the CMS.
Microsoft AEM admin account password: "admin"
Here is where things stop being security vulnerabilities and pass into disbelief. Adkins was able to log into one of Microsoft's Adobe AEM installations with its default credentials: admin/admin.
In the backend, he had access to the entire CMS, and he was able to load his own AEM modules that would have run on Microsoft's websites.
The researcher worked with both Adobe and Microsoft to have these issues corrected. Adobe released an update to AEM in February while Microsoft patched AEM later in May. Unfortunately for Adkins, the signout.live.com domain is not included in Microsoft's bug bounty program, and Adobe does not run a bug bounty program, so his work went unrewarded.
