INteresting JMI doc
Transcript of INteresting JMI doc
-
8/14/2019 INteresting JMI doc
1/26
Copyright The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation
OWASP
http://www.owasp.org
Security Assessing Java RMI
Adam Boulton
OWASP Contributor
Corsaire
+44 1483 746700
24th Sept 2008
-
Profile
Principal Security Consultant at Corsaire
Anti-Virus Analyst for Sophos Plc
Ministry of Defence (Level 1 Security Clearance)
BSc 1st Class (Hons) Software Engineering
Big Java Fan, check out OWASP Java Gotchas!
-
Agenda
What is Remote Method Invocation (RMI)?
RMI Architecture
Attacking an RMI service with RMI Spy
Securing RMI services
-
What is RMI?
Distributed computing solution
All about remote objects
Part of core JDK platform since 1.1
java.rmi package
Not familiar? Think:
Microsoft .NET Remoting
RPC
CORBA
-
What is RMI?
Communicating between 2 JVMs over a network
Export functionality at the object level
Remote clients deal with objects as if they were local
RMI uses object serialization
Your custom classes must implement the Serializable interface so they can be distributed
Primitives are just sent by value
-
What is RMI?
Transparent solution: all underlying network functionality is handled for you
RMI Specification states:
"Make writing reliable distributed applications as simple as possible"
This increases the risk that services are implemented insecurely
Security through obscurity
-
RMI Architecture
[Diagram: Client (Interface) Object <-> Server (Implementation) Object, communicating over JRMP on TCP/IP]
-
RMI Registry
Used for looking up Objects
Servers register their Objects
Clients use it to find and obtain remote references
Runs on port 1099 by default
-
RMI tools
RMIC (rmic.exe): special compiler that creates stub and skeleton
Registry: created by
rmiregistry.exe
or
LocateRegistry.createRegistry(int portNo)
-
The Interface / Method Hash
64 bit hash (SHA1)
Method name + method descriptor used as message
Example:
void myRemoteMethod(int i, Object o, boolean b)
myRemoteMethod(ILjava/lang/Object;Z)V 0xB7B6B5B4B3B2B1B0
-
Hash weakness
An attacker can pre-calculate hashes if they know API details
64-bit
Brute-force
Rainbow tables
Due to the implementation it doesn't even appear to actually be 64 bits!
Still doing the analysis
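The two slides above (the method hash and its weakness) describe a value that is derived, not chosen. The Java program below is an added example, not part of the slides or of RMI Spy; it reproduces the derivation the JDK uses for JRMP 1.2-style stubs (the algorithm of sun.rmi.server.Util.computeMethodHash): the method name plus JVM descriptor is written with DataOutputStream.writeUTF, hashed with SHA-1, and the first 8 digest bytes are packed little-endian into a signed long. The Example interface and myRemoteMethod are constructed here to match the slide's example. The point for a defender is that the result is a pure function of the public interface, so it identifies a method but cannot authenticate a caller; the placeholder hash on the slide is not the real value and this program prints the real one.

```java
import java.io.ByteArrayOutputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.lang.reflect.Method;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class RmiMethodHash {

    // Sample remote interface mirroring the slide's example method (constructed for this example).
    public interface Example extends Remote {
        void myRemoteMethod(int i, Object o, boolean b) throws RemoteException;
    }

    // JVM type descriptor for a class: I, Z, V, [I, Ljava/lang/Object; and so on.
    static String typeDescriptor(Class<?> t) {
        if (t == int.class)     return "I";
        if (t == boolean.class) return "Z";
        if (t == byte.class)    return "B";
        if (t == char.class)    return "C";
        if (t == short.class)   return "S";
        if (t == long.class)    return "J";
        if (t == float.class)   return "F";
        if (t == double.class)  return "D";
        if (t == void.class)    return "V";
        if (t.isArray())        return "[" + typeDescriptor(t.getComponentType());
        return "L" + t.getName().replace('.', '/') + ";";
    }

    // "name(paramDescriptors)returnDescriptor", e.g. myRemoteMethod(ILjava/lang/Object;Z)V
    static String nameAndDescriptor(Method m) {
        StringBuilder sb = new StringBuilder(m.getName()).append('(');
        for (Class<?> p : m.getParameterTypes()) {
            sb.append(typeDescriptor(p));
        }
        return sb.append(')').append(typeDescriptor(m.getReturnType())).toString();
    }

    // JRMP 1.2 method hash as the JDK computes it: SHA-1 over the string as written by
    // DataOutputStream.writeUTF (2-byte length prefix + modified UTF-8), then the first
    // 8 digest bytes packed little-endian into a signed 64-bit long.
    static long methodHash(String nameAndDescriptor) {
        try {
            ByteArrayOutputStream buf = new ByteArrayOutputStream();
            DataOutputStream out = new DataOutputStream(buf);
            out.writeUTF(nameAndDescriptor);
            out.flush();
            byte[] digest = MessageDigest.getInstance("SHA-1").digest(buf.toByteArray());
            long hash = 0;
            for (int i = 0; i < 8; i++) {
                hash += ((long) (digest[i] & 0xFF)) << (i * 8);
            }
            return hash;
        } catch (IOException | NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) throws Exception {
        Method m = Example.class.getMethod("myRemoteMethod", int.class, Object.class, boolean.class);
        String desc = nameAndDescriptor(m);
        System.out.println(desc);                      // myRemoteMethod(ILjava/lang/Object;Z)V
        System.out.printf("0x%016X%n", methodHash(desc));

        // Same descriptor, same hash, on every JVM: the value depends only on the method
        // name and its parameter/return types. The declaring interface's name is not part
        // of the input, so renaming the interface does not change it.
        System.out.println(methodHash(desc) == methodHash(nameAndDescriptor(m)));
    }
}
```

Because the input to the digest contains nothing a client does not already need in order to call the method, treating the hash as a key (or "modifying" it, as a later slide suggests) only buys obscurity; the authorisation has to happen inside the exported object.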
-
RMI server secrets...
An attacker's shopping list:
Bound object names
Stub name
Static signed 64-bit key(s)
Method prototypes (interface)
The ability to code a client!
-
Today's RMI service...
Only hosting 3 methods
Let's attack it... LIVE!
-
Methodology for a 0-day RMI assessment
Step 1: Enumerate bound object names
Step 2: Determine stub name
Step 3: Enumerate method hashes
Step 4: Determine method prototypes
Step 5: Create stub
-
Step 1: Enumerate bound objects
Use your own scanning tools to detect an RMI service
Identify objects which are bound to the port that we can talk to
Easily done using the java.rmi package
-
Step 2: Determine stub name
Correct stub name is required so we can talk to the RMI service
Use RMISpyStubName to establish the correct stub name
Rename the template
-
Step 3: Enumerate key / method hashes
The hashes are calculated by using method descriptors
The signed 64-bit value
Remember, only 1 hash for v1.1
Add the hash to the template
Hashes can be pre-calculated
-
Step 4: Determine method prototypes
First, establish the parameter types (bit more manual work)
Secondly, establish the return type
Object is our friend
Method names are irrelevant
All about the 64-bit signed value
-
Step 5: Creating the stub
Detail has been added at each stage; we now have enough for a fully working custom client!
The service is now ready to fingerprint in more detail.
By using the business logic layer we can determine LOTS more detail.
Can rely on the developer getting it wrong to establish more detail.
-
Why is RMI insecure?
Building on an insecure foundation
Skeleton implementation is flawed
False sense of security
Security through obscurity
Keys are insufficient
Chances are you won't notice an attacker until a correct client has been constructed
-
Securing an RMI Server
Adapt the RMI server code
Stop information leakage
Sun should have read the OWASP Top 10!
Modify the method hashes
Java Authentication and Authorization Service (JAAS)
Be careful what you expose!
Just because you don't release a client with the functionality doesn't mean attackers can't see it!
Don't expose the server object directly
Don't rely on security through obscurity
-
Securing an RMI Server (cont...)
Logging: invoke from command line:
java -Djava.rmi.server.logCalls=true YourServerImp
Or enable inside program:
RemoteServer.setLog(System.err);
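The two "Securing an RMI Server" slides give the controls as bullet points; the Java program below is an added example (not from the slides, and not RMI Spy or Sun code) that puts three of them into one server: only a guarding facade is exported while the real implementation object stays unexported, every call is logged with RemoteServer.setLog and the peer address from RemoteServer.getClientHost, and the registry is created in-process with LocateRegistry.createRegistry as on slide 9. AccountService, AccountLedger, the account numbers and the "example-token" value are all constructed for this example. The token check is a placeholder standing in for the JAAS-based authorisation the slide recommends.

```java
import java.rmi.AccessException;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.RemoteServer;
import java.rmi.server.ServerNotActiveException;
import java.rmi.server.UnicastRemoteObject;
import java.util.Arrays;
import java.util.Collections;
import java.util.Set;

public class GuardedRmiServer {

    // Remote interface: only the operations we intend clients to reach (hypothetical API).
    public interface AccountService extends Remote {
        long balance(String token, String accountId) throws RemoteException;
    }

    // Internal business logic. It is not Remote and is never exported, so its privileged
    // method has no stub, no method hash on the wire, and no remote entry point at all.
    static class AccountLedger {
        long balance(String accountId) { return 4200L; }          // stand-in for real storage
        void closeAccount(String accountId) { /* privileged; deliberately unreachable over RMI */ }
    }

    // The only exported object: a facade that authorises, logs, then delegates.
    static class AccountServiceFacade extends UnicastRemoteObject implements AccountService {
        private final AccountLedger ledger;
        private final Set<String> validTokens;

        AccountServiceFacade(AccountLedger ledger, Set<String> validTokens) throws RemoteException {
            super(0);                           // export now, on an anonymous port
            this.ledger = ledger;
            this.validTokens = validTokens;
        }

        private static String caller() {
            try {
                return RemoteServer.getClientHost();   // peer address of the call being served
            } catch (ServerNotActiveException e) {
                return "local";                        // invoked outside an RMI dispatch
            }
        }

        @Override
        public long balance(String token, String accountId) throws RemoteException {
            if (!validTokens.contains(token)) {
                System.err.println("DENY  balance(" + accountId + ") from " + caller());
                throw new AccessException("not authorised");   // generic: leaks nothing about the ledger
            }
            System.err.println("ALLOW balance(" + accountId + ") from " + caller());
            return ledger.balance(accountId);
        }
    }

    // Exactly what any client on the network can learn from the registry (step 1 of the slides).
    static String[] exposedNames(Registry registry) throws RemoteException {
        return registry.list();
    }

    public static void main(String[] args) throws Exception {
        RemoteServer.setLog(System.err);                               // slide 22: log every call
        Registry registry = LocateRegistry.createRegistry(1099);       // slide 9: in-process registry
        AccountService service = new AccountServiceFacade(
                new AccountLedger(), Collections.singleton("example-token"));   // constructed token
        registry.rebind("AccountService", service);

        // Review the inventory the registry hands out: every name here is public.
        System.err.println("Bound names: " + Arrays.toString(exposedNames(registry)));
        // The JVM stays alive because the exported object keeps its listener thread running.
    }
}
```

Two caveats on this arrangement: plain JRMP carries the token and every argument in clear text, so the transport should be wrapped (the JDK ships javax.rmi.ssl.SslRMIClientSocketFactory and SslRMIServerSocketFactory for this), and the deny branch deliberately throws a one-line AccessException rather than the underlying cause, so the exception text itself does not become the "information leakage" the first securing slide warns about.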
-
Further Developments of RMI Spy
Fully automated: integrating the 5 stages into a click-and-run GUI
Automated interface and stub creation
Packet Sniffer
RMI Call parser
Pull keys from the wire
Pull objects from the wire and assess
Modify objects on the fly
-
Further Developments of RMI Spy (cont...)
Code tidy!
Hash generator
Dynamic Invocation
Fuzzing
Exception handler (what is the server telling us)
Multi-threading
Hash attack (possible C++ and packet)
-
Summary
RMI Architecture
Why RMI is insecure
Comment in the generated code says "do not edit". We all know differently now.
Security is difficult; even Sun don't always get it right!
RMI Spy
Only tool in (known) existence to attack RMI services
How to secure RMI
-
Questions