Recent Java Exploitation Techniques RUB

This document discusses recent Java exploitation techniques presented by Matthias Kaiser. It provides an overview of vulnerabilities in the Java sandbox since 2003, including memory corruptions, argument injections, privileged deserialization, and trusted method chaining. It then covers the basics of the Java sandbox security model, including classloaders, the bytecode verifier, security manager, and access controller. Finally, it examines the techniques of trusted method chaining and CVE-2013-1488 exploitation in more detail.

Recent Java Exploitation Techniques

HackPra 19-06-2013
Matthias Kaiser ([email protected])

HackPra - Recent Java Exploitation Techniques

1
about me

Matthias Kaiser
@matthias_kaiser
working as Lead Expert Offensive Security at Daimler TSS in Ulm
enjoying Offensive Security for 4 years now
former Java Dev, System Architect and Security Architect at EADS
doing Penetration Testing and Vulnerability Research
Found vulnerabilities in Oracle Java JRE and SAP

Agenda

Java Sandbox Vulnerability Overview
Intro to Sandbox Security
Techniques
  Trusted Method Chaining
  Reflection API Abuse
  Click2Play Bypass

Java Sandbox Vulnerability Overview

2003 - now
  Memory Corruptions (e.g. [regenrecht], @aradpop, [Vitaliy Toropov], @wtfuzz, @jduck)
  Argument Injections (e.g. [Tavis Ormandy], [Chris Ries], [me])
2008 - now
  Privileged Deserialization (e.g. @samikoivu)
  Trusted Method Chaining (e.g. @samikoivu, @mihi42, @tyranido)
2012 - now
  Core API abuses (e.g. [Adam Gowdiak], @sagar38, @benmmurphy)
  Type Confusions (e.g. @JeroenFrijters)
Intro to Sandbox Security

Java allows the definition of classes and interfaces
Classes and interfaces may have fields and methods
Access scope modifiers define the visibility of classes, fields and methods:
  public: can be accessed by any class
  package private: can be accessed by classes of the same package
  protected: can be accessed by subclasses
  private: can be accessed only within the same class

Intro to Sandbox Security

Core security relevant components of the JVM:
  JVM Runtime
  Runtime classes (e.g. rt.jar)
  Classloaders
  Bytecode Verifier
  Security Manager and AccessController
  Garbage Collector

Intro to Sandbox Security

Classloader
Used to load classes into the VM
Classloaders inherit from java.lang.ClassLoader
They are chained in a hierarchy (bootstrapCL -> extensionsCL -> systemCL -> AppletCL)
Whenever a class is loaded, the chain is followed until the right class loader is found
The defineClass() method can define classes together with their permissions (privileges)
Classes from rt.jar are defined in the bootstrap classloader (= privileged code)

Intro to Sandbox Security

Bytecode Verifier
Verifies the bytecode in the defineClass() method
Checks that the bytes form a valid class (conforming to the class file format description)
Performs integrity and type safety checks

Intro to Sandbox Security

Security Manager
Class defined in java.lang.SecurityManager
Instance referenced in java.lang.System (System.getSecurityManager())
Checks and grants access to sensitive operations based on permissions
Forwards permission checks to AccessController

Intro to Sandbox Security

Access Controller
Checks for permissions against the current AccessControlContext
Checks all frames on the stack
If any frame on the stack lacks the permission, an exception is thrown
doPrivileged() is used to enter a privileged code block

Source: http://docs.oracle.com/javase/6/docs/api/java/security/AccessController.html

Intro to Sandbox Security

Access Controller
Checks for permissions against the current AccessControlContext
The following algorithm is applied (m is the most recent call on the stack)

Source: http://docs.oracle.com/javase/6/docs/api/java/security/AccessController.html

Intro to Sandbox Security

Access Control Example:

Source: http://www.oracle.com/technetwork/java/seccodeguide-139067.html

Techniques

Trusted Method Chaining

A specific vulnerability class
Discovered by the famous Sami Koivu
Java Trusted Method Chaining (CVE-2010-0840) was the first public vulnerability (found by Sami, affected Java 1.4.2-1.6)
Sami got a Pwnie for CVE-2010-0840
Michael Schierl found another great Trusted Method Chaining vulnerability, the well-known Rhino vulnerability (CVE-2011-3544)
At Pwn2Own 2013 James Forshaw pwned Java 7 using one 0-day to circumvent the fix for CVE-2011-3544

Trusted Method Chaining

Sami's discovery:
"In a case when an unprivileged class inherits from a privileged one and the class does not overload the method that is to be called and that is pushed onto the call stack, this will be the privileged class that will be the subject of a permission check, not the untrusted class" (*)

(*) Source: http://www.security-explorations.com/materials/se-2012-01-report.pdf

Trusted Method Chaining

How it works:
An untrusted subclass inherits the trusted methods of its superclass if it does not override them
By finding interface methods with the same name as the inherited methods, a trusted chain can be constructed (e.g. toString combined with a Set class)
Goal: construct a chain of method calls originating from privileged classes (e.g. built-in classes from rt.jar)
As long as privileged code is on the stack all privileges are granted
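Added example (not from the slides): a simplified Python model of the AccessController stack-walk algorithm described under "Access Controller" and of the frame attribution that makes trusted method chaining work. The class names (evil.Chain, evil.Overrider), the two protection domains and the policy are constructed for illustration; this is not the JVM's code.

```python
# Added example, not from the slides: a simplified model of the AccessController
# stack walk and of why an inherited, non-overridden method lets untrusted code
# hide behind a trusted frame. Class names, domains and policy are constructed.

TRUSTED, UNTRUSTED = "trusted", "untrusted"
# Constructed policy: rt.jar classes hold the permission, applet code holds none.
DOMAIN_PERMISSIONS = {TRUSTED: {"FilePermission"}, UNTRUSTED: set()}
# Declaring class -> protection domain, subclass -> superclass, declared methods.
CLASS_DOMAIN = {"java.util.AbstractCollection": TRUSTED, "java.util.HashSet": TRUSTED,
                "evil.Chain": UNTRUSTED, "evil.Overrider": UNTRUSTED}
SUPERCLASS = {"java.util.HashSet": "java.util.AbstractCollection",
              "evil.Chain": "java.util.HashSet", "evil.Overrider": "java.util.HashSet"}
DECLARES = {"java.util.AbstractCollection": {"toString"}, "java.util.HashSet": {"add"},
            "evil.Chain": set(),              # overrides nothing (the TMC case)
            "evil.Overrider": {"toString"}}   # overrides toString() itself

class AccessControlException(Exception):
    pass

def frame(runtime_class, method, privileged=False):
    """Build a frame (declaring_class, method, called_doPrivileged). A frame is
    attributed to the class that declares the method, so an inherited method is
    charged to the trusted superclass, not to the untrusted subclass."""
    cls = runtime_class
    while method not in DECLARES[cls]:
        cls = SUPERCLASS[cls]
    return (cls, method, privileged)

def check_permission(stack, permission):
    """Walk from the most recent frame m (stack[-1]) to the oldest: every frame's
    domain must hold the permission; a doPrivileged() frame ends the walk, so
    older callers are not consulted."""
    for declaring_class, method, privileged in reversed(stack):
        if permission not in DOMAIN_PERMISSIONS[CLASS_DOMAIN[declaring_class]]:
            raise AccessControlException(f"{declaring_class}.{method} lacks {permission}")
        if privileged:
            break
    return True

def is_granted(stack, permission):
    """Boolean form of check_permission() for the checks below."""
    try:
        return check_permission(stack, permission)
    except AccessControlException:
        return False
```

A chain entered from a privileged context and made only of inherited, non-overridden methods never puts an untrusted frame on the stack, which is what the walk would need in order to deny the request.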

CVE-2013-1488

Overview:
James exploited this vulnerability in two steps during Pwn2Own
In the first step, he was able to load and instantiate classes under a privileged context using a trusted chain
In the second step, he was able to create a trusted method chain using the same exploitation technique as in Michael Schierl's Rhino exploit

CVE-2013-1488

Summary:
The ServiceLoader framework is used for loading the JDBC drivers
Loading of JDBC drivers is done in a doPrivileged() block, thus running under elevated privileges
ServiceLoader loads classes based on a manifest entry
James tricked the ServiceLoader into loading and creating an object of com.sun.script.javascript.RhinoScriptEngine under a privileged context
By creating a trusted chain as in Michael Schierl's Rhino exploit, the sandbox escape can be accomplished

CVE-2013-1488

Details Step #1:
James implemented two drivers
FakeDriver loads com.sun.script.javascript.RhinoScriptEngine by using a trusted chain

Source: http://www.contextis.com/research/blog/java-pwn2own/

CVE-2013-1488

Details Step #2:
Using a second driver, the Rhino exploitation technique was applied

CVE-2013-1488

Details Step #2:
The Rhino exploitation technique uses the scripting capabilities of the JRE
With Rhino you can call JavaScript from Java and vice versa
How it works (2):

Source: http://schierlm.users.sourceforge.net/CVE-2011-3544.html

Reflection API Abuse

Reflection is the preferred way of:
  loading classes dynamically
  invoking methods dynamically
  manipulating fields dynamically
  inspecting objects and classes dynamically
  etc.

Reflection API Abuse

Various APIs
Core API
Mostly java.lang.Class and java.lang.reflect.*

New API
Since Java 7
Implemented in java.lang.invoke.*

CVE-2012-5088

Overview:
The vulnerability was discovered by Security Explorations
Affects Java 7 before update 7 (< Java 7 update 7)
Exploits a vulnerability in the MethodHandle class of the new Reflection API

CVE-2012-5088

Intro to MethodHandle:

CVE-2012-5088

The vulnerability:

Source: http://www.security-explorations.com/materials/se-2012-01-report.pdf

CVE-2012-5088

Vulnerability details:
MethodHandle.invokeWithArguments() calls MethodHandle.invokeExact()
invokeExact() only checks the immediate caller
If the immediate caller is a trusted class (e.g. from rt.jar), arbitrary methods of arbitrary classes can be called!
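Added example (not from the slides): a small Python model of the check pattern described above, contrasting an immediate-caller-only check with a full stack walk, plus an illustrative caller-sensitive variant of the forwarding entry point. The trusted package list, the class name evil.Applet and the "fixed" variant are constructed assumptions, not the JRE's code or Oracle's actual patch.

```python
# Added example, not from the slides: a model contrasting the immediate-caller
# check the slides attribute to invokeExact() with a full stack walk, and an
# illustrative caller-sensitive forwarder. Names are constructed; this is not
# the JRE's code and not Oracle's fix.

TRUSTED_PACKAGES = ("java.", "javax.", "sun.", "com.sun.")  # constructed rt.jar list

def is_trusted(class_name):
    return class_name.startswith(TRUSTED_PACKAGES)

def invoke_exact_check(stack):
    """Flawed check: only the immediate caller (stack[-1]) is inspected.
    stack lists caller class names, most recent frame last."""
    return is_trusted(stack[-1])

def full_stack_check(stack):
    """What a complete walk would require: every frame on the stack is trusted."""
    return all(is_trusted(c) for c in stack)

def invoke_with_arguments(caller_stack):
    """invokeWithArguments() is declared in java.lang.invoke (trusted) and forwards
    to invokeExact(); its own trusted frame becomes the immediate caller that
    invokeExact() sees, whatever sits below it."""
    stack = caller_stack + ["java.lang.invoke.MethodHandle"]
    return invoke_exact_check(stack)

def invoke_with_arguments_fixed(caller_stack):
    """Illustrative hardened forwarder: make the access decision for the real
    caller of the public entry point instead of letting the forwarder's own
    trusted frame satisfy the check."""
    if not is_trusted(caller_stack[-1]):
        return False
    return invoke_exact_check(caller_stack + ["java.lang.invoke.MethodHandle"])

def bypass_possible(untrusted_class):
    """True when code from `untrusted_class` passes the immediate-caller check via
    the forwarder although a full walk would deny it (the CVE-2012-5088 pattern)."""
    stack = [untrusted_class, "java.lang.invoke.MethodHandle"]
    return invoke_exact_check(stack) and not full_stack_check(stack)
```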

CVE-2012-5088

Exploitation:
Easy!

Source: http://www.security-explorations.com/materials/se-2012-01-report.pdf

Click2Play Bypass

Overview:
With Java 7 update 11, Click-2-Play was introduced
For Java applets, Java now asks "Do you want to run this Application?"
One way of getting around this prompt was found immediately, using a serialized applet (1):
<embed object="object.ser" type="application/x-java-applet;version=1.6">
It was fixed immediately

(1) Source: http://immunityproducts.blogspot.com.ar/2013/02/keep-calm-and-run-this-applet.html

Click2Play Bypass

Overview:
The newest vector is to start a Java applet using Java Web Start

Source: http://immunityproducts.blogspot.de/2013/04/yet-another-java-security-warning-bypass.html


Thank you!

Daimler TSS GmbH

Wilhelm-Runge-Straße 11
89081 Ulm, Germany
Phone +49 731 505-06
Fax +49 731 505-65 99
[email protected]
Internet: www.daimler-tss.com
Intranet: intra.corpintra.net/intra-itc/tss
Intranet-Portal-Code: @TSS

Daimler TSS GmbH
Domicile and Court of Registry: Ulm, Commercial Register No.: 3844
Management: Dr. Stefan Eberhardt
