Adam Boulton Security Assessing Java RMI - OWASP NYC
OWASP
Adam Boulton
OWASP Contributor
Corsaire
[email protected]
+44 1483 746700
The OWASP Foundation
http://www.owasp.org
Profile
Principal Security Consultant at Corsaire
Anti-Virus Analyst for Sophos Plc
Ministry of Defence (Level 1 Security Clearance)
BSc 1st Class (Hons) Software Engineering
Big Java fan; check out OWASP Java Gotchas!
Agenda
What is Remote Method Invocation (RMI)?
RMI Architecture
Attacking an RMI service with RMI Spy
Securing RMI services
What is RMI?
Distributed computing solution: all about remote objects
Communicating between 2 JVMs over a network
Exports functionality at the object level
Remote clients deal with objects as if they were local
Transparent solution: hides all underlying network functionality from the programmer
RMI Specification states:
Make writing reliable distributed applications as simple as possible
RMI Architecture
Layers, top to bottom:
Client (Interface) and Server (Implementation)
JRMP (Java Remote Method Protocol): the wire protocol that carries the calls and the serialised objects
TCP/IP
RMI Registry
Used for looking up Objects
Servers register their Objects
Clients use it to find and obtain remote references
Runs on port 1099 by default
RMI tools
rmic (rmic.exe)
Special compiler that creates the stub and skeleton classes (since Java 5 stubs are generated at run time as dynamic proxies, so rmic is only needed for clients that require pre-generated stub classes)
Registry
Created by:
rmiregistry.exe <port no>
Or
LocateRegistry.createRegistry(int portNo)
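The architecture, registry and tools above in one runnable program, as an added example that is not part of the original slides. The Greeter interface, GreeterImpl class and the "Greeter" binding name are assumed names. The server exports the object, creates the registry in-process with LocateRegistry.createRegistry (the equivalent of running rmiregistry on that port) and binds the stub; a client then looks the name up and calls the remote method. Java 5 or later, so there is no rmic step: the stub returned by exportObject is a dynamic proxy.

```java
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;

public class RmiDemo {

    // Client side: the interface. Every remote method must declare RemoteException.
    public interface Greeter extends Remote {
        String greet(String name) throws RemoteException;
    }

    // Server side: the implementation the client never sees directly.
    public static class GreeterImpl implements Greeter {
        public String greet(String name) throws RemoteException {
            return "Hello, " + name;
        }
    }

    public static void main(String[] args) throws Exception {
        int port = 1099;   // registry default

        // Export the object: the RMI runtime opens a JRMP listener on an anonymous TCP port
        // and returns the stub (a dynamic proxy) that clients will hold.
        Greeter stub = (Greeter) UnicastRemoteObject.exportObject(new GreeterImpl(), 0);

        // Same effect as running "rmiregistry 1099" in a separate process.
        Registry registry = LocateRegistry.createRegistry(port);
        registry.rebind("Greeter", stub);   // the server registers its object

        // Client: find the registry, obtain the remote reference, call it over JRMP/TCP.
        Registry clientRegistry = LocateRegistry.getRegistry("localhost", port);
        Greeter remote = (Greeter) clientRegistry.lookup("Greeter");
        System.out.println(remote.greet("OWASP NYC"));

        // Names bound in the registry are public to anyone who can reach the port.
        for (String name : registry.list()) {
            System.out.println("bound: " + name);
        }
        System.exit(0);   // exported objects keep the JVM alive otherwise
    }
}
```

Compile and run with javac RmiDemo.java and java RmiDemo. Note that registry.list() needs no credentials: anyone who can connect to port 1099 can enumerate the bound names and fetch the stubs, which is the starting point for the attacks that follow.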
Hash weakness
Each remote method is identified on the wire by a 64-bit hash of its name and signature, not by anything secret, so an attacker can pre-calculate the hashes if they know the API details:
64-bit hash
Brute-force
Rainbow tables
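How the pre-calculation works, as an added example that is not code from the original slides or from RMI Spy. The hash the RMI runtime puts in a JRMP call is SHA-1 over the method's name followed by its JVM descriptor (written with DataOutputStream.writeUTF), with the first eight digest bytes assembled little-endian into a long; this code reimplements that computation rather than calling the JDK's internal class. The Account interface, its methods and the "observed" hash are constructed for the example: an attacker with the API documentation or a stub jar builds the table from the interface by reflection, adds guessed signatures, and resolves any hash seen on the wire against it.

```java
import java.io.ByteArrayOutputStream;
import java.io.DataOutputStream;
import java.lang.reflect.Method;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;

public class RmiMethodHash {

    // JVM descriptors for primitive types; object and array types are derived from the class name.
    private static final Map<Class<?>, String> PRIMITIVES = Map.of(
        void.class, "V", boolean.class, "Z", byte.class, "B", char.class, "C", short.class, "S",
        int.class, "I", long.class, "J", float.class, "F", double.class, "D");

    static String descriptor(Class<?> c) {
        if (c.isArray()) return c.getName().replace('.', '/');   // e.g. "[Ljava/lang/String;"
        if (c.isPrimitive()) return PRIMITIVES.get(c);
        return "L" + c.getName().replace('.', '/') + ";";
    }

    // "name(paramDescriptors)returnDescriptor": the exact string the RMI runtime hashes.
    static String nameAndDescriptor(Method m) {
        StringBuilder sb = new StringBuilder(m.getName()).append('(');
        for (Class<?> p : m.getParameterTypes()) sb.append(descriptor(p));
        return sb.append(')').append(descriptor(m.getReturnType())).toString();
    }

    // 64-bit method hash: SHA-1 over writeUTF(string), first 8 digest bytes, little-endian.
    static long methodHash(String nameAndDescriptor) throws Exception {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        new DataOutputStream(buf).writeUTF(nameAndDescriptor);   // 2-byte length prefix + modified UTF-8
        byte[] digest = MessageDigest.getInstance("SHA-1").digest(buf.toByteArray());
        long hash = 0;
        for (int i = 0; i < 8; i++) hash += ((long) (digest[i] & 0xFF)) << (i * 8);
        return hash;
    }

    // Hypothetical target API standing in for one the attacker has documentation or a stub jar for.
    public interface Account extends Remote {
        boolean login(String user, String password) throws RemoteException;
        double balance(int accountId) throws RemoteException;
        void transfer(int from, int to, double amount) throws RemoteException;
    }

    // Pre-calculate hash -> signature for every method of the known interface, plus guessed signatures.
    static Map<Long, String> buildTable(Class<?> iface, String... guesses) throws Exception {
        Map<Long, String> table = new HashMap<>();
        for (Method m : iface.getMethods()) {
            String sig = nameAndDescriptor(m);
            table.put(methodHash(sig), sig);
        }
        for (String sig : guesses) table.put(methodHash(sig), sig);
        return table;
    }

    public static void main(String[] args) throws Exception {
        Map<Long, String> table = buildTable(Account.class,
            "getAdminPassword()Ljava/lang/String;",   // guessed signatures, dictionary style
            "shutdown()V");

        // Constructed stand-in for a hash read out of a sniffed JRMP call.
        long observed = methodHash("transfer(IID)V");

        System.out.printf("observed 0x%016x -> %s%n", observed, table.getOrDefault(observed, "unknown"));
        for (Map.Entry<Long, String> e : table.entrySet()) {
            System.out.printf("0x%016x  %s%n", e.getKey(), e.getValue());
        }
    }
}
```

The full 64-bit space is out of reach for a blind brute force; what makes the attack practical is that method names and parameter types come from a small, guessable vocabulary, so a dictionary of plausible signatures (or a table computed once and reused across targets) recovers most hashes seen on the wire, and a known hash is all that is needed to put a call for that method on the wire without the vendor's stub.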
Packet Sniffer
RMI Call parser
Pull keys from the wire
Pull objects from the wire and assess
Modify objects on the fly
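The sniffer can read and rewrite objects on the wire because JRMP runs over plain TCP. The slides on securing RMI services are not preserved in this extraction; the following is an added example by the editor, not code from the original talk, showing the plain export beside the same service exported over TLS with the JDK's javax.rmi.ssl socket factories. The Ledger interface, LedgerImpl class and binding name are assumed names, and the server is assumed to be started with -Djavax.net.ssl.keyStore and -Djavax.net.ssl.keyStorePassword pointing at its certificate.

```java
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;
import javax.rmi.ssl.SslRMIClientSocketFactory;
import javax.rmi.ssl.SslRMIServerSocketFactory;

public class SslRmiServer {

    public interface Ledger extends Remote {
        String statement(int accountId) throws RemoteException;
    }

    public static class LedgerImpl implements Ledger {
        public String statement(int accountId) {
            return "statement for account " + accountId;   // constructed sample data
        }
    }

    public static void main(String[] args) throws Exception {
        int port = 1099;

        // Before: plain JRMP over TCP. Every argument and return value crosses the network
        // as a cleartext serialised object that a sniffer can read or rewrite.
        //   Ledger stub = (Ledger) UnicastRemoteObject.exportObject(new LedgerImpl(), 0);
        //   LocateRegistry.createRegistry(port).rebind("Ledger", stub);

        // After: both the registry and the exported object speak JRMP over TLS.
        // Assumes -Djavax.net.ssl.keyStore=<keystore> -Djavax.net.ssl.keyStorePassword=<password>
        // on the server JVM; the third argument makes the server require a client certificate.
        SslRMIClientSocketFactory csf = new SslRMIClientSocketFactory();
        SslRMIServerSocketFactory ssf = new SslRMIServerSocketFactory(null, null, true);

        Ledger stub = (Ledger) UnicastRemoteObject.exportObject(new LedgerImpl(), 0, csf, ssf);
        Registry registry = LocateRegistry.createRegistry(port, csf, ssf);
        registry.rebind("Ledger", stub);

        // The client socket factory is serialised inside the stub, so a client that obtains it via
        // LocateRegistry.getRegistry(host, port, new SslRMIClientSocketFactory()) talks TLS
        // automatically, provided its trust store (-Djavax.net.ssl.trustStore) holds the server cert.
        System.out.println("Ledger exported over TLS on port " + port);
    }
}
```

TLS removes the passive and in-transit attacks (pulling keys and objects off the wire, modifying objects on the fly) but nothing else: a legitimate client can still edit its own stub or send a hand-built call using a pre-calculated method hash, so authorisation checks belong in the implementation of every remote method, not in the stub or the transport.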
Multi-threading
Hash attack (possible C++ and packet)
Summary
RMI Architecture
Why RMI is insecure
The comment in the generated code says do not edit. We all know differently now.
Security is difficult; even Sun don't always get it right!
RMI Spy
Only tool in (known) existence to attack RMI services
Questions