Security Assessing Java RMI

OWASP

Adam Boulton
OWASP Contributor
Corsaire
[email protected]
+44 1483 746700

24th Sept 2008

Copyright The OWASP Foundation
Permission is granted to copy, distribute and/or modify this
document under the terms of the OWASP License.

The OWASP
http://www.owasp.org
Foundation

Profile
Principal Security Consultant at Corsaire
Anti-Virus Analyst for Sophos Plc
Ministry of Defence (Level 1 Security
Clearance)
BSc 1st Class (Hons) Software Engineering
Big Java Fan check out OWASP Java Gotchas!
OWASP

Agenda
What is Remote Method Invocation (RMI)?
RMI Architecture
Attacking an RMI service with RMI Spy
Securing RMI services

OWASP

What is RMI?
Distributed computing solution
All about remote objects

Part of core JDK platform since 1.1

java.rmi package

Not familiar? Think.

Microsoft .NET Remoting
RPC
CORBA
OWASP

What is RMI?
Communicating between 2 JVMs over a
network
Export functionality at the object level
Remote clients deal with objects as if they were
local

RMI uses object serialization

Your custom classes must implement the
serializable interface so they can be distributed
Primitives are just sent by value
OWASP

What is RMI?
Transparent solution
All underlying network functionality
RMI Specification states:
Make writing reliable distributed applications as
simple as possible

Increases risk that services are implemented

insecurely
Security through obscurity

OWASP

RMI Architecture
Client (Interface)

Server (Implementation)

JRMP
TCP/IP
OWASP

RMI Registry
Used for looking up Objects
Servers register their Objects
Clients use to find and obtain remote
references
Runs on port 1099 by default

OWASP

RMI tools
RMIC (rmic.exe)
Special compiler that creates stub and skeleton

Registry
Created by:
Rmiregistry.exe <port no>
Or

LocateRegistry.createRegistry(int portNo)

OWASP

The Interface / Method Hash

64 bit hash (SHA1)
Method name + method descriptor used
as message
Example:
void myRemoteMethod(int i, Object o, boolean
b)
myRemoteMethod(ILjava/lang/Object;Z)V
0xB7B6B5B4B3B2B1B0
OWASP

10

Hash weakness
An attacker can pre-calculate hashes if
they know API details
64-bit
Brute-force
Rainbow tables

Due to the implementation it doesnt even

appear to actually be 64 bits!
Still doing the analysis
OWASP

11

RMI server secrets...

An attackers shopping list:
Bound object names
Stub name
A static signed 64 bit key(s)
Method prototypes (interface)
The ability to code a client!

OWASP

12

Todays RMI service...

Only hosting 3 methods
Lets attack it.... LIVE!

OWASP

13

Methodology for a 0-day RMI

assessment
Step 1 Enumerate bound object names
Step 2 Determine stub name
Step 3 Enumerate method hashes
Step 4 Determine method prototypes
Step 5 Create stub
OWASP

14

Step 1 Enumerate bound objects

Use your own scanning tools to detect an
RMI service
Identify objects which are bound to the
port that we can talk to
Easily done using the java.rmi package

OWASP

15

Step 2 Determine stub name

Correct stub name is required so we can
talk to the RMI service
Use RMISpyStubName to establish the
correct stub name
Rename the template

OWASP

16

Step 3 Enumerate key / method

hashes
The hashes are calculated by using
method descriptors
The signed 64-bit value

Remember, only 1 hash for v1.1

Add the hash to the template
Hashes can be pre-calculated
OWASP

17

Step 4 Determine method prototypes

First establish the parameter types
Bit more manual work

Secondly, establish the return type

Object is our friend

Method names are irrelevant

All about the 64-bit signed value

OWASP

18

Step 5 Creating the stub

Detail has been added at each stage, we now
have enough for a fully working custom
client!
The service is now ready to finger print in
more detail.
By using the business logic layer we can
determine LOTS more detail.
Can rely on the Developer getting it wrong to
establish more detail.
OWASP

19

Why is RMI insecure?

Building on an insecure foundation
Skeleton implementation is flawed

False sense of security

Security through obscurity

Keys are insufficient

Chances are you wont notice an attacker
until a correct client has been constructed
OWASP

20

Securing an RMI Server

Adapt the RMI server code
Stop information leakage
Sun should have read the OWASP top 10!

Modify the method hashes

Java Authentication and Authorization Service
(JAAS)

Be careful what you expose!

Just because you dont release a client with the
functionality doesnt mean attackers cant see it!
Dont expose the server object directly
Dont rely on security through obscurity
OWASP

21

Securing and RMI Server (Cont...)

Logging
Invoke from command line:
java -Djava.rmi.server.logCalls=true YourServerImp

Or enable inside program

RemoteServer.setLog(System.err);

OWASP

22

Further Developments of RMI Spy

Fully automated
Integrating the 5 stages into a click and run
GUI
Automated interface and stub creation

Packet Sniffer
RMI Call parser
Pull keys from the wire
Pull objects from the wire and assess
Modify objects on the fly

OWASP

23

Further Developments of RMI Spy

(cont...)
Code tidy!
Hash generator
Dynamic Invocation
Fuzzing
Exception handler (what is the server telling us)

Multi-threading
Hash attack (possible C++ and packet)
OWASP

24

Summary
RMI Architecture
Why RMI is insecure
Comment in the generated code says do not edit.
We all know differently now.
Security is difficult; even Sun dont always get it
right!

RMI Spy
Only tool in (known) existence to attack RMI services

How to secure RMI

OWASP

25

Questions

OWASP

26