Adam Boulton Security Assessing Java RMI - OWASP NYC


Security Assessing Java RMI

OWASP

Adam Boulton
OWASP Contributor
Corsaire
[email protected]
+44 1483 746700

24th Sept 2008

Copyright The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

The OWASP Foundation
http://www.owasp.org

Profile
- Principal Security Consultant at Corsaire
- Anti-Virus Analyst for Sophos Plc
- Ministry of Defence (Level 1 Security Clearance)
- BSc 1st Class (Hons) Software Engineering
- Big Java fan: check out OWASP Java Gotchas!

Agenda
- What is Remote Method Invocation (RMI)?
- RMI Architecture
- Attacking an RMI service with RMI Spy
- Securing RMI services

What is RMI?
- Distributed computing solution
- All about remote objects
- Part of the core JDK platform since 1.1
  - java.rmi package
- Not familiar? Think:
  - Microsoft .NET Remoting
  - RPC
  - CORBA

What is RMI?
- Communicating between 2 JVMs over a network
- Export functionality at the object level
- Remote clients deal with objects as if they were local
- RMI uses object serialization
  - Your custom classes must implement the Serializable interface so they can be distributed
  - Primitives are just sent by value

What is RMI?
- Transparent solution
  - All underlying network functionality is handled for you
- RMI Specification states: "Make writing reliable distributed applications as simple as possible"
  - Increases the risk that services are implemented insecurely
  - Security through obscurity

RMI Architecture
(diagram) Client (Interface) <-> Server (Implementation), over JRMP on TCP/IP

RMI Registry
- Used for looking up objects
- Servers register their objects
- Clients use it to find and obtain remote references
- Runs on port 1099 by default

RMI tools
- RMIC (rmic.exe)
  - Special compiler that creates the stub and skeleton
- Registry, created by:
  - rmiregistry.exe <port no>
  - or LocateRegistry.createRegistry(int portNo)

The Interface / Method Hash
- 64-bit hash (SHA-1)
- Method name + method descriptor used as the message
- Example:
  - void myRemoteMethod(int i, Object o, boolean b)
  - myRemoteMethod(ILjava/lang/Object;Z)V
  - 0xB7B6B5B4B3B2B1B0

Hash weakness
- An attacker can pre-calculate hashes if they know API details
  - 64-bit
  - Brute-force
  - Rainbow tables
- Due to the implementation it doesn't even appear to actually be 64 bits!
  - Still doing the analysis
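Added illustration (my own Python, not code from the talk or from RMI Spy): the JDK derives each method hash from exactly the public name-plus-descriptor string shown on the previous slide, so anyone holding the interface can regenerate the 64-bit key, which is the weakness described above. The descriptor mapper treats unqualified class names as java.lang types, an assumption that fits the slide's example; the slide's hex value is illustrative and is not expected to match real output.

```python
import hashlib
import struct

# JVM descriptor letters (JVMS section 4.3) for the Java primitive types.
PRIMITIVES = {"void": "V", "boolean": "Z", "byte": "B", "char": "C",
              "short": "S", "int": "I", "long": "J", "float": "F", "double": "D"}


def descriptor(java_type):
    """Map a Java source type ('int', 'Object', 'String[]', 'java.util.List')
    to its JVM descriptor.  Unqualified reference types are assumed to be in
    java.lang, which is how the slide writes 'Object'."""
    dims = java_type.count("[]")
    base = java_type.replace("[]", "").strip()
    if base in PRIMITIVES:
        desc = PRIMITIVES[base]
    else:
        if "." not in base:
            base = "java.lang." + base
        desc = "L" + base.replace(".", "/") + ";"
    return "[" * dims + desc


def name_and_descriptor(name, param_types, return_type):
    """Build the 'name(paramDescriptors)returnDescriptor' string that RMI hashes."""
    params = "".join(descriptor(p) for p in param_types)
    return f"{name}({params}){descriptor(return_type)}"


def rmi_method_hash(name_and_desc):
    """Derive the 64-bit method hash the way sun.rmi.server.Util.computeMethodHash
    does: SHA-1 over DataOutputStream.writeUTF(text), i.e. a big-endian 16-bit
    byte length followed by the text, then the first 8 digest bytes combined
    least-significant byte first into a signed Java long."""
    text = name_and_desc.encode("utf-8")  # ASCII identifiers: modified UTF-8 == UTF-8
    digest = hashlib.sha1(struct.pack(">H", len(text)) + text).digest()
    return struct.unpack("<q", digest[:8])[0]


def java_long_hex(value):
    """Show a signed Java long as a 16-digit two's-complement hex value, slide style."""
    return f"0x{value & 0xFFFFFFFFFFFFFFFF:016X}"


if __name__ == "__main__":
    # The slide's example method: void myRemoteMethod(int i, Object o, boolean b)
    sig = name_and_descriptor("myRemoteMethod", ["int", "Object", "boolean"], "void")
    print(sig, rmi_method_hash(sig), java_long_hex(rmi_method_hash(sig)))
```

To confirm the construction against a real interface, compare the decimal value printed for one of its methods with the long constant passed to ref.invoke in the stub that rmic generated for that interface.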

RMI server secrets...
- An attacker's shopping list:
  - Bound object names
  - Stub name
  - The static signed 64-bit key(s)
  - Method prototypes (interface)
  - The ability to code a client!

Today's RMI service...
- Only hosting 3 methods
- Let's attack it... LIVE!

Methodology for a 0-day RMI assessment
- Step 1: Enumerate bound object names
- Step 2: Determine stub name
- Step 3: Enumerate method hashes
- Step 4: Determine method prototypes
- Step 5: Create stub

Step 1: Enumerate bound objects
- Use your own scanning tools to detect an RMI service
- Identify objects which are bound to the port that we can talk to
- Easily done using the java.rmi package

Step 2: Determine stub name
- The correct stub name is required so we can talk to the RMI service
- Use RMISpyStubName to establish the correct stub name
- Rename the template

Step 3: Enumerate key / method hashes
- The hashes are calculated using the method descriptors
  - The signed 64-bit value
- Remember, only 1 hash for v1.1
- Add the hash to the template
- Hashes can be pre-calculated

Step 4: Determine method prototypes
- First establish the parameter types
  - A bit more manual work
- Secondly, establish the return type
  - Object is our friend
- Method names are irrelevant
  - It is all about the 64-bit signed value

Step 5: Creating the stub
- Detail has been added at each stage; we now have enough for a fully working custom client!
- The service is now ready to fingerprint in more detail.
- By using the business logic layer we can determine LOTS more detail.
- Can rely on the developer getting it wrong to establish more detail.

Why is RMI insecure?
- Building on an insecure foundation
  - Skeleton implementation is flawed
- False sense of security
  - Security through obscurity
- Keys are insufficient
  - Chances are you won't notice an attacker until a correct client has been constructed

Securing an RMI Server
- Adapt the RMI server code
  - Stop information leakage
  - Sun should have read the OWASP Top 10!
- Modify the method hashes
- Java Authentication and Authorization Service (JAAS)
- Be careful what you expose!
  - Just because you don't release a client with the functionality doesn't mean attackers can't see it!
  - Don't expose the server object directly
  - Don't rely on security through obscurity

Securing an RMI Server (cont...)
- Logging
  - Invoke from the command line:
    java -Djava.rmi.server.logCalls=true YourServerImp
  - Or enable inside the program:
    RemoteServer.setLog(System.err);
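As an added example (mine, not the talk's), this reviews the call log those two settings produce. The sample lines are constructed, with invented hosts, class names and ObjIDs, and follow the bracketed `[clientHost: ImplClass[objID]: method]` layout I assume UnicastServerRef writes; check the shape against your own JDK's output before relying on the regex. It flags calls from hosts outside an allowlist and calls to exported methods the released client never uses, which is how the earlier point (attackers can reach every exported method, not just the ones your client calls) shows up in a log.

```python
import re
from collections import Counter

# Constructed sample log, not real server output; the bracketed layout
# "[clientHost: ImplClass[objID]: method]" is the assumed logCalls shape.
SAMPLE_LOG = """\
RMI server started
[10.1.2.20: sun.rmi.registry.RegistryImpl[0:0:0, 0]: java.rmi.Remote lookup(java.lang.String)]
[10.1.2.20: com.example.OrderServerImpl[-3f1c2a9b:11d4e5f6a7b:-7fff, 1]: public abstract java.lang.String com.example.OrderServer.getOrderStatus(int) throws java.rmi.RemoteException]
[10.1.2.20: com.example.OrderServerImpl[-3f1c2a9b:11d4e5f6a7b:-7fff, 1]: public abstract void com.example.OrderServer.placeOrder(com.example.Order) throws java.rmi.RemoteException]
[203.0.113.9: sun.rmi.registry.RegistryImpl[0:0:0, 0]: java.lang.String[] list()]
[10.1.2.20: com.example.OrderServerImpl[-3f1c2a9b:11d4e5f6a7b:-7fff, 1]: public abstract void com.example.OrderServer.deleteAllOrders() throws java.rmi.RemoteException]
"""

# host up to the first ": ", then the impl class + ObjID, then the method text
CALL_RE = re.compile(r"\[(?P<host>\S+): (?P<target>.+?): (?P<method>.+)\]\s*$")
METHOD_NAME_RE = re.compile(r"(\w+)\(")  # bare method name before its parameter list


def parse_call(line):
    """Return (client host, impl class, bare method name), or None for non-call lines."""
    m = CALL_RE.search(line)
    if not m:
        return None
    name = METHOD_NAME_RE.search(m.group("method"))
    impl = m.group("target").split("[", 1)[0]  # drop the ObjID suffix
    return m.group("host"), impl, (name.group(1) if name else m.group("method"))


def review(log_text, allowed_hosts, client_methods):
    """Flag calls from unexpected hosts, and calls from expected hosts to methods
    the released client never invokes.  client_methods maps impl class -> set."""
    findings, per_host = [], Counter()
    for line in log_text.splitlines():
        parsed = parse_call(line)
        if parsed is None:
            continue
        host, impl, method = parsed
        per_host[host] += 1
        if host not in allowed_hosts:
            findings.append(("unexpected-host", host, impl, method))
        elif method not in client_methods.get(impl, set()):
            findings.append(("unexpected-method", host, impl, method))
    return findings, per_host


if __name__ == "__main__":
    expected = {"sun.rmi.registry.RegistryImpl": {"lookup"},
                "com.example.OrderServerImpl": {"getOrderStatus", "placeOrder"}}
    for finding in review(SAMPLE_LOG, {"10.1.2.20"}, expected)[0]:
        print(*finding)
```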

Further Developments of RMI Spy
- Fully automated
  - Integrating the 5 stages into a click-and-run GUI
  - Automated interface and stub creation
- Packet sniffer
  - RMI call parser
  - Pull keys from the wire
  - Pull objects from the wire and assess
  - Modify objects on the fly

Further Developments of RMI Spy (cont...)
- Code tidy!
- Hash generator
- Dynamic invocation
- Fuzzing
- Exception handler (what is the server telling us?)
- Multi-threading
- Hash attack (possible C++ and packet)

Summary
- RMI Architecture
- Why RMI is insecure
  - The comment in the generated code says "do not edit". We all know differently now.
  - Security is difficult; even Sun don't always get it right!
- RMI Spy
  - Only tool in (known) existence to attack RMI services
- How to secure RMI

Questions

