INteresting JMI doc


  • 8/14/2019 INteresting JMI doc

    1/26

    Copyright The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

    The OWASP Foundation

    OWASP

    http://www.owasp.org

    Security Assessing Java RMI

    Adam Boulton

    OWASP Contributor

    Corsaire

    [email protected]

    +44 1483 746700

    24th Sept 2008

  • Profile

    Principal Security Consultant at Corsaire

    Anti-Virus Analyst for Sophos Plc

    Ministry of Defence (Level 1 Security Clearance)

    BSc 1st Class (Hons) Software Engineering

    Big Java Fan, check out OWASP Java Gotchas!

  • Agenda

    What is Remote Method Invocation (RMI)?

    RMI Architecture

    Attacking an RMI service with RMI Spy

    Securing RMI services

  • What is RMI?

    Distributed computing solution

    All about remote objects

    Part of core JDK platform since 1.1

    java.rmi package

    Not familiar? Think.

    Microsoft .NET Remoting

    RPC

    CORBA

  • What is RMI?

    Communicating between 2 JVMs over a network

    Export functionality at the object level

    Remote clients deal with objects as if they were local

    RMI uses object serialization

    Your custom classes must implement the Serializable interface so they can be distributed

    Primitives are just sent by value

  • What is RMI?

    Transparent solution, all underlying network functionality is hidden from the developer

    RMI Specification states:

    Make writing reliable distributed applications as simple as possible

    Increases risk that services are implemented insecurely

    Security through obscurity

  • RMI Architecture

    [Diagram: Client (Interface) Object <-> Server (Implementation) Object, communicating over JRMP on top of TCP/IP]

  • RMI Registry

    Used for looking up Objects

    Servers register their Objects

    Clients use it to find and obtain remote references

    Runs on port 1099 by default

  • RMI tools

    RMIC (rmic.exe)

    Special compiler that creates stub and skeleton

    Registry

    Created by:

    rmiregistry.exe

    Or

    LocateRegistry.createRegistry(int portNo)

  • The Interface / Method Hash

    64 bit hash (SHA1)

    Method name + method descriptor used as message

    Example:

    void myRemoteMethod(int i, Object o, boolean b)

    myRemoteMethod(ILjava/lang/Object;Z)V 0xB7B6B5B4B3B2B1B0

  • Hash weakness

    An attacker can pre-calculate hashes if they know API details

    64-bit

    Brute-force

    Rainbow tables

    Due to the implementation it doesn't even appear to actually be 64 bits!

    Still doing the analysis

  • RMI server secrets...

    An attacker's shopping list:

    Bound object names

    Stub name

    A static signed 64 bit key(s)

    Method prototypes (interface)

    The ability to code a client!

  • Today's RMI service...

    Only hosting 3 methods

    Let's attack it.... LIVE!

  • Methodology for a 0-day RMI assessment

    Step 1: Enumerate bound object names

    Step 2: Determine stub name

    Step 3: Enumerate method hashes

    Step 4: Determine method prototypes

    Step 5: Create stub

  • Step 1: Enumerate bound objects

    Use your own scanning tools to detect an RMI service

    Identify objects which are bound to the port that we can talk to

    Easily done using the java.rmi package

  • Step 2: Determine stub name

    Correct stub name is required so we can talk to the RMI service

    Use RMISpyStubName to establish the correct stub name

    Rename the template

  • Step 3: Enumerate key / method hashes

    The hashes are calculated by using method descriptors

    The signed 64-bit value

    Remember, only 1 hash for v1.1

    Add the hash to the template

    Hashes can be pre-calculated

  • Step 4: Determine method prototypes

    First establish the parameter types

    Bit more manual work

    Secondly, establish the return type

    Object is our friend

    Method names are irrelevant

    All about the 64-bit signed value

  • Step 5: Creating the stub

    Detail has been added at each stage, we now have enough for a fully working custom client!

    The service is now ready to fingerprint in more detail.

    By using the business logic layer we can determine LOTS more detail.

    Can rely on the Developer getting it wrong to establish more detail.

  • Why is RMI insecure?

    Building on an insecure foundation

    Skeleton implementation is flawed

    False sense of security

    Security through obscurity

    Keys are insufficient

    Chances are you won't notice an attacker until a correct client has been constructed

  • Securing an RMI Server

    Adapt the RMI server code

    Stop information leakage

    Sun should have read the OWASP top 10!

    Modify the method hashes

    Java Authentication and Authorization Service (JAAS)

    Be careful what you expose!

    Just because you don't release a client with the functionality doesn't mean attackers can't see it!

    Don't expose the server object directly

    Don't rely on security through obscurity

  • Securing an RMI Server (Cont...)

    Logging

    Invoke from command line:

    java -Djava.rmi.server.logCalls=true YourServerImp

    Or enable inside program

    RemoteServer.setLog(System.err);

  • Further Developments of RMI Spy

    Fully automated

    Integrating the 5 stages into a click and run GUI

    Automated interface and stub creation

    Packet Sniffer

    RMI Call parser

    Pull keys from the wire

    Pull objects from the wire and assess

    Modify objects on the fly

  • Further Developments of RMI Spy (cont...)

    Code tidy!

    Hash generator

    Dynamic Invocation

    Fuzzing

    Exception handler (what is the server telling us)

    Multi-threading

    Hash attack (possible C++ and packet)


  • Summary

    RMI Architecture

    Why RMI is insecure

    Comment in the generated code says do not edit. We all know differently now.

    Security is difficult; even Sun don't always get it right!

    RMI Spy

    Only tool in (known) existence to attack RMI services

    How to secure RMI

  • Questions