Java Client Side


  • 8/2/2019 Java Client Side

    1/11

About Foundstone Professional Services

Foundstone Professional Services, a division of McAfee, Inc., offers expert services and education to help organizations continuously and measurably protect their most important assets from the most critical threats. Through a strategic approach to security, Foundstone identifies and implements the right balance of technology, people, and process to manage digital risk and leverage security investments more effectively. The company's professional services team consists of recognized security experts and authors with broad security experience with multinational corporations, the public sector, and the US military.

Java Client Side Application Basics:
Decompiling, Recompiling and Signing

Written By: Brad Antoniewicz

    [email protected]


Introduction
Java Web Start and JNLP
Java Archives and META-INF
Getting Started
JDK Quick Install
Downloading and Extracting
Dealing with Signed JARs
Decompiling
Recompiling and Re-JARing
Signing the JAR
Making it work
Enabling Verbose logging within Java
Conclusion
More Information


Introduction

One of the major rules of security is "Never trust client side security." Somehow this rule is often forgotten, especially when companies deploy client side Java applications. They can try their best to obfuscate every part of the code, but in the end, it's all run on the client side, which means the user has the ability to control everything. This brief document will teach you the first steps of picking apart the contents of a client side Java application, and hopefully lead you on your way to some great findings.

Java Web Start and JNLP

Java Web Start is a mechanism for program delivery through a web server. These programs are initiated by the client's web browser, deployed, and ultimately executed independently on the system. Since they run outside of the browser, security may appear to be an initial concern; however, the application runs within a restricted container (called a sandbox), which sits atop the Java 2 platform's security architecture. This provides a couple of nice layers of security between the application and the local machine.

The Java Network Launch Protocol (JNLP) is an XML-based technology for launching Java executables. The .JNLP file is basically the table of contents for the Java application; most importantly, for our use, it defines the location of application resources. This file is what we're usually directed to when accessing a Java Web Start application.

Example JNLP: java_app.jnlp

Super ClientSide APP v1.0
Not Real INC


Java Archives and META-INF

A Java Archive (JAR) is a file format based on the popular ZIP file format. In its most basic form, it is a compressed archive containing all of the Java class files (which we will decompile) of the application. It also contains one very important directory: META-INF. At a minimum, this directory contains the MANIFEST.MF. The JAR's manifest contains package and extension related data. An important thing to remember is that when the JAR is signed, MANIFEST.MF will also contain SHA1 hashes of every file within the archive. This means if we ever want to modify a class within the archive and maintain valid signatures, we'll have to completely recompile the JAR and resign it rather than just updating it. Also inside the META-INF folder of signed archives is a signature file (.SF) and its corresponding block file (.DSA). When we recompile our JAR, we'll remove the META-INF folder entirely so that there is little to no trace of the initial company who signed it.

Getting Started

Since the JNLP is simply an XML file, we can download this file to get a list of all the JARs which comprise the application. Using the above java_app.jnlp example, we can see that this application is comprised of two JARs: app-core.jar and app-gui.jar. These two files will be extracted, and their contents decompiled so that we can further understand the way they work.
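As an added illustration (not code from the paper), the following Python script does what this section describes by hand: it parses a JNLP, resolves each jar href against the codebase to the exact URL the client will fetch, and reports whether the security element requests all-permissions, which is the directive that forces every JAR to be signed. The JNLP text is constructed for the example: the title, vendor, host and JAR names are the paper's hypothetical values; the surrounding markup and the main class com.notreal.Main are assumptions.

```python
"""Inventory the resources a JNLP file pulls in and the permissions it asks for.

Added example, not part of the original paper. The JNLP below is constructed:
"Super ClientSide APP v1.0", "Not Real INC", the fakecompany.com codebase and
the two JAR names come from the paper; the element layout follows the JNLP
format and com.notreal.Main is an assumed main class.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

SAMPLE_JNLP = """<jnlp spec="1.0+" codebase="http://www.fakecompany.com/inc/" href="java_app.jnlp">
  <information>
    <title>Super ClientSide APP v1.0</title>
    <vendor>Not Real INC</vendor>
  </information>
  <security>
    <all-permissions/>
  </security>
  <resources>
    <j2se version="1.5+"/>
    <jar href="app-core.jar" main="true"/>
    <jar href="app-gui.jar"/>
  </resources>
  <application-desc main-class="com.notreal.Main"/>
</jnlp>
"""


def inventory_jnlp(jnlp_text):
    """Return a dict describing what the JNLP will download and what it requests."""
    root = ET.fromstring(jnlp_text)
    if root.tag != "jnlp":
        raise ValueError("not a JNLP document: root element is %r" % root.tag)
    codebase = root.get("codebase", "")
    info = root.find("information")
    title = info.findtext("title", default="") if info is not None else ""
    vendor = info.findtext("vendor", default="") if info is not None else ""

    # Every <jar href> under every <resources> block (including OS-specific
    # ones), resolved against the codebase so the result is the URL fetched.
    jars = []
    for jar in root.iter("jar"):
        href = jar.get("href")
        if href:
            jars.append({"href": href,
                         "url": urljoin(codebase, href),
                         "main": jar.get("main") == "true"})

    # <security><all-permissions/></security> takes the application out of the
    # sandbox; Web Start only launches such a JNLP if every JAR is signed.
    security = root.find("security")
    all_perms = security is not None and security.find("all-permissions") is not None

    app = root.find("application-desc")
    main_class = app.get("main-class") if app is not None else None
    return {"title": title, "vendor": vendor, "codebase": codebase,
            "jars": jars, "all_permissions": all_perms, "main_class": main_class}


if __name__ == "__main__":
    report = inventory_jnlp(SAMPLE_JNLP)
    print("%s (%s)" % (report["title"], report["vendor"]))
    for jar in report["jars"]:
        print("  JAR:", jar["url"], "(main)" if jar["main"] else "")
    print("  requests all-permissions:", report["all_permissions"])
    print("  main class:", report["main_class"])
```

Run against a real JNLP, the jar list is exactly what the wget step below has to fetch, and an all-permissions request tells you up front that the re-signing section will apply.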

Two important things we'll need to install to accomplish our mission are the Java Development Kit (JDK) and the Java Decompiler (JAD). They can be found using the links below:

JDK: http://java.sun.com
JAD: http://www.kpdus.com/jad.html

Installation for both is relatively simple. Follow their instructions and it should be a snap. These can both be set up on Windows, but it is highly recommended to do this on a Linux box somewhere. Depending on the way the application was written, it is possible to have multiple classes within the JAR whose filenames differ only by case. For example, take a look at these two filenames: aA.class and Aa.class. Since Windows does not consider case in filenames, it will overwrite aA.class with Aa.class, which can completely destroy our application. Linux, however, does take the case of filenames into consideration, so that is why it is heavily recommended. All commands given below are specifically for use under Linux; however, it is possible they may work on Windows as well.
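To catch the Windows case-folding problem before it silently destroys an extraction, here is an added example (not from the paper) that lists JAR entries whose paths differ only by case, so the archive can be routed to a case-sensitive file system first. The JAR, including the aA.class/Aa.class pair from the text, is built in memory from constructed bytes under an assumed com/notreal package.

```python
"""Detect JAR entries that would collide on a case-insensitive file system.

Added example, not from the paper. The JAR is constructed in memory: the
aA.class / Aa.class pair is the paper's example, the com/notreal package and
the class bytes are stand-ins.
"""
import io
import zipfile
from collections import defaultdict


def build_sample_jar():
    """Constructed JAR with three classes, two of which differ only in case."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        jar.writestr("com/notreal/aA.class", b"\xca\xfe\xba\xbe one")
        jar.writestr("com/notreal/Aa.class", b"\xca\xfe\xba\xbe two")
        jar.writestr("com/notreal/Main.class", b"\xca\xfe\xba\xbe main")
    return buf.getvalue()


def case_collisions(jar_bytes):
    """Return {folded path: [entry names]} for entries unique only by case.

    The full path is folded, which is what a case-insensitive extraction
    target compares. Exact duplicate entry names (possible in a ZIP) land in
    the same group, since they overwrite each other just the same.
    """
    groups = defaultdict(list)
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if info.is_dir():
                continue
            groups[info.filename.casefold()].append(info.filename)
    return {key: sorted(names) for key, names in groups.items() if len(names) > 1}


if __name__ == "__main__":
    collisions = case_collisions(build_sample_jar())
    if collisions:
        print("extract on a case-sensitive file system; these entries would overwrite each other:")
        for names in collisions.values():
            print("  " + " <-> ".join(names))
    else:
        print("no case collisions; the JAR extracts cleanly anywhere")
```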


JDK Quick Install

Once you have downloaded the JDK, installation is relatively painless. Follow the installation procedure below. We've snipped the majority of the output, but most of it is not really important anyway. Nonetheless this should give you enough information.

Installing the Java Development Kit

root@jdkdemo:/home/user# ./jdk-1_5_0_10-linux-i586.bin
Sun Microsystems, Inc. Binary Code License Agreement
for the JAVA 2 PLATFORM STANDARD EDITION DEVELOPMENT KIT 5.0
SUN MICROSYSTEMS, INC. ("SUN") IS WILLING TO LICENSE THE
SOFTWARE IDENTIFIED BELOW TO YOU ONLY UPON THE CONDITION
.
. --- SNIPPED ---
.
Creating jdk1.5.0_10/jre/lib/charsets.jar
Creating jdk1.5.0_10/jre/lib/ext/localedata.jar
Creating jdk1.5.0_10/jre/lib/plugin.jar
Creating jdk1.5.0_10/jre/lib/javaws.jar
Creating jdk1.5.0_10/jre/lib/deploy.jar
Done.
root@jdkdemo:/home/user# mv jdk1.5.0_10/ /usr/local
root@jdkdemo:/home/user# cd /usr/local
root@jdkdemo:/usr/local# ln -s jdk1.5.0_10/ jdk
root@jdkdemo:/usr/local# export PATH=$PATH:/usr/local/jdk/bin

Downloading and Extracting

We've identified which JARs make up the application using the JNLP file, and now we'll need to download and extract them. Following our example, we'll execute the following commands to download our JARs:

Downloading the JARs

root@jdkdemo:/home/user# wget http://www.fakecompany.com/inc/app-core.jar
root@jdkdemo:/home/user# wget http://www.fakecompany.com/inc/app-gui.jar


Now you'll have the two JARs in your current directory, and they'll need to be extracted.

Extracting the JARs

root@jdkdemo:/home/user# mkdir app-gui
root@jdkdemo:/home/user# cp app-gui.jar app-gui
root@jdkdemo:/home/user# cd app-gui
root@jdkdemo:/home/user/app-gui# jar xf app-gui.jar
root@jdkdemo:/home/user/app-gui# rm app-gui.jar
root@jdkdemo:/home/user/app-gui# cd ..
root@jdkdemo:/home/user# mkdir app-core
root@jdkdemo:/home/user# cp app-core.jar app-core
root@jdkdemo:/home/user# cd app-core
root@jdkdemo:/home/user/app-core# jar xf app-core.jar
root@jdkdemo:/home/user/app-core# rm app-core.jar
root@jdkdemo:/home/user/app-core# cd ..

Obviously, the only command that needs to be executed is jar xf jarfile.jar, but I added all the extra commands so we can have a nice, neat directory structure.

Dealing with Signed JARs

Now we'll need to determine if our JARs are signed or not. We can do that in one of two ways. The easiest way at this point is to just check within the extracted JAR and see if there is a .SF file in the META-INF directory. If there is, then the JAR is signed, and we'll need to resign. Alternately you can do the following:

Identify if the JAR was signed

root@jdkdemo:/home/user/app-gui# jarsigner -verbose -certs -verify app-gui.jar
root@jdkdemo:/home/user/app-core# jarsigner -verbose -certs -verify app-core.jar

This will give you a good amount of information if the JAR is actually signed. If it is not, then most likely the JAR is not signed and it will state that clearly near the bottom of the command output. As mentioned above, it is important to determine if the JAR was signed because with a signed JAR, the MANIFEST.MF will contain a SHA1 digest of each file within the archive. If we update a particular file, the digest will not match the one in the MANIFEST.MF, and the application may fail to run (again, this is only if the JAR was signed). Also, if we recompile and re-sign any one particular JAR, we are required to recompile and resign every other JAR that is specified within the same JNLP. Finally, it is not uncommon for the Java application to require complete access to the local system through the security directive in the JNLP. If this directive is set, the JAR must be signed.
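An added example (not the paper's code) that shows what the SHA1 digests in MANIFEST.MF actually buy: it builds a JAR with a signed-style manifest, checks every entry's digest the way jarsigner -verify does, then shows that a class rewritten in place fails the digest check while a re-jarred archive with META-INF stripped carries no digests and no signature files at all. The archive contents, the com/notreal class names and the APP.SF/APP.DSA placeholders are constructed; the signature block itself is not validated here, only the per-entry digests.

```python
"""Check MANIFEST.MF entry digests and signature-file presence in a JAR.

Added example, not code from the paper. Everything is constructed: the class
bytes are stand-ins (class-file magic plus filler) and META-INF/APP.SF and
APP.DSA are placeholders standing in for the real signature file and block.
"""
import base64
import hashlib
import io
import zipfile

CLASSES = {  # constructed stand-ins for compiled classes
    "com/notreal/Login.class": b"\xca\xfe\xba\xbe login",
    "com/notreal/Main.class": b"\xca\xfe\xba\xbe main",
}


def sha1_digest_attr(data):
    """Value Java writes for SHA1-Digest: base64 of the raw SHA-1 of the entry."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def build_jar(entries, signed=True):
    """Constructed JAR. signed=True adds per-entry digests plus placeholder .SF/.DSA.

    The manifest lines here are short enough not to need the 72-byte fold Java applies.
    """
    if signed:
        manifest = "Manifest-Version: 1.0\r\nCreated-By: example\r\n\r\n"
        for name, data in sorted(entries.items()):
            manifest += "Name: %s\r\nSHA1-Digest: %s\r\n\r\n" % (name, sha1_digest_attr(data))
    else:
        manifest = "Manifest-Version: 1.0\r\n\r\n"   # what a fresh `jar cvf` writes
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        if signed:
            jar.writestr("META-INF/APP.SF", b"(placeholder signature file)")
            jar.writestr("META-INF/APP.DSA", b"(placeholder signature block)")
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()


def parse_manifest(text):
    """Return (main_attrs, {entry name: attrs}); ' '-prefixed lines continue the previous one."""
    lines = []
    for raw in text.replace("\r\n", "\n").split("\n"):
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    sections, current = [], {}
    for line in lines:
        if line == "":                      # a blank line closes a section
            if current:
                sections.append(current)
            current = {}
            continue
        key, _, value = line.partition(": ")
        current[key] = value
    if current:
        sections.append(current)
    main = sections[0] if sections else {}
    return main, {s["Name"]: s for s in sections[1:] if "Name" in s}


def verify_jar(jar_bytes):
    """Report signature-file presence and which entries lack or fail their SHA1 digest."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        _, per_entry = parse_manifest(jar.read("META-INF/MANIFEST.MF").decode("utf-8"))
        sig_exts = (".SF", ".DSA", ".RSA", ".EC")
        signed = any(n.startswith("META-INF/") and n.upper().endswith(sig_exts) for n in names)
        missing, mismatched = [], []
        for name in names:
            if name.startswith("META-INF/") or name.endswith("/"):
                continue                    # manifest and signature files carry no entry digest
            attrs = per_entry.get(name)
            if attrs is None or "SHA1-Digest" not in attrs:
                missing.append(name)        # newer JDKs write SHA-256-Digest; extend here if needed
            elif attrs["SHA1-Digest"] != sha1_digest_attr(jar.read(name)):
                mismatched.append(name)
    return {"signed": signed, "missing_digest": sorted(missing), "mismatched": sorted(mismatched)}


def replace_entry(jar_bytes, name, new_data):
    """Rewrite one entry and leave META-INF untouched: an in-place edit with no re-signing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(buf, "w") as dst:
        for info in src.infolist():
            dst.writestr(info.filename, new_data if info.filename == name else src.read(info.filename))
    return buf.getvalue()


if __name__ == "__main__":
    pristine = build_jar(CLASSES)
    print("pristine signed JAR:         ", verify_jar(pristine))
    edited = replace_entry(pristine, "com/notreal/Login.class", b"\xca\xfe\xba\xbe edited")
    print("class edited in place:       ", verify_jar(edited))
    print("META-INF stripped, re-jarred:", verify_jar(build_jar(CLASSES, signed=False)))
```

The three reports line up with the paper's three cases: a pristine signed JAR passes, an in-place edit is flagged as a digest mismatch (the "application may fail to run" case), and a JAR re-created after removing META-INF shows no signature files and no digests, which is exactly why it has to be re-signed if the JNLP demands a signed JAR.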


Decompiling

Now that we have extracted the JAR and identified if it has been signed, our next step is to decompile whichever class(es) we'd like to investigate. This is where JAD comes in. JAD's usage is very simple and straightforward. You can decompile everything within a certain directory, source tree, or an individual file. JAD does not decompile JAR files directly, so you need to extract the JAR first as detailed above. We would recommend dissecting everything for your investigation. Later on, if you plan on modifying something specifically, re-extract the JAR and only decompile that particular class, as it makes things less complicated with the recompile. You can also avoid these complications by decompiling to a completely different directory.

Decompiling Individual files

root@jdkdemo:/home/user/app-gui/classes# jad classfile.class

Decompiling All files within Directory

root@jdkdemo:/home/user/app-gui/classes# jad *.class

Decompile all class files within a source tree to a different directory, renaming them to .java files

root@jdkdemo:/home/user/app-gui/classes# jad -r -sjava -d /home/user/app-gui/src /home/user/app-gui/classes/*.class

By default JAD will output a .jad file for the source code that can be read or modified. JAD can also decompile directly to .java files by using the -s option. The destination for source files can be set with -d, and the package directory structure is restored with -r. Other JAD options can be displayed by calling jad with no arguments.

The application's source is now available for you to dissect and investigate. If there is a particular function that is getting in your way by making some obscure check, why not take it out! The power is yours! It may be a good idea to make a minor change in the logging portion of the application, and you can verify that it's working through the Java logging console. One quick note: if you're making any changes, remove the original .class and leave the .java in the same directory. If you decompiled to a different directory, after you modify it, copy the .java over to the compile directory when ready to recompile. It will make the recompile process smoother.

Recompiling and Re-JARing

The task of recompiling is nearly as simple as that of decompiling; however, we'll need to make an important change: removing the META-INF. As mentioned above, the META-INF directory contains a couple of goodies that are particular to the JAR. Since we're recompiling the entire archive, we can take it out, as it will be added automatically when we recompile. Here are our steps for recompiling and re-JARing. We took a hypothetical file, classfile.java (decompiled with JAD), within the gui/ and core/ directories, respectively.

Recompiling and re-JARing

root@jdkdemo:/home/user# cd app-gui/
root@jdkdemo:/home/user/app-gui# rm classes/classfile.class
root@jdkdemo:/home/user/app-gui# javac -cp . classes/classfile.java
root@jdkdemo:/home/user/app-gui# rm -rf META-INF
root@jdkdemo:/home/user/app-gui# jar cvf app-gui.jar .
root@jdkdemo:/home/user/app-gui# cd ../app-core/
root@jdkdemo:/home/user/app-core# rm classes/classfile.class
root@jdkdemo:/home/user/app-core# javac -cp . classes/classfile.java
root@jdkdemo:/home/user/app-core# rm -rf META-INF
root@jdkdemo:/home/user/app-core# jar cvf app-core.jar .

We removed the preexisting class files as a matter of organization, and so we can verify they were created after the recompiling process.

Great! So now we've modified our class, recompiled it, and re-JARed it. Depending on how the application was initially set up, you could be done! Just give it a run and see if it worked out! However, it's more likely that it was signed, so let's get to the annoying part.

Signing the JAR

IF YOUR JAR WAS NOT SIGNED TO BEGIN WITH, THIS STEP MAY BE SKIPPED!

This is the most annoying part of the whole process. Since we obviously cannot resign the JAR with the original owner's key, we'll have to make our own and then sign it ourselves. The first thing we'll have to do is make a keystore using keytool:

Creating a Keystore and Public/Private Key Pair

keytool -genkey -keystore myKeyStore -alias myAlias
Enter keystore password:
What is your first and last name?
  [Unknown]:
What is the name of your organizational unit?
  [Unknown]:
What is the name of your organization?
  [Unknown]:
What is the name of your City or Locality?
  [Unknown]:
What is the name of your State or Province?
  [Unknown]:
What is the two-letter country code for this unit?
  [Unknown]:
Is CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct? [no]: yes
Enter key password for <myAlias>
  (RETURN if same as keystore password): [Press Enter button]

Your keystore has now been created. Look for the file myKeyStore in your current directory. Now we can sign the JAR (assuming myKeyStore is in the same directory you started in)!

Sign the JAR

cd app-core/
jarsigner -keystore ../myKeyStore -storepass <password> app-core.jar myAlias
cd ../app-gui
jarsigner -keystore ../myKeyStore -storepass <password> app-gui.jar myAlias

Just verify using the jarsigner tool mentioned above and you're ready to put it all into action.

Making it work

You can go back to your Windows box and do some basic tests to figure out where the application is saving itself once it downloads to your machine. You can use Filemon (www.sysinternals.com) or just simply search for the .jar on your machine (usually in c:\documents and settings\\application data\ ). Once you figure this out, simply replace those with your repacked and resigned JARs. Double click the JNLP to launch the application, and hopefully your modification will work! You may see a Java warning message complaining that the application is signed by an unknown authority, but you can safely ignore that, as you're that unknown authority!

Enabling Verbose logging within Java

If you made the recommended logging change in the application or you're just curious to investigate the logs of the application, you can make Java display more verbose logging within the Java Control Panel.

Enabling Java Logging

Within the Windows Control Panel, click the Java icon to display the following window.
Navigate to the Advanced tab.
Expand the trees under Debugging and Java Console.
Under Debugging, mark the Enable Tracing, Enable Logging, and Show applet lifecycle exceptions checkboxes.
Under Java Console, mark the Show console radio button.
Hit OK.


Conclusion

Excellent job! You have successfully decompiled your JAR, figured out how to recompile it, and learned how to resign it if necessary. Now it's up to you to closely analyze the application and figure out what you can do with the decompiled JAR to identify vulnerabilities in the application. The important thing to remember here is that because this is client side, all the power is now in your hands. For example, if the application waits for a server response to validate authentication, try to change that check to automatically return true. This way you can see the application functionality without actually logging in. That's just one very simple idea - go ahead, play around, and most importantly, HAVE FUN!

More Information

If you're new to Java or would like to get more oriented with Java development, check out the following links:

The Java Tutorials: http://java.sun.com/docs/books/tutorial/
OWASP Guide - General Web Application Testing: http://www.owasp.org/index.php/OWASP_Guide_Project
Java Programming Resources: http://www.apl.jhu.edu/~hall/java/

Learn More

For additional information about Foundstone consulting, please contact your local sales representative:
Phone: 1.877.91.FOUND
Email: Consulting@foundstone.com