BaRMIe – Poking Java’s Back Door
Nicky Bloor 44CON 2017
whoami
Nicky Bloor
• Managing Security Consultant at NCC Group
• Ex software developer
• Desktop, web, games, industrial control systems
• Problem solver, breaker, builder, hacker
• Hiker and rock climber
• @NickstaDB on the Interwebz
A Story of Pwn
• On-site Java application assessment
• No credentials provided until day 3…
• Supporting infrastructure was in scope
• One network service stood out…
A Story of Pwn
Java Remote Method Invocation???
…gave me the server before I got those credentials.
Too easy! This left me really intrigued!
RMI?
• How common is RMI?
• How often is it so insecure?
• What else can we do with it?
Java Remote Method Invocation
A Brief Introduction to RMI
• Remote Method Invocation
• RPC for Java
• Execute methods within another Java virtual machine (JVM)
• Local or remote
• Simple to implement
• RMI takes care of connection and transport
• Developer does not need to be aware that RMI is in use
• RMI != arbitrary remote code execution
• Only execute methods that are implemented within the other JVM
A Brief Introduction to RMI
(Diagram: the Client Application calls IFoo.Bar(); the RMI layer on each side carries the call across to the Server Application, where FooImpl.Bar() executes)
The RMI Registry Service
• Directory of Java objects
• Maps Java objects to names
• Listens on TCP port 1099 by default
• Interaction via java.rmi.Registry class
• void bind(String name, Remote obj)
• String[] list()
• Remote lookup(String name)
• void rebind(String name, Remote obj)
• void unbind(String name)
The RMI Registry Service
• void rebind(String name, Remote obj)
• Rebind a bound object name to another object
• Potential free man-in-the-middle attack?
• void unbind(String name)
• Unbind an object from the registry
• Potential free denial of service attack?
• Cannot bind/rebind/unbind from non-localhost
Implementing RMI
• Very easy – perhaps part of the problem!
• Server-side
• Implement java.rmi.Remote
• Instantiate object
• Bind object to RMI registry
• Client-side
• Lookup object from RMI registry
• Use as normal
What’s the Problem?
• Fairly reasonable looking method
• Authenticate first, then read the file
What’s the Problem?
What if ApplicationObjectFactory returns a remote object?
What’s the Problem?
(Diagram: the intended call sequence between client and server)
• Client → Server: authenticateUser(user, pass)
• Server → Client: true
• Client → Server: readFile(filename)
• Server → Client: file contents
What’s the Problem?
(Diagram: what any client can do instead, skipping authentication)
• Client → Server: readFile(filename)
• Server → Client: file contents
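As an added illustration of the pattern in the slides above (this is not the talk's code; the class, file and user names are assumptions): the insecure interface shape beside a hardened one in which login returns a server-issued token that every privileged call must carry and that the server re-checks, because RMI itself provides no session or caller identity. The main method also shows the export-and-bind steps from the "Implementing RMI" slide.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// The shape from the talk's example: authentication and the privileged
// operation are separate remote methods and nothing links one call to the
// next. RMI has no session, so the server cannot tell whether the caller of
// readFile() ever called authenticateUser(); any client can skip straight to it.
interface InsecureFileService extends Remote {
    boolean authenticateUser(String user, String pass) throws RemoteException;
    String readFile(String filename) throws RemoteException;
}

// Hardened shape: login returns an opaque token and every privileged method
// takes that token and re-checks it, since RMI itself carries no caller identity.
interface FileService extends Remote {
    String authenticateUser(String user, String pass) throws RemoteException;
    String readFile(String token, String filename) throws RemoteException;
}

class FileServiceImpl implements FileService {
    private static final SecureRandom RNG = new SecureRandom();
    // Constructed demo credential store; a real service would hold hashed credentials.
    private static final Map<String, String> USERS = Map.of("alice", "correct horse battery staple");
    private final Map<String, String> sessions = new ConcurrentHashMap<>(); // token -> user
    private final Path root; // only files under this directory may be read

    FileServiceImpl(Path root) {
        this.root = root.toAbsolutePath().normalize();
    }

    @Override
    public String authenticateUser(String user, String pass) throws RemoteException {
        String expected = USERS.get(user);
        // Constant-time comparison so a timing difference does not leak the password.
        boolean ok = expected != null && pass != null && MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8), pass.getBytes(StandardCharsets.UTF_8));
        if (!ok) throw new RemoteException("authentication failed");
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(token, user);
        return token;
    }

    @Override
    public String readFile(String token, String filename) throws RemoteException {
        // The check the insecure version lacks: reject calls that carry no valid token.
        if (token == null || !sessions.containsKey(token)) {
            throw new RemoteException("not authenticated");
        }
        // Keep the read inside the service root; "../" in filename must not escape it.
        Path target = root.resolve(filename).normalize();
        if (!target.startsWith(root)) throw new RemoteException("path outside service root");
        try {
            return new String(Files.readAllBytes(target), StandardCharsets.UTF_8);
        } catch (IOException e) {
            throw new RemoteException("read failed", e);
        }
    }
}

public class FileServer {
    public static void main(String[] args) throws Exception {
        // Export the implementation and bind its stub, as on the "Implementing RMI" slide.
        FileServiceImpl impl = new FileServiceImpl(Paths.get("shared"));
        FileService stub = (FileService) UnicastRemoteObject.exportObject(impl, 0);
        Registry registry = LocateRegistry.createRegistry(1099);
        registry.rebind("FileService", stub); // bind/rebind/unbind are only accepted from localhost
        System.out.println("FileService bound; readFile() now requires a token from authenticateUser()");
    }
}
```

The token is the only thing the server trusts, so it must be unguessable (SecureRandom, 256 bits here) and should be expired or revoked server-side; without it the service is back to the two-call sequence shown in the diagrams.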
RMI Security?
• Authentication?
• No.
• Session management?
• No.
• Encryption?
• No.
• Message integrity checking/anti-tampering?
• No.
• Access controls?
• Yes. Kind of… Fine. No.
RMI Security?
• Encryption
• SSLSocketFactory can be used
• Access controls
• bind/rebind/unbind can only be called from localhost
• Risky code executes BEFORE the localhost check…
• (Pre-Java 6u131, 7u121, 8u112)
RMI Security
• This is a bit unfair
• RMI wasn’t designed to be secure
• RMI was designed to facilitate remote method invocation
• To compare:
• HTTP wasn’t designed to be secure
• HTTP was designed to facilitate the transfer of textual information
RMI Security
• HTTP is far more prevalent
• HTTP has evolved to support security
• Web application frameworks improve security by default
• Authentication, session management, access controls etc…
• Developers don’t need to be particularly security aware
• RMI has none of this!
• Security must be explicitly incorporated in remotely exposed classes
Insecure Use of RMI
• RMI not a secure protocol
• Original attack:
• Ignore authenticate method
• Call readFile/writeFile/executeQuery directly
• How often is RMI used this insecurely?
Insecure Use of RMI
• First step: Identify software using RMI
• Little success initially searching Google & Github
• Can I identify RMI software packages remotely?
Insecure Use of RMI
• Recalled an early test program which called Registry.lookup()
• Exception reveals fully-qualified class names
• Often identifies vendor
• Sometimes identifies the application itself
• Can we identify RMI software packages remotely?
• Yes!
• Internet search for fully-qualified class names
Insecure Use of RMI
• So, we can extract fully-qualified class names…
• What else can we learn from RMI network traffic?
• How can we extract this information?
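A small audit client, added here rather than taken from the talk or from BaRMIe, that shows what an unauthenticated client learns from a registry: list() needs no credentials, and a lookup() of a stub whose class is not on the client's classpath fails with an UnmarshalException whose nested ClassNotFoundException names the fully-qualified class. Run it against your own registries to see which class names they disclose; host and port default to localhost:1099.

```java
import java.rmi.NotBoundException;
import java.rmi.RemoteException;
import java.rmi.UnmarshalException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.Map;

public class RegistryAudit {

    /**
     * Connects to an RMI registry exactly as a plain client would and records
     * what each binding reveals without any authentication.
     */
    public static Map<String, String> audit(String host, int port) throws RemoteException {
        Registry registry = LocateRegistry.getRegistry(host, port);
        Map<String, String> findings = new LinkedHashMap<>();
        for (String name : registry.list()) {            // list() needs no credentials
            try {
                Object stub = registry.lookup(name);
                // Stub class was resolvable locally: report the remote interfaces it implements.
                findings.put(name, "resolved locally, interfaces: "
                        + Arrays.toString(stub.getClass().getInterfaces()));
            } catch (UnmarshalException e) {
                // Usual case for a third party: the stub class is not on our classpath and the
                // nested ClassNotFoundException names it. This is the leak the slides describe.
                Throwable cause = e.getCause();
                String detail = cause instanceof ClassNotFoundException
                        ? "leaks class name: " + cause.getMessage()
                        : "unmarshal failed: " + e.getMessage();
                findings.put(name, detail);
            } catch (NotBoundException e) {
                findings.put(name, "unbound between list() and lookup()");
            }
        }
        return findings;
    }

    public static void main(String[] args) throws RemoteException {
        String host = args.length > 0 ? args[0] : "localhost";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 1099;
        audit(host, port).forEach((name, detail) -> System.out.println(name + " -> " + detail));
    }
}
```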
RMI Enumeration
Insecure Use of RMI
• A lot of time was spent in these tools
• Along the way code was produced to parse RMI traffic and extract useful data…
BaRMIe - Enumeration
• Proxy-based enumeration of RMI registries
• Start TCP proxy for RMI registry connection
• Request remote objects
• Buffer RMI ‘ReplyData’ packets
• Parse the packet contents to extract useful data
Knocking on Java’s Back Door
• Find RMI software
• Found over 14,000 RMI services on Shodan
• Over 27,000 Java objects exposed over RMI
• Not all exposed externally
• Many probably shouldn’t be exposed
• Examples of exposed object names: DbVehicleSearchService, drivingLicenseManager, carUseRecordManager, CameraCapturedImages, CCPaymentService, superviseOilManager, SecurityServer, ROOT_TERMINAL, AdminAPI, system, UserConfigAPI, chainGunAPI, beerMachineApi, praiseService
Knocking on Java’s Back Door
• Honestly, no idea what any of these do!
• These are just examples of what people expose over RMI.
• This is bad if these services are implemented as insecurely as that first ‘writeFile’ example
Examples of Insecure RMI
Apache JMeter
• org.apache.jmeter.engine.RemoteJMeterEngineImpl_Stub
• Open source!
• Download source and review
• Locate classes that implement java.rmi.Remote
Apache JMeter
• Looks like anyone can configure this service!
Temis RemoteAdminServer
• com.temis.admin.remote.RemoteAdminServer_Stub
• Unable to locate source code or client jar
• BaRMIe revealed an interesting annotation…
Temis RemoteAdminServer
• Remote methods:
• UserProfile authenticate(String, String)
Looks like they thought about security?
(UserProfile – could be a session-like object?)
• boolean configure(Properties)
…or not!
• String getAdminKey()
• int addUser(String, String, String, String)
Temis RemoteAdminServer
• Account takeover?
• List<UserProfile> getAllUserList()
• int changePassword(UserProfile, String)
• UserProfile methods:
• String getPassword()
Temis RemoteAdminServer
• More remote methods:
• String getDatabaseIP()
• String getDatabasePort()
• String getDatabaseName()
• String getDatabaseType()
• String getUsername()
• String getPassword()
RMI: What’s the Problem?
It gets worse…
Deserialization
• Process of converting data into runtime objects
• Often implemented/used insecurely
• Deserializing untrusted data is usually bad
• RMI is heavily dependent on Java serialization
Adobe ColdFusion
• Most commonly exposed RMI service in my scans
• coldfusion.flex.rmi.DataServicesCFProxyServer_Stub
• No strikingly interesting remote methods
• Except…
• Call fill() to deserialize any object…
Demo Time!
• Adobe ColdFusion 2016, fully up-to-date as of 11th September 2017
• Default install except for one setting
• Unauthenticated remote method invocation…
Deserialization
It’s worse than that…
Java’s Back Door
• Testing some code
• Suddenly realised I’d made a mistake…
• …but the code worked…
Full RMI Proxy
• Successfully proxying RMI registry connections
• RMI registry does not handle method invocations
• Invocation handled by remote objects
• Different port
• Potentially different host
• Built a proxy to MitM method invocations
Proxying RMI
(Diagram: RMI Client, RMI Registry and RMI Object, with a Registry Proxy and an Object Proxy inserted between them)
• First, we create an RMI registry proxy, which is configured to connect directly to the target RMI registry
• Our RMI client requests an object via the proxy
• The object data is intercepted and parsed
• The RMI registry proxy then creates an RMI object proxy, which is configured to connect directly to the RMI object
• We modify the object data to point at the new proxy and return it to the client
• We can now MitM remote method invocation traffic!
Java’s Back Door
• So, what was that mistake?!
• Experimenting with network-level payload injection and ysoserial
• Called obj.foo(String) in RMI client, rather than obj.foo(Object)
• Proxy replaced the parameter…
Poking Java’s Back Door
• Invoking void printString("AAAAAAAAAA") looks like this:
(Slide image: the serialized RMI call)
• A simple serialized object, new Dummy(), looks like this:
(Slide image: the serialized Dummy object)
Poking Java’s Back Door
• The proxy did this (with a ysoserial payload):
(Slide image: the call with the String parameter replaced by the serialized object)
• Remotely invoked an illegal method call
• void printString(new Dummy()):
• Server-side exception
• Dummy is not compatible with java.lang.String
• Payload had already been deserialized
Java’s Back Door
If we invoke a remote method, we can replace parameters with incompatible payloads
Caveat
• Slight caveat, due to Java serialization format/protocol
• Method parameter that we replace must be non-primitive
• int, long, boolean etc cannot be replaced
• Integer, int[], ArrayList, and objects of arbitrary classes can
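Added here as the defender's counterpart to the parameter-replacement issue above (not code from the talk or from BaRMIe; Printer and PrinterImpl are reconstructed from the printString example): a Java 9+ export of the remote object with a per-object deserialization filter (JEP 290, which the slides do not cover) that admits only java.lang.String, so a gadget chain substituted for the String parameter is rejected before any of its classes are instantiated, together with the SSL socket factories the "RMI Security?" slide mentions, with client certificate authentication turned on. Assumes the javax.net.ssl.keyStore and trustStore system properties (and their passwords) are set for the JVM.

```java
import java.io.ObjectInputFilter;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;
import javax.rmi.ssl.SslRMIClientSocketFactory;
import javax.rmi.ssl.SslRMIServerSocketFactory;

// The remote interface from the talk's printString example (reconstructed here).
interface Printer extends Remote {
    void printString(String s) throws RemoteException;
}

class PrinterImpl implements Printer {
    @Override
    public void printString(String s) {
        System.out.println(s);
    }
}

public class HardenedPrinterServer {

    // Allow-list filter applied to every call unmarshalled for this object.
    // printString() takes only a String, so that is the only class the stream
    // may resolve; the closing "!*" rejects everything else, which is where a
    // substituted ysoserial payload is stopped. The limits bound the remaining
    // resource-exhaustion surface of the stream itself (nesting, arrays, size).
    static ObjectInputFilter parameterFilter() {
        return ObjectInputFilter.Config.createFilter(
                "java.lang.String;maxdepth=4;maxarray=4096;maxrefs=64;maxbytes=65536;!*");
    }

    public static void main(String[] args) throws Exception {
        // TLS on both the registry and the object endpoint. needClientAuth=true means
        // only a client presenting a certificate trusted by our truststore can connect,
        // so there is no unauthenticated path on which to attempt parameter replacement.
        SslRMIClientSocketFactory csf = new SslRMIClientSocketFactory();
        SslRMIServerSocketFactory ssf = new SslRMIServerSocketFactory(null, null, true);

        Registry registry = LocateRegistry.createRegistry(1099, csf, ssf);

        PrinterImpl impl = new PrinterImpl();
        // Java 9+ overload: export with the socket factories and a per-object filter.
        Printer stub = (Printer) UnicastRemoteObject.exportObject(impl, 0, csf, ssf, parameterFilter());
        registry.rebind("Printer", stub);
        System.out.println("Printer exported with TLS client auth and a String-only parameter filter");
    }
}
```

On Java 8u121 and later without the exportObject overload, the same allow-list can be applied process-wide through the jdk.serialFilter system property; a filter scoped to one object is preferable because each remote interface needs a different, minimal set of classes.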
BaRMIe
• RMI often exposes legitimate but dangerous methods
• writeFile(), executeQuery()
• Proxy-based attacks can introduce further risk
• Vulnerabilities where there wouldn’t otherwise be a vulnerability
• Requires knowledge of remote classes/method signatures
BaRMIe
• Written a lot of code during this research…
• Enumeration of remote objects (identify classes)
• Attacks for various targets
• Executing legitimate methods
• Deserialization attacks using Object type parameters
• Deserialization attacks through illegal parameter replacement
• BaRMIe is an all-in-one RMI enumeration and attack tool
Conclusion
• RMI lacks maturity
• Often used very insecurely
• Object injection/deserialization attacks are almost always a possibility
• Old and ‘uninteresting’ technology can be a fun and fruitful research target!
Questions?
https://nickbloor.co.uk/

 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 

Nicky Bloor - BaRMIe - Poking Java's Back Door - 44CON 2017

  • 1. BaRMIe – Poking Java’s Back Door Nicky Bloor 44CON 2017
  • 2. whoami Nicky Bloor • Managing Security Consultant at NCC Group • Ex software developer • Desktop, web, games, industrial control systems • Problem solver, breaker, builder, hacker • Hiker and rock climber • @NickstaDB on the Interwebz
  • 3. A Story of Pwn • On-site Java application assessment • No credentials provided until day 3… • Supporting infrastructure was in scope • One network service stood out…
  • 4. A Story of Pwn Java Remote Method Invocation??? …gave me the server before I got those credentials. Too easy! This left me really intrigued!
  • 5. RMI? • How common is RMI? • How often is it so insecure? • What else can we do with it?
  • 6. Java Remote Method Invocation
  • 7. A Brief Introduction to RMI • Remote Method Invocation • RPC for Java • Execute methods within another Java virtual machine (JVM) • Local or remote • Simple to implement • RMI takes care of connection and transport • Developer does not need to be aware that RMI is in use • RMI != arbitrary remote code execution • Only execute methods that are implemented within the other JVM
  • 8. A Brief Introduction to RMI [diagram: the Client Application calls IFoo.Bar(); RMI carries the call to the Server Application, where FooImpl.Bar() executes]
  • 9. The RMI Registry Service • Directory of Java objects • Maps Java objects to names • Listens on TCP port 1099 by default • Interaction via java.rmi.Registry class • void bind(String name, Remote obj) • String[] list() • Remote lookup(String name) • void rebind(String name, Remote obj) • void unbind(String name)
  • 10-11. The RMI Registry Service • void rebind(String name, Remote obj) • Rebind a bound object name to another object • Potential free man-in-the-middle attack? • void unbind(String name) • Unbind an object from the registry • Potential free denial of service attack? • Cannot bind/rebind/unbind from non-localhost
  • 12. Implementing RMI • Very easy – perhaps part of the problem! • Server-side • Implement java.rmi.Remote • Instantiate object • Bind object to RMI registry • Client-side • Lookup object from RMI registry • Use as normal
  • 13. What’s the Problem? • Fairly reasonable looking method • Authenticate first, then read the file
  • 14. What’s the Problem? What if ApplicationObjectFactory returns a remote object?
  • 15. What’s the Problem? [sequence diagram: Client → Server authenticateUser(user, pass); Server → Client true; Client → Server readFile(filename); Server → Client file contents]
  • 16. What’s the Problem? [sequence diagram: Client → Server readFile(filename); Server → Client file contents, with no authenticateUser call at all]
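As an added example (mine, not code from the talk or from BaRMIe), the shape slides 13-16 describe beside a hardened form: in the first, the "authenticate first, then read" logic lives in a caller outside the remote object, so readFile() is reachable without authenticateUser() ever being called; in the second, every remotely exposed method validates a session token itself. FileService, SecureFileService and the demo credential are constructed for illustration only.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.server.UnicastRemoteObject;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Slide-13/14 shape: authentication and file access are separate remote methods,
// and the ordering ("authenticate, then read") is enforced only by the caller.
interface FileService extends Remote {
    boolean authenticateUser(String user, String pass) throws RemoteException;
    String readFile(String filename) throws RemoteException;
}

final class FileClientHelper {
    // Looks reasonable, but if FileService is a remote object nothing stops another
    // RMI client from invoking readFile() directly and never calling authenticateUser().
    static String readAfterAuth(FileService svc, String user, String pass, String file)
            throws RemoteException {
        if (!svc.authenticateUser(user, pass)) throw new SecurityException("bad credentials");
        return svc.readFile(file);
    }
}

// Hardened shape: each remotely exposed method checks authorization on every call.
interface SecureFileService extends Remote {
    String authenticate(String user, String pass) throws RemoteException; // session token, or null
    String readFile(String token, String filename) throws RemoteException;
}

final class SecureFileServiceImpl extends UnicastRemoteObject implements SecureFileService {
    private final Map<String, String> sessions = new ConcurrentHashMap<>(); // token -> user
    private final SecureRandom random = new SecureRandom();
    private final Path root;
    // Constructed demo credential; a real service consults its own credential store.
    private static final byte[] DEMO_USER = "alice".getBytes(StandardCharsets.UTF_8);
    private static final byte[] DEMO_PASS = "correct horse".getBytes(StandardCharsets.UTF_8);

    SecureFileServiceImpl(Path root) throws RemoteException {
        this.root = root.toAbsolutePath().normalize();
    }

    @Override public String authenticate(String user, String pass) {
        if (user == null || pass == null) return null;
        boolean ok = MessageDigest.isEqual(user.getBytes(StandardCharsets.UTF_8), DEMO_USER)
                   & MessageDigest.isEqual(pass.getBytes(StandardCharsets.UTF_8), DEMO_PASS);
        if (!ok) return null;
        byte[] raw = new byte[32];
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(token, user);
        return token;
    }

    @Override public String readFile(String token, String filename) throws RemoteException {
        // Checked on every invocation, so skipping authenticate() gains the caller nothing.
        if (token == null || !sessions.containsKey(token)) throw new SecurityException("not authenticated");
        Path target = root.resolve(filename).normalize();
        if (!target.startsWith(root)) throw new SecurityException("path outside the shared directory");
        try {
            return Files.readString(target, StandardCharsets.UTF_8);
        } catch (IOException e) {
            throw new RemoteException("read failed", e);
        }
    }
}
```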
  • 17. RMI Security? • Authentication? • No. • Session management? • No. • Encryption? • No. • Message integrity checking/anti-tampering? • No. • Access controls? • Yes. Kind of… Fine. No.
  • 18. RMI Security? • Encryption • SSLSocketFactory can be used • Access controls • bind/rebind/unbind can only be called from localhost • Risky code executes BEFORE the localhost check… • (Pre-Java 6u131, 7u121, 8u112)
  • 20. RMI Security • This is a bit unfair • RMI wasn’t designed to be secure • RMI was designed to facilitate remote method invocation • To compare: • HTTP wasn’t designed to be secure • HTTP was designed to facilitate the transfer of textual information
  • 21. RMI Security • HTTP is far more prevalent • HTTP has evolved to support security • Web application frameworks improve security by default • Authentication, session management, access controls etc… • Developers don’t need to be particularly security aware • RMI has none of this! • Security must be explicitly incorporated in remotely exposed classes
  • 23. Insecure Use of RMI • RMI not a secure protocol • Original attack: • Ignore authenticate method • Call readFile/writeFile/executeQuery directly • How often is RMI used this insecurely?
  • 24. Insecure Use of RMI • First step: Identify software using RMI • Little success initially searching Google & Github • Can I identify RMI software packages remotely?
  • 25. Insecure Use of RMI • Recalled an early test program which called Registry.lookup() • Exception reveals fully-qualified class names • Often identifies vendor • Sometimes identifies the application itself • Can we identify RMI software packages remotely? • Yes! • Internet search for fully-qualified class names
  • 26. Insecure Use of RMI • So, we can extract fully-qualified class names… • What else can we learn from RMI network traffic? • How can we extract this information?
  • 32. Insecure Use of RMI • A lot of time was spent in these tools • Along the way code was produced to parse RMI traffic and extract useful data…
  • 34. BaRMIe - Enumeration • Proxy-based enumeration of RMI registries • Start TCP proxy for RMI registry connection • Request remote objects • Buffer RMI ‘ReplyData’ packets • Parse the packet contents to extract useful data
  • 35-45. Knocking on Java’s Back Door • Find RMI software • Found over 14,000 RMI services on Shodan • Over 27,000 Java objects exposed over RMI • Not all exposed externally • Many probably shouldn’t be exposed • Examples of exposed object names: DbVehicleSearchService, drivingLicenseManager, carUseRecordManager, CameraCapturedImages, CCPaymentService, superviseOilManager, SecurityServer, ROOT_TERMINAL, AdminAPI, system, UserConfigAPI, chainGunAPI, beerMachineApi, praiseService
  • 46. Knocking on Java’s Back Door • Honestly, no idea what any of these do! • These are just examples of what people expose over RMI. • This is bad if these services are implemented as insecurely as that first ‘writeFile’ example
  • 48. Apache JMeter • org.apache.jmeter.engine.RemoteJMeterEngineImpl_Stub • Open source! • Download source and review • Locate classes that implement java.rmi.Remote
  • 50. Apache JMeter • Looks like anyone can configure this service!
  • 51. Temis RemoteAdminServer • com.temis.admin.remote.RemoteAdminServer_Stub • Unable to locate source code or client jar • BaRMIe revealed an interesting annotation…
  • 52-56. Temis RemoteAdminServer • Remote methods: • UserProfile authenticate(String, String) – Looks like they thought about security? (UserProfile – could be a session-like object?) • boolean configure(Properties) …or not! • String getAdminKey() • int addUser(String, String, String, String)
  • 57-58. Temis RemoteAdminServer • Account takeover? • List<UserProfile> getAllUserList() • int changePassword(UserProfile, String) • UserProfile methods: • String getPassword()
  • 59-60. Temis RemoteAdminServer • More remote methods: • String getDatabaseIP() • String getDatabasePort() • String getDatabaseName() • String getDatabaseType() • String getUsername() • String getPassword()
  • 61. RMI: What’s the Problem?
  • 62. RMI: What’s the Problem? It gets worse…
  • 64. Deserialization • Process of converting data into runtime objects • Often implemented/used insecurely • Deserializing untrusted data is usually bad • RMI is heavily dependent on Java serialization
  • 65-69. Adobe ColdFusion • Most commonly exposed RMI service in my scans • coldfusion.flex.rmi.DataServicesCFProxyServer_Stub • No strikingly interesting remote methods • Except… • Call fill() to deserialize any object…
  • 70. Demo Time! • Adobe ColdFusion 2016, fully up-to-date as of 11th September 2017 • Default install except for one setting • Unauthenticated remote method invocation…
  • 74. Java’s Back Door • Testing some code • Suddenly realised I’d made a mistake… • …but the code worked…
  • 75. Full RMI Proxy • Successfully proxying RMI registry connections • RMI registry does not handle method invocations • Invocation handled by remote objects • Different port • Potentially different host • Built a proxy to MitM method invocations
  • 76-84. Proxying RMI [diagram: RMI Client, RMI Registry, RMI Object, Registry Proxy, Object Proxy] • First, we create an RMI registry proxy • Which is configured to connect directly to the target RMI registry • Our RMI client requests an object via the proxy • The object data is intercepted and parsed • The RMI registry proxy then creates an RMI object proxy • Which is configured to connect directly to the RMI object • We modify the object data to point at the new proxy and return it to the client • We can now MitM remote method invocation traffic!
  • 85-87. Java’s Back Door • So, what was that mistake?! • Experimenting with network-level payload injection and ysoserial • Called obj.foo(String) in RMI client, rather than obj.foo(Object) • Proxy replaced the parameter…
  • 88-89. Poking Java’s Back Door • Invoking void printString("AAAAAAAAAA") looks like this: • A simple serialized object, new Dummy(), looks like this:
  • 90-94. Poking Java’s Back Door • The proxy did this (with a ysoserial payload): • Remotely invoked an illegal method call • void printString(new Dummy()): • Server-side exception • Dummy is not compatible with java.lang.String • Payload had already been deserialized
  • 95. Java’s Back Door If we invoke a remote method, we can replace parameters with incompatible payloads
  • 96. Caveat • Slight caveat, due to Java serialization format/protocol • Method parameter that we replace must be non-primitive • int, long, boolean etc cannot be replaced • Integer, int[], ArrayList, and objects of arbitrary classes can
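An added example (mine, not from the talk or BaRMIe) that puts together the two server-side defences the deck points at: the SSLSocketFactory option from the RMI Security slide, and a JEP 290 deserialization filter as the answer to the caveat above, since a non-primitive parameter can be swapped on the wire for any serializable object and the declared type String decides nothing. It assumes Java 9 or later, a hypothetical StatusService in the hypothetical package com.example.api, and key/trust stores supplied through the standard javax.net.ssl.* system properties.

```java
import java.io.ObjectInputFilter;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;
import javax.rmi.ssl.SslRMIClientSocketFactory;
import javax.rmi.ssl.SslRMIServerSocketFactory;

public final class HardenedRmiServer {
    static final int REGISTRY_PORT = 1099;
    static final String OWN_PACKAGE = "com.example.api."; // hypothetical package of the service's own types

    interface StatusService extends Remote {
        String status(String component) throws RemoteException;
    }

    static final class StatusServiceImpl implements StatusService {
        @Override public String status(String component) {
            return "ok: " + component;
        }
    }

    // Process-wide filter: the class of every object arriving in a method call is checked
    // before its readObject runs, so a replaced parameter is rejected rather than deserialized.
    static ObjectInputFilter buildFilter() {
        return info -> {
            if (info.depth() > 10 || info.references() > 1_000) {
                return ObjectInputFilter.Status.REJECTED;           // cap graph size and nesting
            }
            Class<?> c = info.serialClass();
            if (c == null) return ObjectInputFilter.Status.UNDECIDED; // limit-only check, no class
            while (c.isArray()) c = c.getComponentType();
            if (c.isPrimitive()) return ObjectInputFilter.Status.ALLOWED;
            String module = c.getModule().getName();
            if ("java.base".equals(module) || "java.rmi".equals(module)
                    || c.getName().startsWith(OWN_PACKAGE)) {
                return ObjectInputFilter.Status.ALLOWED;          // JDK core, RMI plumbing, our API types
            }
            // Everything else, library gadget classes included; remote-stub callbacks (proxy
            // classes) land here too, so widen this only if the API really takes Remote parameters.
            return ObjectInputFilter.Status.REJECTED;
        };
    }

    public static void main(String[] args) throws Exception {
        // Must be installed before any ObjectInputStream exists; RMI's own streams honour it.
        ObjectInputFilter.Config.setSerialFilter(buildFilter());

        // TLS on every RMI socket; needClientAuth=true makes the client certificate the
        // authentication layer that plain RMI never had.
        SslRMIClientSocketFactory csf = new SslRMIClientSocketFactory();
        SslRMIServerSocketFactory ssf = new SslRMIServerSocketFactory(null, null, true);

        Registry registry = LocateRegistry.createRegistry(REGISTRY_PORT, csf, ssf);
        StatusService stub = (StatusService) UnicastRemoteObject.exportObject(
                new StatusServiceImpl(), 0, csf, ssf);
        registry.rebind("StatusService", stub);
        System.out.println("StatusService exported over TLS, registry on port " + REGISTRY_PORT);
    }
}
```

The allowlist is deliberately coarse (whole java.base and java.rmi modules); tightening it to the exact parameter types the service accepts is the better production setting.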
  • 98. BaRMIe • RMI often exposes legitimate but dangerous methods • writeFile(), executeQuery() • Proxy-based attacks can introduce further risk • Vulnerabilities where there wouldn’t otherwise be a vulnerability • Requires knowledge of remote classes/method signatures
  • 99. BaRMIe • Written a lot of code during this research… • Enumeration of remote objects (identify classes) • Attacks for various targets • Executing legitimate methods • Deserialization attacks using Object type parameters • Deserialization attacks through illegal parameter replacement • BaRMIe is an all-in-one RMI enumeration and attack tool
  • 101. Conclusion • RMI lacks maturity • Often used very insecurely • Object injection/deserialization attacks are almost always a possibility • Old and ‘uninteresting’ technology can be a fun and fruitful research target!