The OWASP Foundation

Nov 18, 2013

Copyright © The OWASP Foundation

Permission is granted to copy, distribute and/or modify this document
under the terms of the OWASP License.

The OWASP Foundation

OWASP

http://www.owasp.org


Security Assessing Java RMI

Adam Boulton
OWASP Contributor
Corsaire
Adam.Boulton@corsaire.com
+44 1483 746700

24th Sept 2008

Profile

- Principal Security Consultant at Corsaire
- Anti-Virus Analyst for Sophos Plc
- Ministry of Defence (Level 1 Security Clearance)
- BSc 1st Class (Hons) Software Engineering
- Big Java Fan
  - check out OWASP Java Gotchas!

Agenda

- What is Remote Method Invocation (RMI)?
- RMI Architecture
- Attacking an RMI service with RMI Spy
- Securing RMI services
What is RMI?

- Distributed computing solution
  - All about remote objects
- Part of core JDK platform since 1.1
  - java.rmi package
- Not familiar? Think...
  - Microsoft .NET Remoting
  - RPC
  - CORBA

What is RMI?

- Communicating between 2 JVMs over a network
- Export functionality at the object level
  - Remote clients deal with objects as if they were local
- RMI uses object serialization
  - Your custom classes must implement the Serializable interface so they can be distributed
  - Primitives are just sent by value

What is RMI?

- Transparent solution
  - All underlying network functionality
- RMI Specification states:
  - "Make writing reliable distributed applications as simple as possible"
- Increases risk that services are implemented insecurely
  - Security through obscurity

RMI Architecture

[Diagram] Client (Interface) holds a remote reference to an Object; calls travel over JRMP on TCP/IP to the Server (Implementation) Object.

RMI Registry

- Used for looking up Objects
- Servers register their Objects
- Clients use it to find and obtain remote references
- Runs on port 1099 by default

RMI tools

- RMIC (rmic.exe)
  - Special compiler that creates stub and skeleton
- Registry
  - Created by running rmiregistry.exe <port no>
  - Or, from code, LocateRegistry.createRegistry(int portNo)
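The pieces named on the architecture, registry and tools slides, assembled in one file as an added example (this is not code from the deck or from RMI Spy): a Remote interface, a server-side implementation, a registry created in-process with LocateRegistry.createRegistry instead of rmiregistry.exe, and a client that looks the object up and calls it. The names Greeter and "GreeterService" are this example's own; port 1099 is the registry default the deck mentions. Since Java 5 the JDK generates stubs dynamically when no rmic-generated stub class is present, so rmic is not needed to run this.

```java
// Added example, not from the slides: a minimal RMI service and client in one JVM.
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;
import java.util.Arrays;

public class RmiDemo {

    // The remote interface: the only contract the client compiles against.
    public interface Greeter extends Remote {
        String greet(String name) throws RemoteException;
    }

    // Server-side implementation. Only Greeter's methods are reachable through
    // the stub; this class itself is never sent to the client.
    static class GreeterImpl implements Greeter {
        public String greet(String name) throws RemoteException {
            return "Hello, " + name;
        }
    }

    public static void main(String[] args) throws Exception {
        int port = 1099; // registry default port (constructed choice for this demo)

        // Server side: export the object (dynamic stub, no rmic step) and create
        // the registry inside this JVM rather than running rmiregistry.exe.
        GreeterImpl impl = new GreeterImpl();
        Greeter stub = (Greeter) UnicastRemoteObject.exportObject(impl, 0);
        Registry registry = LocateRegistry.createRegistry(port);
        registry.bind("GreeterService", stub);

        // Client side: locate the registry, see what the server has bound, obtain
        // the remote reference and call it as if it were a local object.
        Registry remote = LocateRegistry.getRegistry("localhost", port);
        System.out.println("bound names: " + Arrays.toString(remote.list()));
        Greeter greeter = (Greeter) remote.lookup("GreeterService");
        System.out.println(greeter.greet("OWASP"));

        // Tear down the exported objects so the JVM can exit.
        registry.unbind("GreeterService");
        UnicastRemoteObject.unexportObject(impl, true);
        UnicastRemoteObject.unexportObject(registry, true);
    }
}
```

Compile and run with `javac RmiDemo.java && java RmiDemo`. The registry.list() call is the same listing any client of the registry can perform, which is why the deck treats bound object names as information an attacker collects for free.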


The Interface / Method Hash

- 64-bit hash (SHA-1)
- Method name + method descriptor used as message
- Example:
  - void myRemoteMethod(int i, Object o, boolean b)
  - myRemoteMethod(ILjava/lang/Object;Z)V
  - 0xB7B6B5B4B3B2B1B0

Hash weakness

- An attacker can pre-calculate hashes if they know API details
- 64-bit
  - Brute-force
  - Rainbow tables
- Due to the implementation it doesn't even appear to actually be 64 bits!
  - Still doing the analysis

RMI server secrets...

- An attacker's shopping list:
  - Bound object names
  - Stub name
  - A static signed 64-bit key(s)
  - Method prototypes (interface)
  - The ability to code a client!

Today's RMI service...

- Only hosting 3 methods
- Let's attack it.... LIVE!

Methodology for a 0-day RMI assessment

- Step 1: Enumerate bound object names
- Step 2: Determine stub name
- Step 3: Enumerate method hashes
- Step 4: Determine method prototypes
- Step 5: Create stub

Step 1: Enumerate bound objects

- Use your own scanning tools to detect an RMI service
- Identify objects which are bound to the port that we can talk to
- Easily done using the java.rmi package

Step 2: Determine stub name

- Correct stub name is required so we can talk to the RMI service
- Use RMISpyStubName to establish the correct stub name
- Rename the template

Step 3: Enumerate key / method hashes

- The hashes are calculated by using method descriptors
  - The signed 64-bit value
- Remember, only 1 hash for v1.1
- Add the hash to the template
- Hashes can be pre-calculated

Step 4: Determine method prototypes

- First establish the parameter types
  - Bit more manual work
- Secondly, establish the return type
  - Object is our friend
- Method names are irrelevant
  - All about the 64-bit signed value

Step 5: Creating the stub

- Detail has been added at each stage; we now have enough for a fully working custom client!
- The service is now ready to fingerprint in more detail.
- By using the business logic layer we can determine LOTS more detail.
  - Can rely on the developer getting it wrong to establish more detail.

Why is RMI insecure?

- Building on an insecure foundation
  - Skeleton implementation is flawed
- False sense of security
  - Security through obscurity
- Keys are insufficient
- Chances are you won't notice an attacker until a correct client has been constructed

Securing an RMI Server

- Adapt the RMI server code
  - Stop information leakage
  - Sun should have read the OWASP top 10!
  - Modify the method hashes
  - Java Authentication and Authorization Service (JAAS)
- Be careful what you expose!
  - Just because you don't release a client with the functionality doesn't mean attackers can't see it!
  - Don't expose the server object directly
  - Don't rely on security through obscurity

Securing an RMI Server (cont...)

- Logging
  - Invoke from command line:
    java -Djava.rmi.server.logCalls=true YourServerImp
  - Or enable inside the program:
    RemoteServer.setLog(System.err);
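The two "Securing an RMI Server" slides put into code, as an added example that is not from the deck or from RMI Spy. It applies the advice that can be shown in a single file: the business object is never exported, a thin facade exposing only the intended interface is; the exported object and the registry accept connections on the loopback address only, via a custom RMIServerSocketFactory; every call is logged with RemoteServer.setLog (the in-program form of -Djava.rmi.server.logCalls=true); and the facade records the calling host with RemoteServer.getClientHost. The names Ledger, LedgerImpl, "LedgerService" and port 1099 are this example's own, and the JAAS authentication the deck recommends is not implemented here.

```java
// Added example, not from the slides: an RMI server that exposes a facade, not the implementation.
import java.io.IOException;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.RMIClientSocketFactory;
import java.rmi.server.RMIServerSocketFactory;
import java.rmi.server.RemoteServer;
import java.rmi.server.ServerNotActiveException;
import java.rmi.server.UnicastRemoteObject;

public class HardenedRmiServer {

    // The only contract a client should ever see.
    public interface Ledger extends Remote {
        long balance(String account) throws RemoteException;
    }

    // Internal business object (constructed). It carries administrative
    // functionality that must stay inside the server: exporting this class
    // directly would expose every method on it, shipped client or not.
    static class LedgerImpl {
        long balance(String account) { return 42; }
        void resetAllBalances() { /* internal use only, never remote */ }
    }

    // Facade: implements exactly the Ledger interface and delegates. Nothing
    // else on LedgerImpl is reachable through the stub.
    static class LedgerFacade implements Ledger {
        private final LedgerImpl impl;
        LedgerFacade(LedgerImpl impl) { this.impl = impl; }
        public long balance(String account) throws RemoteException {
            String caller;
            try { caller = RemoteServer.getClientHost(); }
            catch (ServerNotActiveException e) { caller = "local"; }
            System.err.println("audit: balance(" + account + ") from " + caller);
            return impl.balance(account);
        }
    }

    // Server socket factory bound to 127.0.0.1, so neither the registry nor the
    // exported object is reachable from other hosts even if port 1099 is open.
    static class LoopbackServerSocketFactory implements RMIServerSocketFactory {
        public ServerSocket createServerSocket(int port) throws IOException {
            return new ServerSocket(port, 50, InetAddress.getLoopbackAddress());
        }
        // RMI compares factories by equals/hashCode when reusing listeners.
        @Override public boolean equals(Object o) { return o instanceof LoopbackServerSocketFactory; }
        @Override public int hashCode() { return LoopbackServerSocketFactory.class.hashCode(); }
    }

    public static void main(String[] args) throws Exception {
        // Same effect as -Djava.rmi.server.logCalls=true on the command line.
        RemoteServer.setLog(System.err);
        // Stubs embed this host name; keep it consistent with the loopback bind.
        System.setProperty("java.rmi.server.hostname", "127.0.0.1");

        RMIClientSocketFactory csf = null;                  // default client sockets
        RMIServerSocketFactory ssf = new LoopbackServerSocketFactory();

        LedgerFacade facade = new LedgerFacade(new LedgerImpl());
        Ledger stub = (Ledger) UnicastRemoteObject.exportObject(facade, 0, csf, ssf);

        Registry registry = LocateRegistry.createRegistry(1099, csf, ssf);
        registry.bind("LedgerService", stub);
        System.err.println("LedgerService bound on 127.0.0.1:1099; Ctrl-C to stop");
        // Exported objects keep the JVM alive; the server now waits for calls.
    }
}
```

If the service genuinely has to be reachable across the network, the same two factory parameters accept javax.rmi.ssl.SslRMIClientSocketFactory and SslRMIServerSocketFactory (with a keystore configured through the javax.net.ssl properties), which puts the JRMP traffic, including the method hashes the deck warns are pulled from the wire, inside TLS.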

Further Developments of RMI Spy

- Fully automated
  - Integrating the 5 stages into a click and run
  - GUI
  - Automated interface and stub creation
- Packet Sniffer
  - RMI Call parser
  - Pull keys from the wire
  - Pull objects from the wire and assess
  - Modify objects on the fly

Further Developments of RMI Spy (cont...)

- Code tidy!
- Hash generator
- Dynamic Invocation
  - Fuzzing
  - Exception handler (what is the server telling us)
- Multi-threading
  - Hash attack (possible C++ and packet)

Summary

- RMI Architecture
- Why RMI is insecure
  - Comment in the generated code says "do not edit". We all know differently now.
  - Security is difficult; even Sun don't always get it right!
- RMI Spy
  - Only tool in (known) existence to attack RMI services
- How to secure RMI

Questions