Black Hat EU 2010 - Attacking Java Serialized Communication

2,384
-1

Published on

This presentation describes a technique to conduct penetration testing of JAVA applications communicating via serialized objects.

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
2,384
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
43
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

Black Hat EU 2010 - Attacking Java Serialized Communication

  1. 1. ATTACK & DEFENSE labs Attacking JAVA Serialized Communication Manish S. Saindane
  2. 2. Who am I ? • Security Researcher – Working as a Lead Application Security Specialist for an international software development and services company – Likes to research on security issues in software – Follow me @ blog.andlabs.org ATTACK & DEFENSE labs Black Hat Europe 2010 2
  3. 3. Agenda • JAVA Object Serialization Basics • The Current Scenario & Challenges Faced • Suggested Solution • Demo ATTACK & DEFENSE labs Black Hat Europe 2010 3
  4. 4. Objectives • Simplify the penetration testing process of thick clients and make it completely seamless • Enable the pentester to edit JAVA objects in the same way that a developer would • Enable all of this using the currently available tools ATTACK & DEFENSE labs Black Hat Europe 2010 4
  5. 5. JAVA Object Serialization Basics ATTACK & DEFENSE labs Black Hat Europe 2010 5
  6. 6. JAVA Object Serialization • Protocol implemented by SUN for converting JAVA objects into a stream of bytes to be – Stored in a file – Transmitted across a network • The serialized form contains sufficient information such that it can be restored to an identical clone of the original JAVA object ATTACK & DEFENSE labs Black Hat Europe 2010 6
  7. 7. JAVA Object Serialization cont’d • Objects can be written using the writeObject() method provided by the ObjectOutput interface • Objects can be retrieved using the readObject() method provided by the ObjectInput interface • The ObjectOutputStream and ObjectInputStream classes implement the above interfaces respectively ATTACK & DEFENSE labs Black Hat Europe 2010 7
  8. 8. JAVA Object Serialization cont’d • JAVA Object Serialized data can be easily identified by the 0xac 0xed stream header (also called as the magic number) ATTACK & DEFENSE labs Black Hat Europe 2010 8
  9. 9. JAVA Object Serialization cont’d • If the object in the stream is a java.lang.String, it is encoded in a modified UTF-8 format and preceded by a 2-byte length information • Make sure you read section 5.6 of the JAVA Object Serialization specification before modifying the objects ATTACK & DEFENSE labs Black Hat Europe 2010 9
  10. 10. The Current Scenario & Challenges Faced ATTACK & DEFENSE labs Black Hat Europe 2010 10
  11. 11. So what do we have ? • Current tools or application interception proxies allow very limited functionality to test such data • Not as easy or straightforward as testing regular web applications sending data in request parameters • Some work has been done in the past to improve the situation. Let’s have a look at some of these methods ATTACK & DEFENSE labs Black Hat Europe 2010 11
  12. 12. Modifying Raw HEX • One of the most basic techniques is to modify the raw HEX data using a HEX editor • This is very limited and can be used to modify simple integers or string values in the raw data • Isn’t really practical to inspect or modify complex objects ATTACK & DEFENSE labs Black Hat Europe 2010 12
  13. 13. Modifying Raw HEX cont’d • Modifying raw data may result in a corrupted Serialized byte stream • Make sure to modify the length information if you edit some string value as discussed earlier • Existing interception proxies usually have very basic HEX editors hence working with them becomes difficult ATTACK & DEFENSE labs Black Hat Europe 2010 13
  14. 14. Decompiling Class Files • This can allow us to carefully study the application logic • Hardcoded values, sensitive functions, crypto algorithms, etc. can be identified and used for attacks • Decompiling may not be straight forward for applications making use of strong obfuscation techniques ATTACK & DEFENSE labs Black Hat Europe 2010 14
  15. 15. Decompiling Class Files cont’d • Popular decompilers like JAD, JD, Jode and DJ Java Decompiler may be used for simple obfuscated classes • Editing signed jars may be difficult ATTACK & DEFENSE labs Black Hat Europe 2010 15
  16. 16. Assessing JAVA Clients with BeanShell • This was a technique developed by Stephen D’ Vires from Corsaire • It made use of the BeanShell scripting language that was plugged into the client • Could be handy in identifying client-side security controls ATTACK & DEFENSE labs Black Hat Europe 2010 16
  17. 17. Assessing JAVA Clients with BeanShell cont’d • The pentester must be comfortable writing JAVA code to use this technique • The scope of this technique is too broad for our use i.e. to tamper the serialized data ATTACK & DEFENSE labs Black Hat Europe 2010 17
  18. 18. Runtime Protocol Analysis (RPA) • This was presented by Shay Chen from Hacktics at an OWASP Israel meet • He spoke about creating a custom runtime protocol analyzer to read data from JAVA serialized objects • The object once read, could then be analyzed and modified ATTACK & DEFENSE labs Black Hat Europe 2010 18
  19. 19. Runtime Protocol Analysis (RPA) cont’d • The way this works is: – Sniff traffic over the network – Split each request/response into individual packets – Modify the destination URL or Host within the packet with a HEX editor to a local server (protocol analyzer) – Send it to the Protocol Analyzer using netcat • The protocol analyzer is customized code written to suit the protocol used to transfer the object ATTACK & DEFENSE labs Black Hat Europe 2010 19
  20. 20. Runtime Protocol Analysis (RPA) cont’d • This only drawback is that it is not completely seamless – Too many steps involved – Takes some time to setup – The protocol analyzer has to be modified and compiled each time for different scenarios • But this is the technique that suffices our needs to a certain extent ATTACK & DEFENSE labs Black Hat Europe 2010 20
  21. 21. Suggested Solution ATTACK & DEFENSE labs Black Hat Europe 2010 21
  22. 22. Solution Thick Client Interception Application Application Proxy Server JRuby Shell ATTACK & DEFENSE labs Black Hat Europe 2010 22
  23. 23. Setup Needed • Tools we need – JRuby version 1.4.0 – BurpSuite version 1.2.x – Buby version 1.8.x – Any text editor ATTACK & DEFENSE labs Black Hat Europe 2010 23
  24. 24. Why JRuby ? • Why not a pure Java plug-in. Why JRuby? – Easier syntax, hence easy to learn – Can call almost all JAVA libraries – Provides an interactive shell (jirb) – Dynamic Type Language ATTACK & DEFENSE labs Black Hat Europe 2010 24
  25. 25. Advantages • Adds the ability of modifying JAVA objects on-the-fly • Ease of use – makes the whole process seamless • Hooks a JAVA development environment in your interception proxy • Can be used for other stuff too ….. Just be a bit creative ;) ATTACK & DEFENSE labs Black Hat Europe 2010 25
  26. 26. Demo ATTACK & DEFENSE labs Black Hat Europe 2010 26
  27. 27. References • Chen, S. (2008). Achilles’ heel – Hacking Through Java Protocols. OWASP Israel. Herzliya. • Monti, E. (n.d.). Buby. Retrieved from http://emonti.github.com/buby/ • Sun Microsystems. (n.d.). Java Object Serialization Specification. Retrieved from sun.com: http://java.sun.com/javase/6/docs/platform/serialization/spec/serialTOC.html • Vries, S. d. (2006, June 15). Assessing JAVA Clients with the BeanShell. Retrieved from Corsaire: http://research.corsaire.com/whitepapers/060816-assessing-java- clients-with-the-beanshell.pdf ATTACK & DEFENSE labs Black Hat Europe 2010 27
  28. 28. Big Thanks To • For the work done that helped me build this: – Shay Chen – Eric Monti • And of course for testing & review: – Lavakumar Kuppan – Luca Carettoni If I have seen further it is only by standing on the shoulders of giants. - Sir Isaac Newton ATTACK & DEFENSE labs Black Hat Europe 2010 28
  29. 29. Questions ?? ATTACK & DEFENSE labs Black Hat Europe 2010 29
  30. 30. Thank You Contact me: manish (-at-) andlabs.org ATTACK & DEFENSE labs Black Hat Europe 2010 30

×