Black Hat EU 2010 - Attacking Java Serialized Communication
Upcoming SlideShare
Loading in...5
×
 

Black Hat EU 2010 - Attacking Java Serialized Communication

on

  • 3,067 views

This presentation describes a technique to conduct penetration testing of JAVA applications communicating via serialized objects.

This presentation describes a technique to conduct penetration testing of JAVA applications communicating via serialized objects.

Statistics

Views

Total Views
3,067
Views on SlideShare
3,027
Embed Views
40

Actions

Likes
1
Downloads
31
Comments
0

5 Embeds 40

http://www.slideshare.net 24
https://twitter.com 6
http://www.linkedin.com 4
https://www.linkedin.com 4
http://www.lmodules.com 2

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

Black Hat EU 2010 - Attacking Java Serialized Communication Black Hat EU 2010 - Attacking Java Serialized Communication Presentation Transcript

  • ATTACK & DEFENSE labs Attacking JAVA Serialized Communication Manish S. Saindane
  • Who am I ? • Security Researcher – Working as a Lead Application Security Specialist for an international software development and services company – Likes to research on security issues in software – Follow me @ blog.andlabs.org ATTACK & DEFENSE labs Black Hat Europe 2010 2
  • Agenda • JAVA Object Serialization Basics • The Current Scenario & Challenges Faced • Suggested Solution • Demo ATTACK & DEFENSE labs Black Hat Europe 2010 3
  • Objectives • Simplify the penetration testing process of thick clients and make it completely seamless • Enable the pentester to edit JAVA objects in the same way that a developer would • Enable all of this using the currently available tools ATTACK & DEFENSE labs Black Hat Europe 2010 4
  • JAVA Object Serialization Basics ATTACK & DEFENSE labs Black Hat Europe 2010 5
  • JAVA Object Serialization • Protocol implemented by SUN for converting JAVA objects into a stream of bytes to be – Stored in a file – Transmitted across a network • The serialized form contains sufficient information such that it can be restored to an identical clone of the original JAVA object ATTACK & DEFENSE labs Black Hat Europe 2010 6
  • JAVA Object Serialization cont’d • Objects can be written using the writeObject() method provided by the ObjectOutput interface • Objects can be retrieved using the readObject() method provided by the ObjectInput interface • The ObjectOutputStream and ObjectInputStream classes implement the above interfaces respectively ATTACK & DEFENSE labs Black Hat Europe 2010 7
  • JAVA Object Serialization cont’d • JAVA Object Serialized data can be easily identified by the 0xac 0xed stream header (also called as the magic number) ATTACK & DEFENSE labs Black Hat Europe 2010 8
  • JAVA Object Serialization cont’d • If the object in the stream is a java.lang.String, it is encoded in a modified UTF-8 format and preceded by a 2-byte length information • Make sure you read section 5.6 of the JAVA Object Serialization specification before modifying the objects ATTACK & DEFENSE labs Black Hat Europe 2010 9
  • The Current Scenario & Challenges Faced ATTACK & DEFENSE labs Black Hat Europe 2010 10
  • So what do we have ? • Current tools or application interception proxies allow very limited functionality to test such data • Not as easy or straightforward as testing regular web applications sending data in request parameters • Some work has been done in the past to improve the situation. Let’s have a look at some of these methods ATTACK & DEFENSE labs Black Hat Europe 2010 11
  • Modifying Raw HEX • One of the most basic techniques is to modify the raw HEX data using a HEX editor • This is very limited and can be used to modify simple integers or string values in the raw data • Isn’t really practical to inspect or modify complex objects ATTACK & DEFENSE labs Black Hat Europe 2010 12
  • Modifying Raw HEX cont’d • Modifying raw data may result in a corrupted Serialized byte stream • Make sure to modify the length information if you edit some string value as discussed earlier • Existing interception proxies usually have very basic HEX editors hence working with them becomes difficult ATTACK & DEFENSE labs Black Hat Europe 2010 13
  • Decompiling Class Files • This can allow us to carefully study the application logic • Hardcoded values, sensitive functions, crypto algorithms, etc. can be identified and used for attacks • Decompiling may not be straight forward for applications making use of strong obfuscation techniques ATTACK & DEFENSE labs Black Hat Europe 2010 14
  • Decompiling Class Files cont’d • Popular decompilers like JAD, JD, Jode and DJ Java Decompiler may be used for simple obfuscated classes • Editing signed jars may be difficult ATTACK & DEFENSE labs Black Hat Europe 2010 15
  • Assessing JAVA Clients with BeanShell • This was a technique developed by Stephen D’ Vires from Corsaire • It made use of the BeanShell scripting language that was plugged into the client • Could be handy in identifying client-side security controls ATTACK & DEFENSE labs Black Hat Europe 2010 16
  • Assessing JAVA Clients with BeanShell cont’d • The pentester must be comfortable writing JAVA code to use this technique • The scope of this technique is too broad for our use i.e. to tamper the serialized data ATTACK & DEFENSE labs Black Hat Europe 2010 17
  • Runtime Protocol Analysis (RPA) • This was presented by Shay Chen from Hacktics at an OWASP Israel meet • He spoke about creating a custom runtime protocol analyzer to read data from JAVA serialized objects • The object once read, could then be analyzed and modified ATTACK & DEFENSE labs Black Hat Europe 2010 18
  • Runtime Protocol Analysis (RPA) cont’d • The way this works is: – Sniff traffic over the network – Split each request/response into individual packets – Modify the destination URL or Host within the packet with a HEX editor to a local server (protocol analyzer) – Send it to the Protocol Analyzer using netcat • The protocol analyzer is customized code written to suit the protocol used to transfer the object ATTACK & DEFENSE labs Black Hat Europe 2010 19
  • Runtime Protocol Analysis (RPA) cont’d • This only drawback is that it is not completely seamless – Too many steps involved – Takes some time to setup – The protocol analyzer has to be modified and compiled each time for different scenarios • But this is the technique that suffices our needs to a certain extent ATTACK & DEFENSE labs Black Hat Europe 2010 20
  • Suggested Solution ATTACK & DEFENSE labs Black Hat Europe 2010 21
  • Solution Thick Client Interception Application Application Proxy Server JRuby Shell ATTACK & DEFENSE labs Black Hat Europe 2010 22
  • Setup Needed • Tools we need – JRuby version 1.4.0 – BurpSuite version 1.2.x – Buby version 1.8.x – Any text editor ATTACK & DEFENSE labs Black Hat Europe 2010 23
  • Why JRuby ? • Why not a pure Java plug-in. Why JRuby? – Easier syntax, hence easy to learn – Can call almost all JAVA libraries – Provides an interactive shell (jirb) – Dynamic Type Language ATTACK & DEFENSE labs Black Hat Europe 2010 24
  • Advantages • Adds the ability of modifying JAVA objects on-the-fly • Ease of use – makes the whole process seamless • Hooks a JAVA development environment in your interception proxy • Can be used for other stuff too ….. Just be a bit creative ;) ATTACK & DEFENSE labs Black Hat Europe 2010 25
  • Demo ATTACK & DEFENSE labs Black Hat Europe 2010 26
  • References • Chen, S. (2008). Achilles’ heel – Hacking Through Java Protocols. OWASP Israel. Herzliya. • Monti, E. (n.d.). Buby. Retrieved from http://emonti.github.com/buby/ • Sun Microsystems. (n.d.). Java Object Serialization Specification. Retrieved from sun.com: http://java.sun.com/javase/6/docs/platform/serialization/spec/serialTOC.html • Vries, S. d. (2006, June 15). Assessing JAVA Clients with the BeanShell. Retrieved from Corsaire: http://research.corsaire.com/whitepapers/060816-assessing-java- clients-with-the-beanshell.pdf ATTACK & DEFENSE labs Black Hat Europe 2010 27
  • Big Thanks To • For the work done that helped me build this: – Shay Chen – Eric Monti • And of course for testing & review: – Lavakumar Kuppan – Luca Carettoni If I have seen further it is only by standing on the shoulders of giants. - Sir Isaac Newton ATTACK & DEFENSE labs Black Hat Europe 2010 28
  • Questions ?? ATTACK & DEFENSE labs Black Hat Europe 2010 29
  • Thank You Contact me: manish (-at-) andlabs.org ATTACK & DEFENSE labs Black Hat Europe 2010 30