The jar of joy
Presentation by Ian de Villiers at ZaCon 2 about exploiting Java.

This presentation is about instrumenting Java applications. It begins with an explanation of what a JAR file is. The difficulties in attacking Java, such as signing and obfuscation, are discussed, as is how to overcome them. The presentation ends with a walkthrough example of how to instrument a Java application.

Published in: Technology, Education
1. The JAR of Joy
SensePost - 2010

2. `whoami`
• SensePost
• ian@sensepost.com
  – Break some stuff
  – Write reports about breaking some stuff
  – Abuse the staff

3. Why This Talk?
• import disclaimer;
• Not ground-breaking stuff – no 0-day
• Java applications and applets appear to be popular again
• Reversing Java applications can be difficult
• Tips for reversing Java in less time (in my experience in any case)…

4. The JAR File
• Java ARchive
• Used to distribute Java applications / applets etc.
• ZIP file containing compiled classes, libraries, settings, certificates, *
• Trivial to extract
• Normally disclose a vast amount of information

5. Attacking Java is fun
• Trivial to reverse engineer
• Compiled applications are vulnerable to virtually all attacks traditional web apps are vulnerable to…
• …but all wrapped up in increased sense of developer smugness
• Repurposed Java applications make *awesome* attack tools

6. Difficulties Attacking Java
• Many classes and libraries in JAR files of complex applications
• Class files often do not decompile cleanly
• Impossible to fix all Java sources in large application
• Applets and applications are frequently signed
• Obfuscated code
• Frequently have to rely on other tools too…

7. Defeating Signing
• Certificate information stored in META-INF
• MANIFEST.MF contains hashes for resources
• These files can easily be deleted…

8. What this Means
• Now possible to modify classes in JAR file
• Signing normally used specifically for Java applets
  – Allow applets to access network resources
  – Allow applets to read / write files
• However, the applet runs on *my* machine
  – Can specify own security model…
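Slides 7 and 8 rest on the fact that the signature lives in a handful of META-INF files and MANIFEST.MF carries per-entry digests; the audit below, an added Python example and not code from the talk, shows what a deployer can check for itself: whether a .SF/.RSA pair is present at all, and whether each entry still matches the digest recorded for it. The sample JAR, the com/example/Client.class entry and the VENDOR.SF/VENDOR.RSA placeholders are constructed for the example.

```python
import base64
import hashlib
import io
import zipfile

def parse_manifest(text):
    """Map each named MANIFEST.MF section to its attributes; continuation lines start with a space."""
    sections, current = {}, {}
    for line in text.replace("\r\n", "\n").split("\n") + [""]:
        if line == "":
            if "Name" in current:
                sections[current["Name"]] = current
            current = {}
        elif line.startswith(" ") and current:
            current[list(current)[-1]] += line[1:]
        elif ":" in line:
            key, value = line.split(":", 1)
            current[key.strip()] = value.strip()
    return sections

def audit_jar(jar_bytes):
    """Report whether signature files are present and which entries no longer match their manifest digest."""
    report = {"signed": False, "mismatched": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        # jarsigner writes a .SF file plus a .RSA/.DSA/.EC block; with both gone the JAR is simply unsigned
        report["signed"] = any(n.endswith(".SF") for n in names) and any(n.endswith((".RSA", ".DSA", ".EC")) for n in names)
        manifest = parse_manifest(jar.read("META-INF/MANIFEST.MF").decode()) if "META-INF/MANIFEST.MF" in names else {}
        for name, attrs in manifest.items():
            for attr, expected in attrs.items():
                if attr.endswith("-Digest") and name in names:  # e.g. SHA-256-Digest -> hashlib "sha256"
                    algo = attr[:-len("-Digest")].replace("-", "").lower()
                    actual = base64.b64encode(hashlib.new(algo, jar.read(name)).digest()).decode()
                    if actual != expected:
                        report["mismatched"].append(name)
    return report

def build_sample_jar(class_bytes, stored_bytes=None, strip_signature=False):
    """Constructed sample JAR: the manifest digest covers class_bytes, but stored_bytes (if given) is what is packed."""
    digest = base64.b64encode(hashlib.sha256(class_bytes).digest()).decode()
    manifest = ("Manifest-Version: 1.0\r\n\r\nName: com/example/Client.class\r\n"
                f"SHA-256-Digest: {digest}\r\n\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        if not strip_signature:  # placeholders for what jarsigner writes, not real signatures
            jar.writestr("META-INF/VENDOR.SF", "Signature-Version: 1.0\r\n")
            jar.writestr("META-INF/VENDOR.RSA", b"placeholder")
        jar.writestr("com/example/Client.class", stored_bytes or class_bytes)
    return buf.getvalue()
```

The manifest digests only catch an edited class whose manifest was left alone; whoever rewrites the class can rewrite the manifest too, so the dependable control is to refuse any JAR whose .SF signature does not verify against a trusted certificate (`jarsigner -verify`), treating "no signature files" as unsigned rather than as acceptable.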
9. Obfuscation
• Defeating Java obfuscation is difficult
• Depends on the obfuscation mechanism used
• In most cases, virtually impossible…
• … however, the newer attack methodologies outlined later will help
…but wait – there is more…

10. Obfuscation
• A bunch of classes depending on reflection methods and serialized objects cannot normally be obfuscated…
• … in obfuscated applications this provides us with a nice area to attack

11. Java Quick Kills
• Not necessary to fix all compiler errors
• Only need to fix specific classes with functionality you need
  – Sanitisation libraries
  – Network stream libraries
• Updated classes can be recompiled with the original JAR file to satisfy dependencies

12. Demo and Walkthrough
• Decompile application and export sources

13. Demo and Walkthrough
• Identify key source files and include in project

14. Demo and Walkthrough
• Remove compiled class files from original JAR
• Rebuild JAR file

15. Demo and Walkthrough
• Link modified JAR file to compiler CLASSPATH

16. Demo and Walkthrough
• Modify source code and run…

17. Demo and Walkthrough
• Repurposing uses the same technique…
• … but changes the functionality in order to turn the application into an attack tool

18. Newer Attack Methods
• New research and toolsets make reversing and recompiling unnecessary…
• Also make it easier to attack obfuscated applications
• Cannot always be used for repurposing

19. BlackHat Europe – 2010
• Manish Saindane
  – Demonstrated attacks against serialized objects
  – Provided Burp plug-in to view and modify serialized objects
http://www.blackhat.com/html/bh-eu-10/bh-eu-10-archives.html

20. Demo – Serialized Objects

21. BlackHat Las Vegas – 2010
• Arshan Dabirsiaghi
  – JavaSnoop: How to Hack Anything Written in Java
• Stephen de Vries
  – Hacking Java Clients
• Both talks outlined new methods for attacking Java applications
http://www.blackhat.com/html/bh-us-10/bh-us-10-archives.html

22. Demo – JavaSnoop

23. In Summary
• Java reversing is fun
• Java reversing can be easy
• Newer attack methodologies no longer require attackers to reverse the application
• Traditional reversing techniques still normally apply for repurposing applications

24. Ta Muchly
• ZaCon folkses

25. Questions?
ian@sensepost.com