Nicky Bloor - BaRMIe - Poking Java's Back Door - 44CON 2017

Slightly altered slides from my 44CON 2017 talk titled "BaRMIe - Poking Java's Back Door". The talk looks at the security of Java RMI and attacks against software using the Java RMI protocol, including a recently patched unauthenticated remote command execution vulnerability against Adobe ColdFusion (CVE-2017-11283 and CVE-2017-11284).


1. BaRMIe – Poking Java’s Back Door – Nicky Bloor, 44CON 2017

2. whoami – Nicky Bloor
• Managing Security Consultant at NCC Group
• Ex software developer
  • Desktop, web, games, industrial control systems
• Problem solver, breaker, builder, hacker
• Hiker and rock climber
• @NickstaDB on the Interwebz

3. A Story of Pwn
• On-site Java application assessment
• No credentials provided until day 3…
• Supporting infrastructure was in scope
• One network service stood out…

4. A Story of Pwn
Java Remote Method Invocation??? …gave me the server before I got those credentials. Too easy! This left me really intrigued!

5. RMI?
• How common is RMI?
• How often is it so insecure?
• What else can we do with it?

6. Java Remote Method Invocation

7. A Brief Introduction to RMI
• Remote Method Invocation
  • RPC for Java
  • Execute methods within another Java virtual machine (JVM)
  • Local or remote
• Simple to implement
  • RMI takes care of connection and transport
  • Developer does not need to be aware that RMI is in use
• RMI != arbitrary remote code execution
  • Only execute methods that are implemented within the other JVM

8. A Brief Introduction to RMI – diagram: Client Application calls IFoo.Bar(); RMI (client side) → RMI (server side) → Server Application executes FooImpl.Bar()

9. The RMI Registry Service
• Directory of Java objects
• Maps Java objects to names
• Listens on TCP port 1099 by default
• Interaction via java.rmi.Registry class
  • void bind(String name, Remote obj)
  • String[] list()
  • Remote lookup(String name)
  • void rebind(String name, Remote obj)
  • void unbind(String name)
11. The RMI Registry Service
• void rebind(String name, Remote obj)
  • Rebind a bound object name to another object
  • Potential free man-in-the-middle attack?
• void unbind(String name)
  • Unbind an object from the registry
  • Potential free denial of service attack?
• Cannot bind/rebind/unbind from non-localhost

12. Implementing RMI
• Very easy – perhaps part of the problem!
• Server-side
  • Implement java.rmi.Remote
  • Instantiate object
  • Bind object to RMI registry
• Client-side
  • Lookup object from RMI registry
  • Use as normal

13. What’s the Problem?
• Fairly reasonable looking method
• Authenticate first, then read the file

14. What’s the Problem?
What if ApplicationObjectFactory returns a remote object?

15. What’s the Problem? – sequence diagram: Client → Server: authenticateUser(user,pass); Server → Client: true; Client → Server: readFile(filename); Server → Client: file contents

16. What’s the Problem? – sequence diagram: Client → Server: readFile(filename); Server → Client: file contents
17. RMI Security?
• Authentication? No.
• Session management? No.
• Encryption? No.
• Message integrity checking/anti-tampering? No.
• Access controls? Yes. Kind of… Fine. No.

18. RMI Security?
• Encryption
  • SSLSocketFactory can be used
• Access controls
  • bind/rebind/unbind can only be called from localhost
  • Risky code executes BEFORE the localhost check…
  • (Pre-Java 6u131, 7u121, 8u112)

19. RMI Security

20. RMI Security
• This is a bit unfair
  • RMI wasn’t designed to be secure
  • RMI was designed to facilitate remote method invocation
• To compare:
  • HTTP wasn’t designed to be secure
  • HTTP was designed to facilitate the transfer of textual information

21. RMI Security
• HTTP is far more prevalent
• HTTP has evolved to support security
  • Web application frameworks improve security by default
  • Authentication, session management, access controls etc…
  • Developers don’t need to be particularly security aware
• RMI has none of this!
  • Security must be explicitly incorporated in remotely exposed classes
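One way to build the explicit security slide 21 calls for into the authenticateUser/readFile pair of slides 13–16, as an added example that is not code from the talk or from BaRMIe: authenticateUser() hands back an opaque server-side session token and readFile() refuses to run without one, so a client that skips straight to readFile() (slide 16) gets nothing. The FileService interface, the /srv/files base directory and the password store are assumptions.

```java
// FileService.java (added example). Needs only a JDK with java.rmi.
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.server.UnicastRemoteObject;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical remote interface. The token is a parameter of every privileged
 *  method, so the server, not the client, decides whether anyone is logged in. */
public interface FileService extends Remote {
    String authenticateUser(String user, String pass) throws RemoteException;
    String readFile(String token, String filename) throws RemoteException;
}

class FileServiceImpl extends UnicastRemoteObject implements FileService {
    private static final Path BASE = Paths.get("/srv/files").toAbsolutePath().normalize(); // assumed
    private final Map<String, byte[]> users;                                 // user -> SHA-256(pass), assumed store
    private final Map<String, String> sessions = new ConcurrentHashMap<>();  // token -> user
    private final SecureRandom rng = new SecureRandom();

    FileServiceImpl(Map<String, byte[]> users) throws RemoteException {
        super();
        this.users = users;
    }

    @Override
    public String authenticateUser(String user, String pass) throws RemoteException {
        byte[] expected = users.get(user);
        // Constant-time comparison; unknown user and wrong password fail identically.
        if (expected == null || !MessageDigest.isEqual(expected, sha256(pass))) {
            throw new RemoteException("authentication failed");
        }
        byte[] raw = new byte[32];                  // 256-bit unguessable session token
        rng.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(token, user);
        return token;
    }

    @Override
    public String readFile(String token, String filename) throws RemoteException {
        // A direct readFile() call with no prior authenticateUser() stops here.
        if (token == null || !sessions.containsKey(token)) {
            throw new RemoteException("not authenticated");
        }
        // Confine the read to BASE so "../" in filename cannot escape it.
        Path target = BASE.resolve(filename).normalize();
        if (!target.startsWith(BASE)) {
            throw new RemoteException("path outside base directory");
        }
        try {
            return new String(Files.readAllBytes(target), StandardCharsets.UTF_8);
        } catch (IOException e) {
            throw new RemoteException("read failed", e);
        }
    }

    /** Demo hash for the constructed store; a real deployment uses a slow password
     *  hash (PBKDF2, bcrypt, scrypt) rather than plain SHA-256. */
    static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

The token crosses the wire in the clear unless the object is exported with the SSL socket factories slide 18 refers to, so the two belong together.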
22. Insecure Use of RMI

23. Insecure Use of RMI
• RMI not a secure protocol
• Original attack:
  • Ignore authenticate method
  • Call readFile/writeFile/executeQuery directly
• How often is RMI used this insecurely?

24. Insecure Use of RMI
• First step: Identify software using RMI
• Little success initially searching Google & Github
• Can I identify RMI software packages remotely?

25. Insecure Use of RMI
• Recalled an early test program which called Registry.lookup()
  • Exception reveals fully-qualified class names
  • Often identifies vendor
  • Sometimes identifies the application itself
• Can we identify RMI software packages remotely?
  • Yes!
  • Internet search for fully-qualified class names

26. Insecure Use of RMI
• So, we can extract fully-qualified class names…
• What else can we learn from RMI network traffic?
• How can we extract this information?
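The lookup() behaviour of slide 25, turned into an inventory of what a registry you administer exposes, as an added example that is not code from the talk or from BaRMIe: for each bound name it reports the stub class and interfaces when the stub class is on the local classpath, and otherwise the fully-qualified name that the JVM failed to load. Only public java.rmi API is used; the host and port are assumptions.

```java
// RegistryInventory.java (added example): javac RegistryInventory.java && java RegistryInventory [host] [port]
import java.lang.reflect.Proxy;
import java.rmi.Remote;
import java.rmi.UnmarshalException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.util.Arrays;

public final class RegistryInventory {
    /** One line per bound name. */
    static String describe(Registry reg, String name) {
        try {
            Remote stub = reg.lookup(name);
            Class<?> c = stub.getClass();
            // Modern exports arrive as a java.lang.reflect.Proxy; legacy ones as a Foo_Stub class.
            String kind = Proxy.isProxyClass(c) ? "dynamic proxy" : c.getName();
            return name + " -> " + kind + " implementing " + Arrays.toString(c.getInterfaces());
        } catch (UnmarshalException e) {
            // Stub or remote interface class not available locally: RMI wraps the
            // ClassNotFoundException, whose message is the fully-qualified class name.
            Throwable cause = e.getCause();
            String cls = (cause instanceof ClassNotFoundException)
                    ? cause.getMessage() : String.valueOf(cause);
            return name + " -> class not on local classpath: " + cls;
        } catch (Exception e) {
            return name + " -> " + e;
        }
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "127.0.0.1";           // assumed
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 1099;   // registry default (slide 9)
        Registry reg = LocateRegistry.getRegistry(host, port);
        String[] names = reg.list();
        System.out.println(names.length + " bound name(s) on " + host + ":" + port);
        for (String name : names) {
            System.out.println("  " + describe(reg, name));
        }
    }
}
```

Because lookup() deserializes whatever the registry returns, run this JVM with a deserialization filter (-Djdk.serialFilter, Java 8u121 and later) when the registry is not fully under your control.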
27–31. RMI Enumeration (screenshots)
32. Insecure Use of RMI
• A lot of time was spent in these tools
• Along the way code was produced to parse RMI traffic and extract useful data…
34. BaRMIe - Enumeration
• Proxy-based enumeration of RMI registries
  • Start TCP proxy for RMI registry connection
  • Request remote objects
  • Buffer RMI ‘ReplyData’ packets
  • Parse the packet contents to extract useful data
35–45. Knocking on Java’s Back Door
• Find RMI software
• Found over 14,000 RMI services on Shodan
• Over 27,000 Java objects exposed over RMI
  • Not all exposed externally
  • Many probably shouldn’t be exposed
• Bound object names seen: DbVehicleSearchService, drivingLicenseManager, carUseRecordManager, CameraCapturedImages, CCPaymentService, superviseOilManager, SecurityServer, ROOT_TERMINAL, AdminAPI, system, UserConfigAPI, chainGunAPI, beerMachineApi, praiseService
46. Knocking on Java’s Back Door
• Honestly, no idea what any of these do!
• These are just examples of what people expose over RMI.
• This is bad if these services are implemented as insecurely as that first ‘writeFile’ example

47. Examples of Insecure RMI

48. Apache JMeter
• org.apache.jmeter.engine.RemoteJMeterEngineImpl_Stub
• Open source!
  • Download source and review
  • Locate classes that implement java.rmi.Remote
50. Apache JMeter
• Looks like anyone can configure this service!
51. Temis RemoteAdminServer
• com.temis.admin.remote.RemoteAdminServer_Stub
• Unable to locate source code or client jar
• BaRMIe revealed an interesting annotation…
52–56. Temis RemoteAdminServer
• Remote methods:
  • UserProfile authenticate(String, String) – Looks like they thought about security? (UserProfile – could be a session-like object?)
  • boolean configure(Properties) – …or not!
  • String getAdminKey()
  • int addUser(String, String, String, String)
58. Temis RemoteAdminServer
• Account takeover?
  • List<UserProfile> getAllUserList()
  • int changePassword(UserProfile, String)
• UserProfile methods:
  • String getPassword()
60. Temis RemoteAdminServer
• More remote methods:
  • String getDatabaseIP()
  • String getDatabasePort()
  • String getDatabaseName()
  • String getDatabaseType()
  • String getUsername()
  • String getPassword()
62. RMI: What’s the Problem? It gets worse…
64. Deserialization
• Process of converting data into runtime objects
• Often implemented/used insecurely
• Deserializing untrusted data is usually bad
• RMI is heavily dependent on Java serialization
69. Adobe ColdFusion
• Most commonly exposed RMI service in my scans
• coldfusion.flex.rmi.DataServicesCFProxyServer_Stub
• No strikingly interesting remote methods
• Except…
  • Call fill() to deserialize any object…
70. Demo Time!
• Adobe ColdFusion 2016, fully up-to-date as of 11th September 2017
• Default install except for one setting
• Unauthenticated remote method invocation…
72. Deserialization – It’s worse than that…
74. Java’s Back Door
• Testing some code
• Suddenly realised I’d made a mistake…
• …but the code worked…
75. Full RMI Proxy
• Successfully proxying RMI registry connections
• RMI registry does not handle method invocations
  • Invocation handled by remote objects
  • Different port
  • Potentially different host
• Built a proxy to MitM method invocations
76–84. Proxying RMI – diagram components: RMI Client, RMI Registry, RMI Object, Registry Proxy, Object Proxy (label: “3) Creates Object Proxy”)
• First, we create an RMI registry proxy
• Which is configured to connect directly to the target RMI registry
• Our RMI client requests an object via the proxy
• The object data is intercepted and parsed
• The RMI registry proxy then creates an RMI object proxy
• Which is configured to connect directly to the RMI object
• We modify the object data to point at the new proxy and return it to the client
• We can now MitM remote method invocation traffic!
87. Java’s Back Door
• So, what was that mistake?!
  • Experimenting with network-level payload injection and ysoserial
  • Called obj.foo(String) in RMI client, rather than obj.foo(Object)
  • Proxy replaced the parameter…
89. Poking Java’s Back Door
• Invoking void printString("AAAAAAAAAA") looks like this:
• A simple serialized object, new Dummy(), looks like this:
94. Poking Java’s Back Door
• The proxy did this (with a ysoserial payload):
  • Remotely invoked an illegal method call
  • void printString(new Dummy()):
• Server-side exception
  • Dummy is not compatible with java.lang.String
  • Payload had already been deserialized
95. Java’s Back Door
If we invoke a remote method, we can replace parameters with incompatible payloads

96. Caveat
• Slight caveat, due to Java serialization format/protocol
• Method parameter that we replace must be non-primitive
  • int, long, boolean etc cannot be replaced
  • Integer, int[], ArrayList, and objects of arbitrary classes can
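Java’s own countermeasure to the parameter-replacement problem of slides 85–96, as an added example that is not code from the talk or from BaRMIe: a JEP 290 deserialization filter (java.io.ObjectInputFilter in Java 9 and later; the same API was backported to 8u121 as sun.misc.ObjectInputFilter) rejects every class not on an allowlist at class-resolution time, before RMI instantiates it, so an object substituted for a String parameter fails before it has run rather than after, which is the gap slide 94 describes. The Printer interface, its allowlist and the port are assumptions.

```java
// FilteredRmiServer.java (added example). Java 9+: java.io.ObjectInputFilter.
import java.io.ObjectInputFilter;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;

public final class FilteredRmiServer {
    /** Hypothetical remote interface: its only reference-typed parameter is a String,
     *  exactly the kind of parameter slide 96 says can be swapped for any object. */
    public interface Printer extends Remote {
        void printString(String s) throws RemoteException;
    }

    static final class PrinterImpl extends UnicastRemoteObject implements Printer {
        PrinterImpl() throws RemoteException { super(); }
        @Override public void printString(String s) { System.out.println("printString: " + s); }
    }

    /** Process-wide filter (JEP 290). RMI reads call arguments through an
     *  ObjectInputStream, and the filter runs when each class descriptor is resolved,
     *  BEFORE any constructor or readObject() of that class executes, so a rejected
     *  class never gets to run. Pattern grammar: ';'-separated entries, first match
     *  wins, '!' rejects, '**' includes subpackages, and a final "!*" rejects every
     *  class not listed. The registry and DGC keep their own built-in filters. */
    static ObjectInputFilter buildFilter() {
        return ObjectInputFilter.Config.createFilter(
                "maxdepth=10;maxarray=10000;maxrefs=10000;"   // cap nesting and size
                + "java.lang.String;"                        // the only argument type Printer takes
                + "!*");                                     // everything else: REJECTED
    }

    public static void main(String[] args) throws Exception {
        // Set once, before the first deserialization. Starting the JVM with
        // -Djdk.serialFilter='java.lang.String;!*' has the same effect with no code change.
        ObjectInputFilter.Config.setSerialFilter(buildFilter());
        Registry registry = LocateRegistry.createRegistry(1099);   // assumed port
        registry.rebind("printer", new PrinterImpl());             // in-process, so the localhost rule of slide 11 is met
        System.out.println("printer exported; a rejected argument surfaces as "
                + "java.io.InvalidClassException: filter status: REJECTED");
    }
}
```

Exercise every legitimate client against the filtered server and widen the allowlist only for the classes it actually rejects; an allowlist that is too narrow fails loudly, one that is too wide fails silently.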
98. BaRMIe
• RMI often exposes legitimate but dangerous methods
  • writeFile(), executeQuery()
• Proxy-based attacks can introduce further risk
  • Vulnerabilities where there wouldn’t otherwise be a vulnerability
  • Requires knowledge of remote classes/method signatures
99. BaRMIe
• Written a lot of code during this research…
  • Enumeration of remote objects (identify classes)
  • Attacks for various targets
    • Executing legitimate methods
    • Deserialization attacks using Object type parameters
    • Deserialization attacks through illegal parameter replacement
• BaRMIe is an all-in-one RMI enumeration and attack tool
101. Conclusion
• RMI lacks maturity
• Often used very insecurely
• Object injection/deserialization attacks are almost always a possibility
• Old and ‘uninteresting’ technology can be a fun and fruitful research target!
102. Questions? https://nickbloor.co.uk/