
The jar of joy


Presentation by Ian de Villiers at ZaCon 2 about exploiting Java.

This presentation is about instrumenting Java applications. It begins with an explanation of what a JAR file is. The difficulties in attacking Java, such as signing and obfuscation, are discussed, as is how to overcome them. The presentation ends with a walkthrough example of how to instrument a Java application.

Published in: Technology, Education

  1. The JAR of Joy
     SensePost - 2010
  2. `whoami`
     • SensePost
       – Break some stuff
       – Write reports about breaking some stuff
       – Abuse the staff
  3. Why This Talk?
     • import disclaimer;
     • Not ground breaking stuff – no 0-day
     • Java applications and applets appear to be popular again
     • Reversing Java applications can be difficult
     • Tips for reversing Java in less time (in my experience in any case)…
  4. The JAR File
     • Java ARchive
     • Used to distribute Java applications / applets etc.
     • ZIP file containing compiled classes, libraries, settings, certificates, *
     • Trivial to extract
     • Normally discloses a vast amount of information
  5. Attacking Java is fun
     • Trivial to reverse engineer
     • Compiled applications are vulnerable to virtually all attacks traditional web apps are vulnerable to…
     • …but all wrapped up in an increased sense of developer smugness
     • Repurposed Java applications make *awesome* attack tools
  6. Difficulties Attacking Java
     • Many classes and libraries in JAR files of complex applications
     • Class files often do not decompile cleanly
     • Impossible to fix all Java sources in a large application
     • Applets and applications are frequently signed
     • Obfuscated code
     • Frequently have to rely on other tools too…
  7. Defeating Signing
     • Certificate information stored in META-INF
     • MANIFEST.MF contains hashes for resources
     • These files can easily be deleted…
  8. What this Means
     • Now possible to modify classes in the JAR file
     • Signing normally used specifically for Java applets
       – Allow applets to access network resources
       – Allow applets to read / write files
     • However, the applet runs on *my* machine
       – Can specify own security model…
  9. Obfuscation
     • Defeating Java obfuscation is difficult
     • Depends on the obfuscation mechanism used
     • In most cases, virtually impossible…
     • … however, the newer attack methodologies outlined later will help
     …but wait – there is more…
  10. Obfuscation
     • A bunch of classes depending on reflection methods and serialized objects cannot normally be obfuscated…
     • … in obfuscated applications this provides us with a nice area to attack
  11. Java Quick Kills
     • Not necessary to fix all compiler errors
     • Only need to fix specific classes with functionality you need
       – Sanitisation libraries
       – Network stream libraries
     • Updated classes can be recompiled with the original JAR file to satisfy dependencies
  12. Demo and Walkthrough
     • Decompile application and export sources
  13. Demo and Walkthrough
     • Identify key source files and include in project
  14. Demo and Walkthrough
     • Remove compiled class files from original JAR
     • Rebuild JAR file
  15. Demo and Walkthrough
     • Link modified JAR file to compiler CLASSPATH
  16. Demo and Walkthrough
     • Modify source code and run…
  17. Demo and Walkthrough
     • Repurposing uses the same technique…
     • … but changes the functionality in order to turn the application into an attack tool
  18. Newer Attack Methods
     • New research and toolsets make reversing and recompiling unnecessary…
     • Also make it easier to attack obfuscated applications
     • Cannot always be used for repurposing
  19. BlackHat Europe – 2010
     • Manish Saindane
       – Demonstrated attacks against serialized objects
       – Provided Burp plug-in to view and modify serialized objects
  20. Demo – Serialized Objects
  21. BlackHat Las Vegas – 2010
     • Arshan Dabirsiaghi
       – JavaSnoop: How to Hack Anything Written in Java
     • Stephen de Vries
       – Hacking Java Clients
     • Both talks outlined new methods for attacking Java applications
  22. Demo – JavaSnoop
  23. In Summary
     • Java reversing is fun
     • Java reversing can be easy
     • Newer attack methodologies no longer require attackers to reverse the application
     • Traditional reversing techniques still normally apply for repurposing applications
  24. Ta Muchly
     • ZaCon folkses
  25. Questions?
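Slides 4, 7 and 8 describe what a JAR's META-INF carries (MANIFEST.MF per-entry digests plus the .SF/.RSA signature files) and that removing those files is enough to get a modified JAR past "it is signed" assumptions. The check below is an added example, not code from the talk or from SensePost: it parses MANIFEST.MF, recomputes each listed entry's digest, flags .class entries the manifest never covered, and reports whether the signature files are still present at all. All class contents, entry names and the SIGNER.* files are constructed placeholders; presence of the signature files is tested, not their validity, which remains jarsigner's job.

```python
import base64
import hashlib
import io
import zipfile

def b64_digest(algo, data):
    # Manifest digests are base64 of the raw hash; the header name "SHA-256" maps to hashlib "sha256"
    return base64.b64encode(hashlib.new(algo.replace("-", "").lower(), data).digest()).decode()

def parse_manifest(text):
    # MANIFEST.MF -> {entry name: {digest algorithm: base64 digest}}. Sections are separated by a
    # blank line; a line starting with a space continues the previous one (jar wraps at 72 bytes).
    entries = {}
    for block in text.replace("\r\n", "\n").replace("\n ", "").split("\n\n"):
        attrs = {k.strip(): v.strip() for k, _, v in (ln.partition(":") for ln in block.splitlines()) if k}
        if "Name" in attrs:
            entries[attrs["Name"]] = {k[:-7]: v for k, v in attrs.items() if k.endswith("-Digest")}
    return entries

def check_jar(jar_bytes):
    # Presence of META-INF signature files (.SF plus an .RSA/.DSA/.EC block; jarsigner -verify validates
    # them), .class entries the manifest does not list, and listed entries whose digest no longer matches.
    zf = zipfile.ZipFile(io.BytesIO(jar_bytes))
    names = set(zf.namelist())
    manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode())
    signed = any(n.upper().endswith(".SF") for n in names) and any(n.upper().endswith((".RSA", ".DSA", ".EC")) for n in names)
    mismatched = sorted(name for name, digests in manifest.items()  # a listed-but-missing entry also mismatches
                        if any(b64_digest(a, zf.read(name) if name in names else b"") != d for a, d in digests.items()))
    unlisted = sorted(n for n in names if n.endswith(".class") and n not in manifest)
    return {"signed": signed, "unlisted": unlisted, "mismatched": mismatched}

def build_jar(listed, stored, signed):
    # Constructed sample JAR: manifest digests from `listed`, stored entries from `stored`; SIGNER.* are placeholders.
    man = ["Manifest-Version: 1.0", ""]
    for name, data in listed.items():
        man += [f"Name: {name}", "SHA-256-Digest: " + b64_digest("SHA-256", data), ""]
    with zipfile.ZipFile(buf := io.BytesIO(), "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "\r\n".join(man) + "\r\n")
        if signed:
            zf.writestr("META-INF/SIGNER.SF", "Signature-Version: 1.0\r\n")
            zf.writestr("META-INF/SIGNER.RSA", b"placeholder signature block")
        for name, data in stored.items():
            zf.writestr(name, data)
    return buf.getvalue()

def demo():
    # Intact signed JAR versus the same JAR with signature files removed, Login replaced and a class added.
    original = {"com/app/Login.class": b"\xca\xfe\xba\xbe login v1", "com/app/Util.class": b"\xca\xfe\xba\xbe util v1"}
    modified = {**original, "com/app/Login.class": b"\xca\xfe\xba\xbe login v2", "com/app/Added.class": b"\xca\xfe\xba\xbe x"}
    return check_jar(build_jar(original, original, True)), check_jar(build_jar(original, modified, False))
```

Run `demo()`: the intact JAR reports signed with nothing unlisted or mismatched, while the modified one reports the signature files gone, Login.class mismatching its manifest digest and Added.class not covered by the manifest at all.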