Presentation by Ian de Villiers at ZaCon 2 about exploiting java.
This presentation is about instrumenting java applications. it begins with an explanation of what a jar file is. The difficulties in attacking java, such as signing and obfuscation are discussed. How to overcome these difficulties is also discussed. The presentation ends with a walkthrough example of how to instrument a java application.
Love it or hate it (and a lot of people seem to hate it), Maven is a widely used tool. We can consider that Maven has been the de-facto standard build tool for Java over the last 10 years. Most experienced developers already got their share of Maven headaches. Unfortunately, new developers are going through the same hard learning process, because they don't know how to deal with Maven particularities. "Why is this jar in my build?", "I can’t see my changes!", "The jar is not included in the distribution!", "The artifact was not found!" are common problems. Learn to tame the Maven Beast and be in complete control of your build to save you countless hours of pain and frustration.
Abstract:
A apresentação centra-se na temática de ter forma de controlar, versionar e actualizar toda a parte de Base de Dados de um projecto. Estamos a falar, desde a produção de modelos ER, a versionamento de scripts, passando pelo deploy dos mesmos e terminado na documentação. A apresentação conta ainda com uma breve demonstração do uso da ferramenta Flyway para versionar e controlar a execução de scripts nos diversos ambientes de um projecto.
Sobre o Nuno Alves:
Chamo-me Nuno Alves nascido em Coimbra, Portugal e vivi maioritariamente em Leiria. Licenciado em Engenharia Informática na ESTG-IPLeiria (Escola Superior de Tecnologia e Gestão) onde o gosto por dados e bases de dados se começou a desenvolver. Daí, profissionalmente a minha área de actuação ser em torno de bases de dados e infra-estruturas. Tenho cerca de 10 anos de experiência repartidos pelas áreas Financeira, Seguros, Governo, Militar em tecnologias que vão desde Oracle, PostgreSQL, MSSQLServer a DB2.
Presentation by Ian de Villiers at ZaCon 2 about exploiting java.
This presentation is about instrumenting java applications. it begins with an explanation of what a jar file is. The difficulties in attacking java, such as signing and obfuscation are discussed. How to overcome these difficulties is also discussed. The presentation ends with a walkthrough example of how to instrument a java application.
Love it or hate it (and a lot of people seem to hate it), Maven is a widely used tool. We can consider that Maven has been the de-facto standard build tool for Java over the last 10 years. Most experienced developers already got their share of Maven headaches. Unfortunately, new developers are going through the same hard learning process, because they don't know how to deal with Maven particularities. "Why is this jar in my build?", "I can’t see my changes!", "The jar is not included in the distribution!", "The artifact was not found!" are common problems. Learn to tame the Maven Beast and be in complete control of your build to save you countless hours of pain and frustration.
Abstract:
A apresentação centra-se na temática de ter forma de controlar, versionar e actualizar toda a parte de Base de Dados de um projecto. Estamos a falar, desde a produção de modelos ER, a versionamento de scripts, passando pelo deploy dos mesmos e terminado na documentação. A apresentação conta ainda com uma breve demonstração do uso da ferramenta Flyway para versionar e controlar a execução de scripts nos diversos ambientes de um projecto.
Sobre o Nuno Alves:
Chamo-me Nuno Alves nascido em Coimbra, Portugal e vivi maioritariamente em Leiria. Licenciado em Engenharia Informática na ESTG-IPLeiria (Escola Superior de Tecnologia e Gestão) onde o gosto por dados e bases de dados se começou a desenvolver. Daí, profissionalmente a minha área de actuação ser em torno de bases de dados e infra-estruturas. Tenho cerca de 10 anos de experiência repartidos pelas áreas Financeira, Seguros, Governo, Militar em tecnologias que vão desde Oracle, PostgreSQL, MSSQLServer a DB2.
Hybernat and structs, spring classes in mumbai
best Hybernat and structs, spring classes in mumbai with job assistance.
our features are:
expert guidance by it industry professionals
lowest fees of 5000
practical exposure to handle projects
well equiped lab
after course resume writing guidance
Java is an object-oriented programming language. It is used in a variety of computing platforms, you can see it nearly everywhere nowadays, from embedded devices and mobile phones to enterprise servers and supercomputers.
Java is a programming language invented by James Gosling and others in 1994.
originally named Oak ,was developed as a part of the Green project at the Sun Company.
Java 7 is latest stable release
Alfresco Share provides a rich platform for further development, allowing you to tweak and customize to your heart’s content, using only lightweight scripting and templating. But with great power, comes great responsibility, as they say. So this session looks at what it means to customize Share, before discussing how best to go about it, with tips and tricks based on real-world examples.
3. Why This Talk ?
• import disclaimer;
• Not ground breaking stuff – no 0-day
• Java applications and applets
appear to be popular again
• Reversing Java applications can be
difficult
• Tips for reversing Java in less time
(in my experience in any case)…
SensePost - 2010
4. The JAR File
• Java ARchive
• Used to distribute Java applications /
applets etc.
• ZIP file containing compiled classes,
libraries, settings, certificates, *
• Trivial to extract
• Normally disclose a vast amount of
information
SensePost - 2010
5. Attacking Java is fun
• Trivial to reverse engineer
• Compiled applications are vulnerable
to virtually all attacks traditional web
apps are vulnerable to…
• …but all wrapped up in increased
sense of developer smugness
• Repurposed Java applications make
*awesome* attack tools
SensePost - 2010
6. Difficulties Attacking Java
• Many classes and libraries in JAR files of
complex applications
• Class files often do not decompile cleanly
• Impossible to fix all java sources in large
application
• Applets and applications are frequently
signed
• Obfuscated Code
• Frequently have to rely on other tools
too…
SensePost - 2010
7. • Certificate information stored in
META-INF
• MANIFEST.MF contains hashes for
resources
• These files can easily be deleted…
Defeating Signing
SensePost - 2010
8. • Now possible to modify classes in
JAR file
• Signing normally used specifically for
Java applets
– Allow applets to access network
resources
– Allow applets to read / write files
• However, the applet runs on *my*
machine
– Can specify own security model…
What this Means
SensePost - 2010
9. Obfuscation
• Defeating Java obfuscation is
difficult
• Depends on the obfuscation
mechanism used
• In most cases, virtually impossible…
• … however, the newer attack
methodologies outlined later will help
…but wait – there is more…
SensePost - 2010
10. Obfuscation
• A bunch of classes depending on
reflection methods and serialized
objects can not normally be
obfuscated…
• … in obfuscated applications this
provides us with a nice area to
attack
SensePost - 2010
11. Java Quick Kills
• Not necessary to fix all compiler
errors
• Only need to fix specific classes with
functionality you need
– Sanitisation libraries
– Network Stream libraries
• Updated classes can be recompiled
with the original JAR file to satisfy
dependancies
SensePost - 2010
17. Demo and Walkthrough
SensePost - 2010
• Repurposing uses the same
technique…
• … but changes the functionality
in order to turn the application
into an attack tool
18. Newer Attack Methods
• New research and toolsets make
reversing and recompiling
unneccessary…
• Also make it easier to attack obfuscated
applications
• Cannot always be used for repurposing
SensePost - 2010
19. BlackHat Europe – 2010
• Manish Saindane
– Demonstrated attacks against serialized
objects
– Provided Burp plug-in to view and modify
serialized objects
http://www.blackhat.com/html/bh-eu-10/bh-eu-10-archives.html
SensePost - 2010
21. BlackHat Las Vegas – 2010
• Arshan Dabirsiaghi
– JavaSnoop : How to Hack Anything Written in
Java
• Stephen de Vries
– Hacking Java Clients
• Both talks outlined new methods for
attacking Java Applications
http://www.blackhat.com/html/bh-us-10/bh-us-10-archives.html
SensePost - 2010
23. In Summary
• Java reversing is fun
• Java reversing can be easy
• Newer attack methodologies no
longer require attackers to reverse
the application
• Traditional reversing techniques still
normally apply for repurposing
applications
SensePost - 2010
