Recommended
More Related Content
What's hot
What's hot (20)
Similar to Black Hat EU 2010 - Attacking Java Serialized Communication
Similar to Black Hat EU 2010 - Attacking Java Serialized Communication (20)
Recently uploaded
Recently uploaded (20)
Black Hat EU 2010 - Attacking Java Serialized Communication
- 1. ATTACK & DEFENSE labs Attacking JAVA Serialized Communication Manish S. Saindane
- 2. Who am I ? • Security Researcher – Working as a Lead Application Security Specialist for an international software development and services company – Likes to research on security issues in software – Follow me @ blog.andlabs.org ATTACK & DEFENSE labs Black Hat Europe 2010 2
- 3. Agenda • JAVA Object Serialization Basics • The Current Scenario & Challenges Faced • Suggested Solution • Demo ATTACK & DEFENSE labs Black Hat Europe 2010 3
- 4. Objectives • Simplify the penetration testing process of thick clients and make it completely seamless • Enable the pentester to edit JAVA objects in the same way that a developer would • Enable all of this using the currently available tools ATTACK & DEFENSE labs Black Hat Europe 2010 4
- 5. JAVA Object Serialization Basics ATTACK & DEFENSE labs Black Hat Europe 2010 5
- 6. JAVA Object Serialization • Protocol implemented by SUN for converting JAVA objects into a stream of bytes to be – Stored in a file – Transmitted across a network • The serialized form contains sufficient information such that it can be restored to an identical clone of the original JAVA object ATTACK & DEFENSE labs Black Hat Europe 2010 6
- 7. JAVA Object Serialization cont’d • Objects can be written using the writeObject() method provided by the ObjectOutput interface • Objects can be retrieved using the readObject() method provided by the ObjectInput interface • The ObjectOutputStream and ObjectInputStream classes implement the above interfaces respectively ATTACK & DEFENSE labs Black Hat Europe 2010 7
- 8. JAVA Object Serialization cont’d • JAVA Object Serialized data can be easily identified by the 0xac 0xed stream header (also called as the magic number) ATTACK & DEFENSE labs Black Hat Europe 2010 8
- 9. JAVA Object Serialization cont’d • If the object in the stream is a java.lang.String, it is encoded in a modified UTF-8 format and preceded by a 2-byte length information • Make sure you read section 5.6 of the JAVA Object Serialization specification before modifying the objects ATTACK & DEFENSE labs Black Hat Europe 2010 9
- 10. The Current Scenario & Challenges Faced ATTACK & DEFENSE labs Black Hat Europe 2010 10
- 11. So what do we have ? • Current tools or application interception proxies allow very limited functionality to test such data • Not as easy or straightforward as testing regular web applications sending data in request parameters • Some work has been done in the past to improve the situation. Let’s have a look at some of these methods ATTACK & DEFENSE labs Black Hat Europe 2010 11
- 12. Modifying Raw HEX • One of the most basic techniques is to modify the raw HEX data using a HEX editor • This is very limited and can be used to modify simple integers or string values in the raw data • Isn’t really practical to inspect or modify complex objects ATTACK & DEFENSE labs Black Hat Europe 2010 12
- 13. Modifying Raw HEX cont’d • Modifying raw data may result in a corrupted Serialized byte stream • Make sure to modify the length information if you edit some string value as discussed earlier • Existing interception proxies usually have very basic HEX editors hence working with them becomes difficult ATTACK & DEFENSE labs Black Hat Europe 2010 13
- 14. Decompiling Class Files • This can allow us to carefully study the application logic • Hardcoded values, sensitive functions, crypto algorithms, etc. can be identified and used for attacks • Decompiling may not be straight forward for applications making use of strong obfuscation techniques ATTACK & DEFENSE labs Black Hat Europe 2010 14
- 15. Decompiling Class Files cont’d • Popular decompilers like JAD, JD, Jode and DJ Java Decompiler may be used for simple obfuscated classes • Editing signed jars may be difficult ATTACK & DEFENSE labs Black Hat Europe 2010 15
- 16. Assessing JAVA Clients with BeanShell • This was a technique developed by Stephen D’ Vires from Corsaire • It made use of the BeanShell scripting language that was plugged into the client • Could be handy in identifying client-side security controls ATTACK & DEFENSE labs Black Hat Europe 2010 16
- 17. Assessing JAVA Clients with BeanShell cont’d • The pentester must be comfortable writing JAVA code to use this technique • The scope of this technique is too broad for our use i.e. to tamper the serialized data ATTACK & DEFENSE labs Black Hat Europe 2010 17
- 18. Runtime Protocol Analysis (RPA) • This was presented by Shay Chen from Hacktics at an OWASP Israel meet • He spoke about creating a custom runtime protocol analyzer to read data from JAVA serialized objects • The object once read, could then be analyzed and modified ATTACK & DEFENSE labs Black Hat Europe 2010 18
- 19. Runtime Protocol Analysis (RPA) cont’d • The way this works is: – Sniff traffic over the network – Split each request/response into individual packets – Modify the destination URL or Host within the packet with a HEX editor to a local server (protocol analyzer) – Send it to the Protocol Analyzer using netcat • The protocol analyzer is customized code written to suit the protocol used to transfer the object ATTACK & DEFENSE labs Black Hat Europe 2010 19
- 20. Runtime Protocol Analysis (RPA) cont’d • This only drawback is that it is not completely seamless – Too many steps involved – Takes some time to setup – The protocol analyzer has to be modified and compiled each time for different scenarios • But this is the technique that suffices our needs to a certain extent ATTACK & DEFENSE labs Black Hat Europe 2010 20
- 21. Suggested Solution ATTACK & DEFENSE labs Black Hat Europe 2010 21
- 22. Solution Thick Client Interception Application Application Proxy Server JRuby Shell ATTACK & DEFENSE labs Black Hat Europe 2010 22
- 23. Setup Needed • Tools we need – JRuby version 1.4.0 – BurpSuite version 1.2.x – Buby version 1.8.x – Any text editor ATTACK & DEFENSE labs Black Hat Europe 2010 23
- 24. Why JRuby ? • Why not a pure Java plug-in. Why JRuby? – Easier syntax, hence easy to learn – Can call almost all JAVA libraries – Provides an interactive shell (jirb) – Dynamic Type Language ATTACK & DEFENSE labs Black Hat Europe 2010 24
- 25. Advantages • Adds the ability of modifying JAVA objects on-the-fly • Ease of use – makes the whole process seamless • Hooks a JAVA development environment in your interception proxy • Can be used for other stuff too ….. Just be a bit creative ;) ATTACK & DEFENSE labs Black Hat Europe 2010 25
- 26. Demo ATTACK & DEFENSE labs Black Hat Europe 2010 26
- 27. References • Chen, S. (2008). Achilles’ heel – Hacking Through Java Protocols. OWASP Israel. Herzliya. • Monti, E. (n.d.). Buby. Retrieved from http://emonti.github.com/buby/ • Sun Microsystems. (n.d.). Java Object Serialization Specification. Retrieved from sun.com: http://java.sun.com/javase/6/docs/platform/serialization/spec/serialTOC.html • Vries, S. d. (2006, June 15). Assessing JAVA Clients with the BeanShell. Retrieved from Corsaire: http://research.corsaire.com/whitepapers/060816-assessing-java- clients-with-the-beanshell.pdf ATTACK & DEFENSE labs Black Hat Europe 2010 27
- 28. Big Thanks To • For the work done that helped me build this: – Shay Chen – Eric Monti • And of course for testing & review: – Lavakumar Kuppan – Luca Carettoni If I have seen further it is only by standing on the shoulders of giants. - Sir Isaac Newton ATTACK & DEFENSE labs Black Hat Europe 2010 28
- 29. Questions ?? ATTACK & DEFENSE labs Black Hat Europe 2010 29
- 30. Thank You Contact me: manish (-at-) andlabs.org ATTACK & DEFENSE labs Black Hat Europe 2010 30