BaRMIe – Poking Java’s Back Door
Nicky Bloor 44CON 2017
whoami
Nicky Bloor
• Managing Security Consultant at NCC Group
• Ex software developer
• Desktop, web, games, industrial control systems
• Problem solver, breaker, builder, hacker
• Hiker and rock climber
• @NickstaDB on the Interwebz
A Story of Pwn
• On-site Java application assessment
• No credentials provided until day 3…
• Supporting infrastructure was in scope
• One network service stood out…
A Story of Pwn
Java Remote Method Invocation???
…gave me the server before I got those credentials.
Too easy! This left me really intrigued!
RMI?
• How common is RMI?
• How often is it so insecure?
• What else can we do with it?
Java Remote Method Invocation
A Brief Introduction to RMI
• Remote Method Invocation
• RPC for Java
• Execute methods within another Java virtual machine (JVM)
• Local or remote
• Simple to implement
• RMI takes care of connection and transport
• Developer does not need to be aware that RMI is in use
• RMI != arbitrary remote code execution
• Only execute methods that are implemented within the other JVM
A Brief Introduction to RMI
(Diagram) Client Application calls IFoo.Bar() → RMI transport → Server Application executes FooImpl.Bar()
The RMI Registry Service
• Directory of Java objects
• Maps Java objects to names
• Listens on TCP port 1099 by default
• Interaction via java.rmi.Registry class
• void bind(String name, Remote obj)
• String[] list()
• Remote lookup(String name)
• void rebind(String name, Remote obj)
• void unbind(String name)
The RMI Registry Service
• void rebind(String name, Remote obj)
• Rebind a bound object name to another object
• Potential free man-in-the-middle attack?
• void unbind(String name)
• Unbind an object from the registry
• Potential free denial of service attack?
• Cannot bind/rebind/unbind from non-localhost
Implementing RMI
• Very easy – perhaps part of the problem!
• Server-side
• Implement java.rmi.Remote
• Instantiate object
• Bind object to RMI registry
• Client-side
• Lookup object from RMI registry
• Use as normal
What’s the Problem?
• Fairly reasonable looking method
• Authenticate first, then read the file
What’s the Problem?
What if ApplicationObjectFactory returns a remote object?
What’s the Problem?
Client → Server, intended sequence:
authenticateUser(user, pass) → true
readFile(filename) → file contents
What’s the Problem?
Client → Server, skipping authentication entirely:
readFile(filename) → file contents
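The two service shapes discussed above, as an added example that is not code from the talk or from BaRMIe: the insecure `authenticateUser`/`readFile` pair, where nothing on the server links the two calls, beside a hardened version in which `authenticateUser` returns an unguessable session token that `readFile` validates server-side on every call. All class, method, port and credential names here are hypothetical; the `main` method starts a registry, binds both services and drives them from a client in the same JVM so the difference can be seen without a network.

```java
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class RmiAuthExample {

    // Insecure shape: authentication and the privileged operation are separate remote
    // methods with no server-side state linking them, so a client just skips authenticateUser().
    public interface InsecureFileService extends Remote {
        boolean authenticateUser(String user, String pass) throws RemoteException;
        String readFile(String filename) throws RemoteException;
    }

    public static class InsecureFileServiceImpl extends UnicastRemoteObject implements InsecureFileService {
        InsecureFileServiceImpl() throws RemoteException { super(0); }
        public boolean authenticateUser(String user, String pass) { return checkCreds(user, pass); }
        public String readFile(String filename) { return fakeRead(filename); }   // no check at all
    }

    // Hardened shape: authenticateUser() returns a random session token and every privileged
    // method re-validates it on the server, so the call sequence cannot be skipped.
    public interface SecureFileService extends Remote {
        String authenticateUser(String user, String pass) throws RemoteException;
        String readFile(String sessionToken, String filename) throws RemoteException;
    }

    public static class SecureFileServiceImpl extends UnicastRemoteObject implements SecureFileService {
        private final Map<String, String> sessions = new ConcurrentHashMap<>();
        private final SecureRandom rng = new SecureRandom();
        SecureFileServiceImpl() throws RemoteException { super(0); }

        public String authenticateUser(String user, String pass) throws RemoteException {
            if (!checkCreds(user, pass)) throw new RemoteException("authentication failed");
            byte[] raw = new byte[32];
            rng.nextBytes(raw);
            String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            sessions.put(token, user);
            return token;
        }

        public String readFile(String sessionToken, String filename) throws RemoteException {
            if (sessionToken == null || !sessions.containsKey(sessionToken)) {
                throw new RemoteException("not authenticated");   // enforced on every call
            }
            return fakeRead(filename);
        }
    }

    // Placeholder credential check and file read (hypothetical); a real service would consult
    // a user store and the filesystem, with path validation, here.
    static boolean checkCreds(String user, String pass) { return "admin".equals(user) && "s3cret".equals(pass); }
    static String fakeRead(String filename) { return "<contents of " + filename + ">"; }

    public static void main(String[] args) throws Exception {
        int port = 11099;   // demo registry on a non-default port; client and server share this JVM
        Registry registry = LocateRegistry.createRegistry(port);
        registry.bind("insecure", new InsecureFileServiceImpl());
        registry.bind("secure", new SecureFileServiceImpl());
        Registry client = LocateRegistry.getRegistry("127.0.0.1", port);

        InsecureFileService insecure = (InsecureFileService) client.lookup("insecure");
        System.out.println("insecure, no auth: " + insecure.readFile("/etc/passwd"));

        SecureFileService secure = (SecureFileService) client.lookup("secure");
        try {
            secure.readFile("guess", "/etc/passwd");
        } catch (RemoteException e) {
            System.out.println("secure, no auth: rejected (" + e.getMessage() + ")");
        }
        String token = secure.authenticateUser("admin", "s3cret");
        System.out.println("secure, with token: " + secure.readFile(token, "/etc/passwd"));
        System.exit(0);
    }
}
```

The hardened version only closes the gap the slides describe, namely that the privileged method performs no check of its own. The token, like everything else, still crosses the network in cleartext unless the object is exported with SSL socket factories, which is the encryption point made later in the talk.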
RMI Security?
• Authentication?
• No.
• Session management?
• No.
• Encryption?
• No.
• Message integrity checking/anti-tampering?
• No.
• Access controls?
• Yes. Kind of… Fine. No.
RMI Security?
• Encryption
• SSLSocketFactory can be used
• Access controls
• bind/rebind/unbind can only be called from localhost
• Risky code executes BEFORE the localhost check…
• (Pre-Java 6u131, 7u121, 8u112)
RMI Security
• This is a bit unfair
• RMI wasn’t designed to be secure
• RMI was designed to facilitate remote method invocation
• To compare:
• HTTP wasn’t designed to be secure
• HTTP was designed to facilitate the transfer of textual information
RMI Security
• HTTP is far more prevalent
• HTTP has evolved to support security
• Web application frameworks improve security by default
• Authentication, session management, access controls etc…
• Developers don’t need to be particularly security aware
• RMI has none of this!
• Security must be explicitly incorporated in remotely exposed classes
Insecure Use of RMI
• RMI is not a secure protocol
• Original attack:
• Ignore authenticate method
• Call readFile/writeFile/executeQuery directly
• How often is RMI used this insecurely?
Insecure Use of RMI
• First step: Identify software using RMI
• Little success initially searching Google & Github
• Can I identify RMI software packages remotely?
Insecure Use of RMI
• Recalled an early test program which called Registry.lookup()
• Exception reveals fully-qualified class names
• Often identifies vendor
• Sometimes identifies the application itself
• Can we identify RMI software packages remotely?
• Yes!
• Internet search for fully-qualified class names
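The lookup-exception trick described above, as an added example that is not BaRMIe's code: `list()` the registry, then `lookup()` each bound name and pull the fully-qualified class name out of the `ClassNotFoundException` nested inside the `UnmarshalException` that the JDK raises when the stub or interface class is not on the local classpath. The target host and port come from the command line; the loopback defaults are assumptions.

```java
import java.rmi.UnmarshalException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.util.Arrays;

public class RmiRegistryEnum {

    /** Walk the cause chain for the ClassNotFoundException that names the missing class. */
    static String missingClassName(Throwable t) {
        for (Throwable c = t; c != null; c = c.getCause()) {
            if (c instanceof ClassNotFoundException) {
                // Message looks like "com.example.FooImpl_Stub (no security manager: RMI class loader disabled)"
                return c.getMessage().split(" ")[0];
            }
        }
        return null;
    }

    /** One line per bound name: the name plus what we learned about its class. */
    static String describe(Registry reg, String name) {
        try {
            Object stub = reg.lookup(name);
            // The class resolved locally (JDK-supplied or on our classpath): inspect it directly.
            Class<?> c = stub.getClass();
            return name + " -> " + c.getName() + " implements " + Arrays.toString(c.getInterfaces());
        } catch (UnmarshalException e) {
            // No local class: the exception still leaks the fully-qualified name the server sent.
            String cls = missingClassName(e);
            return name + " -> remote class not on classpath: " + (cls != null ? cls : e.getMessage());
        } catch (Exception e) {
            return name + " -> lookup failed: " + e;
        }
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "127.0.0.1";          // assumed default target
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 1099;   // RMI registry default port
        Registry reg = LocateRegistry.getRegistry(host, port);
        String[] names = reg.list();   // list() and lookup() require no authentication
        System.out.println(names.length + " object(s) bound at " + host + ":" + port);
        for (String name : names) {
            System.out.println(describe(reg, name));
        }
    }
}
```

For a service exported with a pregenerated `_Stub` class the name recovered is the stub class (as in the JMeter and Temis examples later in the deck); for a service exported as a dynamic proxy it is the remote interface itself, which is just as useful for an Internet search.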
Insecure Use of RMI
• So, we can extract fully-qualified class names…
• What else can we learn from RMI network traffic?
• How can we extract this information?
RMI Enumeration
Insecure Use of RMI
• A lot of time was spent in these tools
• Along the way code was produced to parse RMI traffic and extract useful data…
BaRMIe - Enumeration
• Proxy-based enumeration of RMI registries
• Start TCP proxy for RMI registry connection
• Request remote objects
• Buffer RMI ‘ReplyData’ packets
• Parse the packet contents to extract useful data
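The parsing step above, as an added example that is not BaRMIe's own parser: a heuristic scanner for the two class-descriptor record types in the Java serialization format, `TC_CLASSDESC` (0x72) and `TC_PROXYCLASSDESC` (0x7D), which is where class names and, for dynamic-proxy stubs, remote interface names sit inside a registry reply. The sample bytes are constructed in-process by serialising a map that holds a bean and a proxy for a hypothetical `AdminApi` interface, not captured from a real service; the `AdminApi`, `UserProfile` and `NullHandler` names are assumptions.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.nio.charset.StandardCharsets;
import java.rmi.Remote;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;

public class SerialClassScanner {
    static final int TC_CLASSDESC = 0x72;       // class descriptor: utf name, 8-byte SUID, flags, fields...
    static final int TC_PROXYCLASSDESC = 0x7D;  // dynamic proxy descriptor: int count, then utf interface names

    /** Heuristic scan for class-descriptor records anywhere in a buffer. It does not walk the
     *  full serialization grammar, so it also works on a partial or slightly mangled capture. */
    static Set<String> classNames(byte[] b) {
        Set<String> names = new LinkedHashSet<>();
        for (int i = 0; i + 4 < b.length; i++) {
            int tag = b[i] & 0xFF;
            if (tag == TC_CLASSDESC) {
                int len = u16(b, i + 1);
                int flagsAt = i + 3 + len + 8;                 // skip the name and serialVersionUID
                if (flagsAt < b.length && (b[flagsAt] & ~0x1F) == 0) {   // SC_* flags use the low 5 bits only
                    String name = utf(b, i + 3, len);
                    if (plausible(name)) names.add(name);
                }
            } else if (tag == TC_PROXYCLASSDESC) {
                int count = u32(b, i + 1);
                int pos = i + 5;
                for (int n = 0; n < count && count <= 32 && pos + 2 <= b.length; n++) {
                    int len = u16(b, pos);
                    String name = utf(b, pos + 2, len);
                    if (!plausible(name)) break;               // a stray 0x7D byte, not a real record
                    names.add(name);
                    pos += 2 + len;
                }
            }
        }
        return names;
    }

    static int u16(byte[] b, int p) { return ((b[p] & 0xFF) << 8) | (b[p + 1] & 0xFF); }
    static int u32(byte[] b, int p) { return (u16(b, p) << 16) | u16(b, p + 2); }
    static String utf(byte[] b, int p, int len) {
        return (len == 0 || p + len > b.length) ? null : new String(b, p, len, StandardCharsets.UTF_8);
    }
    /** Accept Java class names and array descriptors such as "[Ljava.lang.String;" only. */
    static boolean plausible(String s) {
        return s != null && s.matches("[\\[A-Za-z_$][A-Za-z0-9_$.;\\[]*");
    }

    // Constructed sample (not a real capture): a map holding a serializable bean and a dynamic
    // proxy for a hypothetical remote interface, roughly the shape of a registry lookup reply.
    public interface AdminApi extends Remote { }
    public static class UserProfile implements Serializable { String user = "admin"; }
    public static class NullHandler implements InvocationHandler, Serializable {
        public Object invoke(Object proxy, Method m, Object[] args) { return null; }
    }

    static byte[] sampleStream() throws IOException {
        Map<String, Object> m = new HashMap<>();
        m.put("profile", new UserProfile());
        m.put("stub", Proxy.newProxyInstance(SerialClassScanner.class.getClassLoader(),
                new Class<?>[] { AdminApi.class }, new NullHandler()));
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) { out.writeObject(m); }
        return bytes.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        for (String name : classNames(sampleStream())) System.out.println(name);
    }
}
```

Run against the constructed sample this lists `java.util.HashMap`, the bean class, the proxied interface and `java.lang.reflect.Proxy` plus the handler class. Pointed at buffered `ReplyData` from a real registry it yields the stub class, its remote interfaces and the `UnicastRef`-related classes that carry the object endpoint, which is the data the proxy-based enumeration described above depends on. The scanner keeps only byte sequences whose flags byte is valid and whose name looks like a class name, since 0x72 and 0x7D are ordinary byte values that also occur in payload data.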
Knocking on Java’s Back Door
• Find RMI software
• Found over 14,000 RMI services on Shodan
• Over 27,000 Java objects exposed over RMI
• Not all exposed externally
• Many probably shouldn’t be exposed
DbVehicleSearchService drivingLicenseManager carUseRecordManager
CameraCapturedImages CCPaymentService superviseOilManager
SecurityServer ROOT_TERMINAL AdminAPI system UserConfigAPI
chainGunAPI beerMachineApi praiseService
Knocking on Java’s Back Door
• Honestly, no idea what any of these do!
• These are just examples of what people expose over RMI.
• This is bad if these services are implemented as insecurely as that first ‘writeFile’ example
Examples of Insecure RMI
Apache JMeter
• org.apache.jmeter.engine.RemoteJMeterEngineImpl_Stub
• Open source!
• Download source and review
• Locate classes that implement java.rmi.Remote
Apache JMeter
• Looks like anyone can configure this service!
Temis RemoteAdminServer
• com.temis.admin.remote.RemoteAdminServer_Stub
• Unable to locate source code or client jar
• BaRMIe revealed an interesting annotation…
Temis RemoteAdminServer
• Remote methods:
• UserProfile authenticate(String, String)
Looks like they thought about security?
(UserProfile – could be a session-like object?)
• boolean configure(Properties)
…or not!
• String getAdminKey()
• int addUser(String, String, String, String)
Temis RemoteAdminServer
• Account takeover?
• List<UserProfile> getAllUserList()
• int changePassword(UserProfile, String)
• UserProfile methods:
• String getPassword()
Temis RemoteAdminServer
• More remote methods:
• String getDatabaseIP()
• String getDatabasePort()
• String getDatabaseName()
• String getDatabaseType()
• String getUsername()
• String getPassword()
RMI: What’s the Problem?
It gets worse…
Deserialization
• Process of converting data into runtime objects
• Often implemented/used insecurely
• Deserializing untrusted data is usually bad
• RMI is heavily dependent on Java serialization
Adobe ColdFusion
• Most commonly exposed RMI service in my scans
• coldfusion.flex.rmi.DataServicesCFProxyServer_Stub
• No strikingly interesting remote methods
• Except…
• Call fill() to deserialize any object…
Demo Time!
• Adobe ColdFusion 2016, fully up-to-date as of 11th September 2017
• Default install except for one setting
• Unauthenticated remote method invocation…
Deserialization
It’s worse than that…
Java’s Back Door
• Testing some code
• Suddenly realised I’d made a mistake…
• …but the code worked…
Full RMI Proxy
• Successfully proxying RMI registry connections
• RMI registry does not handle method invocations
• Invocation handled by remote objects
• Different port
• Potentially different host
• Built a proxy to MitM method invocations
Proxying RMI
(Diagram: RMI Client, Registry Proxy, Object Proxy, RMI Registry, RMI Object)
• First, we create an RMI registry proxy, configured to connect directly to the target RMI registry
• Our RMI client requests an object via the proxy
• The object data is intercepted and parsed
• The RMI registry proxy then creates an RMI object proxy, configured to connect directly to the RMI object
• We modify the object data to point at the new proxy and return it to the client
• We can now MitM remote method invocation traffic!
Java’s Back Door
• So, what was that mistake?!
• Experimenting with network-level payload injection and ysoserial
• Called obj.foo(String) in RMI client, rather than obj.foo(Object)
• Proxy replaced the parameter…
Poking Java’s Back Door
• Invoking void printString("AAAAAAAAAA") looks like this:
• A simple serialized object, new Dummy(), looks like this:
Poking Java’s Back Door
• The proxy did this (with a ysoserial payload):
• Remotely invoked an illegal method call
• void printString(new Dummy()):
• Server-side exception
• Dummy is not compatible with java.lang.String
• Payload had already been deserialized
Java’s Back Door
If we invoke a remote method, we can replace parameters with incompatible payloads
Caveat
• Slight caveat, due to Java serialization format/protocol
• Method parameter that we replace must be non-primitive
• int, long, boolean etc cannot be replaced
• Integer, int[], ArrayList, and objects of arbitrary classes can
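The illegal-parameter-replacement behaviour above, reproduced as an added example that stays inside the JDK API instead of rewriting bytes in a proxy (this is not the talk's or BaRMIe's code). The client-side `RemoteRef.invoke` marshals every non-primitive parameter with `writeObject` and never compares it with the declared type, so handing it a `Dummy` where `printString` declares a `String` ships the object to the server, which deserialises it before the argument-type check fails. `Printer`, `PrinterImpl`, `Dummy` and port 11100 are hypothetical; `Dummy` stands in for a gadget chain and just prints from `readObject`. The RMI method hash is re-implemented here because the JDK's `computeMethodHash` is internal.

```java
import java.io.ByteArrayOutputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.Serializable;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.RemoteObject;
import java.rmi.server.RemoteRef;
import java.rmi.server.UnicastRemoteObject;
import java.security.MessageDigest;

public class IllegalParameterDemo {

    public interface Printer extends Remote {
        void printString(String s) throws RemoteException;
    }

    public static class PrinterImpl extends UnicastRemoteObject implements Printer {
        PrinterImpl() throws RemoteException { super(0); }
        public void printString(String s) { System.out.println("server: printString(" + s + ")"); }
    }

    /** Stand-in for a gadget chain (hypothetical): readObject() runs inside the server
     *  while the call's parameters are unmarshalled, before any argument type check. */
    public static class Dummy implements Serializable {
        private static final long serialVersionUID = 1L;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            System.out.println("server: Dummy.readObject() ran during parameter unmarshalling");
        }
    }

    /** RMI method hash as sent on the wire: the first 8 bytes, little-endian, of SHA-1 over
     *  the UTF-encoded "name(paramDescriptors)returnDescriptor" string. */
    static long methodHash(Method m) throws Exception {
        StringBuilder sig = new StringBuilder(m.getName()).append('(');
        for (Class<?> p : m.getParameterTypes()) sig.append(descriptor(p));
        sig.append(')').append(descriptor(m.getReturnType()));
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        new DataOutputStream(buf).writeUTF(sig.toString());
        byte[] h = MessageDigest.getInstance("SHA-1").digest(buf.toByteArray());
        long hash = 0;
        for (int i = 0; i < 8; i++) hash |= ((long) (h[i] & 0xFF)) << (8 * i);
        return hash;
    }

    /** JVM type descriptor for a class (e.g. String -> "Ljava/lang/String;", int -> "I"). */
    static String descriptor(Class<?> c) {
        if (c.isArray()) return "[" + descriptor(c.getComponentType());
        if (!c.isPrimitive()) return "L" + c.getName().replace('.', '/') + ";";
        switch (c.getName()) {
            case "void": return "V";   case "boolean": return "Z"; case "byte": return "B";
            case "char": return "C";   case "short": return "S";   case "int": return "I";
            case "long": return "J";   case "float": return "F";   default: return "D";
        }
    }

    public static void main(String[] args) throws Exception {
        int port = 11100;   // demo registry on a non-default port; server and client share this JVM
        Registry reg = LocateRegistry.createRegistry(port);
        reg.bind("printer", new PrinterImpl());
        Printer stub = (Printer) LocateRegistry.getRegistry("127.0.0.1", port).lookup("printer");

        stub.printString("AAAAAAAAAA");   // legitimate call through the dynamic proxy stub

        // Go underneath the proxy: marshal the same call ourselves, passing a Dummy where the
        // method declares a String. The client marshaller writes every non-primitive parameter
        // with writeObject() and never compares it with the declared type.
        Method m = Printer.class.getMethod("printString", String.class);
        RemoteRef ref = ((RemoteObject) Proxy.getInvocationHandler(stub)).getRef();
        try {
            ref.invoke(stub, m, new Object[] { new Dummy() }, methodHash(m));
        } catch (Exception e) {
            // Arrives only after Dummy.readObject() has already run on the server.
            System.out.println("client: server rejected the call: " + e);
        }
        System.exit(0);
    }
}
```

The output order is the point: the server prints the `Dummy.readObject()` line first, and only then does the client receive the `IllegalArgumentException` from the failed `Method.invoke`. The caveat above follows from the same marshaller: a primitive parameter is written with `writeInt`, `writeBoolean` and so on after a cast to its wrapper type, so a replacement object fails on the client side before anything is sent.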
BaRMIe
• RMI often exposes legitimate but dangerous methods
• writeFile(), executeQuery()
• Proxy-based attacks can introduce further risk
• Vulnerabilities where there wouldn’t otherwise be a vulnerability
• Requires knowledge of remote classes/method signatures
BaRMIe
• Written a lot of code during this research…
• Enumeration of remote objects (identify classes)
• Attacks for various targets
• Executing legitimate methods
• Deserialization attacks using Object type parameters
• Deserialization attacks through illegal parameter replacement
• BaRMIe is an all-in-one RMI enumeration and attack tool
Conclusion
• RMI lacks maturity
• Often used very insecurely
• Object injection/deserialization attacks are almost always a possibility
• Old and ‘uninteresting’ technology can be a fun and fruitful research target!
Questions?
https://nickbloor.co.uk/

 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
tolgahangng
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
innovationoecd
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
Zilliz
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
DanBrown980551
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
c5vrf27qcz
 
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfHow to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
Chart Kalyan
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
DianaGray10
 

Recently uploaded (20)

Public CyberSecurity Awareness Presentation 2024.pptx
Public CyberSecurity Awareness Presentation 2024.pptxPublic CyberSecurity Awareness Presentation 2024.pptx
Public CyberSecurity Awareness Presentation 2024.pptx
 
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge GraphGraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
 
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-EfficiencyFreshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
 
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
 
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and BioinformaticiansBiomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS  at Code Europe 2024Introduction of Cybersecurity with OSS  at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
 
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
 
What is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE?  Session 1 – CoE VisionWhat is an RPA CoE?  Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE Vision
 
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
 
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfHow to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
 

Nicky Bloor - BaRMIe - Poking Java's Back Door - 44CON 2017

1. BaRMIe – Poking Java’s Back Door
Nicky Bloor, 44CON 2017

2. whoami
Nicky Bloor
• Managing Security Consultant at NCC Group
• Ex software developer
• Desktop, web, games, industrial control systems
• Problem solver, breaker, builder, hacker
• Hiker and rock climber
• @NickstaDB on the Interwebz

3. A Story of Pwn
• On-site Java application assessment
• No credentials provided until day 3…
• Supporting infrastructure was in scope
• One network service stood out…

4. A Story of Pwn
Java Remote Method Invocation??? …gave me the server before I got those credentials. Too easy! This left me really intrigued!

5. RMI?
• How common is RMI?
• How often is it so insecure?
• What else can we do with it?

6. Java Remote Method Invocation

7. A Brief Introduction to RMI
• Remote Method Invocation
• RPC for Java
• Execute methods within another Java virtual machine (JVM)
• Local or remote
• Simple to implement
• RMI takes care of connection and transport
• Developer does not need to be aware that RMI is in use
• RMI != arbitrary remote code execution
• Only execute methods that are implemented within the other JVM

8. A Brief Introduction to RMI
[Diagram: Client Application calls IFoo.Bar(); the call passes through RMI on the client and server sides and the Server Application executes FooImpl.Bar()]

9. The RMI Registry Service
• Directory of Java objects
• Maps Java objects to names
• Listens on TCP port 1099 by default
• Interaction via java.rmi.Registry class
• void bind(String name, Remote obj)
• String[] list()
• Remote lookup(String name)
• void rebind(String name, Remote obj)
• void unbind(String name)

10–11. The RMI Registry Service
• void rebind(String name, Remote obj)
• Rebind a bound object name to another object
• Potential free man-in-the-middle attack?
• void unbind(String name)
• Unbind an object from the registry
• Potential free denial of service attack?
• Cannot bind/rebind/unbind from non-localhost

12. Implementing RMI
• Very easy – perhaps part of the problem!
• Server-side
• Implement java.rmi.Remote
• Instantiate object
• Bind object to RMI registry
• Client-side
• Lookup object from RMI registry
• Use as normal

13. What’s the Problem?
• Fairly reasonable looking method
• Authenticate first, then read the file

14. What’s the Problem?
What if ApplicationObjectFactory returns a remote object?

15. What’s the Problem?
[Sequence diagram: Client → Server authenticateUser(user,pass), Server → Client true; Client → Server readFile(filename), Server → Client file contents]

16. What’s the Problem?
[Sequence diagram: Client → Server readFile(filename), Server → Client file contents]
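The "authenticate first, then read the file" pattern of slides 12 to 16, as an added Java example that is not the talk's code and not part of BaRMIe: the insecure interface shape beside a hardened one in which the server issues an opaque token and checks it on every call. FileService, FileServiceImpl, the credential and the file name are constructed for the demo.

```java
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class RmiAuthDemo {

    // The shape from the talk: authenticate, then read. Nothing ties the two
    // calls together, so any client that can reach the object's port can call
    // readFile() without ever calling authenticateUser(). Shown for contrast only.
    public interface InsecureFileService extends Remote {
        boolean authenticateUser(String user, String pass) throws RemoteException;
        String readFile(String filename) throws RemoteException;
    }

    // Hardened shape: authentication hands back an opaque, server-issued token
    // and every other remote method demands it. The "logged in" state lives on
    // the server, never in the client, so skipping the first call gains nothing.
    public interface FileService extends Remote {
        String authenticateUser(String user, String pass) throws RemoteException;
        String readFile(String token, String filename) throws RemoteException;
    }

    static class FileServiceImpl implements FileService {
        private final Map<String, String> sessions = new ConcurrentHashMap<>(); // token -> user (expiry omitted)
        private final SecureRandom rng = new SecureRandom();

        @Override
        public String authenticateUser(String user, String pass) {
            // Constructed demo credential; a real service checks a hashed store.
            if (!"alice".equals(user) || !"s3cret".equals(pass)) {
                throw new SecurityException("bad credentials");
            }
            byte[] raw = new byte[32];               // 256 bits from a CSPRNG: unguessable token
            rng.nextBytes(raw);
            String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            sessions.put(token, user);
            return token;
        }

        @Override
        public String readFile(String token, String filename) {
            String user = (token == null) ? null : sessions.get(token);
            if (user == null) {
                throw new SecurityException("not authenticated");
            }
            // The caller controls filename: constrain it, do not trust it.
            if (filename.contains("..") || filename.startsWith("/")) {
                throw new SecurityException("bad path");
            }
            return "contents of " + filename + " for " + user; // stand-in for real file I/O
        }
    }

    public static void main(String[] args) throws Exception {
        FileServiceImpl impl = new FileServiceImpl();
        // Port 0 picks an ephemeral port; a fixed port is easier to firewall.
        FileService stub = (FileService) UnicastRemoteObject.exportObject(impl, 0);
        Registry registry = LocateRegistry.createRegistry(1099);   // default RMI registry port
        registry.rebind("FileService", stub);

        FileService client = (FileService)
                LocateRegistry.getRegistry("localhost", 1099).lookup("FileService");
        String token = client.authenticateUser("alice", "s3cret");
        System.out.println(client.readFile(token, "notes.txt"));
        try {
            client.readFile("forged-token", "notes.txt");   // jumping straight to readFile() fails
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        UnicastRemoteObject.unexportObject(impl, true);
        UnicastRemoteObject.unexportObject(registry, true);
    }
}
```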
17. RMI Security?
• Authentication? No.
• Session management? No.
• Encryption? No.
• Message integrity checking/anti-tampering? No.
• Access controls? Yes. Kind of… Fine. No.

18. RMI Security?
• Encryption
• SSLSocketFactory can be used
• Access controls
• bind/rebind/unbind can only be called from localhost
• Risky code executes BEFORE the localhost check…
• (Pre-Java 6u131, 7u121, 8u112)

20. RMI Security
• This is a bit unfair
• RMI wasn’t designed to be secure
• RMI was designed to facilitate remote method invocation
• To compare:
• HTTP wasn’t designed to be secure
• HTTP was designed to facilitate the transfer of textual information

21. RMI Security
• HTTP is far more prevalent
• HTTP has evolved to support security
• Web application frameworks improve security by default
• Authentication, session management, access controls etc…
• Developers don’t need to be particularly security aware
• RMI has none of this!
• Security must be explicitly incorporated in remotely exposed classes

23. Insecure Use of RMI
• RMI not a secure protocol
• Original attack:
• Ignore authenticate method
• Call readFile/writeFile/executeQuery directly
• How often is RMI used this insecurely?

24. Insecure Use of RMI
• First step: Identify software using RMI
• Little success initially searching Google & Github
• Can I identify RMI software packages remotely?

25. Insecure Use of RMI
• Recalled an early test program which called Registry.lookup()
• Exception reveals fully-qualified class names
• Often identifies vendor
• Sometimes identifies the application itself
• Can we identify RMI software packages remotely?
• Yes!
• Internet search for fully-qualified class names

26. Insecure Use of RMI
• So, we can extract fully-qualified class names…
• What else can we learn from RMI network traffic?
• How can we extract this information?

32. Insecure Use of RMI
• A lot of time was spent in these tools
• Along the way code was produced to parse RMI traffic and extract useful data…

34. BaRMIe - Enumeration
• Proxy-based enumeration of RMI registries
• Start TCP proxy for RMI registry connection
• Request remote objects
• Buffer RMI ‘ReplyData’ packets
• Parse the packet contents to extract useful data

35–45. Knocking on Java’s Back Door
• Find RMI software
• Found over 14,000 RMI services on Shodan
• Over 27,000 Java objects exposed over RMI
• Not all exposed externally
• Many probably shouldn’t be exposed
Example object names seen: DbVehicleSearchService, drivingLicenseManager, carUseRecordManager, CameraCapturedImages, CCPaymentService, superviseOilManager, SecurityServer, ROOT_TERMINAL, AdminAPI, system, UserConfigAPI, chainGunAPI, beerMachineApi, praiseService

46. Knocking on Java’s Back Door
• Honestly, no idea what any of these do!
• These are just examples of what people expose over RMI.
• This is bad if these services are implemented as insecurely as that first ‘writeFile’ example

48. Apache JMeter
• org.apache.jmeter.engine.RemoteJMeterEngineImpl_Stub
• Open source!
• Download source and review
• Locate classes that implement java.rmi.Remote

50. Apache JMeter
• Looks like anyone can configure this service!

51. Temis RemoteAdminServer
• com.temis.admin.remote.RemoteAdminServer_Stub
• Unable to locate source code or client jar
• BaRMIe revealed an interesting annotation…

52–56. Temis RemoteAdminServer
• Remote methods:
• UserProfile authenticate(String, String) – Looks like they thought about security? (UserProfile – could be a session-like object?)
• boolean configure(Properties) …or not!
• String getAdminKey()
• int addUser(String, String, String, String)

57–58. Temis RemoteAdminServer
• Account takeover?
• List<UserProfile> getAllUserList()
• int changePassword(UserProfile, String)
• UserProfile methods:
• String getPassword()

59–60. Temis RemoteAdminServer
• More remote methods:
• String getDatabaseIP()
• String getDatabasePort()
• String getDatabaseName()
• String getDatabaseType()
• String getUsername()
• String getPassword()

61–62. RMI: What’s the Problem?
It gets worse…

64. Deserialization
• Process of converting data into runtime objects
• Often implemented/used insecurely
• Deserializing untrusted data is usually bad
• RMI is heavily dependent on Java serialization

65–69. Adobe ColdFusion
• Most commonly exposed RMI service in my scans
• coldfusion.flex.rmi.DataServicesCFProxyServer_Stub
• No strikingly interesting remote methods
• Except…
• Call fill() to deserialize any object…

70. Demo Time!
• Adobe ColdFusion 2016, fully up-to-date as of 11th September 2017
• Default install except for one setting
• Unauthenticated remote method invocation…

74. Java’s Back Door
• Testing some code
• Suddenly realised I’d made a mistake…
• …but the code worked…

75. Full RMI Proxy
• Successfully proxying RMI registry connections
• RMI registry does not handle method invocations
• Invocation handled by remote objects
• Different port
• Potentially different host
• Built a proxy to MitM method invocations

76–84. Proxying RMI
[Diagram components: RMI Client, RMI Registry, RMI Object, Registry Proxy, Object Proxy]
• First, we create an RMI registry proxy
• Which is configured to connect directly to the target RMI registry
• Our RMI client requests an object via the proxy
• The object data is intercepted and parsed
• The RMI registry proxy then creates an RMI object proxy
• Which is configured to connect directly to the RMI object
• We modify the object data to point at the new proxy and return it to the client
• We can now MitM remote method invocation traffic!

85–87. Java’s Back Door
• So, what was that mistake?!
• Experimenting with network-level payload injection and ysoserial
• Called obj.foo(String) in RMI client, rather than obj.foo(Object)
• Proxy replaced the parameter…

88–89. Poking Java’s Back Door
• Invoking void printString("AAAAAAAAAA") looks like this:
• A simple serialized object, new Dummy(), looks like this:

90–94. Poking Java’s Back Door
• The proxy did this (with a ysoserial payload):
• Remotely invoked an illegal method call
• void printString(new Dummy()):
• Server-side exception
• Dummy is not compatible with java.lang.String
• Payload had already been deserialized

95. Java’s Back Door
If we invoke a remote method, we can replace parameters with incompatible payloads

96. Caveat
• Slight caveat, due to Java serialization format/protocol
• Method parameter that we replace must be non-primitive
• int, long, boolean etc cannot be replaced
• Integer, int[], ArrayList, and objects of arbitrary classes can
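The defensive counterpart to the illegal parameter replacement of slides 88 to 96, as an added Java example that is not the talk's code and not part of BaRMIe: because the payload is deserialized before the server notices that Dummy is not a String, the check has to happen at deserialization time, so the example attaches a JEP 290 allow-list filter to the exported object's call stream via UnicastRemoteObject.exportObject(Remote, int, ObjectInputFilter) (Java 9 and later) and shows the same filter refusing a serialized non-String. Printer, PrinterImpl and Dummy are constructed for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;

public class RmiFilterDemo {

    public interface Printer extends Remote {
        // Non-primitive parameter: the kind the talk shows being swapped on the wire.
        String printString(String s) throws RemoteException;
    }

    static class PrinterImpl implements Printer {
        @Override
        public String printString(String s) { return "printed:" + s; }
    }

    // Constructed stand-in for the talk's Dummy: serializable, but not a String.
    public static class Dummy implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    // Allow-list filter for this object's call stream: only the types its remote
    // methods legitimately take, plus a depth bound. "!*" rejects every other class
    // as soon as its descriptor is read, before any instance is created or any
    // readObject() runs, so a gadget chain never gets to execute.
    static ObjectInputFilter printerFilter() {
        return ObjectInputFilter.Config.createFilter("maxdepth=4;java.lang.String;!*");
    }

    // Round-trips an object through an ObjectInputStream carrying the filter; RMI
    // applies the same filter to parameters of an object exported with it (main()).
    static boolean filterAccepts(Object o, ObjectInputFilter filter) throws Exception {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(o); }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            in.setObjectInputFilter(filter);
            in.readObject();
            return true;
        } catch (InvalidClassException rejected) {   // "filter status: REJECTED"
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        ObjectInputFilter filter = printerFilter();
        System.out.println("String accepted: " + filterAccepts("AAAAAAAAAA", filter)); // true
        System.out.println("Dummy accepted:  " + filterAccepts(new Dummy(), filter));  // false

        // Java 9+: export the remote object with the filter bound to its call stream.
        PrinterImpl impl = new PrinterImpl();
        Printer stub = (Printer) UnicastRemoteObject.exportObject(impl, 0, filter);
        Registry registry = LocateRegistry.createRegistry(1099);   // default RMI registry port
        registry.rebind("Printer", stub);

        Printer client = (Printer) LocateRegistry.getRegistry("localhost", 1099).lookup("Printer");
        System.out.println(client.printString("AAAAAAAAAA"));     // legitimate call still works

        UnicastRemoteObject.unexportObject(impl, true);
        UnicastRemoteObject.unexportObject(registry, true);
    }
}
```

The filter covers only what this exported object unmarshals; return values the client deserializes need their own filter, for instance the process-wide jdk.serialFilter property.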
98. BaRMIe
• RMI often exposes legitimate but dangerous methods
• writeFile(), executeQuery()
• Proxy-based attacks can introduce further risk
• Vulnerabilities where there wouldn’t otherwise be a vulnerability
• Requires knowledge of remote classes/method signatures

99. BaRMIe
• Written a lot of code during this research…
• Enumeration of remote objects (identify classes)
• Attacks for various targets
• Executing legitimate methods
• Deserialization attacks using Object type parameters
• Deserialization attacks through illegal parameter replacement
• BaRMIe is an all-in-one RMI enumeration and attack tool

101. Conclusion
• RMI lacks maturity
• Often used very insecurely
• Object injection/deserialization attacks are almost always a possibility
• Old and ‘uninteresting’ technology can be a fun and fruitful research target!