Tobias Neitzel, profile picture
Uploaded byTobias Neitzel
PDF, PPTX2,435 views

remote-method-guesser - BHUSA2021 Arsenal

This document discusses the Java RMI vulnerability scanner named remote-method-guesser, created by Tobias Neitzel, who is a penetration tester and security researcher. It covers topics including the motivation behind the project, Java RMI vulnerabilities, and specific attack vectors such as remote binding and codebase attacks, as well as how to detect these vulnerabilities. The document includes technical details, examples, and references to further resources related to the vulnerabilities explored.

Software
Related topics:
Information Security

Embed presentation

Download as PDF, PPTX
#BHUSA @BLACKHATEVENTS Tobias Neitzel @qtc_de
remote-method-guesser A Java RMI Vulnerability Scanner #BHUSA @BLACKHATEVENTS Tobias Neitzel @qtc_de
#BHUSA @BLACKHATEVENTS Tobias Neitzel @qtc_de $ whoami Tobias Neitzel • Penetration tester and security researcher at • Former physicist in the field of Lattice QCD • Interested in RPC technologieslike Java RMI, .NET Remoting, WCF, Windows RPC, DCOM, …
#BHUSA @BLACKHATEVENTS Tobias Neitzel @qtc_de What I'm Going to Talk About • Motivation and Etymology • Java RMI in a Nutshell • Java RMI Vulnerabilities • Application Level Attacks  RMI Codebase Attacks  Remote Binding (Localhost Bypass - CVE-2019-2684)  JEP 290 and the Activation System  JEP 290 Bypasses  Remote Method Guessing and Method Invocation  Application Level Deserialization Attacks … and how to detect them with remote-method-guesser
#BHUSA @BLACKHATEVENTS Tobias Neitzel @qtc_de Motivation and Etymology • Project started with the only purpose of guessing remote methods  remote-method-guesser • Learned a lot about RMI internals during implementation. Noticed that several vulnerabilities are missing tool support. • Idea: Turn remote-method-guesser into a Java RMI vulnerability scanner Fig 1 - nmap scan identifying Java RMI endpoints
#BHUSA @BLACKHATEVENTS Java RMI in a Nutshell Tobias Neitzel @qtc_de
#BHUSA @BLACKHATEVENTS Java RMI in a Nutshell Tobias Neitzel @qtc_de Server
#BHUSA @BLACKHATEVENTS Java RMI in a Nutshell Tobias Neitzel @qtc_de Fig 2 – Example RMI implementation Server
#BHUSA @BLACKHATEVENTS Java RMI in a Nutshell Tobias Neitzel @qtc_de Instance RemoteMath new RemoteMath() Listen: 0.0.0.0:4444 ObjID: 1234567890 Server Fig 2 – Example RMI implementation exportObject(instance, 4444)
#BHUSA @BLACKHATEVENTS Java RMI in a Nutshell Tobias Neitzel @qtc_de Client ??? Server Instance RemoteMath Listen: 0.0.0.0:4444 ObjID: 1234567890
#BHUSA @BLACKHATEVENTS Java RMI in a Nutshell Tobias Neitzel @qtc_de magic version protocol opType objid opNum methodHash methodArgs RMIMessage Structure: Listen: 0.0.0.0:4444 ObjID: 1234567890 Instance RemoteMath Server Client
#BHUSA @BLACKHATEVENTS Java RMI in a Nutshell Tobias Neitzel @qtc_de RMIMessage Structure: Legacy (nowadaysalways -1) Constants Listen: 0.0.0.0:4444 ObjID: 1234567890 Instance RemoteMath Server Client version protocol opType objid opNum methodHash methodArgs magic
#BHUSA @BLACKHATEVENTS Java RMI in a Nutshell Tobias Neitzel @qtc_de sha(add(II)I) (int)1 (int)2 RMIMessage Structure: Legacy (nowadaysalways -1) Constants Listen: 0.0.0.0:4444 ObjID: 1234567890 Instance RemoteMath Server Client ArgumentTypes: int, int Return Type:int magic version protocol opType objid opNum methodHash methodArgs
#BHUSA @BLACKHATEVENTS Java RMI in a Nutshell Tobias Neitzel @qtc_de WhyObjIDs? Instance RemoteControl Listen: 0.0.0.0:4444 ObjID: 0987654321 Allowsmultipleremote objects to listen on the same port RMIMessage Structure: Listen: 0.0.0.0:4444 ObjID: 1234567890 Instance RemoteMath Server Client version protocol opType objid opNum methodHash methodArgs magic
#BHUSA @BLACKHATEVENTS Java RMI in a Nutshell Tobias Neitzel @qtc_de RMIMessage Structure: Listen: 0.0.0.0:4444 ObjID: 1234567890 Instance RemoteMath Client Server version protocol opType objid opNum methodHash methodArgs magic
#BHUSA @BLACKHATEVENTS Java RMI in a Nutshell Tobias Neitzel @qtc_de Instance RMIRegistry Listen: 0.0.0.0:1099 ObjID: 0 RMIMessage Structure: Listen: 0.0.0.0:4444 ObjID: 1234567890 Instance RemoteMath Client Server version protocol opType objid opNum methodHash methodArgs magic
#BHUSA @BLACKHATEVENTS Java RMI in a Nutshell Tobias Neitzel @qtc_de HashMap<String,RemoteObj> RMIMessage Structure: Instance RMIRegistry Listen: 0.0.0.0:1099 ObjID: 0 Listen: 0.0.0.0:4444 ObjID: 1234567890 Instance RemoteMath Client Server version protocol opType objid opNum methodHash methodArgs magic
#BHUSA @BLACKHATEVENTS Java RMI in a Nutshell Tobias Neitzel @qtc_de IMath 0.0.0.0:4444:ObjID math bind("math", instance) RMIMessage Structure: HashMap<String,RemoteObj> Instance RMIRegistry Listen: 0.0.0.0:1099 ObjID: 0 Listen: 0.0.0.0:4444 ObjID: 1234567890 Instance RemoteMath Client Server version protocol opType objid opNum methodHash methodArgs magic
#BHUSA @BLACKHATEVENTS Java RMI in a Nutshell Tobias Neitzel @qtc_de IMath 0.0.0.0:4444:ObjID RMIMessage Structure: IMath 0.0.0.0:4444:ObjID HashMap<String,RemoteObj> Instance RMIRegistry Listen: 0.0.0.0:1099 ObjID: 0 Listen: 0.0.0.0:4444 ObjID: 1234567890 Instance RemoteMath Client Server bind("math", instance) math IMath stub = lookup("math") version protocol opType objid opNum methodHash methodArgs magic
#BHUSA @BLACKHATEVENTS Java RMI in a Nutshell Tobias Neitzel @qtc_de stub.add(1,1) 2 Fig 3 – Full RMI call example RMIMessage Structure: IMath 0.0.0.0:4444:ObjID HashMap<String,RemoteObj> Instance RMIRegistry Listen: 0.0.0.0:1099 ObjID: 0 Listen: 0.0.0.0:4444 ObjID: 1234567890 Instance RemoteMath Client Server bind("math", instance) math IMath stub = lookup("math") IMath 0.0.0.0:4444:ObjID version protocol opType objid opNum methodHash methodArgs magic
#BHUSA @BLACKHATEVENTS Java RMI Vulnerabilities Tobias Neitzel @qtc_de
#BHUSA @BLACKHATEVENTS Tobias Neitzel @qtc_de Java RMI Vulnerabilities Fig 4 – Example run of remote-method-guesser • Example run of remote-method-guesser • Docker images of vulnerable example servers can be found here: https://github.com/qtc-de/remote-method-guesser/packages/414459
#BHUSA @BLACKHATEVENTS Codebase Attacks Tobias Neitzel @qtc_de Java RMI Vulnerabilities
#BHUSA @BLACKHATEVENTS Tobias Neitzel @qtc_de HashMap<String,RemoteObj> Instance RMIRegistry Listen: 0.0.0.0:1099 ObjID: 0 Listen: 0.0.0.0:4444 ObjID: 1234567890 Instance RemoteMath Client Server Java RMI Vulnerabilities Codebase Attacks bind("math", instance) math IMath stub = lookup("math") IMath 0.0.0.0:4444:ObjID IMath 0.0.0.0:4444:ObjID
#BHUSA @BLACKHATEVENTS Tobias Neitzel @qtc_de HashMap<String,RemoteObj> Instance RMIRegistry Listen: 0.0.0.0:1099 ObjID: 0 Listen: 0.0.0.0:4444 ObjID: 1234567890 Instance RemoteMath Client Server Java RMI Vulnerabilities Codebase Attacks I don'tknow IMath :( bind("math", instance) math IMath stub = lookup("math") IMath 0.0.0.0:4444:ObjID IMath 0.0.0.0:4444:ObjID
#BHUSA @BLACKHATEVENTS Tobias Neitzel @qtc_de Java RMI Vulnerabilities Codebase Attacks Fig 5 – Server side codebase illustration Source: https://docs.oracle.com/javase/7/docs/technotes/guides/rmi/codebase.html
#BHUSA @BLACKHATEVENTS Tobias Neitzel @qtc_de Java RMI Vulnerabilities Codebase Attacks Fig 6 – Codebase detection of remote-method-guesser
#BHUSA @BLACKHATEVENTS Tobias Neitzel @qtc_de HashMap<String,RemoteObj> Instance RMIRegistry Listen: 0.0.0.0:1099 ObjID: 0 Listen: 0.0.0.0:4444 ObjID: 1234567890 Instance RemoteMath Client Server Java RMI Vulnerabilities Codebase Attacks SupportedMethods: INumber add(INumber arg1, INumber arg2) bind("math", instance) math IMath 0.0.0.0:4444:ObjID IMath stub = lookup("math") IMath 0.0.0.0:4444:ObjID
#BHUSA @BLACKHATEVENTS Tobias Neitzel @qtc_de HashMap<String,RemoteObj> Instance RMIRegistry Listen: 0.0.0.0:1099 ObjID: 0 Listen: 0.0.0.0:4444 ObjID: 1234567890 Instance RemoteMath Client Server Java RMI Vulnerabilities Codebase Attacks SupportedMethods: stub.add( (MyNumber)a, (MyNumber)b) 2 I don'tknow MyNumber :( bind("math", instance) math IMath 0.0.0.0:4444:ObjID SupportedMethods: INumber add(INumber arg1, INumber arg2) IMath stub = lookup("math") IMath 0.0.0.0:4444:ObjID
#BHUSA @BLACKHATEVENTS Tobias Neitzel @qtc_de Java RMI Vulnerabilities Codebase Attacks Fig 7 – Client side codebase illustration Source: https://docs.oracle.com/javase/7/docs/technotes/guides/rmi/codebase.html
#BHUSA @BLACKHATEVENTS Tobias Neitzel @qtc_de Java RMI Vulnerabilities Codebase Attacks • Accepting client specified codebases was default behaviorup to 2011 • Misconfigurationstill possible (useCodebaseOnly=false), but often not detected (nmap and metasploit modules focus on 2011 endpoints) • For fully up to date RMI servers you usually need to know the signature of a valid remote method or to attackfrom localhost (Details: https://github.com/qtc-de/remote-method-guesser/blob/master/docs/rmg/actions.md#codebase-action ) Fig 7 – Client side codebase illustration Source: https://docs.oracle.com/javase/7/docs/technotes/guides/rmi/codebase.html
#BHUSA @BLACKHATEVENTS Tobias Neitzel @qtc_de Java RMI Vulnerabilities Codebase Attacks Fig 8 – useCodebaseOnly detection of remote-method-guesser • Even with useCodebaseOnly=false, exploitability depends on additionalfactors (SecurityManager)  Status is Non Default instead of Vulnerable
#BHUSA @BLACKHATEVENTS Tobias Neitzel @qtc_de Java RMI Vulnerabilities Codebase Attacks Demo
#BHUSA @BLACKHATEVENTS Localhost Bypass (CVE-2019-2684) Tobias Neitzel @qtc_de Java RMI Vulnerabilities
#BHUSA @BLACKHATEVENTS Tobias Neitzel @qtc_de Java RMI Vulnerabilities Localhost Bypass(CVE-2019-2684) • Reminder on how RMI servers bind objects to the RMI registry Fig 9 – RMI bind operation HashMap<String,RemoteObj> Instance RMIRegistry Listen: 0.0.0.0:1099 ObjID: 0 Listen: 0.0.0.0:4444 ObjID: 1234567890 Instance RemoteMath Server bind("math", instance) math IMath 0.0.0.0:4444:ObjID
#BHUSA @BLACKHATEVENTS Tobias Neitzel @qtc_de Java RMI Vulnerabilities Localhost Bypass(CVE-2019-2684) • Reminder on how RMI servers bind objects to the RMI registry • But who is actually allowed to bind? Fig 9 – RMI bind operation HashMap<String,RemoteObj> Instance RMIRegistry Listen: 0.0.0.0:4444 ObjID: 1234567890 Instance RemoteMath Server Listen: 0.0.0.0:1099 ObjID: 0 bind("math", instance) math IMath 0.0.0.0:4444:ObjID
#BHUSA @BLACKHATEVENTS Tobias Neitzel @qtc_de Java RMI Vulnerabilities Localhost Bypass(CVE-2019-2684) • Reminder on how RMI servers bind objects to the RMI registry • But who is actually allowed to bind?  localhost is! • Each user on the same host as the registry can: • Not a vulnerability, but by design  Create new bound names  Modify existing bound names  Remove bound names Fig 9 – RMI bind operation HashMap<String,RemoteObj> Instance RMIRegistry Listen: 0.0.0.0:4444 ObjID: 1234567890 Instance RemoteMath Server Listen: 0.0.0.0:1099 ObjID: 0 bind("math", instance) math IMath 0.0.0.0:4444:ObjID
#BHUSA @BLACKHATEVENTS Tobias Neitzel @qtc_de Java RMI Vulnerabilities Localhost Bypass(CVE-2019-2684) • CVE-2019-2684let's you bypass the localhost restriction
#BHUSA @BLACKHATEVENTS • CVE-2019-2684let's you bypass the localhost restriction • Reminder on the RMI message structure: Tobias Neitzel @qtc_de Java RMI Vulnerabilities Localhost Bypass(CVE-2019-2684) RMIMessage Structure: Legacy (nowadaysalways -1) Constants version protocol opType objid opNum methodHash methodArgs magic
#BHUSA @BLACKHATEVENTS • CVE-2019-2684let's you bypass the localhost restriction • Reminder on the RMI message structure: Tobias Neitzel @qtc_de Java RMI Vulnerabilities Localhost Bypass(CVE-2019-2684) Still used for remote objects that use Skeletons, e.g. rmi-registry Fig 10 – Server side implementation of the bind operation. Access checks are performed in the skeleton only. https://github.com/openjdk/jdk/blob/master/src/java.rmi/share/classes/sun/rmi/registry/RegistryImpl.java#L247 RMIMessage Structure: Legacy (nowadaysalways -1) Constants version protocol opType objid opNum methodHash methodArgs magic
#BHUSA @BLACKHATEVENTS • CVE-2019-2684let's you bypass the localhost restriction • Reminder on the RMI message structure: • RMI registry can be called using both:The legacy andthe moderncall technique Tobias Neitzel @qtc_de Java RMI Vulnerabilities Localhost Bypass(CVE-2019-2684) Still used for remote objects that use Skeletons, e.g. rmi-registry Fig 10 – Server side implementation of the bind operation. Access checks are performed in the skeleton only. https://github.com/openjdk/jdk/blob/master/src/java.rmi/share/classes/sun/rmi/registry/RegistryImpl.java#L247 RMIMessage Structure: Legacy (nowadaysalways -1) Constants version protocol opType objid opNum methodHash methodArgs magic
#BHUSA @BLACKHATEVENTS Tobias Neitzel @qtc_de Java RMI Vulnerabilities Localhost Bypass(CVE-2019-2684)  Check for legacy call  Handle legacy call via Skeleton – RMI registry calls are intended to be handled here  Continue with modern call (no skeleton – and no accesscheckfor the RMI Registry :D) How Java RMI decided when to use a Skeleton up to 2019 Fig 11 – How Java RMI decided when to use Skeletons https://github.com/openjdk/jdk/blob/65db4f42d021444a7cff0f83a86a407a41b16da5/ src/java.rmi/share/classes/sun/rmi/server/UnicastServerRef.java#L279
#BHUSA @BLACKHATEVENTS Tobias Neitzel @qtc_de Java RMI Vulnerabilities Localhost Bypass(CVE-2019-2684) Fig 12 – Localhost bypass detection of remote-method-guesser
#BHUSA @BLACKHATEVENTS Tobias Neitzel @qtc_de Java RMI Vulnerabilities Demo Localhost Bypass(CVE-2019-2684)
#BHUSA @BLACKHATEVENTS Tobias Neitzel @qtc_de Java RMI Vulnerabilities Localhost Bypass(CVE-2019-2684) Always use the Skeleton if one exists Fig 13 – Localhost bypass fix Localhost Bypass Fix https://github.com/openjdk/jdk/blob/master/src/java.rmi/share/classes/sun/rmi/server/UnicastServerRef.java#L281
#BHUSA @BLACKHATEVENTS JEP 290 Tobias Neitzel @qtc_de Java RMI Vulnerabilities
#BHUSA @BLACKHATEVENTS • Reminder on the RMI message structure: Tobias Neitzel @qtc_de Java RMI Vulnerabilities JEP 290 RMIMessage Structure: magic version protocol opType objid opNum methodHash methodArgs
#BHUSA @BLACKHATEVENTS • Reminder on the RMI message structure: Tobias Neitzel @qtc_de Java RMI Vulnerabilities JEP 290 RMIMessage Structure: int short byte int long - int - long - short Compound: int long Serialized Java Objects magic version protocol opType objid opNum methodHash methodArgs
#BHUSA @BLACKHATEVENTS • Reminder on the RMI message structure: Tobias Neitzel @qtc_de Java RMI Vulnerabilities JEP 290 RMIMessage Structure: int short byte int long - int - long - short Compound: int long Fig 14 - How RMI arguments are unmarshaled (before 2020) read by the RMI server https://github.com/openjdk/jdk/blob/3789983e89c9de252ef546a1b98a732a7d066650 /src/java.rmi/share/classes/sun/rmi/server/UnicastRef.java#L298 magic version protocol opType objid opNum methodHash methodArgs Serialized Java Objects
#BHUSA @BLACKHATEVENTS • Reminder on the RMI message structure: Tobias Neitzel @qtc_de Java RMI Vulnerabilities JEP 290 RMIMessage Structure: int short byte int long - int - long - short Compound: int long Fig 14 - How RMI arguments are unmarshaled (before 2020) read by the RMI server Deserialization Attacks https://github.com/openjdk/jdk/blob/3789983e89c9de252ef546a1b98a732a7d066650 /src/java.rmi/share/classes/sun/rmi/server/UnicastRef.java#L298 magic version protocol opType objid opNum methodHash methodArgs Serialized Java Objects
#BHUSA @BLACKHATEVENTS • Reminder on the RMI message structure: Tobias Neitzel @qtc_de Java RMI Vulnerabilities JEP 290 RMIMessage Structure: int short byte int long - int - long - short Compound: int long read by the RMI server Fig 15 - How RMI arguments are unmarshaled (after 2020) No Deserialization Attacks on Strings after 2020 https://github.com/openjdk/jdk/blob/master/src/java.rmi/share/classes/sun/rmi/server/UnicastRef.java#L302 magic version protocol opType objid opNum methodHash methodArgs Serialized Java Objects
#BHUSA @BLACKHATEVENTS Tobias Neitzel @qtc_de Java RMI Vulnerabilities JEP 290 • Deserializationattack surface on default remote objects: RMI Registry  publicvoid bind(Stringname, Remoteobj)  publicvoid rebind(Stringname, Remote obj)  publicvoid unbind(Stringname)  publicString[] list()  publicRemote lookup(Stringname) DistributedGarbageCollector (DGC – Availableon each RMI endpoint)  publicLease dirty(ObjID[] ids, longsequenceNum, Leaselease))  publicvoid clean( ObjID[] ids, long sequenceNum, VMID vmid, boolean strong) RMI Activator(ActivationSystem – Legacy Component)  publicMarshalledObject activate(ActivationID id, boolean force) Usable for deserialization attacks Usable for deserialization attacks before 2020 Only callable from localhost Callable from everywhere Argument Legend Method Legend
#BHUSA @BLACKHATEVENTS Tobias Neitzel @qtc_de Java RMI Vulnerabilities JEP 290 • JEP 290 introduced deserializationfilters for the RMI Registry andthe DGC(not for the ActivationSystem) • Corresponding remote-method-guesser enumeration: Fig 16 – JEP290 and Activation System enumeration of remote-method-guesser
#BHUSA @BLACKHATEVENTS Tobias Neitzel @qtc_de Java RMI Vulnerabilities Demo JEP 290
#BHUSA @BLACKHATEVENTS JEP 290 Bypasses Tobias Neitzel @qtc_de Java RMI Vulnerabilities
#BHUSA @BLACKHATEVENTS Tobias Neitzel @qtc_de • The RMI Registry andthe DGCallow certain classes to get deserialized  Filter bypasses are possible Java RMI Vulnerabilities JEP 290 Bypasses
#BHUSA @BLACKHATEVENTS Tobias Neitzel @qtc_de Java RMI Vulnerabilities JEP 290 Bypasses • The RMI Registry andthe DGCallow certain classes to get deserialized  Filter bypasses are possible HashMap<String,RemoteObj> Instance RMIRegistry Listen: 0.0.0.0:1099 ObjID: 0 Listen: 0.0.0.0:4444 ObjID: 1234567890 Instance RemoteMath Server Client bind("math", instance) math IMath 0.0.0.0:4444:ObjID IMath stub = lookup("math") IMath 0.0.0.0:4444:ObjID
#BHUSA @BLACKHATEVENTS Tobias Neitzel @qtc_de Java RMI Vulnerabilities JEP 290 Bypasses lookup(ysoserial.Payload) HashMap<String,RemoteObj> Instance RMIRegistry Listen: 0.0.0.0:4444 ObjID: 1234567890 Instance RemoteMath Server Client • The RMI Registry andthe DGCallow certain classes to get deserialized  Filter bypasses are possible Listen: 0.0.0.0:1099 ObjID: 0 bind("math", instance) math Exception IMath 0.0.0.0:4444:ObjID
#BHUSA @BLACKHATEVENTS Tobias Neitzel @qtc_de Java RMI Vulnerabilities JEP 290 Bypasses Protected HashMap<String,RemoteObj> Instance RMIRegistry Listen: 0.0.0.0:4444 ObjID: 1234567890 Instance RemoteMath Server Client • The RMI Registry andthe DGCallow certain classes to get deserialized  Filter bypasses are possible Listen: 0.0.0.0:1099 ObjID: 0 bind("math", instance) math lookup(ysoserial.Payload) Filtered! IMath 0.0.0.0:4444:ObjID
#BHUSA @BLACKHATEVENTS Exception Tobias Neitzel @qtc_de Java RMI Vulnerabilities JEP 290 Bypasses Protected JRMP Request ysoserial.payload HashMap<String,RemoteObj> Instance RMIRegistry Listen: 0.0.0.0:4444 ObjID: 1234567890 Instance RemoteMath Server Client • The RMI Registry andthe DGCallow certain classes to get deserialized  Filter bypasses are possible Fig 17 - Outbound JRMP Bypass Schema Listen: 0.0.0.0:1099 ObjID: 0 bind("math", instance) math lookup(bypass.Payload) IMath 0.0.0.0:4444:ObjID
#BHUSA @BLACKHATEVENTS Tobias Neitzel @qtc_de Java RMI Vulnerabilities JEP 290 Bypasses • The RMI Registry andthe DGCallow certain classes to get deserialized  Filter bypasses are possible • JEP290 bypass enumeration – Uses the most recent bypass technique (discovered by @_tint0 in 2019): Fig 18 – JEP290 bypass enumeration of remote-method-guesser
#BHUSA @BLACKHATEVENTS Tobias Neitzel @qtc_de Java RMI Vulnerabilities Demo JEP 290 Bypasses
#BHUSA @BLACKHATEVENTS Application Level Attacks Tobias Neitzel @qtc_de Remote Method Guessing
#BHUSA @BLACKHATEVENTS Remote Method Guessing Tobias Neitzel @qtc_de int add(intarg1, int arg2) SupportedMethods: • Reminder: Typical RMI call example stub.add(1,1) 2 HashMap<String,RemoteObj> Instance RMIRegistry Listen: 0.0.0.0:1099 ObjID: 0 Listen: 0.0.0.0:4444 ObjID: 1234567890 Instance RemoteMath Client Server bind("math", instance) math IMath 0.0.0.0:4444:ObjID IMath stub = lookup("math") IMath 0.0.0.0:4444:ObjID
#BHUSA @BLACKHATEVENTS Remote Method Guessing Tobias Neitzel @qtc_de • Reminder: Typical RMI call example • During blackbox assessments, you don’t know supported methods ??? SupportedMethods: HashMap<String,RemoteObj> Instance RMIRegistry Listen: 0.0.0.0:4444 ObjID: 1234567890 Instance RemoteMath Client Server bind("math", instance) math int add(intarg1, int arg2) Listen: 0.0.0.0:1099 ObjID: 0 IMath 0.0.0.0:4444:ObjID IMath stub = lookup("math") IMath 0.0.0.0:4444:ObjID
#BHUSA @BLACKHATEVENTS Remote Method Guessing Tobias Neitzel @qtc_de • Reminder: Typical RMI call example • During blackbox assessments, you don’t know supported methods • You may miss dangerous remote methods ??? int add(intarg1, int arg2) String exec(String cmd) SupportedMethods: HashMap<String,RemoteObj> Instance RMIRegistry Listen: 0.0.0.0:4444 ObjID: 1234567890 Instance RemoteMath Client Server bind("math", instance) math Listen: 0.0.0.0:1099 ObjID: 0 IMath 0.0.0.0:4444:ObjID IMath stub = lookup("math") IMath 0.0.0.0:4444:ObjID
#BHUSA @BLACKHATEVENTS Remote Method Guessing Tobias Neitzel @qtc_de Fig 19 – Method Guessing Schema • Reminder: Typical RMI call example • During blackbox assessments, you don’t know supported methods • You may miss dangerous remote methods • Method Guessing: stub.exec(canary) SupportedMethods: HashMap<String,RemoteObj> Instance RMIRegistry Listen: 0.0.0.0:4444 ObjID: 1234567890 Instance RemoteMath Client Server Exception exists not exists bind("math", instance) math Listen: 0.0.0.0:1099 ObjID: 0 int add(intarg1, int arg2) String exec(String cmd) IMath 0.0.0.0:4444:ObjID IMath stub = lookup("math") IMath 0.0.0.0:4444:ObjID
#BHUSA @BLACKHATEVENTS Tobias Neitzel @qtc_de Fig 20 – Method guessing run of remote-method-guesser https://github.com/qtc-de/remote-method-guesser/blob/master/docs/rmg/method-guessing.md Remote Method Guessing
#BHUSA @BLACKHATEVENTS • You may want to call methods in a regular way (e.g. String exec(String cmd) ) • remote-method-guessercando that: • Server responses are ignored by default. Plugins can be used to process them: https://github.com/qtc-de/remote-method-guesser/blob/master/docs/rmg/plugin-system.md Tobias Neitzel @qtc_de Fig 21 – Calling a method with remote-method-guesser Remote Method Guessing
#BHUSA @BLACKHATEVENTS Tobias Neitzel @qtc_de Demo Remote Method Guessing
#BHUSA @BLACKHATEVENTS Application Level Attacks Tobias Neitzel @qtc_de Application Level Deserialization
#BHUSA @BLACKHATEVENTS Tobias Neitzel @qtc_de Java RMI Vulnerabilities JEP 290 Bypasses Protected HashMap<String,RemoteObj> Instance RMIRegistry Listen: 0.0.0.0:4444 ObjID: 1234567890 Instance RemoteMath Server Client • The RMI Registry andthe DGCare protected by deserialization filters • Applicationlevel method calls aren't! bind("math", instance) math Listen: 0.0.0.0:1099 ObjID: 0 IMath 0.0.0.0:4444:ObjID IMath stub = lookup("math") IMath 0.0.0.0:4444:ObjID
#BHUSA @BLACKHATEVENTS Tobias Neitzel @qtc_de Java RMI Vulnerabilities JEP 290 Bypasses Protected HashMap<String,RemoteObj> Instance RMIRegistry Listen: 0.0.0.0:4444 ObjID: 1234567890 Instance RemoteMath Server Client • The RMI Registry andthe DGCare protected by deserialization filters • Applicationlevel method calls aren't! stub.add(1,1) 2 bind("math", instance) math Listen: 0.0.0.0:1099 ObjID: 0 IMath 0.0.0.0:4444:ObjID IMath stub = lookup("math") IMath 0.0.0.0:4444:ObjID
#BHUSA @BLACKHATEVENTS Tobias Neitzel @qtc_de Java RMI Vulnerabilities JEP 290 Bypasses Protected HashMap<String,RemoteObj> Instance RMIRegistry Listen: 0.0.0.0:4444 ObjID: 1234567890 Instance RemoteMath Server Client • The RMI Registry andthe DGCare protected by deserialization filters • Applicationlevel method calls aren't! • Attack requires non primitive argument types 2 int[] addMap(Map<int, int>arg) SupportedMethods: stub.addMap(ysoserial.payload) Fig 22– Application Level Deserialization Schema bind("math", instance) math Listen: 0.0.0.0:1099 ObjID: 0 IMath 0.0.0.0:4444:ObjID IMath stub = lookup("math") IMath 0.0.0.0:4444:ObjID
#BHUSA @BLACKHATEVENTS Tobias Neitzel @qtc_de Fig 23 – Exploiting application level deserialization with remote-method-guesser Application Level Deserialization
#BHUSA @BLACKHATEVENTS Tobias Neitzel @qtc_de Demo Application Level Deserialization
#BHUSA @BLACKHATEVENTS Thank You for Your Attention! Tobias Neitzel @qtc_de • https://github.com/qtc-de/remote-method-guesser [Tool itself] • https://github.com/qtc-de/remote-method-guesser/packages/414459 [Example Server] • https://github.com/qtc-de/remote-method-guesser/tree/master/docs [Documentation] • https://mogwailabs.de/de/blog/2019/03/attacking-java-rmi-services-after-jep-290/ [JEP290 and Application Level Deserialization] • https://mogwailabs.de/de/blog/2020/02/an-trinhs-rmi-registry-bypass/ [JEP290 Bypasses] • https://i.blackhat.com/eu-19/Wednesday/eu-19-An-Far-Sides-Of-Java-Remote-Protocols.pdf [RMI Attack Surface Overview] • https://github.com/openjdk/jdk/tree/master/src/java.rmi/share/classes [Java RMI Source Code] • https://docs.oracle.com/javase/7/docs/technotes/guides/rmi/codebase.html [Remote Class Loading] • https://labs.bishopfox.com/tech-blog/rmiscout [Method Guessing] • https://github.com/qtc-de/remote-method-guesser/blob/master/docs/rmg/method-guessing.md [Method Guessing] remote-method-guesser: Java RMI:
#BHUSA @BLACKHATEVENTS Tobias Neitzel @qtc_de RMI Attack Surface - MindMap Fig 24 – Attack Surface on Java RMI Endpoints

More Related Content

PPTX
OWASP AppSecCali 2015 - Marshalling Pickles
byChristopher Frohoff
 
PDF
Exploiting Deserialization Vulnerabilities in Java
byCODE WHITE GmbH
 
PDF
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...
byjoaomatosf_
 
PDF
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
byMikhail Egorov
 
PDF
XSS Magic tricks
byGarethHeyes
 
PPTX
Abusing Microsoft Kerberos - Sorry you guys don't get it
byBenjamin Delpy
 
PPTX
Troopers 19 - I am AD FS and So Can You
byDouglas Bienstock
 
PPTX
Dangling DNS records takeover at scale
byChandrapal Badshah
 
OWASP AppSecCali 2015 - Marshalling Pickles
byChristopher Frohoff
 
Exploiting Deserialization Vulnerabilities in Java
byCODE WHITE GmbH
 
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...
byjoaomatosf_
 
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
byMikhail Egorov
 
XSS Magic tricks
byGarethHeyes
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
byBenjamin Delpy
 
Troopers 19 - I am AD FS and So Can You
byDouglas Bienstock
 
Dangling DNS records takeover at scale
byChandrapal Badshah
 

What's hot

PDF
Nicky Bloor - BaRMIe - Poking Java's Back Door - 44CON 2017
byNicky Bloor
 
PPTX
Hashicorp Vault ppt
byShrey Agarwal
 
PPTX
Introduction to Spring Boot
byPurbarun Chakrabarti
 
PDF
HTTP Request Smuggling via higher HTTP versions
byneexemil
 
PPTX
HTTP HOST header attacks
byDefconRussia
 
PDF
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
byChristopher Frohoff
 
PDF
Derbycon - The Unintended Risks of Trusting Active Directory
byWill Schroeder
 
PDF
Hunting for security bugs in AEM webapps
byMikhail Egorov
 
PDF
HashiCorp's Vault - The Examples
byMichał Czeraszkiewicz
 
PDF
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
byCODE WHITE GmbH
 
PPTX
PSConfEU - Offensive Active Directory (With PowerShell!)
byWill Schroeder
 
PDF
REST APIs with Spring
byJoshua Long
 
PPTX
Here Be Dragons: The Unexplored Land of Active Directory ACLs
byAndy Robbins
 
PPT
Bypass file upload restrictions
byMukesh k.r
 
PDF
Thick Client Penetration Testing.pdf
bySouvikRoy114738
 
PDF
aclpwn - Active Directory ACL exploitation with BloodHound
byDirkjanMollema
 
PDF
Webinar: Deep Dive on Apache Flink State - Seth Wiesman
byVerverica
 
PDF
CORS and (in)security
byn|u - The Open Security Community
 
PDF
Broken access control
byPriyanshu Gandhi
 
PDF
Mikhail Egorov - Hunting for bugs in Adobe Experience Manager webapps
byhacktivity
 
Nicky Bloor - BaRMIe - Poking Java's Back Door - 44CON 2017
byNicky Bloor
 
Hashicorp Vault ppt
byShrey Agarwal
 
Introduction to Spring Boot
byPurbarun Chakrabarti
 
HTTP Request Smuggling via higher HTTP versions
byneexemil
 
HTTP HOST header attacks
byDefconRussia
 
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
byChristopher Frohoff
 
Derbycon - The Unintended Risks of Trusting Active Directory
byWill Schroeder
 
Hunting for security bugs in AEM webapps
byMikhail Egorov
 
HashiCorp's Vault - The Examples
byMichał Czeraszkiewicz
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
byCODE WHITE GmbH
 
PSConfEU - Offensive Active Directory (With PowerShell!)
byWill Schroeder
 
REST APIs with Spring
byJoshua Long
 
Here Be Dragons: The Unexplored Land of Active Directory ACLs
byAndy Robbins
 
Bypass file upload restrictions
byMukesh k.r
 
Thick Client Penetration Testing.pdf
bySouvikRoy114738
 
aclpwn - Active Directory ACL exploitation with BloodHound
byDirkjanMollema
 
Webinar: Deep Dive on Apache Flink State - Seth Wiesman
byVerverica
 
CORS and (in)security
byn|u - The Open Security Community
 
Broken access control
byPriyanshu Gandhi
 
Mikhail Egorov - Hunting for bugs in Adobe Experience Manager webapps
byhacktivity
 

Similar to remote-method-guesser - BHUSA2021 Arsenal

PPTX
Java RMI
byAnkit Desai
 
PPTX
Java RMI
byPrajakta Nimje
 
PDF
Remote Method Invocation
byashishspace
 
PDF
Remote Method Invocation in JAVA
byJalpesh Vasa
 
PPTX
Remote Method Invocation (Java RMI)
bySonali Parab
 
PPT
Remote Method Invocation
byPaul Pajo
 
PPTX
Rmi architecture
byMaulik Desai
 
PPT
Distributed Objects and JAVA
byelliando dias
 
PPTX
Remote method invocation
byDew Shishir
 
PDF
RMI (Remote Method Invocation)
byThesis Scientist Private Limited
 
PDF
Introduction to Remote Method Invocation (RMI)
byeLink Business Innovations
 
PPTX
PPT ON PPT ON SOFTWARE ARCHITECTURE module5
bysuleman6982
 
PPTX
Rmi
byVijay Kiran
 
DOCX
remote method invocation
byArun Nair
 
DOCX
Remote Method Invocation
bySonali Parab
 
PDF
java TM rmi The Remote Method Invocation Guide 1st Edition Esmond Pitt
byhobbeljovie
 
PDF
java TM rmi The Remote Method Invocation Guide 1st Edition Esmond Pitt
byciggoaljasi
 
DOCX
Java interview questions for freshers
bySkillPracticalEdTech
 
PDF
Remote method invocation (as part of the the PTT lecture)
byRalf Laemmel
 
PPTX
Introduction To Rmi
bySwarupKulkarni
 
Java RMI
byAnkit Desai
 
Java RMI
byPrajakta Nimje
 
Remote Method Invocation
byashishspace
 
Remote Method Invocation in JAVA
byJalpesh Vasa
 
Remote Method Invocation (Java RMI)
bySonali Parab
 
Remote Method Invocation
byPaul Pajo
 
Rmi architecture
byMaulik Desai
 
Distributed Objects and JAVA
byelliando dias
 
Remote method invocation
byDew Shishir
 
RMI (Remote Method Invocation)
byThesis Scientist Private Limited
 
Introduction to Remote Method Invocation (RMI)
byeLink Business Innovations
 
PPT ON PPT ON SOFTWARE ARCHITECTURE module5
bysuleman6982
 
Rmi
byVijay Kiran
 
remote method invocation
byArun Nair
 
Remote Method Invocation
bySonali Parab
 
java TM rmi The Remote Method Invocation Guide 1st Edition Esmond Pitt
byhobbeljovie
 
java TM rmi The Remote Method Invocation Guide 1st Edition Esmond Pitt
byciggoaljasi
 
Java interview questions for freshers
bySkillPracticalEdTech
 
Remote method invocation (as part of the the PTT lecture)
byRalf Laemmel
 
Introduction To Rmi
bySwarupKulkarni
 

Recently uploaded

PPTX
OpenID AuthZEN Overview - Gartner IAM 25
byDavid Brossard
 
PDF
First Semester BCA Fundamentals of Computers – Solved Question Paper (Kuvempu...
byKuvempu University
 
PDF
Step-by-Step Guide to Building Fast Flutter Web Sites
byShiv Technolabs Pvt. Ltd.
 
PPTX
Application Security – Static Application Security Testing (SAST)
byLalit Jagotra
 
PDF
Guidewire Vs. Openkoda: Customizable, Open Alternative to Lagacy Core Systems
byOpenkoda
 
PDF
Reusable technology: Saving development time with shared Unity plug-ins and S...
byBruno Cicanci
 
PPTX
SAP SOD Management for Secure & Compliant Access | s4access
bydigitalbacklinks123
 
PPTX
Binance Smart Chain Development Guide.pptx
bylakshubadai
 
PDF
Code, Coins and Collaboration: How Open Source Shapes Modern Finance.
byDavid Okononfua
 
PDF
Code, Coins and Collaboration: How Open Source Shapes Modern Finance.
byDavid Okononfua
 
PDF
Ch2 -ENG.pdf COMPUTER ARCHITECTURE L2 INFO
byrogase8895
 
PPTX
Managed Splunk Partner vs In-House: Cost, Risk & Value Comparison
byssuser6ab5a5
 
PDF
nsfconvertersoftwaretoconvertNSFtoPST.pdf
byNSF Converter Software
 
PDF
PeopleSoft Lift and Shift to Oracle Cloud Infrastructure.pdf
byAstuteBusiness
 
PDF
Combinatorial Interview Problems with Backtracking Solutions - From Imperativ...
byPhilip Schwarz
 
PPTX
The Future of Surgical Practice How AI is Transforming Diagnostics, Schedulin...
byEasy Clinic
 
PPT
This-Project-Demonstrates-How-to-Create.ppt
byjayasuryanexinfo
 
PPTX
AI Clinic Management Software for Otolaryngology Clinics Bringing Precision, ...
byEasy Clinic
 
PDF
Data structure using C :UNIT-I Introduction to Data structures and Stacks BCA...
byKuvempu University
 
PDF
Josh Chu Boston - A Respected Technology Executive
byJosh Chu Boston
 
OpenID AuthZEN Overview - Gartner IAM 25
byDavid Brossard
 
First Semester BCA Fundamentals of Computers – Solved Question Paper (Kuvempu...
byKuvempu University
 
Step-by-Step Guide to Building Fast Flutter Web Sites
byShiv Technolabs Pvt. Ltd.
 
Application Security – Static Application Security Testing (SAST)
byLalit Jagotra
 
Guidewire Vs. Openkoda: Customizable, Open Alternative to Lagacy Core Systems
byOpenkoda
 
Reusable technology: Saving development time with shared Unity plug-ins and S...
byBruno Cicanci
 
SAP SOD Management for Secure & Compliant Access | s4access
bydigitalbacklinks123
 
Binance Smart Chain Development Guide.pptx
bylakshubadai
 
Code, Coins and Collaboration: How Open Source Shapes Modern Finance.
byDavid Okononfua
 
Code, Coins and Collaboration: How Open Source Shapes Modern Finance.
byDavid Okononfua
 
Ch2 -ENG.pdf COMPUTER ARCHITECTURE L2 INFO
byrogase8895
 
Managed Splunk Partner vs In-House: Cost, Risk & Value Comparison
byssuser6ab5a5
 
nsfconvertersoftwaretoconvertNSFtoPST.pdf
byNSF Converter Software
 
PeopleSoft Lift and Shift to Oracle Cloud Infrastructure.pdf
byAstuteBusiness
 
Combinatorial Interview Problems with Backtracking Solutions - From Imperativ...
byPhilip Schwarz
 
The Future of Surgical Practice How AI is Transforming Diagnostics, Schedulin...
byEasy Clinic
 
This-Project-Demonstrates-How-to-Create.ppt
byjayasuryanexinfo
 
AI Clinic Management Software for Otolaryngology Clinics Bringing Precision, ...
byEasy Clinic
 
Data structure using C :UNIT-I Introduction to Data structures and Stacks BCA...
byKuvempu University
 
Josh Chu Boston - A Respected Technology Executive
byJosh Chu Boston
 

remote-method-guesser - BHUSA2021 Arsenal

  • 1.
  • 2.
    remote-method-guesser A Java RMIVulnerability Scanner #BHUSA @BLACKHATEVENTS Tobias Neitzel @qtc_de
  • 3.
    #BHUSA @BLACKHATEVENTS Tobias Neitzel@qtc_de $ whoami Tobias Neitzel • Penetration tester and security researcher at • Former physicist in the field of Lattice QCD • Interested in RPC technologieslike Java RMI, .NET Remoting, WCF, Windows RPC, DCOM, …
  • 4.
    #BHUSA @BLACKHATEVENTS Tobias Neitzel@qtc_de What I'm Going to Talk About • Motivation and Etymology • Java RMI in a Nutshell • Java RMI Vulnerabilities • Application Level Attacks  RMI Codebase Attacks  Remote Binding (Localhost Bypass - CVE-2019-2684)  JEP 290 and the Activation System  JEP 290 Bypasses  Remote Method Guessing and Method Invocation  Application Level Deserialization Attacks … and how to detect them with remote-method-guesser
  • 5.
    #BHUSA @BLACKHATEVENTS Tobias Neitzel@qtc_de Motivation and Etymology • Project started with the only purpose of guessing remote methods  remote-method-guesser • Learned a lot about RMI internals during implementation. Noticed that several vulnerabilities are missing tool support. • Idea: Turn remote-method-guesser into a Java RMI vulnerability scanner Fig 1 - nmap scan identifying Java RMI endpoints
  • 6.
    #BHUSA @BLACKHATEVENTS Java RMIin a Nutshell Tobias Neitzel @qtc_de
  • 7.
    #BHUSA @BLACKHATEVENTS Java RMIin a Nutshell Tobias Neitzel @qtc_de Server
  • 8.
    #BHUSA @BLACKHATEVENTS Java RMIin a Nutshell Tobias Neitzel @qtc_de Fig 2 – Example RMI implementation Server
  • 9.
    #BHUSA @BLACKHATEVENTS Java RMIin a Nutshell Tobias Neitzel @qtc_de Instance RemoteMath new RemoteMath() Listen: 0.0.0.0:4444 ObjID: 1234567890 Server Fig 2 – Example RMI implementation exportObject(instance, 4444)
  • 10.
    #BHUSA @BLACKHATEVENTS Java RMIin a Nutshell Tobias Neitzel @qtc_de Client ??? Server Instance RemoteMath Listen: 0.0.0.0:4444 ObjID: 1234567890
  • 11.
    #BHUSA @BLACKHATEVENTS Java RMIin a Nutshell Tobias Neitzel @qtc_de magic version protocol opType objid opNum methodHash methodArgs RMIMessage Structure: Listen: 0.0.0.0:4444 ObjID: 1234567890 Instance RemoteMath Server Client
  • 12.
    #BHUSA @BLACKHATEVENTS Java RMIin a Nutshell Tobias Neitzel @qtc_de RMIMessage Structure: Legacy (nowadaysalways -1) Constants Listen: 0.0.0.0:4444 ObjID: 1234567890 Instance RemoteMath Server Client version protocol opType objid opNum methodHash methodArgs magic
  • 13.
    #BHUSA @BLACKHATEVENTS Java RMIin a Nutshell Tobias Neitzel @qtc_de sha(add(II)I) (int)1 (int)2 RMIMessage Structure: Legacy (nowadaysalways -1) Constants Listen: 0.0.0.0:4444 ObjID: 1234567890 Instance RemoteMath Server Client ArgumentTypes: int, int Return Type:int magic version protocol opType objid opNum methodHash methodArgs
  • 14.
    #BHUSA @BLACKHATEVENTS Java RMIin a Nutshell Tobias Neitzel @qtc_de WhyObjIDs? Instance RemoteControl Listen: 0.0.0.0:4444 ObjID: 0987654321 Allowsmultipleremote objects to listen on the same port RMIMessage Structure: Listen: 0.0.0.0:4444 ObjID: 1234567890 Instance RemoteMath Server Client version protocol opType objid opNum methodHash methodArgs magic
  • 15.
    #BHUSA @BLACKHATEVENTS Java RMIin a Nutshell Tobias Neitzel @qtc_de RMIMessage Structure: Listen: 0.0.0.0:4444 ObjID: 1234567890 Instance RemoteMath Client Server version protocol opType objid opNum methodHash methodArgs magic
  • 16.
    #BHUSA @BLACKHATEVENTS Java RMIin a Nutshell Tobias Neitzel @qtc_de Instance RMIRegistry Listen: 0.0.0.0:1099 ObjID: 0 RMIMessage Structure: Listen: 0.0.0.0:4444 ObjID: 1234567890 Instance RemoteMath Client Server version protocol opType objid opNum methodHash methodArgs magic
  • 17.
    #BHUSA @BLACKHATEVENTS Java RMIin a Nutshell Tobias Neitzel @qtc_de HashMap<String,RemoteObj> RMIMessage Structure: Instance RMIRegistry Listen: 0.0.0.0:1099 ObjID: 0 Listen: 0.0.0.0:4444 ObjID: 1234567890 Instance RemoteMath Client Server version protocol opType objid opNum methodHash methodArgs magic
  • 18.
    #BHUSA @BLACKHATEVENTS Java RMIin a Nutshell Tobias Neitzel @qtc_de IMath 0.0.0.0:4444:ObjID math bind("math", instance) RMIMessage Structure: HashMap<String,RemoteObj> Instance RMIRegistry Listen: 0.0.0.0:1099 ObjID: 0 Listen: 0.0.0.0:4444 ObjID: 1234567890 Instance RemoteMath Client Server version protocol opType objid opNum methodHash methodArgs magic
  • 19.
    #BHUSA @BLACKHATEVENTS Java RMIin a Nutshell Tobias Neitzel @qtc_de IMath 0.0.0.0:4444:ObjID RMIMessage Structure: IMath 0.0.0.0:4444:ObjID HashMap<String,RemoteObj> Instance RMIRegistry Listen: 0.0.0.0:1099 ObjID: 0 Listen: 0.0.0.0:4444 ObjID: 1234567890 Instance RemoteMath Client Server bind("math", instance) math IMath stub = lookup("math") version protocol opType objid opNum methodHash methodArgs magic
  • 20.
    #BHUSA @BLACKHATEVENTS Java RMIin a Nutshell Tobias Neitzel @qtc_de stub.add(1,1) 2 Fig 3 – Full RMI call example RMIMessage Structure: IMath 0.0.0.0:4444:ObjID HashMap<String,RemoteObj> Instance RMIRegistry Listen: 0.0.0.0:1099 ObjID: 0 Listen: 0.0.0.0:4444 ObjID: 1234567890 Instance RemoteMath Client Server bind("math", instance) math IMath stub = lookup("math") IMath 0.0.0.0:4444:ObjID version protocol opType objid opNum methodHash methodArgs magic
  • 21.
    #BHUSA @BLACKHATEVENTS Java RMIVulnerabilities Tobias Neitzel @qtc_de
  • 22.
    #BHUSA @BLACKHATEVENTS Tobias Neitzel@qtc_de Java RMI Vulnerabilities Fig 4 – Example run of remote-method-guesser • Example run of remote-method-guesser • Docker images of vulnerable example servers can be found here: https://github.com/qtc-de/remote-method-guesser/packages/414459
  • 23.
    #BHUSA @BLACKHATEVENTS Codebase Attacks TobiasNeitzel @qtc_de Java RMI Vulnerabilities
  • 24.
    #BHUSA @BLACKHATEVENTS Tobias Neitzel@qtc_de HashMap<String,RemoteObj> Instance RMIRegistry Listen: 0.0.0.0:1099 ObjID: 0 Listen: 0.0.0.0:4444 ObjID: 1234567890 Instance RemoteMath Client Server Java RMI Vulnerabilities Codebase Attacks bind("math", instance) math IMath stub = lookup("math") IMath 0.0.0.0:4444:ObjID IMath 0.0.0.0:4444:ObjID
  • 25.
    #BHUSA @BLACKHATEVENTS Tobias Neitzel@qtc_de HashMap<String,RemoteObj> Instance RMIRegistry Listen: 0.0.0.0:1099 ObjID: 0 Listen: 0.0.0.0:4444 ObjID: 1234567890 Instance RemoteMath Client Server Java RMI Vulnerabilities Codebase Attacks I don'tknow IMath :( bind("math", instance) math IMath stub = lookup("math") IMath 0.0.0.0:4444:ObjID IMath 0.0.0.0:4444:ObjID
  • 26.
    #BHUSA @BLACKHATEVENTS Tobias Neitzel@qtc_de Java RMI Vulnerabilities Codebase Attacks Fig 5 – Server side codebase illustration Source: https://docs.oracle.com/javase/7/docs/technotes/guides/rmi/codebase.html
  • 27.
    #BHUSA @BLACKHATEVENTS Tobias Neitzel@qtc_de Java RMI Vulnerabilities Codebase Attacks Fig 6 – Codebase detection of remote-method-guesser
  • 28.
    #BHUSA @BLACKHATEVENTS Tobias Neitzel@qtc_de HashMap<String,RemoteObj> Instance RMIRegistry Listen: 0.0.0.0:1099 ObjID: 0 Listen: 0.0.0.0:4444 ObjID: 1234567890 Instance RemoteMath Client Server Java RMI Vulnerabilities Codebase Attacks SupportedMethods: INumber add(INumber arg1, INumber arg2) bind("math", instance) math IMath 0.0.0.0:4444:ObjID IMath stub = lookup("math") IMath 0.0.0.0:4444:ObjID
  • 29.
    #BHUSA @BLACKHATEVENTS Tobias Neitzel@qtc_de HashMap<String,RemoteObj> Instance RMIRegistry Listen: 0.0.0.0:1099 ObjID: 0 Listen: 0.0.0.0:4444 ObjID: 1234567890 Instance RemoteMath Client Server Java RMI Vulnerabilities Codebase Attacks SupportedMethods: stub.add( (MyNumber)a, (MyNumber)b) 2 I don'tknow MyNumber :( bind("math", instance) math IMath 0.0.0.0:4444:ObjID SupportedMethods: INumber add(INumber arg1, INumber arg2) IMath stub = lookup("math") IMath 0.0.0.0:4444:ObjID
  • 30.
    #BHUSA @BLACKHATEVENTS Tobias Neitzel@qtc_de Java RMI Vulnerabilities Codebase Attacks Fig 7 – Client side codebase illustration Source: https://docs.oracle.com/javase/7/docs/technotes/guides/rmi/codebase.html
  • 31.
    #BHUSA @BLACKHATEVENTS Tobias Neitzel@qtc_de Java RMI Vulnerabilities Codebase Attacks • Accepting client specified codebases was default behaviorup to 2011 • Misconfigurationstill possible (useCodebaseOnly=false), but often not detected (nmap and metasploit modules focus on 2011 endpoints) • For fully up to date RMI servers you usually need to know the signature of a valid remote method or to attackfrom localhost (Details: https://github.com/qtc-de/remote-method-guesser/blob/master/docs/rmg/actions.md#codebase-action ) Fig 7 – Client side codebase illustration Source: https://docs.oracle.com/javase/7/docs/technotes/guides/rmi/codebase.html
  • 32.
    #BHUSA @BLACKHATEVENTS Tobias Neitzel@qtc_de Java RMI Vulnerabilities Codebase Attacks Fig 8 – useCodebaseOnly detection of remote-method-guesser • Even with useCodebaseOnly=false, exploitability depends on additionalfactors (SecurityManager)  Status is Non Default instead of Vulnerable
  • 33.
    #BHUSA @BLACKHATEVENTS Tobias Neitzel@qtc_de Java RMI Vulnerabilities Codebase Attacks Demo
  • 34.
    #BHUSA @BLACKHATEVENTS Localhost Bypass(CVE-2019-2684) Tobias Neitzel @qtc_de Java RMI Vulnerabilities
  • 35.
    #BHUSA @BLACKHATEVENTS Tobias Neitzel@qtc_de Java RMI Vulnerabilities Localhost Bypass(CVE-2019-2684) • Reminder on how RMI servers bind objects to the RMI registry Fig 9 – RMI bind operation HashMap<String,RemoteObj> Instance RMIRegistry Listen: 0.0.0.0:1099 ObjID: 0 Listen: 0.0.0.0:4444 ObjID: 1234567890 Instance RemoteMath Server bind("math", instance) math IMath 0.0.0.0:4444:ObjID
  • 36.
    #BHUSA @BLACKHATEVENTS Tobias Neitzel@qtc_de Java RMI Vulnerabilities Localhost Bypass(CVE-2019-2684) • Reminder on how RMI servers bind objects to the RMI registry • But who is actually allowed to bind? Fig 9 – RMI bind operation HashMap<String,RemoteObj> Instance RMIRegistry Listen: 0.0.0.0:4444 ObjID: 1234567890 Instance RemoteMath Server Listen: 0.0.0.0:1099 ObjID: 0 bind("math", instance) math IMath 0.0.0.0:4444:ObjID
  • 37.
    #BHUSA @BLACKHATEVENTS Tobias Neitzel@qtc_de Java RMI Vulnerabilities Localhost Bypass(CVE-2019-2684) • Reminder on how RMI servers bind objects to the RMI registry • But who is actually allowed to bind?  localhost is! • Each user on the same host as the registry can: • Not a vulnerability, but by design  Create new bound names  Modify existing bound names  Remove bound names Fig 9 – RMI bind operation HashMap<String,RemoteObj> Instance RMIRegistry Listen: 0.0.0.0:4444 ObjID: 1234567890 Instance RemoteMath Server Listen: 0.0.0.0:1099 ObjID: 0 bind("math", instance) math IMath 0.0.0.0:4444:ObjID
  • 38.
    #BHUSA @BLACKHATEVENTS Tobias Neitzel@qtc_de Java RMI Vulnerabilities Localhost Bypass(CVE-2019-2684) • CVE-2019-2684let's you bypass the localhost restriction
  • 39.
    #BHUSA @BLACKHATEVENTS • CVE-2019-2684let'syou bypass the localhost restriction • Reminder on the RMI message structure: Tobias Neitzel @qtc_de Java RMI Vulnerabilities Localhost Bypass(CVE-2019-2684) RMIMessage Structure: Legacy (nowadaysalways -1) Constants version protocol opType objid opNum methodHash methodArgs magic
  • 40.
    #BHUSA @BLACKHATEVENTS • CVE-2019-2684let'syou bypass the localhost restriction • Reminder on the RMI message structure: Tobias Neitzel @qtc_de Java RMI Vulnerabilities Localhost Bypass(CVE-2019-2684) Still used for remote objects that use Skeletons, e.g. rmi-registry Fig 10 – Server side implementation of the bind operation. Access checks are performed in the skeleton only. https://github.com/openjdk/jdk/blob/master/src/java.rmi/share/classes/sun/rmi/registry/RegistryImpl.java#L247 RMIMessage Structure: Legacy (nowadaysalways -1) Constants version protocol opType objid opNum methodHash methodArgs magic
  • 41.
    #BHUSA @BLACKHATEVENTS • CVE-2019-2684let'syou bypass the localhost restriction • Reminder on the RMI message structure: • RMI registry can be called using both:The legacy andthe moderncall technique Tobias Neitzel @qtc_de Java RMI Vulnerabilities Localhost Bypass(CVE-2019-2684) Still used for remote objects that use Skeletons, e.g. rmi-registry Fig 10 – Server side implementation of the bind operation. Access checks are performed in the skeleton only. https://github.com/openjdk/jdk/blob/master/src/java.rmi/share/classes/sun/rmi/registry/RegistryImpl.java#L247 RMIMessage Structure: Legacy (nowadaysalways -1) Constants version protocol opType objid opNum methodHash methodArgs magic
  • 42.
    #BHUSA @BLACKHATEVENTS Tobias Neitzel@qtc_de Java RMI Vulnerabilities Localhost Bypass(CVE-2019-2684)  Check for legacy call  Handle legacy call via Skeleton – RMI registry calls are intended to be handled here  Continue with modern call (no skeleton – and no accesscheckfor the RMI Registry :D) How Java RMI decided when to use a Skeleton up to 2019 Fig 11 – How Java RMI decided when to use Skeletons https://github.com/openjdk/jdk/blob/65db4f42d021444a7cff0f83a86a407a41b16da5/ src/java.rmi/share/classes/sun/rmi/server/UnicastServerRef.java#L279
  • 43.
    #BHUSA @BLACKHATEVENTS Tobias Neitzel@qtc_de Java RMI Vulnerabilities Localhost Bypass(CVE-2019-2684) Fig 12 – Localhost bypass detection of remote-method-guesser
  • 44.
    #BHUSA @BLACKHATEVENTS Tobias Neitzel@qtc_de Java RMI Vulnerabilities Demo Localhost Bypass(CVE-2019-2684)
  • 45.
    #BHUSA @BLACKHATEVENTS Tobias Neitzel@qtc_de Java RMI Vulnerabilities Localhost Bypass(CVE-2019-2684) Always use the Skeleton if one exists Fig 13 – Localhost bypass fix Localhost Bypass Fix https://github.com/openjdk/jdk/blob/master/src/java.rmi/share/classes/sun/rmi/server/UnicastServerRef.java#L281
  • 46.
    #BHUSA @BLACKHATEVENTS JEP 290 TobiasNeitzel @qtc_de Java RMI Vulnerabilities
  • 47.
    #BHUSA @BLACKHATEVENTS • Reminderon the RMI message structure: Tobias Neitzel @qtc_de Java RMI Vulnerabilities JEP 290 RMIMessage Structure: magic version protocol opType objid opNum methodHash methodArgs
  • 48.
    #BHUSA @BLACKHATEVENTS • Reminderon the RMI message structure: Tobias Neitzel @qtc_de Java RMI Vulnerabilities JEP 290 RMIMessage Structure: int short byte int long - int - long - short Compound: int long Serialized Java Objects magic version protocol opType objid opNum methodHash methodArgs
  • 49.
    #BHUSA @BLACKHATEVENTS • Reminderon the RMI message structure: Tobias Neitzel @qtc_de Java RMI Vulnerabilities JEP 290 RMIMessage Structure: int short byte int long - int - long - short Compound: int long Fig 14 - How RMI arguments are unmarshaled (before 2020) read by the RMI server https://github.com/openjdk/jdk/blob/3789983e89c9de252ef546a1b98a732a7d066650 /src/java.rmi/share/classes/sun/rmi/server/UnicastRef.java#L298 magic version protocol opType objid opNum methodHash methodArgs Serialized Java Objects
  • 50.
    #BHUSA @BLACKHATEVENTS • Reminderon the RMI message structure: Tobias Neitzel @qtc_de Java RMI Vulnerabilities JEP 290 RMIMessage Structure: int short byte int long - int - long - short Compound: int long Fig 14 - How RMI arguments are unmarshaled (before 2020) read by the RMI server Deserialization Attacks https://github.com/openjdk/jdk/blob/3789983e89c9de252ef546a1b98a732a7d066650 /src/java.rmi/share/classes/sun/rmi/server/UnicastRef.java#L298 magic version protocol opType objid opNum methodHash methodArgs Serialized Java Objects
  • 51.
    #BHUSA @BLACKHATEVENTS • Reminderon the RMI message structure: Tobias Neitzel @qtc_de Java RMI Vulnerabilities JEP 290 RMIMessage Structure: int short byte int long - int - long - short Compound: int long read by the RMI server Fig 15 - How RMI arguments are unmarshaled (after 2020) No Deserialization Attacks on Strings after 2020 https://github.com/openjdk/jdk/blob/master/src/java.rmi/share/classes/sun/rmi/server/UnicastRef.java#L302 magic version protocol opType objid opNum methodHash methodArgs Serialized Java Objects
  • 52.
    #BHUSA @BLACKHATEVENTS Tobias Neitzel@qtc_de Java RMI Vulnerabilities JEP 290 • Deserializationattack surface on default remote objects: RMI Registry  publicvoid bind(Stringname, Remoteobj)  publicvoid rebind(Stringname, Remote obj)  publicvoid unbind(Stringname)  publicString[] list()  publicRemote lookup(Stringname) DistributedGarbageCollector (DGC – Availableon each RMI endpoint)  publicLease dirty(ObjID[] ids, longsequenceNum, Leaselease))  publicvoid clean( ObjID[] ids, long sequenceNum, VMID vmid, boolean strong) RMI Activator(ActivationSystem – Legacy Component)  publicMarshalledObject activate(ActivationID id, boolean force) Usable for deserialization attacks Usable for deserialization attacks before 2020 Only callable from localhost Callable from everywhere Argument Legend Method Legend
  • 53.
    #BHUSA @BLACKHATEVENTS Tobias Neitzel@qtc_de Java RMI Vulnerabilities JEP 290 • JEP 290 introduced deserializationfilters for the RMI Registry andthe DGC(not for the ActivationSystem) • Corresponding remote-method-guesser enumeration: Fig 16 – JEP290 and Activation System enumeration of remote-method-guesser
  • 54.
    #BHUSA @BLACKHATEVENTS Tobias Neitzel@qtc_de Java RMI Vulnerabilities Demo JEP 290
  • 55.
    #BHUSA @BLACKHATEVENTS JEP 290Bypasses Tobias Neitzel @qtc_de Java RMI Vulnerabilities
  • 56.
    #BHUSA @BLACKHATEVENTS Tobias Neitzel@qtc_de • The RMI Registry andthe DGCallow certain classes to get deserialized  Filter bypasses are possible Java RMI Vulnerabilities JEP 290 Bypasses
  • 57.
    #BHUSA @BLACKHATEVENTS Tobias Neitzel@qtc_de Java RMI Vulnerabilities JEP 290 Bypasses • The RMI Registry andthe DGCallow certain classes to get deserialized  Filter bypasses are possible HashMap<String,RemoteObj> Instance RMIRegistry Listen: 0.0.0.0:1099 ObjID: 0 Listen: 0.0.0.0:4444 ObjID: 1234567890 Instance RemoteMath Server Client bind("math", instance) math IMath 0.0.0.0:4444:ObjID IMath stub = lookup("math") IMath 0.0.0.0:4444:ObjID
  • 58.
    #BHUSA @BLACKHATEVENTS Tobias Neitzel@qtc_de Java RMI Vulnerabilities JEP 290 Bypasses lookup(ysoserial.Payload) HashMap<String,RemoteObj> Instance RMIRegistry Listen: 0.0.0.0:4444 ObjID: 1234567890 Instance RemoteMath Server Client • The RMI Registry andthe DGCallow certain classes to get deserialized  Filter bypasses are possible Listen: 0.0.0.0:1099 ObjID: 0 bind("math", instance) math Exception IMath 0.0.0.0:4444:ObjID
  • 59.
    #BHUSA @BLACKHATEVENTS Tobias Neitzel@qtc_de Java RMI Vulnerabilities JEP 290 Bypasses Protected HashMap<String,RemoteObj> Instance RMIRegistry Listen: 0.0.0.0:4444 ObjID: 1234567890 Instance RemoteMath Server Client • The RMI Registry andthe DGCallow certain classes to get deserialized  Filter bypasses are possible Listen: 0.0.0.0:1099 ObjID: 0 bind("math", instance) math lookup(ysoserial.Payload) Filtered! IMath 0.0.0.0:4444:ObjID
  • 60.
    #BHUSA @BLACKHATEVENTS Exception Tobias Neitzel@qtc_de Java RMI Vulnerabilities JEP 290 Bypasses Protected JRMP Request ysoserial.payload HashMap<String,RemoteObj> Instance RMIRegistry Listen: 0.0.0.0:4444 ObjID: 1234567890 Instance RemoteMath Server Client • The RMI Registry andthe DGCallow certain classes to get deserialized  Filter bypasses are possible Fig 17 - Outbound JRMP Bypass Schema Listen: 0.0.0.0:1099 ObjID: 0 bind("math", instance) math lookup(bypass.Payload) IMath 0.0.0.0:4444:ObjID
  • 61.
    #BHUSA @BLACKHATEVENTS Tobias Neitzel@qtc_de Java RMI Vulnerabilities JEP 290 Bypasses • The RMI Registry andthe DGCallow certain classes to get deserialized  Filter bypasses are possible • JEP290 bypass enumeration – Uses the most recent bypass technique (discovered by @_tint0 in 2019): Fig 18 – JEP290 bypass enumeration of remote-method-guesser
  • 62.
    #BHUSA @BLACKHATEVENTS Tobias Neitzel@qtc_de Java RMI Vulnerabilities Demo JEP 290 Bypasses
  • 63.
    #BHUSA @BLACKHATEVENTS Application Level Attacks TobiasNeitzel @qtc_de Remote Method Guessing
  • 64.
    #BHUSA @BLACKHATEVENTS Remote MethodGuessing Tobias Neitzel @qtc_de int add(intarg1, int arg2) SupportedMethods: • Reminder: Typical RMI call example stub.add(1,1) 2 HashMap<String,RemoteObj> Instance RMIRegistry Listen: 0.0.0.0:1099 ObjID: 0 Listen: 0.0.0.0:4444 ObjID: 1234567890 Instance RemoteMath Client Server bind("math", instance) math IMath 0.0.0.0:4444:ObjID IMath stub = lookup("math") IMath 0.0.0.0:4444:ObjID
  • 65.
    #BHUSA @BLACKHATEVENTS Remote MethodGuessing Tobias Neitzel @qtc_de • Reminder: Typical RMI call example • During blackbox assessments, you don’t know supported methods ??? SupportedMethods: HashMap<String,RemoteObj> Instance RMIRegistry Listen: 0.0.0.0:4444 ObjID: 1234567890 Instance RemoteMath Client Server bind("math", instance) math int add(intarg1, int arg2) Listen: 0.0.0.0:1099 ObjID: 0 IMath 0.0.0.0:4444:ObjID IMath stub = lookup("math") IMath 0.0.0.0:4444:ObjID
  • 66.
    #BHUSA @BLACKHATEVENTS Remote MethodGuessing Tobias Neitzel @qtc_de • Reminder: Typical RMI call example • During blackbox assessments, you don’t know supported methods • You may miss dangerous remote methods ??? int add(intarg1, int arg2) String exec(String cmd) SupportedMethods: HashMap<String,RemoteObj> Instance RMIRegistry Listen: 0.0.0.0:4444 ObjID: 1234567890 Instance RemoteMath Client Server bind("math", instance) math Listen: 0.0.0.0:1099 ObjID: 0 IMath 0.0.0.0:4444:ObjID IMath stub = lookup("math") IMath 0.0.0.0:4444:ObjID
  • 67.
    #BHUSA @BLACKHATEVENTS Remote MethodGuessing Tobias Neitzel @qtc_de Fig 19 – Method Guessing Schema • Reminder: Typical RMI call example • During blackbox assessments, you don’t know supported methods • You may miss dangerous remote methods • Method Guessing: stub.exec(canary) SupportedMethods: HashMap<String,RemoteObj> Instance RMIRegistry Listen: 0.0.0.0:4444 ObjID: 1234567890 Instance RemoteMath Client Server Exception exists not exists bind("math", instance) math Listen: 0.0.0.0:1099 ObjID: 0 int add(intarg1, int arg2) String exec(String cmd) IMath 0.0.0.0:4444:ObjID IMath stub = lookup("math") IMath 0.0.0.0:4444:ObjID
  • 68.
    #BHUSA @BLACKHATEVENTS Tobias Neitzel@qtc_de Fig 20 – Method guessing run of remote-method-guesser https://github.com/qtc-de/remote-method-guesser/blob/master/docs/rmg/method-guessing.md Remote Method Guessing
  • 69.
    #BHUSA @BLACKHATEVENTS • Youmay want to call methods in a regular way (e.g. String exec(String cmd) ) • remote-method-guessercando that: • Server responses are ignored by default. Plugins can be used to process them: https://github.com/qtc-de/remote-method-guesser/blob/master/docs/rmg/plugin-system.md Tobias Neitzel @qtc_de Fig 21 – Calling a method with remote-method-guesser Remote Method Guessing
  • 70.
    #BHUSA @BLACKHATEVENTS Tobias Neitzel@qtc_de Demo Remote Method Guessing
  • 71.
    #BHUSA @BLACKHATEVENTS Application Level Attacks TobiasNeitzel @qtc_de Application Level Deserialization
  • 72.
    #BHUSA @BLACKHATEVENTS Tobias Neitzel@qtc_de Java RMI Vulnerabilities JEP 290 Bypasses Protected HashMap<String,RemoteObj> Instance RMIRegistry Listen: 0.0.0.0:4444 ObjID: 1234567890 Instance RemoteMath Server Client • The RMI Registry andthe DGCare protected by deserialization filters • Applicationlevel method calls aren't! bind("math", instance) math Listen: 0.0.0.0:1099 ObjID: 0 IMath 0.0.0.0:4444:ObjID IMath stub = lookup("math") IMath 0.0.0.0:4444:ObjID
  • 73.
    #BHUSA @BLACKHATEVENTS Tobias Neitzel@qtc_de Java RMI Vulnerabilities JEP 290 Bypasses Protected HashMap<String,RemoteObj> Instance RMIRegistry Listen: 0.0.0.0:4444 ObjID: 1234567890 Instance RemoteMath Server Client • The RMI Registry andthe DGCare protected by deserialization filters • Applicationlevel method calls aren't! stub.add(1,1) 2 bind("math", instance) math Listen: 0.0.0.0:1099 ObjID: 0 IMath 0.0.0.0:4444:ObjID IMath stub = lookup("math") IMath 0.0.0.0:4444:ObjID
  • 74.
    #BHUSA @BLACKHATEVENTS Tobias Neitzel@qtc_de Java RMI Vulnerabilities JEP 290 Bypasses Protected HashMap<String,RemoteObj> Instance RMIRegistry Listen: 0.0.0.0:4444 ObjID: 1234567890 Instance RemoteMath Server Client • The RMI Registry andthe DGCare protected by deserialization filters • Applicationlevel method calls aren't! • Attack requires non primitive argument types 2 int[] addMap(Map<int, int>arg) SupportedMethods: stub.addMap(ysoserial.payload) Fig 22– Application Level Deserialization Schema bind("math", instance) math Listen: 0.0.0.0:1099 ObjID: 0 IMath 0.0.0.0:4444:ObjID IMath stub = lookup("math") IMath 0.0.0.0:4444:ObjID
  • 75.
    #BHUSA @BLACKHATEVENTS Tobias Neitzel@qtc_de Fig 23 – Exploiting application level deserialization with remote-method-guesser Application Level Deserialization
  • 76.
    #BHUSA @BLACKHATEVENTS Tobias Neitzel@qtc_de Demo Application Level Deserialization
  • 77.
    #BHUSA @BLACKHATEVENTS Thank Youfor Your Attention! Tobias Neitzel @qtc_de • https://github.com/qtc-de/remote-method-guesser [Tool itself] • https://github.com/qtc-de/remote-method-guesser/packages/414459 [Example Server] • https://github.com/qtc-de/remote-method-guesser/tree/master/docs [Documentation] • https://mogwailabs.de/de/blog/2019/03/attacking-java-rmi-services-after-jep-290/ [JEP290 and Application Level Deserialization] • https://mogwailabs.de/de/blog/2020/02/an-trinhs-rmi-registry-bypass/ [JEP290 Bypasses] • https://i.blackhat.com/eu-19/Wednesday/eu-19-An-Far-Sides-Of-Java-Remote-Protocols.pdf [RMI Attack Surface Overview] • https://github.com/openjdk/jdk/tree/master/src/java.rmi/share/classes [Java RMI Source Code] • https://docs.oracle.com/javase/7/docs/technotes/guides/rmi/codebase.html [Remote Class Loading] • https://labs.bishopfox.com/tech-blog/rmiscout [Method Guessing] • https://github.com/qtc-de/remote-method-guesser/blob/master/docs/rmg/method-guessing.md [Method Guessing] remote-method-guesser: Java RMI:
  • 78.
    #BHUSA @BLACKHATEVENTS Tobias Neitzel@qtc_de RMI Attack Surface - MindMap Fig 24 – Attack Surface on Java RMI Endpoints