Post on 05-Dec-2014
description
ATTACK & DEFENSE
labs
Attacking JAVA Serialized CommunicationManish S. Saindane
ATTACK & DEFENSE labs
Who am I ?
• Security Researcher
– Working as a Lead Application Security Specialist for an international software development and services company
– Likes to research on security issues in software
– Follow me @ blog.andlabs.org
Black Hat Europe 2010 2
ATTACK & DEFENSE labs
Agenda
• JAVA Object Serialization Basics
• The Current Scenario & Challenges Faced
• Suggested Solution
• Demo
Black Hat Europe 2010 3
ATTACK & DEFENSE labs
Objectives
• Simplify the penetration testing process of thick clients and make it completely seamless
• Enable the pentester to edit JAVA objects in the same way that a developer would
• Enable all of this using the currently available tools
Black Hat Europe 2010 4
ATTACK & DEFENSE labs
Black Hat Europe 2010 5
JAVA Object Serialization Basics
ATTACK & DEFENSE labs
JAVA Object Serialization
• Protocol implemented by SUN for converting JAVA objects into a stream of bytes to be
– Stored in a file
– Transmitted across a network
• The serialized form contains sufficient information such that it can be restored to an identical clone of the original JAVA object
Black Hat Europe 2010 6
ATTACK & DEFENSE labs
JAVA Object Serialization cont’d
• Objects can be written using the writeObject()
method provided by the ObjectOutput interface
• Objects can be retrieved using the readObject()method provided by the ObjectInput interface
• The ObjectOutputStream and ObjectInputStreamclasses implement the above interfaces respectively
Black Hat Europe 2010 7
ATTACK & DEFENSE labs
JAVA Object Serialization cont’d
• JAVA Object Serialized data can be easily identified by the 0xac 0xed stream header (also called as the magic number)
Black Hat Europe 2010 8
ATTACK & DEFENSE labs
• If the object in the stream is a java.lang.String, it is encoded in a modified UTF-8 format and preceded by a 2-byte length information
• Make sure you read section 5.6 of the JAVA Object Serialization specification before modifying the objects
JAVA Object Serialization cont’d
Black Hat Europe 2010 9
ATTACK & DEFENSE labs
Black Hat Europe 2010 10
The Current Scenario&
Challenges Faced
ATTACK & DEFENSE labs
So what do we have ?
• Current tools or application interception proxies allow very limited functionality to test such data
• Not as easy or straightforward as testing regular web applications sending data in request parameters
• Some work has been done in the past to improve the situation. Let’s have a look at some of these methods
Black Hat Europe 2010 11
ATTACK & DEFENSE labs
Modifying Raw HEX
• One of the most basic techniques is to modify the raw HEX data using a HEX editor
• This is very limited and can be used to modify simple integers or string values in the raw data
• Isn’t really practical to inspect or modify complex objects
Black Hat Europe 2010 12
ATTACK & DEFENSE labs
Modifying Raw HEX cont’d
• Modifying raw data may result in a corrupted Serialized byte stream
• Make sure to modify the length information if you edit some string value as discussed earlier
• Existing interception proxies usually have very basic HEX editors hence working with them becomes difficult
Black Hat Europe 2010 13
ATTACK & DEFENSE labs
Decompiling Class Files
• This can allow us to carefully study the application logic
• Hardcoded values, sensitive functions, crypto algorithms, etc. can be identified and used for attacks
• Decompiling may not be straight forward for applications making use of strong obfuscation techniques
Black Hat Europe 2010 14
ATTACK & DEFENSE labs
Decompiling Class Files cont’d
• Popular decompilers like JAD, JD, Jode and DJ Java Decompiler may be used for simple obfuscated classes
• Editing signed jars may be difficult
Black Hat Europe 2010 15
ATTACK & DEFENSE labs
Assessing JAVA Clients with BeanShell
• This was a technique developed by Stephen D’ Vires from Corsaire
• It made use of the BeanShell scripting language that was plugged into the client
• Could be handy in identifying client-side security controls
Black Hat Europe 2010 16
ATTACK & DEFENSE labs
Assessing JAVA Clients with BeanShell cont’d
• The pentester must be comfortable writing JAVA code to use this technique
• The scope of this technique is too broad for our use i.e. to tamper the serialized data
Black Hat Europe 2010 17
ATTACK & DEFENSE labs
Runtime Protocol Analysis (RPA)
• This was presented by Shay Chen from Hacktics at an OWASP Israel meet
• He spoke about creating a custom runtime protocol analyzer to read data from JAVA serialized objects
• The object once read, could then be analyzed and modified
Black Hat Europe 2010 18
ATTACK & DEFENSE labs
Runtime Protocol Analysis (RPA) cont’d
• The way this works is:
– Sniff traffic over the network
– Split each request/response into individual packets
– Modify the destination URL or Host within the packet with a HEX editor to a local server (protocol analyzer)
– Send it to the Protocol Analyzer using netcat
• The protocol analyzer is customized code written to suit the protocol used to transfer the object
Black Hat Europe 2010 19
ATTACK & DEFENSE labs
Runtime Protocol Analysis (RPA) cont’d
• This only drawback is that it is not completely seamless
– Too many steps involved
– Takes some time to setup
– The protocol analyzer has to be modified and compiled each time for different scenarios
• But this is the technique that suffices our needs to a certain extent
Black Hat Europe 2010 20
ATTACK & DEFENSE labs
Black Hat Europe 2010 21
Suggested Solution
ATTACK & DEFENSE labs
Solution
Black Hat Europe 2010 22
JRuby Shell
Interception Proxy
Thick Client Application
Application Server
ATTACK & DEFENSE labs
Setup Needed
• Tools we need
– JRuby version 1.4.0
– BurpSuite version 1.2.x
– Buby version 1.8.x
– Any text editor
Black Hat Europe 2010 23
ATTACK & DEFENSE labs
Why JRuby ?
• Why not a pure Java plug-in. Why JRuby?
– Easier syntax, hence easy to learn
– Can call almost all JAVA libraries
– Provides an interactive shell (jirb)
– Dynamic Type Language
Black Hat Europe 2010 24
ATTACK & DEFENSE labs
Advantages
• Adds the ability of modifying JAVA objects on-the-fly
• Ease of use – makes the whole process seamless
• Hooks a JAVA development environment in your interception proxy
• Can be used for other stuff too ….. Just be a bit creative ;)
Black Hat Europe 2010 25
ATTACK & DEFENSE labs
Black Hat Europe 2010 26
Demo
ATTACK & DEFENSE labs
References
• Chen, S. (2008). Achilles’ heel – Hacking Through Java Protocols. OWASP Israel.Herzliya.
• Monti, E. (n.d.). Buby. Retrieved from http://emonti.github.com/buby/
• Sun Microsystems. (n.d.). Java Object Serialization Specification. Retrieved from sun.com: http://java.sun.com/javase/6/docs/platform/serialization/spec/serialTOC.html
• Vries, S. d. (2006, June 15). Assessing JAVA Clients with the BeanShell. Retrieved from Corsaire: http://research.corsaire.com/whitepapers/060816-assessing-java-clients-with-the-beanshell.pdf
Black Hat Europe 2010 27
ATTACK & DEFENSE labs
Big Thanks To
• For the work done that helped me build this:
– Shay Chen
– Eric Monti
• And of course for testing & review:
– Lavakumar Kuppan
– Luca Carettoni
Black Hat Europe 2010 28
If I have seen further it is only by standing on the shoulders of giants.
- Sir Isaac Newton
ATTACK & DEFENSE labs
Black Hat Europe 2010 29
Questions ??
ATTACK & DEFENSE labs
Black Hat Europe 2010 30
Thank You
Contact me:manish (-at-) andlabs.org