
/**
 * Enterprise Java Rootkits
 *
 * @author Jeff Williams - Aspect Security
 * @since November 13, 2009 – OWASP AppSec
 *
 * @website http://www.aspectsecurity.com
 * @email jeff.williams@aspectsecurity.com
 * @email jeff.williams@owasp.org
 * @twitter @planetlevel
 * @phone 410-707-1487
 */


<!-- The Experiment -->

Experiment:
* One developer
* One week


<!-- Agenda -->

1: public static void present() {
2:   What's a Java Enterprise Rootkit?
3:   Turning Data into Code in the JVM
4:   Hiding from Source Code Analysis (both kinds)
5:   Trojaning Libraries
6:   Owning the Build
7:   Keeping Malicious Java Out
8:   Questions
9: }


<!-- Materials -->

Java a bit rusty? Download the paper!

No social skills? Download the code!

(modified BSD license)

http://www.aspectsecurity.com/documents/EnterpriseJavaRootkits.zip


<!-- What's a Java Enterprise Rootkit? -->

Definition

A Java Enterprise Rootkit is code that makes a malicious payload harder to find.

Security Alert!


<!-- Java Is "Secure"? -->

Disclaimer: Java is an excellent choice for secure enterprise web applications.

Likelihood: No protection, no detection. How many developers touch your application stack?

Impact: What damage could one developer’s code actually do?

Not considering the risk from a malicious developer is reckless.

Hippocratic Oath

Production Alert!

Your developers already have full privilege in production.

Security Alert!


<!-- The Emperor's New Sandbox -->

• "Although Java 2 security is supported, it is disabled by default"

WebSphere 7.0

• "Using a Java Security Manager is an optional security step"

WebLogic 10

• "The security manager is disabled by default"

GlassFish Prelude 3

• "Tomcat can be started with a SecurityManager in place by using the -security option"

Tomcat 6.0

Shields DOWN!

Running without a Java SecurityManager means any code or library can do absolutely anything!

Security Alert!

<!-- Turning Data into Code in the JVM -->

/* Hiding Data*/

byte[] b = { 0x41, 0x54, 0x22, 0x24, 0x85, … };

a.foo() + b + c.bar();

new sun.misc.BASE64Decoder().decode(b);

request.getHeader( Bean.CONSTANT );

s.executeQuery( "SELECT * FROM BAD" ).getString(1);

@Override toString() anywhere and call "" + o;


/* Writing Bytecode */


/* Abusing the Java Compiler API */


/* Abusing the JSP Compiler */


/* Abusing the ClassLoader */
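To make the two slides above (the Java Compiler API and the ClassLoader) concrete, here is an added example that is not the paper's code and not from its code bundle. It compiles a Java source string that exists only as a Base64 literal, entirely in memory with javax.tools.JavaCompiler, then hands the resulting bytes to a throwaway ClassLoader subclass that calls defineClass. The class name Hidden, the payload and the Base64 literal are constructed for this example; it needs a JDK at runtime, since ToolProvider.getSystemJavaCompiler() returns null on a bare JRE.

```java
import java.io.ByteArrayOutputStream;
import java.io.OutputStream;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.List;
import java.util.function.Supplier;
import javax.tools.FileObject;
import javax.tools.ForwardingJavaFileManager;
import javax.tools.JavaCompiler;
import javax.tools.JavaFileManager;
import javax.tools.JavaFileObject;
import javax.tools.SimpleJavaFileObject;
import javax.tools.StandardJavaFileManager;
import javax.tools.ToolProvider;

/** Added example: a Base64 string becomes a running class without touching disk. */
public class DataToCode {

    // Constructed payload. It is Base64-encoded here at startup so the example is
    // self-contained; a real rootkit would paste the literal and keep no source at all.
    static final String PAYLOAD_B64 = Base64.getEncoder().encodeToString((
            "public class Hidden implements java.util.function.Supplier<String> {"
          + "  public String get() { return \"payload ran inside the JVM\"; }"
          + "}").getBytes(StandardCharsets.UTF_8));

    /** javax.tools.JavaCompiler driven entirely from memory: source in, class bytes out. */
    static byte[] compileInMemory(String className, String source) throws Exception {
        JavaCompiler javac = ToolProvider.getSystemJavaCompiler();
        if (javac == null) throw new IllegalStateException("a JDK (not a JRE) is required");

        JavaFileObject src = new SimpleJavaFileObject(
                URI.create("string:///" + className + ".java"), JavaFileObject.Kind.SOURCE) {
            @Override public CharSequence getCharContent(boolean ignoreEncodingErrors) { return source; }
        };
        ByteArrayOutputStream classBytes = new ByteArrayOutputStream();
        try (StandardJavaFileManager std = javac.getStandardFileManager(null, null, null);
             JavaFileManager mem = new ForwardingJavaFileManager<JavaFileManager>(std) {
                 @Override public JavaFileObject getJavaFileForOutput(JavaFileManager.Location loc,
                         String name, JavaFileObject.Kind kind, FileObject sibling) {
                     // Redirect the .class output into our buffer instead of a file.
                     return new SimpleJavaFileObject(URI.create("mem:///" + name + ".class"), kind) {
                         @Override public OutputStream openOutputStream() { return classBytes; }
                     };
                 }
             }) {
            boolean ok = javac.getTask(null, mem, null, null, null, List.of(src)).call();
            if (!ok) throw new IllegalStateException("compilation failed");
        }
        return classBytes.toByteArray();
    }

    /** A throwaway ClassLoader whose only job is to call defineClass on bytes we hand it. */
    static Class<?> defineFromBytes(String className, byte[] bytes) throws ClassNotFoundException {
        ClassLoader loader = new ClassLoader(DataToCode.class.getClassLoader()) {
            @Override protected Class<?> findClass(String name) throws ClassNotFoundException {
                if (!name.equals(className)) throw new ClassNotFoundException(name);
                return defineClass(name, bytes, 0, bytes.length);
            }
        };
        return loader.loadClass(className);
    }

    public static void main(String[] args) throws Exception {
        String source = new String(Base64.getDecoder().decode(PAYLOAD_B64), StandardCharsets.UTF_8);
        byte[] classFile = compileInMemory("Hidden", source);
        Class<?> hidden = defineFromBytes("Hidden", classFile);
        @SuppressWarnings("unchecked")
        Supplier<String> payload = (Supplier<String>) hidden.getDeclaredConstructor().newInstance();
        System.out.println(payload.get());
        // No Hidden.java and no Hidden.class ever exists on disk, so a file-based scan sees nothing.
    }
}
```

The check this suggests for a reviewer: an enterprise application has no business compiling at runtime, so any reference to javax.tools.ToolProvider, a ClassLoader subclass, or ClassLoader.defineClass in application code is a finding, whatever the surrounding comments say.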

/* Abusing the Java Instrumentation API */

<!-- Hiding from Source Code Analysis -->


/* PsyOps */

1: // Good code reviewers make assumptions
2: // You can easily mislead them
3:
4: Use misleading method, variable, and class names
5: Use misleading comments
6: Make well-known methods do the wrong thing
7: Use http://www.javapuzzlers.com/
8: Add a @SuppressWarnings annotation to your attack!
9:


/* Abusing Overpowerful Methods */


/* Abusing Reflection 1 */


/* Abusing Reflection 2 */


/* Abusing Code Formatting */

Puzzler!

Try decoding the real encoded (and obfuscated) Java file at: http://extrods.googlecode.com/svn/trunk/clients/jargon/src/api/edu/sdsc/grid/io/Lucid.java

Security Alert!


/* More Code Formatting */

Free Tools!

The code for this paper includes tools to encode and decode Java source code using this method.

Security Alert!
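The page does not say which encoding its tools use, so the added example below, which is not from the paper's code bundle, assumes the standard Java mechanism behind this class of trick: \uXXXX Unicode escapes. javac translates them before it tokenizes (JLS 3.3), so an escape such as \u000a (line feed) inside a // comment ends the comment and whatever follows on the "same" line is compiled as code. The encoder and decoder are written for this page, and the decoder handles the two edge cases javac does: a backslash only starts an escape when preceded by an even number of backslashes, and more than one u is allowed. The sample line in main is constructed.

```java
/** Added example: encode and decode Java source as Unicode escapes, the way javac reads them. */
public class UnicodeEscapes {

    /** Turn every character into an escape; javac compiles the result exactly as before. */
    static String encode(String source) {
        StringBuilder out = new StringBuilder(source.length() * 6);
        for (int i = 0; i < source.length(); i++) {
            out.append(String.format("\\u%04x", (int) source.charAt(i)));
        }
        return out.toString();
    }

    /** Undo the translation the same way javac does, before any tokenizing. */
    static String decode(String source) {
        StringBuilder out = new StringBuilder(source.length());
        int i = 0, n = source.length();
        while (i < n) {
            if (source.charAt(i) != '\\') { out.append(source.charAt(i++)); continue; }
            // Count the run of backslashes. A backslash can start an escape only if it is
            // preceded by an even number of backslashes, i.e. the run length is odd.
            int j = i;
            while (j < n && source.charAt(j) == '\\') j++;
            int run = j - i;
            if (run % 2 == 0 || j >= n || source.charAt(j) != 'u') {
                out.append(source, i, j);   // plain backslashes, e.g. an escaped backslash followed by u
                i = j;
                continue;
            }
            out.append(source, i, j - 1);   // the even prefix stays literal
            int k = j;
            while (k < n && source.charAt(k) == 'u') k++;   // repeated u's are legal
            if (k + 4 > n) throw new IllegalArgumentException("truncated unicode escape at index " + i);
            int cp = 0;
            for (int h = k; h < k + 4; h++) {
                int d = Character.digit(source.charAt(h), 16);
                if (d < 0) throw new IllegalArgumentException("illegal unicode escape at index " + i);
                cp = cp * 16 + d;
            }
            out.append((char) cp);
            i = k + 4;
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: the reviewer sees a comment; javac sees a statement, because the
        // escape for U+000A (line feed) terminates the // comment before tokenizing starts.
        String onDisk = "// nothing to see here \\u000a System.out.println(\"ran anyway\");";
        System.out.println("reviewer sees : " + onDisk);
        System.out.println("javac sees    : " + decode(onDisk));

        // Round trip of a fully encoded source fragment.
        String fullyEncoded = encode("class X { }");
        System.out.println(fullyEncoded);
        if (!decode(fullyEncoded).equals("class X { }")) throw new AssertionError("round trip failed");
    }
}
```

Running decode over a tree before review, or simply rejecting any source file that contains a backslash-u sequence outside a string literal, removes this whole class of hiding place; a grep for the escape sequence is a cheap first pass.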


/* Abusing Java EE Filters */


Easier and Easier!

In the latest servlet specification, 3.0, you can register servlets and filters programmatically (ServletContext.addServlet / addFilter), so nothing about them appears in web.xml!

Security Alert!
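The registration described above, as an added example written for this page against the javax.servlet 3.0 API (it is not the paper's code). The listener, the filter name "telemetry", the class names and the log-only filter body are constructed; the audit method at the end is the check a reviewer would want, because it lists every registered filter with the class behind it, which is how a filter that is absent from web.xml shows up. It assumes annotation scanning is on (web.xml without metadata-complete="true").

```java
import java.io.IOException;
import java.util.EnumSet;
import java.util.Map;
import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.FilterRegistration;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpServletRequest;

/** Added example: a filter that appears in no web.xml, plus the audit that finds it. */
@WebListener
public class QuietFilterInstaller implements ServletContextListener {

    /** The filter itself. It sits in front of every request, credentials included; this one only logs. */
    public static class QuietFilter implements Filter {
        @Override public void init(FilterConfig cfg) {}
        @Override public void destroy() {}
        @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest http = (HttpServletRequest) req;
            // Placeholder body: a rootkit would read Authorization headers or session cookies
            // here. This example only records that it saw the request.
            http.getServletContext().log("QuietFilter saw " + http.getMethod() + " " + http.getRequestURI());
            chain.doFilter(req, res);
        }
    }

    @Override public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        // Servlet 3.0: registration by code, so the deployment descriptor never mentions it.
        FilterRegistration.Dynamic reg = ctx.addFilter("telemetry", QuietFilter.class);
        // isMatchAfter=false puts this mapping ahead of the filters declared in web.xml.
        reg.addMappingForUrlPatterns(EnumSet.of(DispatcherType.REQUEST), false, "/*");
        auditFilters(ctx);
    }

    @Override public void contextDestroyed(ServletContextEvent sce) {}

    /** Defensive check: log every registered filter and its class so the ones not in
     *  web.xml stand out. Run it at startup or from an operator-only health endpoint. */
    static void auditFilters(ServletContext ctx) {
        for (Map.Entry<String, ? extends FilterRegistration> e : ctx.getFilterRegistrations().entrySet()) {
            FilterRegistration r = e.getValue();
            ctx.log("filter " + e.getKey() + " -> " + r.getClassName() + " on " + r.getUrlPatternMappings());
        }
    }
}
```

Comparing the audit output against the filters declared in web.xml is the whole check; a name like "telemetry" with a class nobody recognises is the finding. Remember the same registration can be done from a ServletContainerInitializer shipped inside any jar on the classpath, which is why the library checks later in this deck matter.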


/* Abusing Taint Tracing 1 */


/* Abusing Taint Tracing 2 */


/* Abusing Control Flow Analysis */


/* Abusing Timing Channels */

[diagram: timing channel, labelled SEND and RECV]


/* Trojaning Popular Libraries */


/* Trojaning Class Files */

Thank You Sun!

Making the ByteCode Engineering Library (BCEL) available right in rt.jar (repackaged under com.sun.org.apache.bcel.internal) makes things much easier!

Security Alert!


/* Trojaning Jar Files */

Signing?

With a bit more code you can generate a signed jar

Security Alert!


/* Trojaning Java Installation */

Bonus!

Put files in the JRE's lib/ext directory and they are automatically on the classpath AND get AllPermission for ALL applications, because the default java.policy grants it to everything under java.ext.dirs!

Security Alert!


<!-- Owning the Build -->


/* "Reflections on Trusting Trust" */

“To what extent should one trust a statement that a program is free of Trojan horses? Perhaps it is more important to trust the people who wrote the software.”

“The moral is obvious. You can’t trust code that you did not totally create yourself. (Especially code from companies that employ people like me.)”

Ken Thompson, 1984

http://cm.bell-labs.com/who/ken/trust.html


<!-- What Happened to javac? -->

1: Maven, Hudson, Subversion, Sonar – Default install
   Hudson core: 103 open source projects
   Hudson dependencies: ~50 open source projects
   Maven core: ~15 open source projects
   Nexus core: 86 open source projects
   Subversion: ~3 open source projects
   Sonar: ~100 open source projects

2: Overall
   Over 16 million lines of code
   503 open source projects involved

Vulnerable?

Two hours looking at Hudson resulted in 6 XSS and 4 CSRF…

http://host/hudson/computer/(master)/script?script=Runtime.getRuntime().exec("notepad")

Security Alert!


/* Abusing Build Tasks */

Remote!

Remember, this will run on the build server and likely on every developer’s machine!

Security Alert!


/* Abusing Test Cases */


/* Abusing Dependency Resolution */
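For the "Signing?" point under Trojaning Jar Files and for dependency resolution here, an added example (written for this page, not from the paper's bundle) of two checks a build can run over its resolved jars before trusting them. The first compares each jar's SHA-256 against a lock file written when the jar was last reviewed; the second requires every class and resource entry to carry a valid signature from one pinned certificate, since a signed jar only proves that somebody signed it. The lock file format (one filename=sha256 per line), the directory layout and the command-line arguments are constructed; the certificate fingerprint to pin comes from keytool -printcert -jarfile on a known-good copy.

```java
import java.io.InputStream;
import java.nio.file.DirectoryStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.CodeSigner;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/** Added example: two checks a build runs on resolved dependencies before trusting them. */
public class JarTrust {

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    static String sha256(byte[] data) throws Exception {
        return hex(MessageDigest.getInstance("SHA-256").digest(data));
    }

    /** Lock file format (constructed for this example): one "filename=sha256" per line. */
    static Map<String, String> readLock(Path lockFile) throws Exception {
        Map<String, String> lock = new HashMap<>();
        for (String line : Files.readAllLines(lockFile)) {
            line = line.trim();
            if (line.isEmpty() || line.startsWith("#")) continue;
            int eq = line.indexOf('=');
            if (eq < 0) throw new IllegalArgumentException("bad lock line: " + line);
            lock.put(line.substring(0, eq).trim(), line.substring(eq + 1).trim().toLowerCase());
        }
        return lock;
    }

    /** Check 1: the bytes resolved now are the bytes that were reviewed. */
    static boolean matchesLock(Path jar, Map<String, String> lock) throws Exception {
        String expected = lock.get(jar.getFileName().toString());
        return expected != null && expected.equals(sha256(Files.readAllBytes(jar)));
    }

    /** Check 2: every non-META-INF entry is validly signed by the pinned certificate.
     *  Anyone can sign a jar, so the pin, not the signature, is what carries trust. */
    static boolean signedByPinnedCert(Path jar, String pinnedCertSha256) throws Exception {
        String pin = pinnedCertSha256.replace(":", "").toLowerCase();
        try (JarFile jf = new JarFile(jar.toFile(), true)) {   // true = verify signatures
            for (Enumeration<JarEntry> en = jf.entries(); en.hasMoreElements();) {
                JarEntry entry = en.nextElement();
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) continue;
                // Signers are only known once the entry has been read to the end; a tampered
                // entry fails its digest check and throws SecurityException here.
                try (InputStream in = jf.getInputStream(entry)) { in.readAllBytes(); }
                catch (SecurityException tampered) { return false; }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) return false;            // unsigned entry
                boolean pinned = false;
                for (CodeSigner s : signers) {
                    Certificate leaf = s.getSignerCertPath().getCertificates().get(0);
                    if (sha256(leaf.getEncoded()).equals(pin)) pinned = true;
                }
                if (!pinned) return false;                    // signed, but by someone else
            }
        }
        return true;
    }

    /** Usage: java JarTrust <lib dir> <lock file> <pinned cert SHA-256 fingerprint> */
    public static void main(String[] args) throws Exception {
        Path libDir = Paths.get(args[0]);
        Map<String, String> lock = readLock(Paths.get(args[1]));
        boolean allGood = true;
        try (DirectoryStream<Path> jars = Files.newDirectoryStream(libDir, "*.jar")) {
            for (Path jar : jars) {
                boolean hashOk = matchesLock(jar, lock);
                boolean sigOk = signedByPinnedCert(jar, args[2]);
                System.out.println(jar.getFileName() + " hash=" + hashOk + " signer=" + sigOk);
                allGood &= hashOk && sigOk;
            }
        }
        if (!allGood) System.exit(1);   // fail the build, not just the log
    }
}
```

The hash check catches a dependency that changed underneath the build, including a repository that resolved a different artifact for the same coordinates; the signer check catches a jar that is intact and validly signed but by a key nobody in the organisation vetted. Neither says anything about the first version you reviewed, which is still a human job.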


<!-- Keeping Malicious Java Out -->


<!-- Building Trust -->

1: Limit the Number of Developers
2: Find Trustworthy Developers
3: Limit Trust During Coding
4: Limit Trust in Your Build Process
5: Limit Trust in Operations
6: Create Overlapping Trust
7: Detect Malicious Code

Plausible Deniability!

After all this, the safest attack is to make a backdoor look like an inadvertent programming error, such as one of the OWASP Top Ten vulnerabilities.

Security Alert!


<!-- Tempted? -->


/**
 * Questions?
 *
 * Jeff Williams - Aspect Security
 * @email jeff.williams@aspectsecurity.com
 * @email jeff.williams@owasp.org
 * @twitter @planetlevel
 */


Questions and Answers