OWASP
Profile
Principal Security Consultant at Corsaire
Anti-Virus Analyst for Sophos Plc
Ministry of Defence (Level 1 Security Clearance)
BSc 1st Class (Hons) Software Engineering
Big Java fan: check out OWASP Java Gotchas!
Agenda
What is Remote Method Invocation (RMI)?
RMI Architecture
Attacking an RMI service with RMI Spy
Securing RMI services
What is RMI?
Communication between two JVMs over a network
Exports functionality at the object level
Remote clients deal with objects as if they were local
RMI Architecture
Client (Interface) Object <--- JRMP over TCP/IP ---> Server (Implementation) Object
RMI Registry
Used for looking up objects
Servers register their objects
Clients use it to find and obtain remote references
Runs on port 1099 by default
Registry
Created by:
rmiregistry <port no>   (rmiregistry.exe on Windows)
or
LocateRegistry.createRegistry(int portNo)
The Interface / Method Hash
64-bit hash (truncated SHA-1)
The method name followed by its method descriptor is the message that gets hashed
Example:
void myRemoteMethod(int i, Object o, boolean b)
myRemoteMethod(ILjava/lang/Object;Z)V
0xB7B6B5B4B3B2B1B0
Hash weakness
An attacker can pre-calculate hashes if they know the API details
Only 64 bits: brute force, rainbow tables
Today's RMI service... only hosting 3 methods. Let's attack it.... LIVE!
Methodology for a 0-day RMI assessment
Step 1: Enumerate bound object names
Step 2: Determine stub name
Step 3: Enumerate method hashes
Step 4: Determine method prototypes
Step 5: Create stub
Step 1: Enumerate bound objects
Use your own scanning tools to detect an RMI service
Identify the objects bound to the port that we can talk to
Easily done using the java.rmi package
Step 2: Determine stub name
The correct stub name is required so we can talk to the RMI service
Use RMISpyStubName to establish the correct stub name
Rename the template
Step 3: Enumerate key / method hashes
The hashes are calculated from the method descriptors
The hash is a signed 64-bit value
Remember, only one hash (the interface hash) for protocol v1.1
Add the hash to the template
Hashes can be pre-calculated
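As an added example (not code from the talk or from RMI Spy), the Python below reproduces how the JDK derives the 64-bit method hash from a method's name and descriptor, which is why, as the Hash weakness and Step 3 slides note, the hashes of a known API can be pre-calculated; a defender can run the same computation over their own remote interface to know which hash values to expect in captured JRMP traffic. The function names, the type-name mapping and the sample interface are constructed for this illustration, and it assumes ASCII identifiers, for which Java's modified UTF-8 is identical to UTF-8.

```python
import hashlib
import struct

# JVM descriptors for Java primitive types; any other type name is treated as a
# class and becomes L<binary name>; with '.' replaced by '/'.
_PRIMITIVES = {
    "void": "V", "boolean": "Z", "byte": "B", "char": "C", "short": "S",
    "int": "I", "long": "J", "float": "F", "double": "D",
}


def type_descriptor(java_type: str) -> str:
    """Translate a Java type name such as 'java.lang.String[]' into its JVM descriptor."""
    dims = 0
    while java_type.endswith("[]"):
        java_type = java_type[:-2]
        dims += 1
    base = _PRIMITIVES.get(java_type) or "L" + java_type.replace(".", "/") + ";"
    return "[" * dims + base


def method_descriptor(name: str, params: list, returns: str) -> str:
    """Build the 'name(paramDescriptors)returnDescriptor' string that RMI hashes."""
    return name + "(" + "".join(type_descriptor(p) for p in params) + ")" + type_descriptor(returns)


def rmi_method_hash(descriptor: str) -> int:
    """JRMP 1.2 method hash: SHA-1 over DataOutputStream.writeUTF(descriptor), with the
    first 8 digest bytes assembled least-significant-byte first into a signed Java long."""
    data = descriptor.encode("utf-8")  # modified UTF-8 equals UTF-8 for ASCII identifiers (assumption)
    framed = struct.pack(">H", len(data)) + data  # writeUTF prefixes a 2-byte big-endian length
    digest = hashlib.sha1(framed).digest()
    return int.from_bytes(digest[:8], "little", signed=True)


def interface_hashes(methods) -> dict:
    """Map each (name, params, return type) of a remote interface to {descriptor: hash}."""
    return {method_descriptor(n, p, r): rmi_method_hash(method_descriptor(n, p, r))
            for n, p, r in methods}


if __name__ == "__main__":
    # Constructed sample interface: the slide's example method plus two registry-style methods.
    sample = [
        ("myRemoteMethod", ["int", "java.lang.Object", "boolean"], "void"),
        ("lookup", ["java.lang.String"], "java.rmi.Remote"),
        ("list", [], "java.lang.String[]"),
    ]
    for desc, h in interface_hashes(sample).items():
        print(f"{desc:45} {h:21d}  0x{h & 0xFFFFFFFFFFFFFFFF:016X}")
```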
Step 5: Creating the stub
Detail has been added at each stage; we now have enough for a fully working custom client!
The service is now ready to fingerprint in more detail
By using the business logic layer we can determine LOTS more detail
Can rely on the developer getting it wrong to establish more detail
Keys are insufficient
Chances are you won't notice an attacker until a correct client has been constructed
Modify the method hashes
Java Authentication and Authorization Service (JAAS)
Packet sniffer
RMI call parser
Pull keys from the wire
Pull objects from the wire and assess them
Modify objects on the fly
Dynamic invocation
Fuzzing
Exception handler (what is the server telling us?)
Multi-threading
Hash attack (possibly C++ and packet based)
RMI Spy
Only tool in (known) existence to attack RMI services
Questions