
Security Assessing Java RMI

OWASP

Adam Boulton
OWASP Contributor
Corsaire
Adam.Boulton@corsaire.com
+44 1483 746700

24th Sept 2008


Copyright The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

The OWASP Foundation


http://www.owasp.org

Profile
Principal Security Consultant at Corsaire
Anti-Virus Analyst for Sophos Plc
Ministry of Defence (Level 1 Security Clearance)
BSc 1st Class (Hons) Software Engineering
Big Java fan; check out OWASP Java Gotchas!

Agenda
What is Remote Method Invocation (RMI)?
RMI Architecture
Attacking an RMI service with RMI Spy
Securing RMI services


What is RMI?
Distributed computing solution
  All about remote objects
Part of the core JDK platform since 1.1
  java.rmi package
Not familiar? Think:
  Microsoft .NET Remoting
  RPC
  CORBA

What is RMI?
Communicating between two JVMs over a network
Export functionality at the object level
  Remote clients deal with objects as if they were local
RMI uses object serialization
  Your custom classes must implement the Serializable interface so they can be distributed
  Primitives are just sent by value


What is RMI?
Transparent solution
  All underlying network functionality is handled for you
RMI Specification states:
  "Make writing reliable distributed applications as simple as possible"
Increases the risk that services are implemented insecurely
  Security through obscurity


RMI Architecture
[Diagram] Client (interface) object <-> Server (implementation) object, communicating over JRMP on TCP/IP

RMI Registry
Used for looking up objects
Servers register their objects
Clients use it to find and obtain remote references
Runs on port 1099 by default


RMI tools
RMIC (rmic.exe)
  Special compiler that creates the stub and skeleton
Registry
  Created by:
    rmiregistry.exe <port no>
  Or:
    LocateRegistry.createRegistry(int portNo)


The Interface / Method Hash
64-bit hash (SHA-1)
Method name + method descriptor used as the message
Example:
  void myRemoteMethod(int i, Object o, boolean b)
  myRemoteMethod(ILjava/lang/Object;Z)V
  0xB7B6B5B4B3B2B1B0


Hash weakness
An attacker can pre-calculate hashes if they know the API details
64-bit
  Brute-force
  Rainbow tables
Due to the implementation it doesn't even appear to actually be 64 bits!
  Still doing the analysis

RMI server secrets...
An attacker's shopping list:
  Bound object names
  Stub name
  Static signed 64-bit key(s)
  Method prototypes (interface)
  The ability to code a client!


Today's RMI service...
Only hosting 3 methods
Let's attack it... LIVE!


Methodology for a 0-day RMI assessment
Step 1: Enumerate bound object names
Step 2: Determine stub name
Step 3: Enumerate method hashes
Step 4: Determine method prototypes
Step 5: Create stub

Step 1: Enumerate bound objects
Use your own scanning tools to detect an RMI service
Identify objects which are bound to the port that we can talk to
Easily done using the java.rmi package


Step 2: Determine stub name
The correct stub name is required so we can talk to the RMI service
Use RMISpyStubName to establish the correct stub name
Rename the template


Step 3: Enumerate key / method hashes
The hashes are calculated by using method descriptors
  The signed 64-bit value
Remember, only 1 hash for v1.1
Add the hash to the template
Hashes can be pre-calculated
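As an added example (not code from the slides or from RMI Spy), the following Python reproduces how the method hash introduced on the "Interface / Method Hash" slide and used in this step is derived from a method's name and descriptor, which makes the point for defenders that the value is deterministic and computable by anyone who knows the interface. The writeUTF framing and little-endian assembly of the first eight digest bytes are taken from the RMI wire-protocol specification and are assumptions here, as are the helper names.

```python
import hashlib
import struct

# JVM descriptors for Java primitive types (subset sufficient for the slide's example).
PRIMITIVE_DESCRIPTORS = {
    "void": "V", "boolean": "Z", "byte": "B", "char": "C", "short": "S",
    "int": "I", "long": "J", "float": "F", "double": "D",
}


def type_descriptor(java_type: str) -> str:
    """Map a Java type name ('int', 'java.lang.Object', 'byte[]') to its
    JVM descriptor ('I', 'Ljava/lang/Object;', '[B')."""
    dims = 0
    while java_type.endswith("[]"):
        java_type = java_type[:-2]
        dims += 1
    base = PRIMITIVE_DESCRIPTORS.get(java_type) or "L" + java_type.replace(".", "/") + ";"
    return "[" * dims + base


def method_signature(name: str, param_types, return_type: str) -> str:
    """Build the 'name(params)return' string that RMI feeds into SHA-1,
    e.g. myRemoteMethod(ILjava/lang/Object;Z)V for the slide's example."""
    params = "".join(type_descriptor(t) for t in param_types)
    return f"{name}({params}){type_descriptor(return_type)}"


def rmi_method_hash(signature: str) -> int:
    """Derive the signed 64-bit RMI method hash from a name+descriptor string.
    Assumption (taken from the RMI wire-protocol specification, not from the
    slides): the digest input is the DataOutput.writeUTF framing of the string
    (2-byte big-endian length prefix, then modified UTF-8, which equals plain
    UTF-8 for ASCII signatures) and the first 8 digest bytes are assembled
    little-endian into a signed Java long."""
    utf = signature.encode("utf-8")
    if len(utf) > 0xFFFF:
        raise ValueError("signature too long for writeUTF")
    digest = hashlib.sha1(struct.pack(">H", len(utf)) + utf).digest()
    return int.from_bytes(digest[:8], "little", signed=True)


if __name__ == "__main__":
    # The method from the slide: void myRemoteMethod(int i, Object o, boolean b)
    sig = method_signature("myRemoteMethod", ["int", "java.lang.Object", "boolean"], "void")
    print(sig)                   # myRemoteMethod(ILjava/lang/Object;Z)V
    print(rmi_method_hash(sig))  # the value anyone holding the interface can pre-compute
    # Changing only the return type yields an unrelated hash: on the wire this
    # number, not the method name, is what identifies the method.
    print(rmi_method_hash(sig[:-1] + "I"))
```

Because the hash is a pure function of a public interface, keeping the interface out of the client download does not keep the hash secret, which is the gap the later "Modify the method hashes" advice addresses.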

Step 4: Determine method prototypes
First, establish the parameter types
  Bit more manual work
Secondly, establish the return type
  Object is our friend
Method names are irrelevant
  All about the 64-bit signed value


Step 5: Creating the stub
Detail has been added at each stage; we now have enough for a fully working custom client!
The service is now ready to fingerprint in more detail.
By using the business logic layer we can determine LOTS more detail.
Can rely on the developer getting it wrong to establish more detail.

Why is RMI insecure?
Building on an insecure foundation
  Skeleton implementation is flawed
False sense of security
  Security through obscurity
Keys are insufficient
Chances are you won't notice an attacker until a correct client has been constructed

Securing an RMI Server
Adapt the RMI server code
  Stop information leakage
  Sun should have read the OWASP Top 10!
Modify the method hashes
Java Authentication and Authorization Service (JAAS)
Be careful what you expose!
  Just because you don't release a client with the functionality doesn't mean attackers can't see it!
  Don't expose the server object directly
  Don't rely on security through obscurity

Securing an RMI Server (cont...)
Logging
  Invoke from the command line:
    java -Djava.rmi.server.logCalls=true YourServerImp
  Or enable inside the program:
    RemoteServer.setLog(System.err);


Further Developments of RMI Spy
Fully automated
  Integrating the 5 stages into a click-and-run GUI
  Automated interface and stub creation
Packet sniffer
  RMI call parser
  Pull keys from the wire
  Pull objects from the wire and assess
  Modify objects on the fly


Further Developments of RMI Spy (cont...)
Code tidy!
Hash generator
Dynamic invocation
Fuzzing
Exception handler (what is the server telling us?)
Multi-threading
Hash attack (possible C++ and packet)

Summary
RMI Architecture
Why RMI is insecure
  The comment in the generated code says "do not edit". We all know differently now.
  Security is difficult; even Sun don't always get it right!
RMI Spy
  Only tool in (known) existence to attack RMI services
How to secure RMI



Questions
