
Attacking JAVA Serialized Communication, by Manish S. Saindane (slide deck)



  1. Attack & Defense Labs
     Attacking JAVA Serialized Communication
     Manish S. Saindane

  2. Who am I?
     • Security Researcher
       – Working as a Lead Application Security Specialist for an international software development and services company
       – Likes to research on security issues in software
       – Follow me @ blog.andlabs.org
     Black Hat Europe 2010

  3. Agenda
     • JAVA Object Serialization Basics
     • The Current Scenario & Challenges Faced
     • Suggested Solution
     • Demo

  4. Objectives
     • Simplify the penetration testing process of thick clients and make it completely seamless
     • Enable the pentester to edit JAVA objects in the same way that a developer would
     • Enable all of this using the currently available tools

  5. JAVA Object Serialization Basics

  6. JAVA Object Serialization
     • Protocol implemented by SUN for converting JAVA objects into a stream of bytes to be
       – Stored in a file
       – Transmitted across a network
     • The serialized form contains sufficient information such that it can be restored to an identical clone of the original JAVA object

  7. JAVA Object Serialization cont’d
     • Objects can be written using the writeObject() method provided by the ObjectOutput interface
     • Objects can be retrieved using the readObject() method provided by the ObjectInput interface
     • The ObjectOutputStream and ObjectInputStream classes implement the above interfaces respectively

  8. JAVA Object Serialization cont’d
     • JAVA Object Serialized data can be easily identified by the 0xac 0xed stream header (also called the magic number)

  9. JAVA Object Serialization cont’d
     • If the object in the stream is a java.lang.String, it is encoded in a modified UTF‐8 format and preceded by 2‐byte length information
     • Make sure you read section 5.6 of the JAVA Object Serialization specification before modifying the objects

  10. The Current Scenario & Challenges Faced

  11. So what do we have?
     • Current tools or application interception proxies allow very limited functionality to test such data
     • Not as easy or straightforward as testing regular web applications sending data in request parameters
     • Some work has been done in the past to improve the situation. Let’s have a look at some of these methods

  12. Modifying Raw HEX
     • One of the most basic techniques is to modify the raw HEX data using a HEX editor
     • This is very limited and can be used to modify simple integers or string values in the raw data
     • Isn’t really practical to inspect or modify complex objects

  13. Modifying Raw HEX cont’d
     • Modifying raw data may result in a corrupted serialized byte stream
     • Make sure to modify the length information if you edit a string value, as discussed earlier
     • Existing interception proxies usually have very basic HEX editors, hence working with them becomes difficult
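The stream facts on slides 8, 9 and 13 (the 0xac 0xed magic, a top-level String as a tag plus 2-byte length plus modified UTF-8, and the corruption that follows when a HEX edit changes a value but not its length) are small enough to check in code. The block below is an added example, not code from the talk or from Buby: it recognises a serialized stream by its header, decodes and re-encodes Java's modified UTF-8, validates a top-level String against its length field, and rewrites the length when the value is replaced. The sample bytes are constructed by hand (they are what ObjectOutputStream.writeObject("hello") produces for a bare String); the function names are this example's own.

```python
import struct

# Constants from the Java Object Serialization Specification.
STREAM_MAGIC = b"\xac\xed"   # slide 8: the "magic number" at the start of every stream
STREAM_VERSION = 5           # 2-byte version that follows the magic
TC_STRING = 0x74             # String <= 65535 bytes: 2-byte big-endian length follows
TC_LONGSTRING = 0x7C         # longer String: 8-byte big-endian length follows

# Constructed sample: magic, version 5, TC_STRING, length 5, "hello".
SAMPLE_STREAM = bytes.fromhex("aced0005" "74" "0005") + b"hello"

# Constructed: the slide 13 mistake. The value was overwritten with a longer one in a
# HEX editor but the 2-byte length field (0x0005) was left as it was.
NAIVE_OVERWRITE = SAMPLE_STREAM[:7] + b"hello world"


def is_java_serialized(data: bytes) -> bool:
    """Slide 8: a stream is recognisable by the 0xaced magic followed by version 0x0005."""
    return (len(data) >= 4 and data[:2] == STREAM_MAGIC
            and struct.unpack(">H", data[2:4])[0] == STREAM_VERSION)


def encode_modified_utf8(s: str) -> bytes:
    """Java's modified UTF-8: each UTF-16 code unit is encoded on its own, so NUL
    becomes C0 80 and supplementary characters become two 3-byte surrogate sequences."""
    out = bytearray()
    for (unit,) in struct.iter_unpack(">H", s.encode("utf-16-be")):
        if 1 <= unit <= 0x7F:
            out.append(unit)
        elif unit <= 0x7FF:          # includes unit == 0, giving C0 80
            out += bytes([0xC0 | (unit >> 6), 0x80 | (unit & 0x3F)])
        else:
            out += bytes([0xE0 | (unit >> 12), 0x80 | ((unit >> 6) & 0x3F), 0x80 | (unit & 0x3F)])
    return bytes(out)


def decode_modified_utf8(data: bytes) -> str:
    """Inverse of encode_modified_utf8: rebuild UTF-16 code units, then let Python pair surrogates."""
    units, i = [], 0
    while i < len(data):
        c = data[i]
        if c < 0x80:
            units.append(c)
            i += 1
        elif c >> 5 == 0b110 and i + 1 < len(data):
            units.append(((c & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        elif c >> 4 == 0b1110 and i + 2 < len(data):
            units.append(((c & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6) | (data[i + 2] & 0x3F))
            i += 3
        else:
            raise ValueError(f"invalid modified UTF-8 at offset {i}")
    return struct.pack(f">{len(units)}H", *units).decode("utf-16-be", "surrogatepass")


def parse_top_level_string(stream: bytes) -> str:
    """Slide 9: header, TC_STRING tag, 2-byte length, modified UTF-8 bytes.
    Raises ValueError when the length field disagrees with the bytes present (slide 13)."""
    if not is_java_serialized(stream):
        raise ValueError("missing 0xaced0005 stream header")
    if len(stream) < 7:
        raise ValueError("stream too short for a tag and length")
    tag = stream[4]
    if tag == TC_STRING:
        (length,) = struct.unpack(">H", stream[5:7])
        body = stream[7:]
    elif tag == TC_LONGSTRING and len(stream) >= 13:
        (length,) = struct.unpack(">Q", stream[5:13])
        body = stream[13:]
    else:
        raise ValueError(f"expected a String, got tag 0x{tag:02x}")
    if len(body) != length:
        raise ValueError(f"length field says {length} bytes but {len(body)} follow")
    return decode_modified_utf8(body)


def is_well_formed(stream: bytes) -> bool:
    """True when the stream parses as a consistent top-level String."""
    try:
        parse_top_level_string(stream)
        return True
    except ValueError:
        return False


def patch_top_level_string(stream: bytes, new_value: str) -> bytes:
    """Slide 13 done right: replace the value and rewrite the length prefix to match it."""
    parse_top_level_string(stream)   # refuse to patch something that is not already a valid String
    body = encode_modified_utf8(new_value)
    if len(body) <= 0xFFFF:
        return stream[:4] + bytes([TC_STRING]) + struct.pack(">H", len(body)) + body
    return stream[:4] + bytes([TC_LONGSTRING]) + struct.pack(">Q", len(body)) + body


if __name__ == "__main__":
    print(is_java_serialized(SAMPLE_STREAM), parse_top_level_string(SAMPLE_STREAM))
    print(is_well_formed(NAIVE_OVERWRITE))   # False: length says 5, but 11 bytes follow
    patched = patch_top_level_string(SAMPLE_STREAM, "hello world")
    print(patched.hex(), parse_top_level_string(patched))
```

The same header check is what lets a proxy or a network sensor flag serialized traffic at all: only the first four bytes are needed to decide, while the length validation is what a HEX-editing tester has to get right by hand and what a deserializer will reject if it is wrong.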

  14. Decompiling Class Files
     • This can allow us to carefully study the application logic
     • Hardcoded values, sensitive functions, crypto algorithms, etc. can be identified and used for attacks
     • Decompiling may not be straightforward for applications making use of strong obfuscation techniques

  15. Decompiling Class Files cont’d
     • Popular decompilers like JAD, JD, Jode and DJ Java Decompiler may be used for simple obfuscated classes
     • Editing signed jars may be difficult

  16. Assessing JAVA Clients with BeanShell
     • This was a technique developed by Stephen de Vries from Corsaire
     • It made use of the BeanShell scripting language that was plugged into the client
     • Could be handy in identifying client‐side security controls

  17. Assessing JAVA Clients with BeanShell cont’d
     • The pentester must be comfortable writing JAVA code to use this technique
     • The scope of this technique is too broad for our use, i.e. tampering with the serialized data

  18. Runtime Protocol Analysis (RPA)
     • This was presented by Shay Chen from Hacktics at an OWASP Israel meet
     • He spoke about creating a custom runtime protocol analyzer to read data from JAVA serialized objects
     • The object, once read, could then be analyzed and modified

  19. Runtime Protocol Analysis (RPA) cont’d
     • The way this works is:
       – Sniff traffic over the network
       – Split each request/response into individual packets
       – Modify the destination URL or Host within the packet with a HEX editor to a local server (protocol analyzer)
       – Send it to the protocol analyzer using netcat
     • The protocol analyzer is customized code written to suit the protocol used to transfer the object

  20. Runtime Protocol Analysis (RPA) cont’d
     • The only drawback is that it is not completely seamless
       – Too many steps involved
       – Takes some time to set up
       – The protocol analyzer has to be modified and compiled each time for different scenarios
     • But this is the technique that suffices our needs to a certain extent

  21. Suggested Solution

  22. Solution
     [Architecture diagram: Thick Client <-> Interception Proxy <-> Application Server, with a JRuby Shell alongside the proxy]

  23. Setup Needed
     • Tools we need
       – JRuby 1.4.0
       – BurpSuite version 1.2.x
       – Buby version 1.8.x
       – Any text editor

  24. Why JRuby?
     • Why not a pure Java plug‐in? Why JRuby?
       – Easier syntax, hence easy to learn
       – Can call almost all JAVA libraries
       – Provides an interactive shell (jirb)
       – Dynamically typed language

  25. Big Thanks To
     • For the work done that helped me build this:
       – Shay Chen
       – Eric Monti
     • And of course for testing & review:
       – Lavakumar Kuppan
       – Luca Carettoni
     “If I have seen further it is only by standing on the shoulders of giants.” - Sir Isaac Newton

  26. Demo

  27. References
     • Chen, S. (2008). Achilles’ heel – Hacking Through Java Protocols. OWASP Israel, Herzliya.
     • Monti, E. (n.d.). Buby. Retrieved from http://emonti.github.com/buby/
     • Sun Microsystems. (n.d.). Java Object Serialization Specification. Retrieved from sun.com: http://java.sun.com/javase/6/docs/platform/serialization/spec/serialTOC.html
     • Vries, S. d. (2006, June 15). Assessing JAVA Clients with the BeanShell. Retrieved from Corsaire: http://research.corsaire.com/whitepapers/060816‐assessing‐java‐clients‐with‐the‐beanshell.pdf

  28. Questions??
