
SLIDE 1

ATTACK & DEFENSE labs

Attacking JAVA Serialized Communication

Manish S. Saindane

SLIDE 2

Who am I ?

  • Security Researcher

– Working as a Lead Application Security Specialist for an international software development and services company
– Likes to research security issues in software
– Follow me @ blog.andlabs.org

Black Hat Europe 2010 2

SLIDE 3

Agenda

  • JAVA Object Serialization Basics
  • The Current Scenario & Challenges Faced
  • Suggested Solution
  • Demo

SLIDE 4

Objectives

  • Simplify the penetration testing process of thick clients and make it completely seamless
  • Enable the pentester to edit JAVA objects in the same way that a developer would
  • Enable all of this using the currently available tools

SLIDE 5

JAVA Object Serialization Basics

SLIDE 6

JAVA Object Serialization

  • Protocol implemented by SUN for converting JAVA objects into a stream of bytes to be

– Stored in a file
– Transmitted across a network

  • The serialized form contains sufficient information such that it can be restored to an identical clone of the original JAVA object

SLIDE 7

JAVA Object Serialization cont’d

  • Objects can be written using the writeObject() method provided by the ObjectOutput interface
  • Objects can be retrieved using the readObject() method provided by the ObjectInput interface
  • The ObjectOutputStream and ObjectInputStream classes implement the above interfaces respectively

SLIDE 8

JAVA Object Serialization cont’d

  • JAVA Object Serialized data can be easily identified by the 0xac 0xed stream header (also called the magic number)

SLIDE 9

JAVA Object Serialization cont’d

  • If the object in the stream is a java.lang.String, it is encoded in a modified UTF‐8 format and preceded by its 2‐byte length
  • Make sure you read section 5.6 of the JAVA Object Serialization specification before modifying the objects

SLIDE 10

The Current Scenario & Challenges Faced

SLIDE 11

So what do we have ?

  • Current tools or application interception proxies allow very limited functionality to test such data
  • Not as easy or straightforward as testing regular web applications sending data in request parameters
  • Some work has been done in the past to improve the situation. Let’s have a look at some of these methods

SLIDE 12

Modifying Raw HEX

  • One of the most basic techniques is to modify the raw HEX data using a HEX editor
  • This is very limited and can be used to modify simple integers or string values in the raw data
  • Isn’t really practical to inspect or modify complex objects

SLIDE 13

Modifying Raw HEX cont’d

  • Modifying raw data may result in a corrupted Serialized byte stream
  • Make sure to modify the length information if you edit some string value, as discussed earlier
  • Existing interception proxies usually have very basic HEX editors, hence working with them becomes difficult
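Slides 8, 9 and 13 together describe the stream layout a raw hex edit has to respect: the 0xac 0xed magic header, the modified UTF‐8 encoding of a java.lang.String, and the 2‐byte length prefix that must be corrected whenever the string value changes. The plain-Ruby code below is an added example, not code from the talk or from Buby: it recognises a serialization stream by its header, decodes a top-level string, and rewrites that string while fixing the length prefix, refusing the edit when the result would not fit the 2‐byte field. The constant and function names and the constructed SAMPLE_STREAM are the example's own; the byte values (STREAM_MAGIC 0xACED, STREAM_VERSION 0x0005, TC_STRING 0x74) are the ones the Java Object Serialization Specification defines.

```ruby
# Added example (not from the talk or the Buby plug-in). Plain Ruby, no JRuby needed.
# Byte values follow the Java Object Serialization Specification (ObjectStreamConstants).
STREAM_MAGIC   = 0xACED   # the 0xac 0xed header from slide 8
STREAM_VERSION = 0x0005
TC_STRING      = 0x74     # top-level java.lang.String, followed by a 2-byte big-endian length

# Modified UTF-8 as written by DataOutput.writeUTF (the string form slide 9 refers to):
# NUL is written as C0 80, and code points above U+FFFF are written as a UTF-16
# surrogate pair, each surrogate as its own 3-byte sequence.
def modified_utf8_encode(str)
  out = ''.b
  str.each_codepoint do |cp|
    units = if cp > 0xFFFF
              v = cp - 0x10000
              [0xD800 | (v >> 10), 0xDC00 | (v & 0x3FF)]
            else
              [cp]
            end
    units.each do |c|
      if c >= 0x01 && c <= 0x7F
        out << c
      elsif c <= 0x7FF
        out << (0xC0 | (c >> 6)) << (0x80 | (c & 0x3F))
      else
        out << (0xE0 | (c >> 12)) << (0x80 | ((c >> 6) & 0x3F)) << (0x80 | (c & 0x3F))
      end
    end
  end
  out
end

def modified_utf8_decode(bytes)
  units = []
  i = 0
  while i < bytes.bytesize
    b = bytes.getbyte(i)
    n = if b < 0x80 then 1
        elsif (b & 0xE0) == 0xC0 then 2
        elsif (b & 0xF0) == 0xE0 then 3
        else raise ArgumentError, format('invalid modified UTF-8 lead byte 0x%02x at offset %d', b, i)
        end
    raise ArgumentError, "truncated multi-byte sequence at offset #{i}" if i + n > bytes.bytesize
    unit = case n
           when 1 then b
           when 2 then ((b & 0x1F) << 6) | (bytes.getbyte(i + 1) & 0x3F)
           else ((b & 0x0F) << 12) | ((bytes.getbyte(i + 1) & 0x3F) << 6) | (bytes.getbyte(i + 2) & 0x3F)
           end
    units << unit
    i += n
  end
  # Rebuild the UTF-16 code units (surrogate pairs included) and convert to UTF-8.
  units.pack('n*').force_encoding('UTF-16BE').encode('UTF-8')
end

# Slide 8: serialized data is recognisable by the magic header and version words.
def java_serialized?(bytes)
  bytes = bytes.b
  bytes.bytesize >= 4 && bytes.unpack('nn') == [STREAM_MAGIC, STREAM_VERSION]
end

# Reads a stream whose first element is a TC_STRING and returns the decoded Ruby string.
# The length check catches the "corrupted byte stream" case from slide 13, where the
# 2-byte prefix no longer matches the bytes that follow it.
def read_top_level_string(bytes)
  bytes = bytes.b
  raise ArgumentError, 'not a Java serialization stream (no 0xACED 0x0005 header)' unless java_serialized?(bytes)
  raise ArgumentError, 'first stream element is not TC_STRING' unless bytes.bytesize >= 7 && bytes.getbyte(4) == TC_STRING
  len = bytes.byteslice(5, 2).unpack1('n')
  raise ArgumentError, "length prefix #{len} exceeds the #{bytes.bytesize - 7} bytes that follow" if 7 + len > bytes.bytesize
  modified_utf8_decode(bytes.byteslice(7, len))
end

# Replaces the top-level string and rewrites its length prefix, the correction slide 13
# says a raw hex edit must not forget. Strings over 65535 bytes would need TC_LONGSTRING,
# which this example does not emit, so they are rejected rather than silently truncated.
def replace_top_level_string(bytes, new_value)
  bytes = bytes.b
  read_top_level_string(bytes)                     # validates header, tag and old length
  old_len = bytes.byteslice(5, 2).unpack1('n')
  encoded = modified_utf8_encode(new_value)
  raise ArgumentError, 'replacement too long for a TC_STRING length field' if encoded.bytesize > 0xFFFF
  rest = bytes.byteslice(7 + old_len, bytes.bytesize - 7 - old_len)
  bytes.byteslice(0, 5) + [encoded.bytesize].pack('n') + encoded + rest
end

# Constructed sample: the bytes ObjectOutputStream#writeObject("admin") produces.
SAMPLE_STREAM = "\xAC\xED\x00\x05\x74\x00\x05admin".b

if __FILE__ == $PROGRAM_NAME
  puts java_serialized?(SAMPLE_STREAM)            # true
  puts read_top_level_string(SAMPLE_STREAM)       # admin
  edited = replace_top_level_string(SAMPLE_STREAM, 'guest-user')
  puts edited.unpack1('H*')                       # aced000574000a6775657374 2d75736572 without the space
end
```

The same two checks, header recognition and length-prefix validation, are what an interception proxy needs in order to flag serialized payloads in traffic and to reject a hand-edited stream before it is forwarded.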

SLIDE 14

Decompiling Class Files

  • This can allow us to carefully study the application logic
  • Hardcoded values, sensitive functions, crypto algorithms, etc. can be identified and used for attacks
  • Decompiling may not be straightforward for applications making use of strong obfuscation techniques

SLIDE 15

Decompiling Class Files cont’d

  • Popular decompilers like JAD, JD, Jode and DJ Java Decompiler may be used for simple obfuscated classes
  • Editing signed jars may be difficult

SLIDE 16

Assessing JAVA Clients with BeanShell

  • This was a technique developed by Stephen de Vries from Corsaire
  • It made use of the BeanShell scripting language that was plugged into the client
  • Could be handy in identifying client‐side security controls

SLIDE 17

Assessing JAVA Clients with BeanShell cont’d

  • The pentester must be comfortable writing JAVA code to use this technique
  • The scope of this technique is too broad for our use, i.e. to tamper with the serialized data

SLIDE 18

Runtime Protocol Analysis (RPA)

  • This was presented by Shay Chen from Hacktics at an OWASP Israel meet
  • He spoke about creating a custom runtime protocol analyzer to read data from JAVA serialized objects
  • The object, once read, could then be analyzed and modified

SLIDE 19

Runtime Protocol Analysis (RPA) cont’d

  • The way this works is:

– Sniff traffic over the network
– Split each request/response into individual packets
– Modify the destination URL or Host within the packet with a HEX editor to a local server (protocol analyzer)
– Send it to the Protocol Analyzer using netcat

  • The protocol analyzer is customized code written to suit the protocol used to transfer the object

SLIDE 20

Runtime Protocol Analysis (RPA) cont’d

  • The only drawback is that it is not completely seamless

– Too many steps involved
– Takes some time to set up
– The protocol analyzer has to be modified and compiled each time for different scenarios

  • But this is the technique that satisfies our needs to a certain extent

SLIDE 21

Suggested Solution

SLIDE 22

Solution

[Architecture diagram; components labelled: Thick Client Application, Interception Proxy, JRuby Shell, Application Server]

SLIDE 23

Setup Needed

  • Tools we need

– JRuby 1.4.0
– BurpSuite version 1.2.x
– Buby version 1.8.x
– Any text editor

SLIDE 24

Why JRuby ?

  • Why not a pure Java plug‐in? Why JRuby?

– Easier syntax, hence easy to learn
– Can call almost all JAVA libraries
– Provides an interactive shell (jirb)
– Dynamically typed language

SLIDE 25

Big Thanks To

  • For the work done that helped me build this:

– Shay Chen
– Eric Monti

  • And of course for testing & review:

– Lavakumar Kuppan
– Luca Carettoni

If I have seen further it is only by standing on the shoulders of giants.

– Sir Isaac Newton
SLIDE 26

Demo

SLIDE 27

References

  • Chen, S. (2008). Achilles’ heel – Hacking Through Java Protocols. OWASP Israel, Herzliya.
  • Monti, E. (n.d.). Buby. Retrieved from http://emonti.github.com/buby/
  • Sun Microsystems. (n.d.). Java Object Serialization Specification. Retrieved from sun.com: http://java.sun.com/javase/6/docs/platform/serialization/spec/serialTOC.html
  • Vries, S. d. (2006, June 15). Assessing JAVA Clients with the BeanShell. Retrieved from Corsaire: http://research.corsaire.com/whitepapers/060816-assessing-java-clients-with-the-beanshell.pdf

SLIDE 28

Questions ??