Black Hat EU 2010 - Attacking Java Serialized Communication

This presentation describes a technique to conduct penetration testing of JAVA applications communicating via serialized objects.

Published in: Technology

1. ATTACK & DEFENSE labs

Attacking JAVA Serialized Communication
Manish S. Saindane

2. Who am I ?

• Security Researcher
      – Working as a Lead Application Security Specialist for an international software development and services company
      – Likes to research security issues in software
      – Follow me @ blog.andlabs.org

ATTACK & DEFENSE labs Black Hat Europe 2010

3. Agenda

• JAVA Object Serialization Basics
• The Current Scenario & Challenges Faced
• Suggested Solution
• Demo

4. Objectives

• Simplify the penetration testing process of thick clients and make it completely seamless
• Enable the pentester to edit JAVA objects in the same way that a developer would
• Enable all of this using the currently available tools

5. JAVA Object Serialization Basics
6. JAVA Object Serialization

• Protocol implemented by SUN for converting JAVA objects into a stream of bytes to be
      – Stored in a file
      – Transmitted across a network
• The serialized form contains sufficient information that it can be restored to an identical clone of the original JAVA object

7. JAVA Object Serialization cont’d

• Objects can be written using the writeObject() method provided by the ObjectOutput interface
• Objects can be retrieved using the readObject() method provided by the ObjectInput interface
• The ObjectOutputStream and ObjectInputStream classes implement the above interfaces respectively

8. JAVA Object Serialization cont’d

• JAVA Object Serialized data can be easily identified by the 0xac 0xed stream header (also called the magic number)

9. JAVA Object Serialization cont’d

• If the object in the stream is a java.lang.String, it is encoded in a modified UTF-8 format and preceded by 2 bytes of length information
• Make sure you read section 5.6 of the JAVA Object Serialization specification before modifying the objects
10. The Current Scenario & Challenges Faced

11. So what do we have ?

• Current tools or application interception proxies allow very limited functionality to test such data
• Not as easy or straightforward as testing regular web applications sending data in request parameters
• Some work has been done in the past to improve the situation. Let’s have a look at some of these methods

12. Modifying Raw HEX

• One of the most basic techniques is to modify the raw HEX data using a HEX editor
• This is very limited and can be used to modify simple integers or string values in the raw data
• Isn’t really practical to inspect or modify complex objects

13. Modifying Raw HEX cont’d

• Modifying raw data may result in a corrupted Serialized byte stream
• Make sure to modify the length information if you edit some string value, as discussed earlier
• Existing interception proxies usually have very basic HEX editors, hence working with them becomes difficult
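The stream-header and string-length facts from slides 8, 9 and 13 above, as an added example that is not from the slides or the author's tooling: pure Ruby with no Burp or Buby dependency, which identifies a Java serialized stream, reads a top-level string and rewrites it with a recomputed 2-byte length instead of corrupting the stream. The constant and helper names and the sample stream are my own, and only a stream whose first element is a TC_STRING is handled.

```ruby
# Added example, not from the slides: byte-level helpers for the facts the
# slides state (0xac 0xed magic, TC_STRING = 2-byte length + modified UTF-8).
STREAM_MAGIC   = "\xAC\xED".b   # stream header from slide 8
STREAM_VERSION = "\x00\x05".b
TC_STRING      = 0x74           # tag for a java.lang.String object

# Java "modified UTF-8": U+0000 is written as C0 80, never as a raw NUL, and
# supplementary code points as two 3-byte encoded surrogates.
def modified_utf8(str)
  str.each_codepoint.flat_map do |cp|
    if cp == 0
      [0xC0, 0x80]
    elsif cp >= 0x10000
      cp -= 0x10000
      [0xD800 + (cp >> 10), 0xDC00 + (cp & 0x3FF)].flat_map do |s|
        [0xE0 | (s >> 12), 0x80 | ((s >> 6) & 0x3F), 0x80 | (s & 0x3F)]
      end
    else
      [cp].pack("U").bytes    # BMP code points: same as standard UTF-8
    end
  end.pack("C*")
end

# Identify Java serialized data by its header; also a cheap detection check
# for captured traffic.
def java_serialized?(bytes)
  bytes.b.byteslice(0, 4) == STREAM_MAGIC + STREAM_VERSION
end

# Simple case handled here: the first element after the header is a TC_STRING
# (what writeObject("...") emits). Returns its raw modified-UTF-8 bytes.
def read_top_level_string(bytes)
  bytes = bytes.b
  raise ArgumentError, "not a Java serialized stream" unless java_serialized?(bytes)
  raise ArgumentError, "first element is not TC_STRING" unless bytes.getbyte(4) == TC_STRING
  bytes.byteslice(7, bytes.byteslice(5, 2).unpack1("n"))   # 2-byte big-endian length
end

# Replace the top-level string and recompute its length field; editing only the
# text in a HEX editor is the corruption slide 13 warns about.
def replace_top_level_string(bytes, new_value)
  bytes = bytes.b
  old_len = read_top_level_string(bytes).bytesize
  encoded = modified_utf8(new_value)
  raise ArgumentError, "needs TC_LONGSTRING (>65535 bytes)" if encoded.bytesize > 0xFFFF
  bytes.byteslice(0, 5) + [encoded.bytesize].pack("n") + encoded +
    bytes.byteslice(7 + old_len, bytes.bytesize)
end
# Constructed sample: what ObjectOutputStream.writeObject("hello") produces.
SAMPLE_STREAM = "\xAC\xED\x00\x05\x74\x00\x05hello".b
```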
14. Decompiling Class Files

• This can allow us to carefully study the application logic
• Hardcoded values, sensitive functions, crypto algorithms, etc. can be identified and used for attacks
• Decompiling may not be straightforward for applications making use of strong obfuscation techniques

15. Decompiling Class Files cont’d

• Popular decompilers like JAD, JD, Jode and DJ Java Decompiler may be used for simply obfuscated classes
• Editing signed jars may be difficult

16. Assessing JAVA Clients with BeanShell

• This was a technique developed by Stephen de Vries from Corsaire
• It made use of the BeanShell scripting language that was plugged into the client
• Could be handy in identifying client-side security controls

17. Assessing JAVA Clients with BeanShell cont’d

• The pentester must be comfortable writing JAVA code to use this technique
• The scope of this technique is too broad for our use, i.e. tampering with the serialized data

18. Runtime Protocol Analysis (RPA)

• This was presented by Shay Chen from Hacktics at an OWASP Israel meet
• He spoke about creating a custom runtime protocol analyzer to read data from JAVA serialized objects
• The object, once read, could then be analyzed and modified

19. Runtime Protocol Analysis (RPA) cont’d

• The way this works is:
      – Sniff traffic over the network
      – Split each request/response into individual packets
      – Modify the destination URL or Host within the packet with a HEX editor to point to a local server (the protocol analyzer)
      – Send it to the protocol analyzer using netcat
• The protocol analyzer is custom code written to suit the protocol used to transfer the object

20. Runtime Protocol Analysis (RPA) cont’d

• The only drawback is that it is not completely seamless
      – Too many steps involved
      – Takes some time to set up
      – The protocol analyzer has to be modified and compiled each time for different scenarios
• But this is the technique that meets our needs to a certain extent
21. Suggested Solution

22. Solution

      Thick Client Application  <-->  Interception Proxy (JRuby Shell)  <-->  Application Server

23. Setup Needed

• Tools we need
      – JRuby version 1.4.0
      – BurpSuite version 1.2.x
      – Buby version 1.8.x
      – Any text editor

24. Why JRuby ?

• Why not a pure Java plug-in? Why JRuby?
      – Easier syntax, hence easy to learn
      – Can call almost all JAVA libraries
      – Provides an interactive shell (jirb)
      – Dynamically typed language

25. Advantages

• Adds the ability to modify JAVA objects on-the-fly
• Ease of use – makes the whole process seamless
• Hooks a JAVA development environment into your interception proxy
• Can be used for other stuff too ….. Just be a bit creative ;)

26. Demo
27. References

• Chen, S. (2008). Achilles’ heel – Hacking Through Java Protocols. OWASP Israel, Herzliya.
• Monti, E. (n.d.). Buby. Retrieved from http://emonti.github.com/buby/
• Sun Microsystems. (n.d.). Java Object Serialization Specification. Retrieved from sun.com: http://java.sun.com/javase/6/docs/platform/serialization/spec/serialTOC.html
• Vries, S. d. (2006, June 15). Assessing JAVA Clients with the BeanShell. Retrieved from Corsaire: http://research.corsaire.com/whitepapers/060816-assessing-java-clients-with-the-beanshell.pdf

28. Big Thanks To

• For the work done that helped me build this:
      – Shay Chen
      – Eric Monti
• And of course for testing & review:
      – Lavakumar Kuppan
      – Luca Carettoni

“If I have seen further it is only by standing on the shoulders of giants.” – Sir Isaac Newton

29. Questions ??

30. Thank You

Contact me: manish (-at-) andlabs.org
