BaRMIe – Poking Java’s Back Door
Nicky Bloor 44CON 2017
whoami
Nicky Bloor
• Managing Security Consultant at NCC Group
• Ex software developer
• Desktop, web, games, industrial control systems
• Problem solver, breaker, builder, hacker
• Hiker and rock climber
• @NickstaDB on the Interwebz
A Story of Pwn
• On-site Java application assessment
• No credentials provided until day 3…
• Supporting infrastructure was in scope
• One network service stood out…
A Story of Pwn
Java Remote Method Invocation???
…gave me the server before I got those credentials.
Too easy! This left me really intrigued!
RMI?
• How common is RMI?
• How often is it so insecure?
• What else can we do with it?
Java Remote Method Invocation
A Brief Introduction to RMI
• Remote Method Invocation
• RPC for Java
• Execute methods within another Java virtual machine (JVM)
• Local or remote
• Simple to implement
• RMI takes care of connection and transport
• Developer does not need to be aware that RMI is in use
• RMI != arbitrary remote code execution
• Only execute methods that are implemented within the other JVM
A Brief Introduction to RMI
Diagram: the Client Application calls IFoo.Bar(); the call passes through RMI on both sides and executes FooImpl.Bar() in the Server Application.
The RMI Registry Service
• Directory of Java objects
• Maps Java objects to names
• Listens on TCP port 1099 by default
• Interaction via java.rmi.Registry class
• void bind(String name, Remote obj)
• String[] list()
• Remote lookup(String name)
• void rebind(String name, Remote obj)
• void unbind(String name)
The RMI Registry Service
• void rebind(String name, Remote obj)
• Rebind a bound object name to another object
• Potential free man-in-the-middle attack?
• void unbind(String name)
• Unbind an object from the registry
• Potential free denial of service attack?
• Cannot bind/rebind/unbind from non-localhost
Implementing RMI
• Very easy – perhaps part of the problem!
• Server-side
• Implement java.rmi.Remote
• Instantiate object
• Bind object to RMI registry
• Client-side
• Lookup object from RMI registry
• Use as normal
What’s the Problem?
• Fairly reasonable looking method
• Authenticate first, then read the file
What’s the Problem?
What if ApplicationObjectFactory returns a remote object?
What’s the Problem?
Intended flow (Client → Server):
authenticateUser(user, pass) → true
readFile(filename) → file contents
Actual flow, skipping authentication entirely:
readFile(filename) → file contents
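The two call flows above, as an added illustration (not code from the talk or from BaRMIe; FileService, FileServiceImpl, the "alice" credentials and the in-memory file table are hypothetical, and it assumes Java 9+): the insecure interface shape from the slides beside a hardened one, where authenticate() returns a server-issued token and readFile() re-checks that token on every call.

```java
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.server.RemoteObject;
import java.rmi.server.UnicastRemoteObject;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical illustration; not code from the talk or from BaRMIe.

// The shape shown in the slides: two unrelated remote methods. RMI has no
// session, so nothing ties a readFile() call to an earlier authenticateUser()
// call, and a client can simply never make the first call.
interface InsecureFileService extends Remote {
    boolean authenticateUser(String user, String pass) throws RemoteException;
    String readFile(String filename) throws RemoteException;
}

// Hardened shape: authenticate() returns a server-issued token and every
// sensitive method takes that token and is checked server-side, per call.
interface FileService extends Remote {
    String authenticate(String user, String pass) throws RemoteException;
    String readFile(String token, String filename) throws RemoteException;
}

class FileServiceImpl extends UnicastRemoteObject implements FileService {
    private final SecureRandom rng = new SecureRandom();
    // token -> user. A production service would also expire and revoke tokens.
    private final Map<String, String> sessions = new ConcurrentHashMap<>();
    // Constructed stand-in for the files the service is allowed to serve.
    private final Map<String, String> files = Map.of("readme.txt", "hello from the server");

    FileServiceImpl() throws RemoteException {
        super(); // exports this object on an anonymous TCP port
    }

    @Override
    public String authenticate(String user, String pass) throws RemoteException {
        // Constructed credential check; real code would verify a password hash.
        if (!"alice".equals(user) || !"s3cret".equals(pass)) {
            throw new SecurityException("authentication failed");
        }
        byte[] raw = new byte[32];
        rng.nextBytes(raw); // 256 bits of randomness: not guessable or enumerable
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(token, user);
        return token;
    }

    @Override
    public String readFile(String token, String filename) throws RemoteException {
        // The authorisation decision lives in the method that needs it.
        String user = (token == null) ? null : sessions.get(token);
        if (user == null) {
            throw new SecurityException("not authenticated");
        }
        String content = files.get(filename); // lookup table, so no path traversal surface
        if (content == null) {
            throw new IllegalArgumentException("no such file: " + filename);
        }
        return content;
    }
}

public class TokenCheckedRmiDemo {
    public static void main(String[] args) throws Exception {
        FileServiceImpl impl = new FileServiceImpl();
        // Go through the RMI stub so the calls really cross the RMI transport.
        FileService svc = (FileService) RemoteObject.toStub(impl);

        try {
            svc.readFile("", "readme.txt"); // the "skip authentication" call from the slides
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        String token = svc.authenticate("alice", "s3cret");
        System.out.println(svc.readFile(token, "readme.txt"));

        UnicastRemoteObject.unexportObject(impl, true); // let the JVM exit
    }
}
```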
RMI Security?
• Authentication?
• No.
• Session management?
• No.
• Encryption?
• No.
• Message integrity checking/anti-tampering?
• No.
• Access controls?
• Yes. Kind of… Fine. No.
RMI Security?
• Encryption
• SSLSocketFactory can be used
• Access controls
• bind/rebind/unbind can only be called from localhost
• Risky code executes BEFORE the localhost check…
• (Pre-Java 6u131, 7u121, 8u112)
RMI Security
• This is a bit unfair
• RMI wasn’t designed to be secure
• RMI was designed to facilitate remote method invocation
• To compare:
• HTTP wasn’t designed to be secure
• HTTP was designed to facilitate the transfer of textual information
RMI Security
• HTTP is far more prevalent
• HTTP has evolved to support security
• Web application frameworks improve security by default
• Authentication, session management, access controls etc…
• Developers don’t need to be particularly security aware
• RMI has none of this!
• Security must be explicitly incorporated in remotely exposed classes
Insecure Use of RMI
• RMI not a secure protocol
• Original attack:
• Ignore authenticate method
• Call readFile/writeFile/executeQuery directly
• How often is RMI used this insecurely?
Insecure Use of RMI
• First step: Identify software using RMI
• Little success initially searching Google & Github
• Can I identify RMI software packages remotely?
Insecure Use of RMI
• Recalled an early test program which called Registry.lookup()
• Exception reveals fully-qualified class names
• Often identifies vendor
• Sometimes identifies the application itself
• Can we identify RMI software packages remotely?
• Yes!
• Internet search for fully-qualified class names
Insecure Use of RMI
• So, we can extract fully-qualified class names…
• What else can we learn from RMI network traffic?
• How can we extract this information?
RMI Enumeration
Insecure Use of RMI
• A lot of time was spent in these tools
• Along the way code was produced to parse RMI traffic and extract useful data…
BaRMIe - Enumeration
• Proxy-based enumeration of RMI registries
• Start TCP proxy for RMI registry connection
• Request remote objects
• Buffer RMI ‘ReplyData’ packets
• Parse the packet contents to extract useful data
Knocking on Java’s Back Door
• Find RMI software
• Found over 14,000 RMI services on Shodan
• Over 27,000 Java objects exposed over RMI
• Not all exposed externally
• Many probably shouldn’t be exposed
DbVehicleSearchService drivingLicenseManager carUseRecordManager
CameraCapturedImages CCPaymentService superviseOilManager
SecurityServer ROOT_TERMINAL AdminAPI system UserConfigAPI
chainGunAPI beerMachineApi praiseService
Knocking on Java’s Back Door
• Honestly, no idea what any of these do!
• These are just examples of what people expose over RMI.
• This is bad if these services are implemented as insecurely as that first ‘writeFile’ example
Examples of Insecure RMI
Apache JMeter
• org.apache.jmeter.engine.RemoteJMeterEngineImpl_Stub
• Open source!
• Download source and review
• Locate classes that implement java.rmi.Remote
Apache JMeter
• Looks like anyone can configure this service!
Temis RemoteAdminServer
• com.temis.admin.remote.RemoteAdminServer_Stub
• Unable to locate source code or client jar
• BaRMIe revealed an interesting annotation…
Temis RemoteAdminServer
• Remote methods:
• UserProfile authenticate(String, String)
Looks like they thought about security?
(UserProfile – could be a session-like object?)
• boolean configure(Properties)
…or not!
• String getAdminKey()
• int addUser(String, String, String, String)
Temis RemoteAdminServer
• Account takeover?
• List<UserProfile> getAllUserList()
• int changePassword(UserProfile, String)
• UserProfile methods:
• String getPassword()
Temis RemoteAdminServer
• More remote methods:
• String getDatabaseIP()
• String getDatabasePort()
• String getDatabaseName()
• String getDatabaseType()
• String getUsername()
• String getPassword()
RMI: What’s the Problem?
It gets worse…
Deserialization
• Process of converting data into runtime objects
• Often implemented/used insecurely
• Deserializing untrusted data is usually bad
• RMI is heavily dependent on Java serialization
Adobe ColdFusion
• Most commonly exposed RMI service in my scans
• coldfusion.flex.rmi.DataServicesCFProxyServer_Stub
• No strikingly interesting remote methods
• Except…
• Call fill() to deserialize any object…
Demo Time!
• Adobe ColdFusion 2016, fully up-to-date as of 11th September 2017
• Default install except for one setting
• Unauthenticated remote method invocation…
Deserialization
It’s worse than that…
Java’s Back Door
• Testing some code
• Suddenly realised I’d made a mistake…
• …but the code worked…
Full RMI Proxy
• Successfully proxying RMI registry connections
• RMI registry does not handle method invocations
• Invocation handled by remote objects
• Different port
• Potentially different host
• Built a proxy to MitM method invocations
Proxying RMI
Diagram components: RMI Client, RMI Registry, RMI Object, Registry Proxy, Object Proxy
• First, we create an RMI registry proxy
• Which is configured to connect directly to the target RMI registry
• Our RMI client requests an object via the proxy
• The object data is intercepted and parsed
• The RMI registry proxy then creates an RMI object proxy
• Which is configured to connect directly to the RMI object
• We modify the object data to point at the new proxy and return it to the client
• We can now MitM remote method invocation traffic!
Java’s Back Door
• So, what was that mistake?!
• Experimenting with network-level payload injection and ysoserial
• Called obj.foo(String) in RMI client, rather than obj.foo(Object)
• Proxy replaced the parameter…
Poking Java’s Back Door
• Invoking void printString("AAAAAAAAAA") looks like this:
• A simple serialized object, new Dummy(), looks like this:
Poking Java’s Back Door
• The proxy did this (with a ysoserial payload):
• Remotely invoked an illegal method call
• void printString(new Dummy()):
• Server-side exception
• Dummy is not compatible with java.lang.String
• Payload had already been deserialized
Java’s Back Door
If we invoke a remote method, we can replace parameters with incompatible payloads
Caveat
• Slight caveat, due to Java serialization format/protocol
• Method parameter that we replace must be non-primitive
• int, long, boolean etc cannot be replaced
• Integer, int[], ArrayList, and objects of arbitrary classes can
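An added defensive counterpart to the parameter-replacement finding above (not code from the talk or from BaRMIe; Printer, PrinterImpl and ParameterFilter are hypothetical, and it assumes Java 9+ for java.io.ObjectInputFilter): an allow-list deserialization filter exported together with the remote object, so an argument whose class is not one the interface expects is refused before it is deserialized, rather than after.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.server.UnicastRemoteObject;
import java.util.Set;

// Hypothetical illustration; not code from the talk or from BaRMIe.

// The remote interface from the slides: one method taking a String.
interface Printer extends Remote {
    void printString(String s) throws RemoteException;
}

class PrinterImpl implements Printer {
    @Override
    public void printString(String s) {
        System.out.println("server received: " + s);
    }
}

// Allow-list filter for the deserialization step. It is consulted for every
// class, array and string as the stream is read, BEFORE an instance of that
// class is constructed, so a replaced parameter is refused instead of being
// deserialized and only then failing the java.lang.String type check.
final class ParameterFilter implements ObjectInputFilter {
    // Exactly the non-primitive classes the interface's parameters can need.
    private static final Set<String> ALLOWED = Set.of("java.lang.String");
    // Structural limits; tune to the service's real arguments.
    private static final long MAX_DEPTH = 4, MAX_REFERENCES = 64, MAX_STREAM_BYTES = 64 * 1024;

    @Override
    public Status checkInput(FilterInfo info) {
        if (info.depth() > MAX_DEPTH
                || info.references() > MAX_REFERENCES
                || info.streamBytes() > MAX_STREAM_BYTES) {
            return Status.REJECTED;
        }
        Class<?> c = info.serialClass();
        if (c == null) {
            return Status.UNDECIDED; // no class at this step; the limits above still applied
        }
        while (c.isArray()) {
            c = c.getComponentType(); // judge int[] by int, String[] by String, and so on
        }
        if (c.isPrimitive()) {
            return Status.ALLOWED;
        }
        return ALLOWED.contains(c.getName()) ? Status.ALLOWED : Status.REJECTED;
    }
}

public class FilteredRmiDemo {
    // Round-trip a value through Java serialization with the filter attached,
    // so the filter's effect can be observed without any network traffic.
    static boolean acceptedByFilter(Object value, ObjectInputFilter filter) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(value);
        }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes.toByteArray()))) {
            in.setObjectInputFilter(filter);
            in.readObject();
            return true;
        } catch (InvalidClassException rejected) {
            return false; // message reads "filter status: REJECTED"
        } catch (ClassNotFoundException e) {
            throw new IOException(e);
        }
    }

    public static void main(String[] args) throws Exception {
        ObjectInputFilter filter = new ParameterFilter();

        // Per-object filter: applied to the arguments of every call this object
        // receives (Java 9+). The registry and DGC have their own filters, and a
        // process-wide one can be set with -Djdk.serialFilter or
        // ObjectInputFilter.Config.setSerialFilter().
        PrinterImpl impl = new PrinterImpl();
        Printer stub = (Printer) UnicastRemoteObject.exportObject(impl, 0, filter);
        stub.printString("AAAAAAAAAA"); // the legitimate call from the slides still works

        // The same filter, exercised directly: a String is accepted, an Integer
        // (one of the "replaceable" parameter types from the caveat) is not.
        System.out.println("String accepted:  " + acceptedByFilter("AAAAAAAAAA", filter));
        System.out.println("Integer accepted: " + acceptedByFilter(Integer.valueOf(1), filter));

        UnicastRemoteObject.unexportObject(impl, true);
    }
}
```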
BaRMIe
• RMI often exposes legitimate but dangerous methods
• writeFile(), executeQuery()
• Proxy-based attacks can introduce further risk
• Vulnerabilities where there wouldn’t otherwise be a vulnerability
• Requires knowledge of remote classes/method signatures
BaRMIe
• Written a lot of code during this research…
• Enumeration of remote objects (identify classes)
• Attacks for various targets
• Executing legitimate methods
• Deserialization attacks using Object type parameters
• Deserialization attacks through illegal parameter replacement
• BaRMIe is an all-in-one RMI enumeration and attack tool
Conclusion
• RMI lacks maturity
• Often used very insecurely
• Object injection/deserialization attacks are almost always a possibility
• Old and ‘uninteresting’ technology can be a fun and fruitful research target!
Questions?
https://nickbloor.co.uk/

 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?
 
201610817 - edge part1
201610817 - edge part1201610817 - edge part1
201610817 - edge part1
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
20230104 - machine vision
20230104 - machine vision20230104 - machine vision
20230104 - machine vision
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-py
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBX
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 

Nicky Bloor - BaRMIe - Poking Java's Back Door - 44CON 2017

1. BaRMIe – Poking Java’s Back Door
Nicky Bloor, 44CON 2017

2. whoami
Nicky Bloor
• Managing Security Consultant at NCC Group
• Ex software developer
• Desktop, web, games, industrial control systems
• Problem solver, breaker, builder, hacker
• Hiker and rock climber
• @NickstaDB on the Interwebz

3. A Story of Pwn
• On-site Java application assessment
• No credentials provided until day 3…
• Supporting infrastructure was in scope
• One network service stood out…

4. A Story of Pwn
Java Remote Method Invocation??? …gave me the server before I got those credentials.
Too easy! This left me really intrigued!

5. RMI?
• How common is RMI?
• How often is it so insecure?
• What else can we do with it?

6. Java Remote Method Invocation

7. A Brief Introduction to RMI
• Remote Method Invocation
• RPC for Java
• Execute methods within another Java virtual machine (JVM)
• Local or remote
• Simple to implement
• RMI takes care of connection and transport
• Developer does not need to be aware that RMI is in use
• RMI != arbitrary remote code execution
• Only execute methods that are implemented within the other JVM

8. A Brief Introduction to RMI
[Diagram: Client Application calls IFoo.Bar(); -> RMI -> RMI -> Server Application executes FooImpl.Bar()]

9. The RMI Registry Service
• Directory of Java objects
• Maps Java objects to names
• Listens on TCP port 1099 by default
• Interaction via the java.rmi.registry.Registry interface
• void bind(String name, Remote obj)
• String[] list()
• Remote lookup(String name)
• void rebind(String name, Remote obj)
• void unbind(String name)

10-11. The RMI Registry Service
• void rebind(String name, Remote obj)
• Rebind a bound object name to another object
• Potential free man-in-the-middle attack?
• void unbind(String name)
• Unbind an object from the registry
• Potential free denial of service attack?
• Cannot bind/rebind/unbind from non-localhost
12. Implementing RMI
• Very easy – perhaps part of the problem!
• Server-side
• Implement java.rmi.Remote
• Instantiate object
• Bind object to RMI registry
• Client-side
• Lookup object from RMI registry
• Use as normal

13. What’s the Problem?
• Fairly reasonable looking method
• Authenticate first, then read the file

14. What’s the Problem?
What if ApplicationObjectFactory returns a remote object?

15. What’s the Problem?
[Diagram: Client -> Server: authenticateUser(user,pass); Server -> Client: true; Client -> Server: readFile(filename); Server -> Client: file contents]

16. What’s the Problem?
[Diagram: Client -> Server: readFile(filename); Server -> Client: file contents]
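As an added example (not code from the talk or from BaRMIe): the authenticate-then-readFile design of slides 13 to 16 written out as a remote interface, next to a hardened version in which the remotely exposed class enforces its own session check, because RMI will not do it. Only the method names authenticateUser and readFile come from the slides; the interface and class names, the token scheme and the demo credential check are my own, and the code assumes Java 11 or later.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.BiPredicate;

// Vulnerable shape from the slides: authenticateUser() and readFile() are both
// remote methods and nothing ties the second to the first. Any client that looks
// the object up in the registry can call readFile() without ever authenticating.
interface FileServiceVulnerable extends Remote {
    boolean authenticateUser(String user, String pass) throws RemoteException;
    String readFile(String filename) throws RemoteException;
}

// Hardened shape: RMI has no sessions, so the exposed class keeps its own.
// authenticateUser() hands back an unguessable token and readFile() refuses to
// run unless it is presented with a live one.
interface FileServiceHardened extends Remote {
    String authenticateUser(String user, String pass) throws RemoteException;
    String readFile(String token, String filename) throws RemoteException;
}

class FileServiceHardenedImpl extends UnicastRemoteObject implements FileServiceHardened {
    private final Map<String, String> sessions = new ConcurrentHashMap<>(); // token -> user
    private final SecureRandom rng = new SecureRandom();
    private final BiPredicate<String, String> credentialCheck;
    private final Path root;

    FileServiceHardenedImpl(Path root, BiPredicate<String, String> credentialCheck) throws RemoteException {
        super(); // exports this object on an anonymous TCP port
        this.root = root.toAbsolutePath().normalize();
        this.credentialCheck = credentialCheck;
    }

    @Override
    public String authenticateUser(String user, String pass) throws RemoteException {
        if (!credentialCheck.test(user, pass)) {
            throw new RemoteException("authentication failed");
        }
        byte[] raw = new byte[32];
        rng.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(token, user);
        return token;
    }

    @Override
    public String readFile(String token, String filename) throws RemoteException {
        // The check the vulnerable design never performs: no valid token, no file.
        if (token == null || !sessions.containsKey(token)) {
            throw new RemoteException("not authenticated");
        }
        // Keep an authenticated caller inside the served directory as well.
        Path target = root.resolve(filename).normalize();
        if (!target.startsWith(root)) {
            throw new RemoteException("path outside served directory");
        }
        try {
            return Files.readString(target);
        } catch (IOException e) {
            throw new RemoteException("read failed: " + e.getMessage());
        }
    }
}

public class HardenedRmiServer {
    public static void main(String[] args) throws Exception {
        Path root = Path.of(args.length > 0 ? args[0] : ".");
        // Constructed demo credential check; a real service would consult a credential store.
        BiPredicate<String, String> demoCheck =
                (u, p) -> "demo".equals(u) && "demo-password".equals(p);
        Registry registry = LocateRegistry.createRegistry(Registry.REGISTRY_PORT);
        registry.rebind("FileService", new FileServiceHardenedImpl(root, demoCheck));
        System.out.println("FileService bound; call authenticateUser() then readFile(token, name)");
    }
}
```

The point of the second interface is that the authorisation decision lives inside the method that does the dangerous work, so it cannot be skipped by calling that method directly. Tokens in this demo never expire and the registry is exported without TLS; both would need attention in a real deployment.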
17. RMI Security?
• Authentication? No.
• Session management? No.
• Encryption? No.
• Message integrity checking/anti-tampering? No.
• Access controls? Yes. Kind of… Fine. No.

18. RMI Security?
• Encryption
• SSL socket factories can be used (javax.rmi.ssl.SslRMIClientSocketFactory / SslRMIServerSocketFactory)
• Access controls
• bind/rebind/unbind can only be called from localhost
• Risky code executes BEFORE the localhost check… (the registry deserializes the Remote argument before it checks the caller’s address)
• (Affected: Java 6u131, 7u121, 8u112 and earlier; fixed in the January 2017 updates, which added serialization filtering for the registry and DGC under JEP 290)
20. RMI Security
• This is a bit unfair
• RMI wasn’t designed to be secure
• RMI was designed to facilitate remote method invocation
• To compare:
• HTTP wasn’t designed to be secure
• HTTP was designed to facilitate the transfer of textual information

21. RMI Security
• HTTP is far more prevalent
• HTTP has evolved to support security
• Web application frameworks improve security by default
• Authentication, session management, access controls etc…
• Developers don’t need to be particularly security aware
• RMI has none of this!
• Security must be explicitly incorporated in remotely exposed classes

23. Insecure Use of RMI
• RMI not a secure protocol
• Original attack:
• Ignore authenticate method
• Call readFile/writeFile/executeQuery directly
• How often is RMI used this insecurely?

24. Insecure Use of RMI
• First step: Identify software using RMI
• Little success initially searching Google & Github
• Can I identify RMI software packages remotely?

25. Insecure Use of RMI
• Recalled an early test program which called Registry.lookup()
• Exception reveals fully-qualified class names (lookup() fails with an UnmarshalException wrapping a ClassNotFoundException that names the stub or interface class the client lacks)
• Often identifies vendor
• Sometimes identifies the application itself
• Can we identify RMI software packages remotely?
• Yes!
• Internet search for fully-qualified class names
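An added example (not part of the talk or of BaRMIe) of the enumeration trick from slide 25: list the registry, look each name up without the target’s jars on the classpath, and read the fully-qualified class name out of the ClassNotFoundException that lookup() wraps. The method names enumerate(), describe() and classNameFrom() are my own; host and port come from the command line.

```java
import java.lang.reflect.Proxy;
import java.rmi.NotBoundException;
import java.rmi.RemoteException;
import java.rmi.UnmarshalException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.stream.Collectors;

public class RmiRegistryEnum {

    // Maps each bound name to the fully-qualified class the registry hands back for it.
    // Without the target's jars on our classpath, lookup() fails while unmarshalling the
    // stub (or the dynamic proxy's remote interface), and the failure names that class.
    public static Map<String, String> enumerate(String host, int port) throws RemoteException {
        Registry registry = LocateRegistry.getRegistry(host, port);
        Map<String, String> found = new LinkedHashMap<>();
        for (String name : registry.list()) {
            try {
                Object stub = registry.lookup(name);
                found.put(name, describe(stub));          // class happened to be on our classpath
            } catch (UnmarshalException e) {
                found.put(name, classNameFrom(e));        // the usual case: class missing locally
            } catch (NotBoundException e) {
                found.put(name, "<unbound between list() and lookup()>");
            }
        }
        return found;
    }

    // A stub that did resolve is either a generated *_Stub class or a java.lang.reflect.Proxy;
    // for a proxy the interesting names are the remote interfaces it implements.
    static String describe(Object stub) {
        Class<?> c = stub.getClass();
        if (Proxy.isProxyClass(c)) {
            return Arrays.stream(c.getInterfaces()).map(Class::getName).collect(Collectors.joining(", "));
        }
        return c.getName();
    }

    // lookup() wraps the failure as UnmarshalException -> ClassNotFoundException whose message
    // starts with the class name, e.g.
    // "com.vendor.app.FooImpl_Stub (no security manager: RMI class loader disabled)".
    static String classNameFrom(UnmarshalException e) {
        Throwable cause = e.getCause();
        while (cause != null && !(cause instanceof ClassNotFoundException)) {
            cause = cause.getCause();
        }
        if (cause == null || cause.getMessage() == null) {
            return "<unmarshal error: " + e.getMessage() + ">";
        }
        String msg = cause.getMessage();
        int space = msg.indexOf(' ');
        return space > 0 ? msg.substring(0, space) : msg;
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "127.0.0.1";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : Registry.REGISTRY_PORT;
        enumerate(host, port).forEach((name, cls) -> System.out.println(name + " -> " + cls));
    }
}
```

Run it with a bare classpath so that nothing resolves locally; the printed class names are what the talk then feeds into an Internet search. Leave java.rmi.server.useCodebaseOnly at its default of true (the default since 7u21): setting it to false would let an untrusted registry hand your client a codebase URL to load classes from.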
26. Insecure Use of RMI
• So, we can extract fully-qualified class names…
• What else can we learn from RMI network traffic?
• How can we extract this information?

32. Insecure Use of RMI
• A lot of time was spent in these tools
• Along the way code was produced to parse RMI traffic and extract useful data…
34. BaRMIe - Enumeration
• Proxy-based enumeration of RMI registries
• Start TCP proxy for RMI registry connection
• Request remote objects
• Buffer RMI ‘ReplyData’ packets
• Parse the packet contents to extract useful data

35-45. Knocking on Java’s Back Door
• Find RMI software
• Found over 14,000 RMI services on Shodan
• Over 27,000 Java objects exposed over RMI
• Not all exposed externally
• Many probably shouldn’t be exposed
Examples of bound object names found: DbVehicleSearchService, drivingLicenseManager, carUseRecordManager, CameraCapturedImages, CCPaymentService, superviseOilManager, SecurityServer, ROOT_TERMINAL, AdminAPI, system, UserConfigAPI, chainGunAPI, beerMachineApi, praiseService

46. Knocking on Java’s Back Door
• Honestly, no idea what any of these do!
• These are just examples of what people expose over RMI.
• This is bad if these services are implemented as insecurely as that first ‘writeFile’ example
48. Apache JMeter
• org.apache.jmeter.engine.RemoteJMeterEngineImpl_Stub
• Open source!
• Download source and review
• Locate classes that implement java.rmi.Remote

50. Apache JMeter
• Looks like anyone can configure this service!

51. Temis RemoteAdminServer
• com.temis.admin.remote.RemoteAdminServer_Stub
• Unable to locate source code or client jar
• BaRMIe revealed an interesting annotation…

52-56. Temis RemoteAdminServer
• Remote methods:
• UserProfile authenticate(String, String) (looks like they thought about security? UserProfile could be a session-like object?)
• boolean configure(Properties) …or not!
• String getAdminKey()
• int addUser(String, String, String, String)

57-58. Temis RemoteAdminServer
• Account takeover?
• List<UserProfile> getAllUserList()
• int changePassword(UserProfile, String)
• UserProfile methods:
• String getPassword()

59-60. Temis RemoteAdminServer
• More remote methods:
• String getDatabaseIP()
• String getDatabasePort()
• String getDatabaseName()
• String getDatabaseType()
• String getUsername()
• String getPassword()
61-62. RMI: What’s the Problem?
It gets worse…

64. Deserialization
• Process of converting data into runtime objects
• Often implemented/used insecurely
• Deserializing untrusted data is usually bad (a gadget chain built from classes already on the server’s classpath can run code during deserialization)
• RMI is heavily dependent on Java serialization (method arguments and return values travel as serialized objects)
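As an added example (not from the talk, and not a BaRMIe feature): the server-side check a practitioner would want against the deserialization problem described above. Since Java 9 (JEP 290) an ObjectInputFilter allow-list can be attached to a stream, or to every ObjectInputStream in the JVM, which includes the streams RMI uses to unmarshal remote method arguments. The package name com.example.app, the pattern and the sample objects are constructed for this demo; the HashMap stands in for the first class of a gadget chain.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;

public class RmiSerialFilterDemo {
    // Allow-list: the application's own classes plus the handful of JDK types its
    // remote methods legitimately receive. The trailing "!*" rejects everything
    // else, which is what stops a gadget chain: its classes never appear in a
    // legitimate call. (com.example.app is a placeholder package.)
    static final String PATTERN =
            "com.example.app.**;java.lang.String;java.lang.Integer;java.util.ArrayList;maxdepth=16;!*";

    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(PATTERN);

    // Install the same filter process-wide. RMI unmarshals arguments through an
    // ObjectInputStream, so this covers every remote object exported by the JVM.
    // It may be set once per JVM; -Djdk.serialFilter=<pattern> is the equivalent flag.
    public static void installGlobally() {
        ObjectInputFilter.Config.setSerialFilter(FILTER);
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize with the filter attached to this one stream: same decision logic as
    // the global filter, scoped so the demo runs without touching JVM-wide state.
    static Object deserializeFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs: an ArrayList<String> that the pattern allows, and a
        // HashMap that it does not.
        List<String> allowed = new ArrayList<>(List.of("report.txt"));
        HashMap<String, String> notAllowed = new HashMap<>();
        notAllowed.put("k", "v");

        System.out.println("ArrayList -> " + deserializeFiltered(serialize(allowed)));
        try {
            deserializeFiltered(serialize(notAllowed));
            System.out.println("HashMap -> accepted (filter not effective)");
        } catch (InvalidClassException e) {
            // The filter rejects the class before any of its readObject() code runs.
            System.out.println("HashMap -> rejected: " + e.getMessage());
        }
    }
}
```

Two caveats. The pattern must allow every type the server’s remote methods actually accept, including the classes those types reference in their fields, or legitimate calls start failing; build it from the remote interfaces and test it with the real client. And a filter only addresses deserialization: it does nothing for a readFile() that can be called without authenticating, which still needs the check inside the method.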
65-69. Adobe ColdFusion
• Most commonly exposed RMI service in my scans
• coldfusion.flex.rmi.DataServicesCFProxyServer_Stub
• No strikingly interesting remote methods
• Except…
• Call fill() to deserialize any object… (a parameter declared as Object lets the client send an arbitrary serialized payload)

70. Demo Time!
• Adobe ColdFusion 2016, fully up-to-date as of 11th September 2017
• Default install except for one setting
• Unauthenticated remote method invocation…
74. Java’s Back Door
• Testing some code
• Suddenly realised I’d made a mistake…
• …but the code worked…

75. Full RMI Proxy
• Successfully proxying RMI registry connections
• RMI registry does not handle method invocations
• Invocation handled by remote objects
• Different port
• Potentially different host
• Built a proxy to MitM method invocations

76-84. Proxying RMI
[Diagram: RMI Client, RMI Registry, RMI Object, Registry Proxy, Object Proxy]
1. First, we create an RMI registry proxy
2. Which is configured to connect directly to the target RMI registry
3. Our RMI client requests an object via the proxy
4. The object data is intercepted and parsed
5. The RMI registry proxy then creates an RMI object proxy
6. Which is configured to connect directly to the RMI object
7. We modify the object data to point at the new proxy and return it to the client
8. We can now MitM remote method invocation traffic!
85-87. Java’s Back Door
• So, what was that mistake?!
• Experimenting with network-level payload injection and ysoserial
• Called obj.foo(String) in RMI client, rather than obj.foo(Object)
• Proxy replaced the parameter…

88-94. Poking Java’s Back Door
• Invoking void printString("AAAAAAAAAA") looks like this: [slide image not included in transcript]
• A simple serialized object, new Dummy(), looks like this: [slide image not included in transcript]
• The proxy did this (with a ysoserial payload): [slide image not included in transcript]
• Remotely invoked an illegal method call
• void printString(new Dummy()):
• Server-side exception
• Dummy is not compatible with java.lang.String
• Payload had already been deserialized (the server reads each argument with readObject() before it is checked against the declared parameter type)

95. Java’s Back Door
If we invoke a remote method, we can replace parameters with incompatible payloads

96. Caveat
• Slight caveat, due to Java serialization format/protocol
• Method parameter that we replace must be non-primitive
• int, long, boolean etc cannot be replaced (primitives are written into the call stream as raw values via writeInt()/writeLong()/writeBoolean(), not as serialized objects)
• Integer, int[], ArrayList, and objects of arbitrary classes can

98. BaRMIe
• RMI often exposes legitimate but dangerous methods
• writeFile(), executeQuery()
• Proxy-based attacks can introduce further risk
• Vulnerabilities where there wouldn’t otherwise be a vulnerability
• Requires knowledge of remote classes/method signatures

99. BaRMIe
• Written a lot of code during this research…
• Enumeration of remote objects (identify classes)
• Attacks for various targets
• Executing legitimate methods
• Deserialization attacks using Object type parameters
• Deserialization attacks through illegal parameter replacement
• BaRMIe is an all-in-one RMI enumeration and attack tool

101. Conclusion
• RMI lacks maturity
• Often used very insecurely
• Object injection/deserialization attacks are almost always a possibility
• Old and ‘uninteresting’ technology can be a fun and fruitful research target!