Presentation by Ian de Villiers at ZaCon 2 about exploiting Java.
This presentation is about instrumenting Java applications. It begins with an explanation of what a JAR file is. The difficulties in attacking Java, such as signing and obfuscation, are discussed, as is how to overcome them. The presentation ends with a walkthrough example of how to instrument a Java application.
3. Why This Talk?
• import disclaimer;
• Not ground-breaking stuff – no 0-day
• Java applications and applets appear to be popular again
• Reversing Java applications can be difficult
• Tips for reversing Java in less time (in my experience in any case)…
SensePost - 2010
4. The JAR File
• Java ARchive
• Used to distribute Java applications / applets etc.
• ZIP file containing compiled classes, libraries, settings, certificates, *
• Trivial to extract
• Normally discloses a vast amount of information
5. Attacking Java is fun
• Trivial to reverse engineer
• Compiled applications are vulnerable to virtually all attacks traditional web apps are vulnerable to…
• …but all wrapped up in increased sense of developer smugness
• Repurposed Java applications make *awesome* attack tools
6. Difficulties Attacking Java
• Many classes and libraries in JAR files of complex applications
• Class files often do not decompile cleanly
• Impossible to fix all Java sources in a large application
• Applets and applications are frequently signed
• Obfuscated code
• Frequently have to rely on other tools too…
7. Defeating Signing
• Certificate information stored in META-INF
• MANIFEST.MF contains hashes for resources
• These files can easily be deleted…
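The JAR layout from slide 4 and the manifest digests from slide 7, as an added example that is not part of the talk or of any SensePost tooling: a Python script that builds a small constructed JAR in memory (a JAR is just a ZIP with META-INF/MANIFEST.MF inside), lists its contents, reports whether any signature files are present under META-INF, and checks each resource against the SHA-256-Digest recorded for it in the manifest. The entry names, file bytes and the tampered variant are all constructed for the example.

```python
import base64
import hashlib
import io
import zipfile

SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")


def build_sample_jar(tamper: bool = False) -> bytes:
    """Build a small constructed JAR in memory.

    The manifest carries a SHA-256-Digest for every resource. With tamper=True one
    entry is written with bytes that differ from what the digest was computed over,
    which is what a post-signing edit of a class looks like."""
    entries = {
        # Constructed placeholder bytes, not a real compiled class.
        "com/example/Login.class": b"\xca\xfe\xba\xbe" + b"\x00" * 12,
        "config/settings.properties": b"server=https://example.test/api\n",
    }
    manifest_lines = ["Manifest-Version: 1.0", ""]
    for name, data in entries.items():
        digest = base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")
        manifest_lines += [f"Name: {name}", f"SHA-256-Digest: {digest}", ""]
    if tamper:
        entries["com/example/Login.class"] = b"\xca\xfe\xba\xbe" + b"\x01" * 12
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "\r\n".join(manifest_lines) + "\r\n")
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def parse_manifest(text: str) -> dict:
    """Return {entry name: {header: value}} for every 'Name:' section of a manifest.

    Sections are separated by blank lines; a line starting with a single space
    continues the previous line (the JAR spec wraps manifest lines at 72 bytes)."""
    sections, current = [], []
    for raw in text.splitlines():
        if raw == "":
            if current:
                sections.append(current)
                current = []
        elif raw.startswith(" ") and current:
            current[-1] += raw[1:]
        else:
            current.append(raw)
    if current:
        sections.append(current)
    per_entry = {}
    for section in sections:
        headers = {}
        for line in section:
            key, _, value = line.partition(":")
            headers[key.strip()] = value.strip()
        if "Name" in headers:
            per_entry[headers["Name"]] = headers
    return per_entry


def inspect_jar(jar_bytes: bytes) -> dict:
    """Inventory a JAR and compare each entry with the digest recorded in MANIFEST.MF."""
    report = {"entries": [], "signature_files": [], "digest_ok": {}, "unlisted": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        report["entries"] = names
        # .SF/.RSA/.DSA/.EC under META-INF are the signature files. Without them the
        # manifest digests are unauthenticated: anyone who edits a class can recompute them.
        report["signature_files"] = [
            n for n in names
            if n.startswith("META-INF/") and n.upper().endswith(SIGNATURE_SUFFIXES)
        ]
        manifest = {}
        if "META-INF/MANIFEST.MF" in names:
            manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
        for name in names:
            if name.endswith("/") or name.startswith("META-INF/"):
                continue
            headers = manifest.get(name)
            if headers is None or "SHA-256-Digest" not in headers:
                report["unlisted"].append(name)
                continue
            expected = base64.b64decode(headers["SHA-256-Digest"])
            actual = hashlib.sha256(zf.read(name)).digest()
            report["digest_ok"][name] = expected == actual
    return report


if __name__ == "__main__":
    for label, jar in (("clean", build_sample_jar()), ("tampered", build_sample_jar(tamper=True))):
        rep = inspect_jar(jar)
        print(label, "entries:", rep["entries"])
        print(label, "signature files:", rep["signature_files"] or "none (unsigned)")
        print(label, "digest check:", rep["digest_ok"])
```

A matching digest only shows that an entry agrees with its own manifest; the manifest is protected only by the .SF and signature block files, so the empty `signature_files` list on the constructed JAR is the finding a reviewer should care about, not the green digest check. The `unlisted` list catches a resource that was added to the archive without ever being recorded in the manifest.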
8. What this Means
• Now possible to modify classes in JAR file
• Signing normally used specifically for Java applets
– Allow applets to access network resources
– Allow applets to read / write files
• However, the applet runs on *my* machine
– Can specify own security model…
9. Obfuscation
• Defeating Java obfuscation is difficult
• Depends on the obfuscation mechanism used
• In most cases, virtually impossible…
• … however, the newer attack methodologies outlined later will help
…but wait – there is more…
10. Obfuscation
• A bunch of classes depending on reflection methods and serialized objects cannot normally be obfuscated…
• … in obfuscated applications this provides us with a nice area to attack
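Why reflection and serialization limit what an obfuscator can rename, shown as an added example rather than anything from the talk: a class name passed to Class.forName() lives in the class file's constant pool as a plain string, and serialization field names such as serialVersionUID must keep their spelling, so those names survive obfuscation untouched. The Python script below (not the talk's code) parses the constant pool of a constructed minimal class file and pulls out the CONSTANT_Class references and the string constants shaped like fully qualified class names, which is what a reviewer should expect to remain readable in an obfuscated JAR. The class file, its names and the serialVersionUID value are all constructed for the example.

```python
import re
import struct

CLASS_MAGIC = b"\xca\xfe\xba\xbe"
# Payload size in bytes of the fixed-width constant pool tags (JVM spec, section 4.4).
FIXED_SIZE_TAGS = {3: 4, 4: 4, 5: 8, 6: 8, 9: 4, 10: 4, 11: 4, 12: 4,
                   15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
TAG_UTF8, TAG_CLASS, TAG_STRING = 1, 7, 8
# A dotted name with at least one package component, the shape Class.forName() expects.
CLASS_NAME_RE = re.compile(r"[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)+")


def parse_constant_pool(data: bytes) -> list:
    """Parse only the constant pool of a class file; index 0 is unused (pool is 1-based)."""
    if data[:4] != CLASS_MAGIC:
        raise ValueError("not a class file")
    count = struct.unpack_from(">H", data, 8)[0]  # constant_pool_count = slots + 1
    pool, off, i = [None], 10, 1
    while i < count:
        tag = data[off]
        off += 1
        if tag == TAG_UTF8:
            length = struct.unpack_from(">H", data, off)[0]
            off += 2
            # Class files use "modified UTF-8"; plain decoding is fine for ordinary names.
            pool.append(("Utf8", data[off:off + length].decode("utf-8", errors="replace")))
            off += length
        elif tag in (TAG_CLASS, TAG_STRING):
            index = struct.unpack_from(">H", data, off)[0]
            pool.append(("Class" if tag == TAG_CLASS else "String", index))
            off += 2
        elif tag in FIXED_SIZE_TAGS:
            pool.append((tag, None))
            off += FIXED_SIZE_TAGS[tag]
            if tag in (5, 6):  # Long and Double occupy two slots
                pool.append(None)
                i += 1
        else:
            raise ValueError(f"unknown constant pool tag {tag} at offset {off - 1}")
        i += 1
    return pool


def reflection_targets(pool: list) -> dict:
    """Names an obfuscator cannot safely rename: classes referenced by CONSTANT_Class
    entries and string constants that look like fully qualified class names."""
    classes, strings = set(), set()
    for entry in pool:
        if entry is None:
            continue
        kind, value = entry
        if kind == "Class":
            classes.add(pool[value][1])
        elif kind == "String":
            strings.add(pool[value][1])
    return {
        "classes": sorted(classes),
        "string_class_names": sorted(s for s in strings if CLASS_NAME_RE.fullmatch(s)),
    }


def build_sample_class() -> bytes:
    """Constructed minimal class file (version 52, no fields or methods) whose constant
    pool mirrors what javac emits for Class.forName("com.example.auth.TokenValidator")."""
    def utf8(s):
        b = s.encode("utf-8")
        return bytes([TAG_UTF8]) + struct.pack(">H", len(b)) + b

    def ref(tag, index):
        return bytes([tag]) + struct.pack(">H", index)

    pool = [
        utf8("com/example/Login"),                # 1
        ref(TAG_CLASS, 1),                        # 2  this_class
        utf8("java/lang/Object"),                 # 3
        ref(TAG_CLASS, 3),                        # 4  super_class
        utf8("com.example.auth.TokenValidator"),  # 5
        ref(TAG_STRING, 5),                       # 6  argument to Class.forName
        utf8("serialVersionUID"),                 # 7  field name serialization relies on
        b"\x05" + struct.pack(">q", 42),          # 8-9 Long constant (two slots), constructed
        utf8("Login failed"),                     # 10 an ordinary message string
        ref(TAG_STRING, 10),                      # 11
    ]
    header = CLASS_MAGIC + struct.pack(">HHH", 0, 52, 12)  # minor, major, constant_pool_count
    # access_flags, this_class, super_class, then zero interfaces/fields/methods/attributes.
    trailer = struct.pack(">HHHHHHH", 0x0021, 2, 4, 0, 0, 0, 0)
    return header + b"".join(pool) + trailer


if __name__ == "__main__":
    targets = reflection_targets(parse_constant_pool(build_sample_class()))
    print("classes referenced:", targets["classes"])
    print("class names in string constants:", targets["string_class_names"])
```

Run against the classes of a real JAR, the `string_class_names` list is the set of reflection targets an obfuscator had to leave in clear text, and every name in it is a class whose public surface the obfuscator could not rename either; that is the "nice area" the slide refers to, and also the list a developer should review before assuming obfuscation hides anything.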
11. Java Quick Kills
• Not necessary to fix all compiler errors
• Only need to fix specific classes with functionality you need
– Sanitisation libraries
– Network stream libraries
• Updated classes can be recompiled with the original JAR file to satisfy dependencies
17. Demo and Walkthrough
• Repurposing uses the same technique…
• … but changes the functionality in order to turn the application into an attack tool
18. Newer Attack Methods
• New research and toolsets make reversing and recompiling unnecessary…
• Also make it easier to attack obfuscated applications
• Cannot always be used for repurposing
• Cannot always be used for repurposing
19. BlackHat Europe – 2010
• Manish Saindane
– Demonstrated attacks against serialized objects
– Provided Burp plug-in to view and modify serialized objects
http://www.blackhat.com/html/bh-eu-10/bh-eu-10-archives.html
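What "viewing" a serialized object amounts to on the wire, as an added example that is neither the talk's material nor Manish Saindane's Burp plug-in: a Python parser for the start of a Java serialization stream (magic 0xACED, version 5, then a TC_OBJECT with its class descriptor) that reports which class, serialVersionUID and fields the stream is about to instantiate, without deserializing anything. It then applies an allowlist to the class chain, which is the defender's side of the same observation: knowing what class a stream names is what lets a gateway log or reject unexpected types. The class com.example.SessionToken, its fields and its serialVersionUID are constructed for the example.

```python
import struct

STREAM_MAGIC, STREAM_VERSION = 0xACED, 0x0005
TC_NULL, TC_REFERENCE, TC_CLASSDESC, TC_OBJECT = 0x70, 0x71, 0x72, 0x73
TC_STRING, TC_ENDBLOCKDATA = 0x74, 0x78
PRIMITIVE_TYPECODES = set(b"BCDFIJSZ")


class Reader:
    """Big-endian cursor over a byte string (the wire format is DataOutputStream)."""
    def __init__(self, data: bytes):
        self.data, self.off = data, 0

    def take(self, fmt: str):
        value = struct.unpack_from(fmt, self.data, self.off)[0]
        self.off += struct.calcsize(fmt)
        return value

    def utf(self) -> str:
        length = self.take(">H")
        s = self.data[self.off:self.off + length].decode("utf-8", errors="replace")
        self.off += length
        return s


def read_class_desc(r: Reader):
    """Read a classDesc: name, serialVersionUID, flags, field list and superclass chain."""
    tag = r.take(">B")
    if tag == TC_NULL:
        return None
    if tag != TC_CLASSDESC:
        raise ValueError(f"unsupported class descriptor tag 0x{tag:02x}")
    name, suid, flags = r.utf(), r.take(">Q"), r.take(">B")
    fields = []
    for _ in range(r.take(">H")):
        typecode, field_name = r.take(">B"), r.utf()
        if typecode in PRIMITIVE_TYPECODES:
            field_type = chr(typecode)
        else:
            # Object and array fields carry their type as a String object or a back-reference.
            marker = r.take(">B")
            if marker == TC_STRING:
                field_type = r.utf()
            elif marker == TC_REFERENCE:
                field_type = f"ref@{r.take('>I')}"
            else:
                raise ValueError("unexpected field type encoding")
        fields.append((field_name, field_type))
    if r.take(">B") != TC_ENDBLOCKDATA:
        raise ValueError("class annotations are not handled by this example")
    return {"name": name, "suid": suid, "flags": flags, "fields": fields,
            "super": read_class_desc(r)}


def describe_stream(data: bytes) -> dict:
    """Parse the header and the first object's descriptor; no object is ever created."""
    r = Reader(data)
    if r.take(">H") != STREAM_MAGIC or r.take(">H") != STREAM_VERSION:
        raise ValueError("not a Java serialization stream")
    if r.take(">B") != TC_OBJECT:
        raise ValueError("first item is not TC_OBJECT")
    return read_class_desc(r)


def class_chain(desc) -> list:
    chain = []
    while desc is not None:
        chain.append(desc["name"])
        desc = desc["super"]
    return chain


def check_allowlist(data: bytes, allowed: set) -> tuple:
    """Return (accepted, class chain); accepted only if every class in the chain is allowed."""
    chain = class_chain(describe_stream(data))
    return all(name in allowed for name in chain), chain


def build_sample_stream() -> bytes:
    """Constructed stream: what ObjectOutputStream writes for a Serializable
    com.example.SessionToken with fields 'long expires' and 'String user'."""
    def utf(s: str) -> bytes:
        b = s.encode("utf-8")
        return struct.pack(">H", len(b)) + b
    desc = (bytes([TC_CLASSDESC]) + utf("com.example.SessionToken")
            + struct.pack(">Q", 0x1122334455667788)  # serialVersionUID, constructed value
            + bytes([0x02])                          # SC_SERIALIZABLE
            + struct.pack(">H", 2)                   # two fields, primitives first
            + b"J" + utf("expires")
            + b"L" + utf("user") + bytes([TC_STRING]) + utf("Ljava/lang/String;")
            + bytes([TC_ENDBLOCKDATA]) + bytes([TC_NULL]))
    classdata = struct.pack(">q", 1700000000) + bytes([TC_STRING]) + utf("alice")
    return struct.pack(">HH", STREAM_MAGIC, STREAM_VERSION) + bytes([TC_OBJECT]) + desc + classdata


if __name__ == "__main__":
    ok, chain = check_allowlist(build_sample_stream(), {"com.example.SessionToken"})
    print("classes in stream:", chain, "accepted:", ok)
```

The header check here is a logging and triage aid, not a protective control: only the first object is described, and nested objects inside the class data name further classes. Inside the JVM the equivalent gate is the ObjectInputStream deserialization filter (ObjectInputFilter, available since Java 9), which sees every class the stream resolves.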
21. BlackHat Las Vegas – 2010
• Arshan Dabirsiaghi
– JavaSnoop: How to Hack Anything Written in Java
• Stephen de Vries
– Hacking Java Clients
• Both talks outlined new methods for attacking Java applications
http://www.blackhat.com/html/bh-us-10/bh-us-10-archives.html
23. In Summary
• Java reversing is fun
• Java reversing can be easy
• Newer attack methodologies no longer require attackers to reverse the application
• Traditional reversing techniques still normally apply for repurposing applications