Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Black Hat EU 2010 - Attacking Java Serialized Communication
1. ATTACK & DEFENSE
labs
Attacking JAVA Serialized
Communication
Manish S. Saindane
2. Who am I ?
• Security Researcher
– Working as a Lead Application Security Specialist for an
international software development and services company
– Likes to research on security issues in software
– Follow me @ blog.andlabs.org
ATTACK & DEFENSE
labs
Black Hat Europe 2010 2
3. Agenda
• JAVA Object Serialization Basics
• The Current Scenario & Challenges Faced
• Suggested Solution
• Demo
ATTACK & DEFENSE
labs
Black Hat Europe 2010 3
4. Objectives
• Simplify the penetration testing process of thick
clients and make it completely seamless
• Enable the pentester to edit JAVA objects in the same
way that a developer would
• Enable all of this using the currently available tools
ATTACK & DEFENSE
labs
Black Hat Europe 2010 4
6. JAVA Object Serialization
• Protocol implemented by SUN for converting JAVA
objects into a stream of bytes to be
– Stored in a file
– Transmitted across a network
• The serialized form contains sufficient information
such that it can be restored to an identical clone of
the original JAVA object
ATTACK & DEFENSE
labs
Black Hat Europe 2010 6
7. JAVA Object Serialization cont’d
• Objects can be written using the writeObject()
method provided by the ObjectOutput interface
• Objects can be retrieved using the readObject()
method provided by the ObjectInput interface
• The ObjectOutputStream and ObjectInputStream
classes implement the above interfaces respectively
ATTACK & DEFENSE
labs
Black Hat Europe 2010 7
8. JAVA Object Serialization cont’d
• JAVA Object Serialized data can be easily identified
by the 0xac 0xed stream header (also called as the
magic number)
ATTACK & DEFENSE
labs
Black Hat Europe 2010 8
9. JAVA Object Serialization cont’d
• If the object in the stream is a java.lang.String, it
is encoded in a modified UTF-8 format and preceded
by a 2-byte length information
• Make sure you read section 5.6 of the JAVA Object
Serialization specification before modifying the
objects
ATTACK & DEFENSE
labs
Black Hat Europe 2010 9
10. The Current Scenario
&
Challenges Faced
ATTACK & DEFENSE
labs
Black Hat Europe 2010 10
11. So what do we have ?
• Current tools or application interception proxies
allow very limited functionality to test such data
• Not as easy or straightforward as testing regular web
applications sending data in request parameters
• Some work has been done in the past to improve the
situation. Let’s have a look at some of these methods
ATTACK & DEFENSE
labs
Black Hat Europe 2010 11
12. Modifying Raw HEX
• One of the most basic techniques is to modify the
raw HEX data using a HEX editor
• This is very limited and can be used to modify simple
integers or string values in the raw data
• Isn’t really practical to inspect or modify complex
objects
ATTACK & DEFENSE
labs
Black Hat Europe 2010 12
13. Modifying Raw HEX cont’d
• Modifying raw data may result in a corrupted
Serialized byte stream
• Make sure to modify the length information if you
edit some string value as discussed earlier
• Existing interception proxies usually have very basic
HEX editors hence working with them becomes
difficult
ATTACK & DEFENSE
labs
Black Hat Europe 2010 13
14. Decompiling Class Files
• This can allow us to carefully study the application
logic
• Hardcoded values, sensitive functions, crypto
algorithms, etc. can be identified and used for
attacks
• Decompiling may not be straight forward for
applications making use of strong obfuscation
techniques ATTACK & DEFENSE
labs
Black Hat Europe 2010 14
15. Decompiling Class Files cont’d
• Popular decompilers like JAD, JD, Jode and DJ Java
Decompiler may be used for simple obfuscated
classes
• Editing signed jars may be difficult
ATTACK & DEFENSE
labs
Black Hat Europe 2010 15
16. Assessing JAVA Clients with BeanShell
• This was a technique developed by Stephen D’ Vires
from Corsaire
• It made use of the BeanShell scripting language that
was plugged into the client
• Could be handy in identifying client-side security
controls
ATTACK & DEFENSE
labs
Black Hat Europe 2010 16
17. Assessing JAVA Clients with BeanShell cont’d
• The pentester must be comfortable writing JAVA
code to use this technique
• The scope of this technique is too broad for our use
i.e. to tamper the serialized data
ATTACK & DEFENSE
labs
Black Hat Europe 2010 17
18. Runtime Protocol Analysis (RPA)
• This was presented by Shay Chen from Hacktics at an
OWASP Israel meet
• He spoke about creating a custom runtime protocol
analyzer to read data from JAVA serialized objects
• The object once read, could then be analyzed and
modified
ATTACK & DEFENSE
labs
Black Hat Europe 2010 18
19. Runtime Protocol Analysis (RPA) cont’d
• The way this works is:
– Sniff traffic over the network
– Split each request/response into individual packets
– Modify the destination URL or Host within the packet with
a HEX editor to a local server (protocol analyzer)
– Send it to the Protocol Analyzer using netcat
• The protocol analyzer is customized code written to
suit the protocol used to transfer the object
ATTACK & DEFENSE
labs
Black Hat Europe 2010 19
20. Runtime Protocol Analysis (RPA) cont’d
• This only drawback is that it is not completely
seamless
– Too many steps involved
– Takes some time to setup
– The protocol analyzer has to be modified and compiled
each time for different scenarios
• But this is the technique that suffices our needs to a
certain extent
ATTACK & DEFENSE
labs
Black Hat Europe 2010 20
22. Solution
Thick Client Interception Application
Application Proxy Server
JRuby Shell
ATTACK & DEFENSE
labs
Black Hat Europe 2010 22
23. Setup Needed
• Tools we need
– JRuby version 1.4.0
– BurpSuite version 1.2.x
– Buby version 1.8.x
– Any text editor
ATTACK & DEFENSE
labs
Black Hat Europe 2010 23
24. Why JRuby ?
• Why not a pure Java plug-in. Why JRuby?
– Easier syntax, hence easy to learn
– Can call almost all JAVA libraries
– Provides an interactive shell (jirb)
– Dynamic Type Language
ATTACK & DEFENSE
labs
Black Hat Europe 2010 24
25. Advantages
• Adds the ability of modifying JAVA objects on-the-fly
• Ease of use – makes the whole process seamless
• Hooks a JAVA development environment in your
interception proxy
• Can be used for other stuff too ….. Just be a bit
creative ;)
ATTACK & DEFENSE
labs
Black Hat Europe 2010 25
26. Demo
ATTACK & DEFENSE
labs
Black Hat Europe 2010 26
27. References
• Chen, S. (2008). Achilles’ heel – Hacking Through Java Protocols. OWASP Israel.
Herzliya.
• Monti, E. (n.d.). Buby. Retrieved from http://emonti.github.com/buby/
• Sun Microsystems. (n.d.). Java Object Serialization Specification. Retrieved from
sun.com:
http://java.sun.com/javase/6/docs/platform/serialization/spec/serialTOC.html
• Vries, S. d. (2006, June 15). Assessing JAVA Clients with the BeanShell. Retrieved
from Corsaire: http://research.corsaire.com/whitepapers/060816-assessing-java-
clients-with-the-beanshell.pdf
ATTACK & DEFENSE
labs
Black Hat Europe 2010 27
28. Big Thanks To
• For the work done that helped me build this:
– Shay Chen
– Eric Monti
• And of course for testing & review:
– Lavakumar Kuppan
– Luca Carettoni
If I have seen further it is only by standing on the shoulders of giants.
- Sir Isaac Newton
ATTACK & DEFENSE
labs
Black Hat Europe 2010 28
29. Questions ??
ATTACK & DEFENSE
labs
Black Hat Europe 2010 29
30. Thank You
Contact me:
manish (-at-) andlabs.org
ATTACK & DEFENSE
labs
Black Hat Europe 2010 30