attacking java serialized communication
play

Attacking JAVA Serialized Communication Manish S. Saindane Who am - PowerPoint PPT Presentation

Feb 11, 2024 •280 likes •577 views

ATTACK & & ATTACK labs DEFENSE DEFENSE Attacking JAVA Serialized Communication Manish S. Saindane Who am I ? Security Researcher Working as a Lead Applica8on Security Specialist for an interna8onal so:ware development and

  1. ATTACK & & ATTACK labs DEFENSE DEFENSE Attacking JAVA Serialized Communication Manish S. Saindane

  2. Who am I ? • Security Researcher – Working as a Lead Applica8on Security Specialist for an interna8onal so:ware development and services company – Likes to research on security issues in so:ware – Follow me @ blog.andlabs.org ATTACK ATTACK & & labs DEFENSE DEFENSE Black Hat Europe 2010 2

  3. Agenda • JAVA Object Serializa8on Basics • The Current Scenario & Challenges Faced • Suggested Solu8on • Demo ATTACK ATTACK & & labs DEFENSE DEFENSE Black Hat Europe 2010 3

  4. Objectives • Simplify the penetra8on tes8ng process of thick clients and make it completely seamless • Enable the pentester to edit JAVA objects in the same way that a developer would • Enable all of this using the currently available tools ATTACK ATTACK & & labs DEFENSE DEFENSE Black Hat Europe 2010 4

  5. JAVA Object Serialization Basics ATTACK ATTACK & & labs DEFENSE DEFENSE Black Hat Europe 2010 5

  6. JAVA Object Serialization • Protocol implemented by SUN for conver8ng JAVA objects into a stream of bytes to be – Stored in a file – TransmiQed across a network • The serialized form contains sufficient informa8on such that it can be restored to an iden8cal clone of the original JAVA object ATTACK ATTACK & & labs DEFENSE DEFENSE Black Hat Europe 2010 6

  7. JAVA Object Serialization cont’d • Objects can be wriQen using the writeObject() method provided by the ObjectOutput interface • Objects can be retrieved using the readObject() method provided by the ObjectInput interface • The ObjectOutputStream and ObjectInputStream classes implement the above interfaces respec8vely ATTACK ATTACK & & labs DEFENSE DEFENSE Black Hat Europe 2010 7

  8. JAVA Object Serialization cont’d • JAVA Object Serialized data can be easily iden8fied by the 0xac 0xed stream header (also called as the magic number) ATTACK ATTACK & & labs DEFENSE DEFENSE Black Hat Europe 2010 8

  9. JAVA Object Serialization cont’d • If the object in the stream is a java.lang.String , it is encoded in a modified UTF‐8 format and preceded by a 2‐byte length informa8on • Make sure you read sec8on 5.6 of the JAVA Object Serializa8on specifica8on before modifying the objects ATTACK ATTACK & & labs DEFENSE DEFENSE Black Hat Europe 2010 9

  10. The Current Scenario & Challenges Faced ATTACK ATTACK & & labs DEFENSE DEFENSE Black Hat Europe 2010 10

  11. So what do we have ? • Current tools or applica8on intercep8on proxies allow very limited func8onality to test such data • Not as easy or straigh^orward as tes8ng regular web applica8ons sending data in request parameters • Some work has been done in the past to improve the situa8on. Let’s have a look at some of these methods ATTACK ATTACK & & labs DEFENSE DEFENSE Black Hat Europe 2010 11

  12. Modifying Raw HEX • One of the most basic techniques is to modify the raw HEX data using a HEX editor • This is very limited and can be used to modify simple integers or string values in the raw data • Isn’t really prac8cal to inspect or modify complex objects ATTACK ATTACK & & labs DEFENSE DEFENSE Black Hat Europe 2010 12

  13. Modifying Raw HEX cont’d • Modifying raw data may result in a corrupted Serialized byte stream • Make sure to modify the length informa8on if you edit some string value as discussed earlier • Exis8ng intercep8on proxies usually have very basic HEX editors hence working with them becomes difficult ATTACK ATTACK & & labs DEFENSE DEFENSE Black Hat Europe 2010 13

  14. Decompiling Class Files • This can allow us to carefully study the applica8on logic • Hardcoded values, sensi8ve func8ons, crypto algorithms, etc. can be iden8fied and used for aQacks • Decompiling may not be straight forward for applica8ons making use of strong obfusca8on techniques ATTACK ATTACK & & labs DEFENSE DEFENSE Black Hat Europe 2010 14

  15. Decompiling Class Files cont’d • Popular decompilers like JAD, JD, Jode and DJ Java Decompiler may be used for simple obfuscated classes • Edi8ng signed jars may be difficult ATTACK ATTACK & & labs DEFENSE DEFENSE Black Hat Europe 2010 15

  16. Assessing JAVA Clients with BeanShell • This was a technique developed by Stephen D’ Vires from Corsaire • It made use of the BeanShell scrip8ng language that was plugged into the client • Could be handy in iden8fying client‐side security controls ATTACK ATTACK & & labs DEFENSE DEFENSE Black Hat Europe 2010 16

  17. Assessing JAVA Clients with BeanShell cont’d • The pentester must be comfortable wri8ng JAVA code to use this technique • The scope of this technique is too broad for our use i.e. to tamper the serialized data ATTACK ATTACK & & labs DEFENSE DEFENSE Black Hat Europe 2010 17

  18. Runtime Protocol Analysis (RPA) • This was presented by Shay Chen from Hack8cs at an OWASP Israel meet • He spoke about crea8ng a custom run8me protocol analyzer to read data from JAVA serialized objects • The object once read, could then be analyzed and modified ATTACK ATTACK & & labs DEFENSE DEFENSE Black Hat Europe 2010 18

  19. Runtime Protocol Analysis (RPA) cont’d • The way this works is: – Sniff traffic over the network – Split each request/response into individual packets – Modify the des8na8on URL or Host within the packet with a HEX editor to a local server (protocol analyzer) – Send it to the Protocol Analyzer using netcat • The protocol analyzer is customized code wriQen to suit the protocol used to transfer the object ATTACK ATTACK & & labs DEFENSE DEFENSE Black Hat Europe 2010 19

  20. Runtime Protocol Analysis (RPA) cont’d • This only drawback is that it is not completely seamless – Too many steps involved – Takes some 8me to setup – The protocol analyzer has to be modified and compiled each 8me for different scenarios • But this is the technique that suffices our needs to a certain extent ATTACK ATTACK & & labs DEFENSE DEFENSE Black Hat Europe 2010 20

  21. Suggested Solution ATTACK ATTACK & & labs DEFENSE DEFENSE Black Hat Europe 2010 21

  22. Solution Thick Client Intercep1on Applica1on Applica1on Proxy Server JRuby Shell ATTACK ATTACK & & labs DEFENSE DEFENSE Black Hat Europe 2010 22

  23. Setup Needed • Tools we need – JRuby 1.4.0 – BurpSuite version 1.2.x – Buby version 1.8.x – Any text editor ATTACK ATTACK & & labs DEFENSE DEFENSE Black Hat Europe 2010 23

  24. Why JRuby ? • Why not a pure Java plug‐in. Why JRuby? – Easier syntax, hence easy to learn – Can call almost all JAVA libraries – Provides an interac8ve shell (jirb) – Dynamic Type Language ATTACK ATTACK & & labs DEFENSE DEFENSE Black Hat Europe 2010 24

  25. Big Thanks To • For the work done that helped me build this: – Shay Chen – Eric Mon8 • And of course for tes8ng & review: – Lavakumar Kuppan – Luca CareQoni If I have seen further it is only by standing on the shoulders of giants. - Sir Isaac Newton ATTACK ATTACK & & labs DEFENSE DEFENSE Black Hat Europe 2010 25

  26. Demo ATTACK ATTACK & & labs DEFENSE DEFENSE Black Hat Europe 2010 26

  27. References Chen, S. (2008). Achilles’ heel – Hacking Through Java Protocols. OWASP Israel. • Herzliya. Mon8, E. (n.d.). Buby . Retrieved from hQp://emon8.github.com/buby/ • • Sun Microsystems. (n.d.). Java Object Serializa9on Specifica9on . Retrieved from sun.com: hQp://java.sun.com/javase/6/docs/pla^orm/serializa8on/spec/serialTOC.html Vries, S. d. (2006, June 15). Assessing JAVA Clients with the BeanShell. Retrieved • from Corsaire: hQp://research.corsaire.com/whitepapers/060816‐assessing‐java‐ clients‐with‐the‐beanshell.pdf ATTACK ATTACK & & labs DEFENSE DEFENSE Black Hat Europe 2010 27

  28. Ques1ons ?? ATTACK ATTACK & & labs DEFENSE DEFENSE Black Hat Europe 2010 28

Recommend

Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat

Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat

Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat Researcher at Trend Micro- research and blogger on criminal underground, persistent threats,

792 views • 44 slides
SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1

SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1

SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1 Alexander @sh2kerr Polyakov. PCI QSA,PA-QSA 11 We change look but we keep mind Company Digital Security Research Group International

924 views • 59 slides
USING THE STRUCTURE OF SERIALIZED TV, DIGITAL CONTENT TO TEACH WRITING STRATEGIES IN COMPOSITION

USING THE STRUCTURE OF SERIALIZED TV, DIGITAL CONTENT TO TEACH WRITING STRATEGIES IN COMPOSITION

USING THE STRUCTURE OF SERIALIZED TV, DIGITAL CONTENT TO TEACH WRITING STRATEGIES IN COMPOSITION No one here is exactly what he appears to be. -Ambassador G'Kar (Babylon 5) PILOT STORYTELLING IN BITS AND PIECES A Room of

389 views • 19 slides
SimpleGenericHTTPSoapClient //network communication via HTTP import java.io.*; import

SimpleGenericHTTPSoapClient //network communication via HTTP import java.io.*; import

SimpleGenericHTTPSoapClient //network communication via HTTP import java.io.*; import java.util.*; public class SimpleGenericHTTPSoapClient { //Default values used if no command line parameters are set private static final String

398 views • 3 slides
JAVA Java vs. Java Java Language Specification

JAVA Java vs. Java Java Language Specification

BR 10/05 JAVA Java vs. Java Java Language Specification http://java.sun.com/docs/books/jls/second_edition/html/j.title.doc.html Java programming language is compiled into java byte code Java Virtual Machine Specification

1.07k views • 44 slides
Java Middleware Patrick Eugster, Till Bay, Tomas Hruz Java Middleware What is middleware

Java Middleware Patrick Eugster, Till Bay, Tomas Hruz Java Middleware What is middleware

Chair of Software Engineering Languages in Depth Series: Java Programming Prof. Dr. Bertrand Meyer Java Middleware Patrick Eugster, Till Bay, Tomas Hruz Java Middleware What is middleware Client-server communication and method invocation

675 views • 65 slides
Network Programming in Java Agenda Socket-based communication Remote method invocation

Network Programming in Java Agenda Socket-based communication Remote method invocation

Network Programming in Java Agenda Socket-based communication Remote method invocation (RMI) 1 2 Distributed computations Communication Todays computing environments are Java provides two mechanisms for distributed computing:

352 views • 14 slides
Attacking the Baseband Modem of Mobile Phones to Breach the Users Privacy and Network Security

Attacking the Baseband Modem of Mobile Phones to Breach the Users Privacy and Network Security

Attacking the Baseband Modem of Mobile Phones to Breach the Users Privacy and Network Security Dr. Christos Xenakis Dr. Christoforos Ntantogian Associate Professor, Department of Digital Systems School of Information and Communication

524 views • 26 slides
SK Telecom 1 U U U U U U U- U - - communication - - - - - communication

SK Telecom 1 U U U U U U U- U - - communication - - - - - communication

U U U U U U U- U - - communication - - - - - communication communication communication communication communication communication communication Korea Mobile Market Trend for Convergence & Ubiquitous Communication 2004.

400 views • 16 slides
Multi-core in JVM/Java Concurrent programming in java Prior Java 5 Java 5 (2006)

Multi-core in JVM/Java Concurrent programming in java Prior Java 5 Java 5 (2006)

Multi-core in JVM/Java Concurrent programming in java Prior Java 5 Java 5 (2006) Java 7 (2010) Other topics Basic concurrency in Java Java Memory Model describes how threads interact through memory Single thread

812 views • 34 slides
Java Java Basics Java Program Statements Java Review Conditional statements

Java Java Basics Java Program Statements Java Review Conditional statements

Java Java Basics Java Program Statements Java Review Conditional statements Repetition statements (loops) Writing Classes in Java Selim Aksoy Class definitions Bilkent University Encapsulation and Java modifiers

346 views • 11 slides
1 Java compilation model Java bytecode format void spin () { int i; for (i = 0; i < 100;

1 Java compilation model Java bytecode format void spin () { int i; for (i = 0; i < 100;

The Java programming environment Introduction to JVM Based on material produced by Bill Venners 1 2 The Java platform The role of the virtual machime byte code generated by the Java front-end is an intermediate representation (IR)

834 views • 3 slides
TM Technology for Blu-ray and TV: Java Creating your own Blu-ray Java Discs The Blu-ray Java

TM Technology for Blu-ray and TV: Java Creating your own Blu-ray Java Discs The Blu-ray Java

TM Technology for Blu-ray and TV: Java Creating your own Blu-ray Java Discs The Blu-ray Java Authoring Team: Bill Foote, Chihiro Saito, A. Sundararajan, Jaya Hangal TS-5449 Talk Outline HD Cookbook Community Overview Target: Blu-ray

592 views • 44 slides
DTrace Topics: -> java/lang/System.arraycopy <- java/lang/System.arraycopy Java <-

DTrace Topics: -> java/lang/System.arraycopy <- java/lang/System.arraycopy Java <-

# ./jflow.d <- java/lang/Thread.sleep -> Greeting.greet -> java/io/PrintStream.println -> java/io/PrintStream.print -> java/io/PrintStream.write -> java/io/PrintStream.ensureOpen <- java/io/PrintStream.ensureOpen ->

632 views • 34 slides
Migrating to Java 9 Modules @Sander_Mak By Sander Mak Migrating to Java 9 Java 8 java -cp ..

Migrating to Java 9 Modules @Sander_Mak By Sander Mak Migrating to Java 9 Java 8 java -cp ..

Migrating to Java 9 Modules @Sander_Mak By Sander Mak Migrating to Java 9 Java 8 java -cp .. -jar myapp.jar Java 9 java -cp .. -jar myapp.jar Today's journey Running on Java 9 Java 9 modules Migrating to modules Modularising code

851 views • 45 slides
C vs Java Dalhousie University Winter 2019 Comparing C to Java Assumption: You know Java well.

C vs Java Dalhousie University Winter 2019 Comparing C to Java Assumption: You know Java well.

CSCI 2132: Software Development Norbert Zeh Faculty of Computer Science C vs Java Dalhousie University Winter 2019 Comparing C to Java Assumption: You know Java well. Focus on differences between C and Java. Arithmetic Operators Most

152 views • 14 slides
Attacking the stack Thanks to SysSec and Int. Secure Systems Labs at Vienna University of

Attacking the stack Thanks to SysSec and Int. Secure Systems Labs at Vienna University of

Attacking the stack Thanks to SysSec and Int. Secure Systems Labs at Vienna University of Technology for some of these slides sws1 1 1 Attacking the stack We have seen how the stack works. Now: lets see how we can abuse this. We have

733 views • 48 slides
Actually, C++ and Java are much the same as C. C was designed in the 1970s. 1 Java 2 C 3

Actually, C++ and Java are much the same as C. C was designed in the 1970s. 1 Java 2 C 3

C is a high level language (HLL) Its syntax is much the same as Java and C++, but no objects. Actually, C++ and Java are much the same as C. C was designed in the 1970s. 1 Java 2 C 3 Why C ? 1. Millions of lines of code have been

377 views • 23 slides
JAVA Language Mapping Java IDL (CORBA) introduced in Version 1.2 of the Java 2 platform,

JAVA Language Mapping Java IDL (CORBA) introduced in Version 1.2 of the Java 2 platform,

BR 11/05 JAVA Language Mapping Java IDL (CORBA) introduced in Version 1.2 of the Java 2 platform, provides an interface between Java programs and distributed objects and services built using the Common Object Request Broker

355 views • 31 slides
Lecture 5: Message Passing & Other Communication Mechanisms (SR & Java) Intro:

Lecture 5: Message Passing & Other Communication Mechanisms (SR & Java) Intro:

Lecture 5: Message Passing & Other Communication Mechanisms (SR & Java) Intro: Synchronous & Asynchronous Message Passing Types of Processes in Message Passing Examples Asynchronous Sorting Network Filter (SR)

914 views • 50 slides
JAVA Basics & OOP 2020/3/14 Write Once, Run Anywhere Java Virtual Machine (JVM)

JAVA Basics & OOP 2020/3/14 Write Once, Run Anywhere Java Virtual Machine (JVM)

Poly- mor- phism Abstra ction Class OOP Inheri -tance En- capsu- lation Kuan-Ting Lai JAVA Basics & OOP 2020/3/14 Write Once, Run Anywhere Java Virtual Machine (JVM) http://net-informations.com/java/intro/jvm.htm Java Overview

660 views • 44 slides
RIDING THE JET STREAMS FUAD MALIKOV | HAZELCAST JAVA 8 STREAM API WHAT IS IT? JAVA 8 PRE JAVA

RIDING THE JET STREAMS FUAD MALIKOV | HAZELCAST JAVA 8 STREAM API WHAT IS IT? JAVA 8 PRE JAVA

RIDING THE JET STREAMS FUAD MALIKOV | HAZELCAST JAVA 8 STREAM API WHAT IS IT? JAVA 8 PRE JAVA 8 HISTORIC TIMES Collections Iterators For loops If-else statements WORD COUNT CODE Pre Java 8 Stream examples Get the unique

489 views • 19 slides
y g sws1 1 Attacking the stack Thanks to SysSec and Int. Secure Systems Labs at Vienna

y g sws1 1 Attacking the stack Thanks to SysSec and Int. Secure Systems Labs at Vienna

Security bug of the week (in iOS and OS X) y g sws1 1 Attacking the stack Thanks to SysSec and Int. Secure Systems Labs at Vienna University of Technology for some of these slides sws1 2 2 Attacking the stack g We have seen how the

850 views • 47 slides
The testing pyramid Maurcio F. Aniche M.F.Aniche@tudelft.nl A.java ATest.java Thats what

The testing pyramid Maurcio F. Aniche M.F.Aniche@tudelft.nl A.java ATest.java Thats what

The testing pyramid Maurcio F. Aniche M.F.Aniche@tudelft.nl A.java ATest.java Thats what we have been calling B.java BTest.java Unit Testing . C.java CTest.java Some definitions ISQTB: Searches for defects in, and verifies the

604 views • 17 slides

More recommend