
Slide 1: Security Assessing Java RMI
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation, http://www.owasp.org
Adam Boulton, OWASP Contributor, Corsaire
Adam.Boulton@corsaire.com, +44 1483 746700
24th Sept 2008

Slide 2: Profile
- Principal Security Consultant at Corsaire
- Anti-Virus Analyst for Sophos Plc
- Ministry of Defence (Level 1 Security Clearance)
- BSc 1st Class (Hons) Software Engineering
- Big Java fan: check out OWASP Java Gotchas!

Slide 3: Agenda
- What is Remote Method Invocation (RMI)?
- RMI Architecture
- Attacking an RMI service with RMI Spy
- Securing RMI services

Slide 4: What is RMI?
- Distributed computing solution
- All about remote objects
- Part of the core JDK platform since 1.1
- java.rmi package
- Not familiar? Think of:
  - Microsoft .NET Remoting
  - RPC
  - CORBA

Slide 5: What is RMI? (cont.)
- Communicating between 2 JVMs over a network
- Export functionality at the object level
- Remote clients deal with objects as if they were local
- RMI uses object serialization
  - Your custom classes must implement the Serializable interface so they can be distributed
  - Primitives are just sent by value

Slide 6: What is RMI? (cont.)
- Transparent solution
- All underlying network functionality is handled for you
- The RMI Specification states: "Make writing reliable distributed applications as simple as possible"
- Increases the risk that services are implemented insecurely
- Security through obscurity

Slide 7: RMI Architecture
(Diagram: Client (Interface) talks to Server (Implementation) over TCP/IP using the JRMP protocol.)

Slide 8: RMI Registry
- Used for looking up objects
- Servers register their objects
- Clients use it to find and obtain remote references
- Runs on port 1099 by default

Slide 9: RMI tools
- RMIC (rmic.exe): special compiler that creates the stub and skeleton
- Registry, created by either:
  - rmiregistry.exe, or
  - LocateRegistry.createRegistry(int portNo)

Slide 10: The Interface / Method Hash
- 64-bit hash (SHA-1)
- Method name + method descriptor used as the message
- Example:
  - void myRemoteMethod(int i, Object o, boolean b)
  - myRemoteMethod(ILjava/lang/Object;Z)V
  - 0xB7B6B5B4B3B2B1B0

Slide 11: Hash weakness
- An attacker can pre-calculate hashes if they know the API details
- 64-bit
  - Brute-force
  - Rainbow tables
- Due to the implementation it doesn't even appear to actually be 64 bits!
- Still doing the analysis
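The method hash on the two slides above, reproduced as an added example (not code from the talk or from RMI Spy): it follows the recipe the JDK's stub generator uses for v1.2 stubs (SHA-1 over writeUTF of method name plus JVM descriptor, first eight digest bytes read little-endian), so a server owner can list the wire-level "keys" of an exported interface and see that anyone holding the interface can derive them. The Demo interface is a constructed stand-in for the talk's example method.

```java
import java.io.ByteArrayOutputStream;
import java.io.DataOutputStream;
import java.lang.invoke.MethodType;
import java.lang.reflect.Method;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.security.DigestOutputStream;
import java.security.MessageDigest;

// Recomputes the JRMP method hash for every method of a remote interface.
// The input to the hash is public API information only: name + descriptor.
public class RmiMethodHash {

    // Hypothetical remote interface standing in for the talk's example method.
    public interface Demo extends Remote {
        void myRemoteMethod(int i, Object o, boolean b) throws RemoteException;
    }

    // Builds "myRemoteMethod(ILjava/lang/Object;Z)V", the string that is hashed.
    static String nameAndDescriptor(Method m) {
        return m.getName()
             + MethodType.methodType(m.getReturnType(), m.getParameterTypes())
                         .toMethodDescriptorString();
    }

    static long methodHash(Method m) throws Exception {
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        DataOutputStream out = new DataOutputStream(
                new DigestOutputStream(new ByteArrayOutputStream(), sha1));
        out.writeUTF(nameAndDescriptor(m)); // 2-byte length prefix + modified UTF-8
        out.flush();
        byte[] digest = sha1.digest();
        long hash = 0;
        for (int i = 0; i < 8; i++) {       // only the first 64 bits of SHA-1 are used
            hash += ((long) (digest[i] & 0xFF)) << (i * 8); // little-endian assembly
        }
        return hash;                        // the signed 64-bit value sent on the wire
    }

    public static void main(String[] args) throws Exception {
        for (Method m : Demo.class.getMethods()) {
            System.out.printf("%-45s %d (0x%016X)%n",
                    nameAndDescriptor(m), methodHash(m), methodHash(m));
        }
    }
}
```

Run it against your own remote interfaces to get the exact hash each exported method answers to; a value derived this way from a descriptor cannot act as a secret.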

Slide 12: RMI server secrets...
- An attacker's shopping list:
  - Bound object names
  - Stub name
  - A static signed 64-bit key (or keys)
  - Method prototypes (interface)
  - The ability to code a client!

Slide 13: Today's RMI service...
- Only hosting 3 methods
- Let's attack it.... LIVE!

Slide 14: Methodology for a 0-day RMI assessment
- Step 1: Enumerate bound object names
- Step 2: Determine stub name
- Step 3: Enumerate method hashes
- Step 4: Determine method prototypes
- Step 5: Create stub

Slide 15: Step 1, Enumerate bound objects
- Use your own scanning tools to detect an RMI service
- Identify objects which are bound to the port that we can talk to
- Easily done using the java.rmi package

Slide 16: Step 2, Determine stub name
- The correct stub name is required so we can talk to the RMI service
- Use RMISpyStubName to establish the correct stub name
- Rename the template

Slide 17: Step 3, Enumerate key / method hashes
- The hashes are calculated from the method descriptors
- The signed 64-bit value
- Remember, only 1 hash for v1.1
- Add the hash to the template
- Hashes can be pre-calculated

Slide 18: Step 4, Determine method prototypes
- First establish the parameter types
  - A bit more manual work
- Secondly, establish the return type
  - Object is our friend
- Method names are irrelevant
  - It's all about the 64-bit signed value

Slide 19: Step 5, Creating the stub
- Detail has been added at each stage; we now have enough for a fully working custom client!
- The service is now ready to fingerprint in more detail.
- By using the business logic layer we can determine LOTS more detail.
- Can rely on the developer getting it wrong to establish more detail.

Slide 20: Why is RMI insecure?
- Building on an insecure foundation
- Skeleton implementation is flawed
- False sense of security
- Security through obscurity
- Keys are insufficient
- Chances are you won't notice an attacker until a correct client has been constructed

Slide 21: Securing an RMI Server
- Adapt the RMI server code
- Stop information leakage
  - Sun should have read the OWASP Top 10!
- Modify the method hashes
- Java Authentication and Authorization Service (JAAS)
- Be careful what you expose!
  - Just because you don't release a client with the functionality doesn't mean attackers can't see it!
- Don't expose the server object directly
- Don't rely on security through obscurity

Slide 22: Securing an RMI Server (cont.)
- Logging
  - Invoke from the command line: java -Djava.rmi.server.logCalls=true YourServerImp
  - Or enable inside the program: RemoteServer.setLog(System.err);
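A server skeleton that applies the advice on the two slides above, as an added example and not code from the talk: call logging is switched on programmatically, the business object is never exported, and an exported facade logs and authorizes every call before delegating. AccountService, AccountServiceImpl and the host allow-list are constructed for this example; a real deployment would put a JAAS login and authorization check where the allow-list sits.

```java
import java.rmi.AccessException;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.RemoteServer;
import java.rmi.server.ServerNotActiveException;
import java.rmi.server.UnicastRemoteObject;
import java.util.Set;

// Hypothetical remote interface: the only surface that is exported over JRMP.
interface AccountService extends Remote {
    String balance(String account) throws RemoteException;
}

// The real business logic is a plain class, not a Remote object, so it can never
// be bound, looked up or invoked over the wire on its own.
class AccountServiceImpl {
    String balance(String account) { return account + ": 42.00"; } // constructed sample data
}

// Exported facade: every call is logged with the caller's host and authorized before
// it is delegated. The host allow-list is a stand-in for a real JAAS check.
class AccountServiceFacade implements AccountService {
    private static final Set<String> ALLOWED_HOSTS = Set.of("127.0.0.1"); // assumed policy
    private final AccountServiceImpl impl = new AccountServiceImpl();

    public String balance(String account) throws RemoteException {
        String caller;
        try {
            caller = RemoteServer.getClientHost(); // only defined inside a remote call
        } catch (ServerNotActiveException e) {
            caller = "local";
        }
        System.err.printf("balance(%s) requested by %s%n", account, caller);
        if (!ALLOWED_HOSTS.contains(caller)) throw new AccessException("denied"); // leak nothing
        return impl.balance(account);
    }
}

public class SecureRmiServer {
    public static void main(String[] args) throws Exception {
        RemoteServer.setLog(System.err); // same effect as -Djava.rmi.server.logCalls=true
        Registry registry = LocateRegistry.createRegistry(1099);
        AccountService stub = (AccountService) UnicastRemoteObject.exportObject(
                new AccountServiceFacade(), 0);
        registry.rebind("AccountService", stub);
        System.err.println("AccountService bound on port 1099; Ctrl-C to stop");
    }
}
```

The bound name "AccountService" is still visible to anyone who can list the registry, which is exactly why the authorization check lives inside the exported object rather than in the client.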

Slide 23: Further Developments of RMI Spy
- Fully automated
  - Integrating the 5 stages into a click-and-run
- GUI
- Automated interface and stub creation
- Packet sniffer
  - RMI call parser
  - Pull keys from the wire
  - Pull objects from the wire and assess
  - Modify objects on the fly

Slide 24: Further Developments of RMI Spy (cont.)
- Code tidy!
- Hash generator
- Dynamic invocation
- Fuzzing
- Exception handler (what is the server telling us?)
- Multi-threading
- Hash attack (possibly C++ and packet-based)

Slide 25: Summary
- RMI Architecture
- Why RMI is insecure
  - The comment in the generated code says "do not edit". We all know differently now.
  - Security is difficult; even Sun don't always get it right!
- RMI Spy
  - Only tool in (known) existence to attack RMI services
- How to secure RMI

Slide 26: Questions
