Page 1
JavaSnoop: how to hack anything in Java
Arshan Dabirsiaghi, Director of Research
Aspect Security, http://www.aspectsecurity.com/
http://i8jesus.com/ @nahsra
Page 2
Any more detail is theoretically irrelevant. A client is a client.
Page 3
Agenda
Why hacking Java apps is practically difficult
Showing how JavaSnoop solves the problem
Demos, videos, details
Page 4
Page 5
Hey, Security Company X. I want you to test the security of this important applet. Can you do it in 40 hours?
No problem, we do it all the time!! What’s an applet again?
Absolutely. I can scan that with WebInspect, right?
Page 6
Zero intel on applet.
Looks to be some kind of chat thing.
Not sure about protocols, exit points, data types.
After eating Panda Express and bitching about lack of useful docs, time left: 38 hours.
Page 7
Option #1 (hack the traffic)
1. Pray it uses HTTP
2. Pray it has configurable proxy settings
3. Pray it doesn’t use serialized objects/layer 7.5 encryption/custom protocols
[Diagram: Applet -> MITM yourself -> Server]
Page 8
I set up Wireshark to look at the data.
Crap, it’s not HTTP. It’s some kind of bizarro protocol. That rules out Ethereal/Middler too.
What am I even looking at? Never mind, this clearly didn’t work.
Time left: 35 hours.
Page 9
Option #2 (hack the client)
1. Grab classes/jars
2. Decompile them
3. Perform source code review
Theoretical next steps:
4. Alter code
5. Recompile evil client
6. Send custom attacks
Real next steps:
4. Alter code
5. Nothing compiles/works
6. Tests never happen or are invalid
Page 10
1. I download the applet codebase.
2. I decompile the codebase.
3. I load the decompiled code into Eclipse.
Are you serious? 3800+ errors? Is every single line of code broken?
I don’t have that kind of time. Time left: 31 hours.
Page 11
Option #3 (hack the server)
1. Pray the endpoints are HTTP
2. Pray it doesn’t require client certificates
3. Pray it doesn’t use serialized objects/layer 7.5 encryption/custom protocols
[Diagram: Fiddler, Burp, Webscarab, SoapUI -> Application endpoints]
Page 12
Tried to talk to the server.
Not sure about this traffic - some new raw-byte protocol?
F*#&ing stupid Java s*%#, mother*@#& bananas.
Entering Mel Gibson rage.
I need some “me” time. Time left: 27 hours.
Page 13
We need some inspiration. Anna?
If only there was a “WebScarab” or “Burp”, but for the Java Virtual Machine. If there was, I could tamper with method parameters like HTTP traffic. That certainly would have made Scary Movie 3 easier to make. Also, I love you Arshan.
-- Anna Faris
Page 14
That sounds like something we could do with instrumentation.
we miss you pdp, come back
Page 15
What is instrumentation?
Page 16
How would instrumentation help?
Page 17
[Diagram: Target application <-> Our evil hacking program (JavaSnoop); labels: method parameters, return value, tampered method parameters, tampered return value]
Page 18
Number of flaws found: zero.
Have to read up on instrumentation.
Time left: 20 hours.
Am I really good at my job? Maybe I should have stayed in development/snarky Slashdot commenting.
Page 19
To redefine a class we need the actual raw bytecode. I tried putting in: alert(document.cookie) … but it didn’t work.
Page 20
reJ: http://rejava.sourceforge.net
Example of wedging in a println() at the top and bottom of a function.
Page 21
Dailydaver’s guide to Java VM
[Diagram, Ring0 through Userland: Java VM and JavaAgent in Ring0; Runlevel 0: Bootstrap classloader, core Java classes (/jre/lib); Runlevel 1: Extension classloader, supporting classes (/jre/lib/ext); Runlevel 2: System classloader, custom classes (java.class.path)]
Page 22
(same diagram as page 21)
Page 23
[Diagram: Java Snoop Agent + Java Snoop Managing UI = JavaSnoop = awesome]
Page 24
Time left: 12 hours. It’s Thursday.
THERE’S NOT ENOUGH TIME
Page 25
Agenda
Why hacking Java apps is practically difficult
Showing how JavaSnoop solves the problem
Demos, videos, details
Page 26
Step #1: Start up JavaSnoop
Okay, I can do that.
Page 27
Step #2: Start up target
Okay, that’s easy too. Can I call myself a hacker now?
Page 28
Step #3: Attach evil agent to target VM
Hurry up, only 8 hours left.
[Diagram label: JavaAgent]
Page 29
Aside: how do I know which Java process to target?
Page 30
Step #4: pick a method to hack and how
Let’s check “Tamper with parameters”. Clock is ticking.
Page 31
Step #5: JavaSnoop inserts a callback into method, which soon gets called
Can I start name dropping yet? Better yet, will you name drop me?
[Diagram label: JavaAgent]
Page 32
Step #6: Tamper with the data
[Table columns: Parameter #, Parameter value, Parameter type]
Page 33
Aside: JavaSnoop has custom views for editing Lists, Maps, Java primitives, arrays, byte arrays, and even custom objects
Page 34
Step #7: Edit that carp.
I’ll change that byte that contains my user ID, and hopefully the chat message will look like it came from Alice!
Page 35
Step #8: Profit.
You spoofed the message. A serious flaw.
Time left: 2 hours. That was close.
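The mechanism behind the callback in steps 3 to 5 (and behind the "println at the top and bottom of a function" on page 20) is the JDK's own instrumentation API: an agent jar is loaded into a running JVM through the attach API, registers a ClassFileTransformer, and asks the JVM to retransform the already-loaded class so the rewritten method body takes effect live. The class below is an added example written for this page, not JavaSnoop's code, and it only observes: it prints the parameters and return value of one chosen method, the same thing profilers and APM agents do. It assumes Javassist is bundled into the agent jar, that the JDK ships the attach API (tools.jar on Java 8, the jdk.attach module on 9+), and that the jar manifest carries `Agent-Class: SnoopAgent` and `Can-Retransform-Classes: true`. The class name `SnoopAgent`, the `Class#method` argument format, and `com.example.Chat#send` in the usage comment are all assumptions made here.

```java
// Added example (not JavaSnoop's own code): one class that is both the attach
// client (main, runs in our process) and the agent (agentmain, runs inside the
// target JVM). It wedges a println at the top and bottom of one method so its
// parameters and return value appear on the target's stdout.
// Assumes: Javassist bundled into the agent jar; attach API available; manifest
//   Agent-Class: SnoopAgent
//   Can-Retransform-Classes: true
// Usage: java -cp snoop-agent.jar SnoopAgent                      (list JVMs, like jps -l)
//        java -cp snoop-agent.jar SnoopAgent <pid> snoop-agent.jar com.example.Chat#send
import java.io.ByteArrayInputStream;
import java.lang.instrument.ClassFileTransformer;
import java.lang.instrument.Instrumentation;
import java.security.ProtectionDomain;

import javassist.ClassPool;
import javassist.CtClass;
import javassist.CtMethod;
import javassist.LoaderClassPath;

import com.sun.tools.attach.VirtualMachine;
import com.sun.tools.attach.VirtualMachineDescriptor;

public class SnoopAgent {

    // ---- attach-client side ----
    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            // Same information `jps -l` prints: pid and main class of each local JVM.
            for (VirtualMachineDescriptor d : VirtualMachine.list()) {
                System.out.println(d.id() + "  " + d.displayName());
            }
            return;
        }
        String pid = args[0], agentJar = args[1], target = args[2];
        VirtualMachine vm = VirtualMachine.attach(pid);
        try {
            // Loads the jar into the target VM and invokes agentmain(target, inst) there.
            vm.loadAgent(agentJar, target);
        } finally {
            vm.detach();
        }
    }

    // ---- agent side (runs inside the target JVM) ----
    public static void agentmain(String agentArgs, Instrumentation inst) throws Exception {
        String[] parts = agentArgs.split("#");          // assumed format: fully.qualified.Class#method
        final String className = parts[0];
        final String methodName = parts[1];
        final String internalName = className.replace('.', '/');

        inst.addTransformer(new ClassFileTransformer() {
            @Override
            public byte[] transform(ClassLoader loader, String name, Class<?> cls,
                                    ProtectionDomain pd, byte[] bytes) {
                if (name == null || !name.equals(internalName)) {
                    return null;   // null tells the JVM to keep the class unchanged
                }
                try {
                    // Fresh pool per transform; resolve referenced types through the
                    // target's own class loader, not only the system class path.
                    ClassPool pool = new ClassPool(true);
                    if (loader != null) {
                        pool.appendClassPath(new LoaderClassPath(loader));
                    }
                    // Parse the bytes the JVM handed us, not a jar on disk.
                    CtClass cc = pool.makeClass(new ByteArrayInputStream(bytes));
                    CtMethod m = cc.getDeclaredMethod(methodName);
                    // Javassist source fragments: $args is an Object[] of all
                    // parameters; in insertAfter, $_ is the return value (null for void).
                    m.insertBefore("System.out.println(\"[snoop] enter " + methodName
                            + " args=\" + java.util.Arrays.asList($args));");
                    m.insertAfter("System.out.println(\"[snoop] exit " + methodName
                            + " returned=\" + $_);");
                    byte[] patched = cc.toBytecode();
                    cc.detach();
                    return patched;
                } catch (Exception e) {
                    e.printStackTrace();
                    return null;
                }
            }
        }, true);   // true: also run this transformer on retransformClasses()

        // The target class is normally loaded already, so push it back through the
        // transformer; the JVM swaps in the new method bodies without a restart.
        for (Class<?> c : inst.getAllLoadedClasses()) {
            if (c.getName().equals(className) && inst.isModifiableClass(c)) {
                inst.retransformClasses(c);
            }
        }
    }
}
```

Retransformation may only change method bodies, which is why the example edits the existing method rather than adding fields or methods. On the defensive side, the same attach path is what an operator can close: HotSpot's `-XX:+DisableAttachMechanism` stops any process, including this one, from attaching to the JVM, and JDK 21 prints a warning when an agent is loaded dynamically into a running VM.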
Page 36
Agenda
Why hacking Java apps is practically difficult
Showing how JavaSnoop solves the problem
Demos, videos, details
Page 37
demo
Page 38
Aside: How do I know which method to hook? Answer #1
Browse classes and their methods
Search by method name
Search by return type
Page 39
Aside: How do I know which method to hook? Answer #2
Page 40
Aside: How do I know which method to hook? Answer #3
Page 41
Dailydaver’s guide to applets
[Diagram, Ring0 through Userland: Java VM in Ring0; Runlevels 0-2: Bootstrap classloader (core Java classes, /jre/lib), Extension classloader (supporting classes, /jre/lib/ext), System classloader; applet classes (sun.applet.*, sun.plugin2.applet.*); Applet classloader, labelled "ACL-atraz": your classes (codebase param)]
Page 42
How come JavaSnoop turns off Java security when it runs?
Remember that evil Java agent we install in our target program?
That little guy requires a lot of privileges to do the things he does.
Those privileges aren’t usually granted to untrusted applets (which is smart).
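The "runlevel" picture on pages 21 and 41 and the privilege question above can be checked directly from inside a JVM: every class knows which loader defined it, each loader knows its parent, and the applet sandbox that denies an agent its privileges is the SecurityManager. The class below is an added example written for this page, not part of JavaSnoop; the names `LoaderChain`, `chain`, `runlevel` and `sandboxed` are ours. It walks the loader chain and counts how many loaders sit above the bootstrap loader, which reproduces the slide's numbering: 0 for core classes, 1 for extension (platform on Java 9+) classes, 2 for classes on java.class.path, and 3 for classes an applet-style child loader defined.

```java
// Added example, not from JavaSnoop: report the class-loader "runlevel" of a
// class and whether a SecurityManager (the applet-era sandbox) is installed.
import java.util.ArrayList;
import java.util.List;

public class LoaderChain {

    // Walks from the loader that defined c up through its parents. The bootstrap
    // loader has no Java object (getClassLoader() returns null), so it is
    // recorded by name as the last element.
    public static List<String> chain(Class<?> c) {
        List<String> out = new ArrayList<>();
        ClassLoader l = c.getClassLoader();
        while (l != null) {
            out.add(l.getClass().getName());
            l = l.getParent();
        }
        out.add("bootstrap");
        return out;
    }

    // Loaders above bootstrap: 0 = core Java classes, 1 = extension/platform
    // classes, 2 = java.class.path, 3 = a child loader such as an applet's.
    public static int runlevel(Class<?> c) {
        return chain(c).size() - 1;
    }

    // True when a SecurityManager is installed. Deprecated for removal in recent
    // JDKs, but it is the switch the applet sandbox relied on.
    @SuppressWarnings("removal")
    public static boolean sandboxed() {
        return System.getSecurityManager() != null;
    }

    public static void main(String[] args) throws Exception {
        // Optional argument: a fully qualified class name to inspect.
        Class<?> target = args.length > 0 ? Class.forName(args[0]) : LoaderChain.class;
        System.out.println("java.lang.String  runlevel " + runlevel(String.class)
                + "  " + chain(String.class));
        System.out.println(target.getName() + "  runlevel " + runlevel(target)
                + "  " + chain(target));
        System.out.println("SecurityManager installed: " + sandboxed());
    }
}
```

Run it with no arguments and java.lang.String reports runlevel 0 while LoaderChain itself, loaded from the class path, reports runlevel 2; on Java 8 the intermediate loader names are sun.misc.Launcher's ExtClassLoader and AppClassLoader, on Java 9+ the platform and app loaders from jdk.internal.loader. An agent that has been loaded into the VM runs at runlevel 2 with no SecurityManager between it and the JVM, which is the privilege gap the slide describes.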
Page 43
JavaSnoop doesn’t create new vulnerabilities.
It just makes finding and exploiting flaws in Java apps possible.
And practical.
Page 44
Supported Operating Systems
Windows XP/Vista/7, Mac OS X, Linux
Page 45
That’s all. Thanks to Dave (Wichers|Anderson|Lindner), Jeff Williams, Nick Sanidas, Mike Fauzy, Jon Passki, Jason Li, Eric Sheridan, basically all the engineers at Aspect Security and Marcin Weilsdfisdfsdklfsdf of GDS for help/feedback/code.
RIP #madcircle #dword
Check it out for yourself:
http://www.aspectsecurity.com/tools/javasnoop/
http://i8jesus.com/
http://twitter.com/nahsra
Arshan Dabirsiaghi