the jar of joy

Post on 12-Nov-2014


DESCRIPTION

Presentation by Ian de Villiers at ZaCon 2 about exploiting Java. This presentation is about instrumenting Java applications. It begins with an explanation of what a JAR file is. The difficulties in attacking Java, such as signing and obfuscation, are discussed, along with how to overcome them. The presentation ends with a walkthrough example of how to instrument a Java application.

TRANSCRIPT

The JAR of Joy

SensePost - 2010

`whoami`

•  SensePost
•  ian@sensepost.com
   –  Break some stuff
   –  Write reports about breaking some stuff
   –  Abuse the staff


Why This Talk ?

•  import disclaimer;
•  Not ground breaking stuff – no 0-day
•  Java applications and applets appear to be popular again
•  Reversing Java applications can be difficult
•  Tips for reversing Java in less time (in my experience in any case)…


The JAR File

•  Java ARchive
•  Used to distribute Java applications / applets etc.
•  ZIP file containing compiled classes, libraries, settings, certificates, *
•  Trivial to extract
•  Normally disclose a vast amount of information


Attacking Java is fun

•  Trivial to reverse engineer
•  Compiled applications are vulnerable to virtually all attacks traditional web apps are vulnerable to…
•  …but all wrapped up in increased sense of developer smugness
•  Repurposed Java applications make *awesome* attack tools


Difficulties Attacking Java

•  Many classes and libraries in JAR files of complex applications
•  Class files often do not decompile cleanly
•  Impossible to fix all Java sources in large application
•  Applets and applications are frequently signed
•  Obfuscated Code
•  Frequently have to rely on other tools too…


Defeating Signing

•  Certificate information stored in META-INF
•  MANIFEST.MF contains hashes for resources
•  These files can easily be deleted…

What this Means

•  Now possible to modify classes in JAR file
•  Signing normally used specifically for Java applets
   –  Allow applets to access network resources
   –  Allow applets to read / write files
•  However, the applet runs on *my* machine
   –  Can specify own security model…
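As an added example (not part of the talk), the Python below runs the check a defender would apply against exactly the move described on these slides: it parses MANIFEST.MF, confirms that signature files (.SF and .RSA/.DSA/.EC) are still present under META-INF, and recomputes each entry's digest, so a JAR whose signature files were deleted and whose classes were then edited or added is flagged. The sample JAR it builds, its com/example classes and the SIGNER.SF/SIGNER.RSA placeholders are all constructed for the demo and are not real signatures.

```python
import base64, hashlib, io, re, zipfile

def b64_digest(algo, data):
    return base64.b64encode(hashlib.new(algo, data).digest()).decode()

def parse_manifest(text):
    """Parse MANIFEST.MF into {entry_name: attrs}; the main section is stored under None."""
    text = re.sub(r"\r?\n ", "", text)           # re-join lines that were wrapped at 72 bytes
    sections, current = {}, {}
    for line in text.splitlines() + [""]:
        if line:                                 # "Key: value" attribute line
            key, _, value = line.partition(": ")
            current[key] = value
        elif current:                            # a blank line closes the section
            sections[current.pop("Name", None)] = current
            current = {}
    return sections

def check_jar(data):
    """Return (has_signature_files, entries_not_in_manifest, entries_whose_digest_mismatches)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode())
        meta = [n for n in names if n.upper().startswith("META-INF/")]
        signed = any(n.upper().endswith((".SF", ".RSA", ".DSA", ".EC")) for n in meta)
        unlisted, mismatched = [], []
        for n in (x for x in names if x not in meta and not x.endswith("/")):
            attrs = manifest.get(n, {})
            digest_key = next((k for k in attrs if k.endswith("-Digest")), None)
            if digest_key is None:
                unlisted.append(n)               # no digest was ever recorded for this entry
            elif b64_digest(digest_key[:-7].replace("-", "").lower(), zf.read(n)) != attrs[digest_key]:
                mismatched.append(n)             # bytes changed after the manifest was written
    return signed, unlisted, mismatched

def build_sample_jar(tampered=False):
    """Constructed sample JAR; the .SF/.RSA entries are placeholders, not real signatures."""
    cls = b"\xca\xfe\xba\xbe" + b"\x00" * 12     # stand-in for a compiled class
    manifest = ("Manifest-Version: 1.0\r\n\r\nName: com/example/Main.class\r\n"
                f"SHA-256-Digest: {b64_digest('sha256', cls)}\r\n\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        if not tampered:                         # the slide's trick: delete these, then edit classes
            zf.writestr("META-INF/SIGNER.SF", "Signature-Version: 1.0\r\n")
            zf.writestr("META-INF/SIGNER.RSA", b"placeholder")
        zf.writestr("com/example/Main.class", cls + b"\x01" if tampered else cls)
        if tampered:
            zf.writestr("com/example/Extra.class", cls)   # added class, absent from the manifest
    return buf.getvalue()
```

This proves only that the manifest is internally consistent and that signature files exist; whether the manifest is actually covered by a valid signature from the expected signer has to come from jarsigner -verify (or the JDK's JarFile verification), and the deployment should refuse to load JARs that fail it.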

Obfuscation

•  Defeating Java obfuscation is difficult
•  Depends on the obfuscation mechanism used
•  In most cases, virtually impossible…
•  … however, the newer attack methodologies outlined later will help

…but wait – there is more…

Obfuscation

•  A bunch of classes depending on reflection methods and serialized objects cannot normally be obfuscated…

•  … in obfuscated applications this provides us with a nice area to attack


Java Quick Kills

•  Not necessary to fix all compiler errors
•  Only need to fix specific classes with functionality you need
   –  Sanitisation libraries
   –  Network Stream libraries
•  Updated classes can be recompiled with the original JAR file to satisfy dependencies


Demo and Walkthrough

•  Decompile Application and export sources
•  Identify key source files and include in project
•  Remove compiled class files from original JAR
•  Rebuild JAR file
•  Link modified JAR file to compiler CLASSPATH
•  Modify source code and run…
•  Repurposing uses the same technique…
•  … but changes the functionality in order to turn the application into an attack tool

Newer Attack Methods

•  New research and toolsets make reversing and recompiling unnecessary…
•  Also make it easier to attack obfuscated applications
•  Cannot always be used for repurposing

BlackHat Europe – 2010

•  Manish Saindane
   –  Demonstrated attacks against serialized objects
   –  Provided Burp plug-in to view and modify serialized objects

http://www.blackhat.com/html/bh-eu-10/bh-eu-10-archives.html

Demo – Serialized Objects


BlackHat Las Vegas – 2010

•  Arshan Dabirsiaghi
   –  JavaSnoop : How to Hack Anything Written in Java
•  Stephen de Vries
   –  Hacking Java Clients
•  Both talks outlined new methods for attacking Java Applications

http://www.blackhat.com/html/bh-us-10/bh-us-10-archives.html

Demo – JavaSnoop


In Summary

•  Java reversing is fun
•  Java reversing can be easy
•  Newer attack methodologies no longer require attackers to reverse the application
•  Traditional reversing techniques still normally apply for repurposing applications

Ta Muchly

•  ZaCon folkses


Questions ?

ian@sensepost.com
