The JAR of Joy SensePost - 2010

Upload: sensepost

Post on 12-Nov-2014


DESCRIPTION

Presentation by Ian de Villiers at ZaCon 2 about exploiting Java; the talk covers instrumenting Java applications. It begins with an explanation of what a JAR file is. The difficulties in attacking Java, such as signing and obfuscation, are discussed, along with how to overcome them. The presentation ends with a walkthrough example of how to instrument a Java application.

TRANSCRIPT

Page 1: The JAR of Joy

SensePost - 2010

Page 2: `whoami`

•  SensePost
•  [email protected]
   –  Break some stuff
   –  Write reports about breaking some stuff
   –  Abuse the staff

Page 3: Why This Talk?

•  import disclaimer;
•  Not ground breaking stuff – no 0-day
•  Java applications and applets appear to be popular again
•  Reversing Java applications can be difficult
•  Tips for reversing Java in less time (in my experience in any case)…

Page 4: The JAR File

•  Java ARchive
•  Used to distribute Java applications / applets etc.
•  ZIP file containing compiled classes, libraries, settings, certificates, *
•  Trivial to extract
•  Normally disclose a vast amount of information

Page 5: Attacking Java is fun

•  Trivial to reverse engineer
•  Compiled applications are vulnerable to virtually all attacks traditional web apps are vulnerable to…
•  …but all wrapped up in increased sense of developer smugness
•  Repurposed Java applications make *awesome* attack tools

Page 6: Difficulties Attacking Java

•  Many classes and libraries in JAR files of complex applications
•  Class files often do not decompile cleanly
•  Impossible to fix all Java sources in a large application
•  Applets and applications are frequently signed
•  Obfuscated code
•  Frequently have to rely on other tools too…

Page 7: Defeating Signing

•  Certificate information stored in META-INF
•  MANIFEST.MF contains hashes for resources
•  These files can easily be deleted…

Page 8: What this Means

•  Now possible to modify classes in JAR file
•  Signing normally used specifically for Java applets
   –  Allow applets to access network resources
   –  Allow applets to read / write files
•  However, the applet runs on *my* machine
   –  Can specify own security model…
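Slides 4, 7 and 8 describe the signing artefacts from the attacker's side: META-INF holds the certificate and signature files, MANIFEST.MF holds per-entry digests, and deleting those files turns a signed JAR into a modifiable unsigned one. The following Python script is an added example, not code from the talk or from SensePost, that looks at the same artefacts from the loading side: does the JAR still carry signature files, and do its entries still match the digests recorded in MANIFEST.MF? The JAR, its entry names, the `SIGNER.*` file names and the placeholder signature block are all constructed for the demonstration.

```python
# Added example: audit a JAR for stripped signature files and manifest digest
# tampering.  The JAR is built in memory, so the script runs offline.
import base64
import hashlib
import io
import zipfile

# File types jarsigner writes into META-INF/ alongside the manifest.
SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")


def parse_manifest(text):
    """Return (main_attrs, {entry_name: attrs}) for a JAR manifest.

    Sections are separated by blank lines; a line starting with a space
    continues the previous one (manifest lines wrap at 72 bytes).
    """
    sections, current = [], []
    for line in text.replace("\r\n", "\n").replace("\r", "\n").split("\n"):
        if line == "":
            if current:
                sections.append(current)
                current = []
        elif line.startswith(" ") and current:
            current[-1] += line[1:]
        else:
            current.append(line)
    if current:
        sections.append(current)
    parsed = []
    for section in sections:
        attrs = {}
        for line in section:
            key, _, value = line.partition(":")
            attrs[key.strip()] = value.strip()
        parsed.append(attrs)
    main = parsed[0] if parsed else {}
    return main, {s["Name"]: s for s in parsed[1:] if "Name" in s}


def sha256_b64(data):
    """Digest encoding used by SHA-256-Digest attributes in a manifest."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def audit_jar(jar_bytes):
    """Return the integrity facts a loader should look at before trusting the JAR."""
    report = {"has_manifest": False, "signature_files": [],
              "mismatched": [], "unlisted": [], "missing": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
        report["signature_files"] = sorted(
            n for n in names
            if n.upper().startswith("META-INF/") and n.upper().endswith(SIGNATURE_SUFFIXES))
        if "META-INF/MANIFEST.MF" in names:
            report["has_manifest"] = True
            _, per_entry = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
            for name, attrs in per_entry.items():
                if name not in names:
                    report["missing"].append(name)      # listed in the manifest but deleted
                elif attrs.get("SHA-256-Digest") != sha256_b64(zf.read(name)):
                    report["mismatched"].append(name)   # modified after signing, or no digest
            report["unlisted"] = [n for n in names
                                  if not n.upper().startswith("META-INF/") and n not in per_entry]
    # Consistent and carrying signature files; the signature block itself is NOT verified here.
    report["looks_signed"] = bool(report["signature_files"]) and report["has_manifest"] and not (
        report["mismatched"] or report["unlisted"] or report["missing"])
    return report


def build_sample_jar(tamper=None):
    """Constructed test JAR.  tamper: None, "modify_class" or "strip_signing"."""
    entries = {
        "com/example/Main.class": b"\xca\xfe\xba\xbe" + b"\x00" * 12,  # stub bytes, not a real class
        "config.properties": b"server.url=https://internal.example/api\n",
    }
    lines = ["Manifest-Version: 1.0", "Created-By: example", ""]
    for name, data in entries.items():
        lines += [f"Name: {name}", f"SHA-256-Digest: {sha256_b64(data)}", ""]
    manifest = "\r\n".join(lines).encode("utf-8")
    if tamper == "modify_class":        # class patched after the digests were written
        entries["com/example/Main.class"] += b"\x01"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        if tamper != "strip_signing":   # the slide's attack: delete the signature files
            zf.writestr("META-INF/SIGNER.SF", b"Signature-Version: 1.0\r\n")
            zf.writestr("META-INF/SIGNER.RSA", b"<placeholder; a real .RSA file is a PKCS#7 blob>")
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    for case in (None, "modify_class", "strip_signing"):
        print(case or "intact", audit_jar(build_sample_jar(case)))
```

A manifest that still carries digests but sits next to no `.SF`/`.RSA` (or `.DSA`/`.EC`) file is exactly what the slide's deletion produces, and the JVM treats such a JAR as unsigned. The script only checks consistency: it never validates the PKCS#7 block against a trusted certificate, so a JAR that was stripped and then re-signed with a different key, or one whose digests were regenerated, passes the digest part. The authoritative check is `jarsigner -verify -verbose -certs app.jar`, and the policy decision that matters is which signer certificates are trusted, not whether a manifest has hashes in it.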

Page 9: Obfuscation

•  Defeating Java obfuscation is difficult
•  Depends on the obfuscation mechanism used
•  In most cases, virtually impossible…
•  … however, the newer attack methodologies outlined later will help

…but wait – there is more…

Page 10: Obfuscation

•  A bunch of classes depending on reflection methods and serialized objects cannot normally be obfuscated…
•  … in obfuscated applications this provides us with a nice area to attack
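The point of slides 9 and 10, that reflection targets and serializable classes survive obfuscation because the JVM resolves them by name at run time, can be checked on a build directly, without a decompiler: the names sit in each class file's constant pool. The scanner below is an added example, not code from the talk, that lists the class names, string literals and member references a class file carries in the clear and flags reflection and serialization markers. The sample class (an obfuscated `a/b/c` that calls `Class.forName` on a constructed name and implements `Serializable`) is built by hand for the demonstration and contains only a constant pool; the indicator lists are my own choice, not a standard.

```python
# Added example: list what a class file's constant pool reveals after obfuscation.
import struct

# Payload sizes of the fixed-width constant-pool tags (JVM spec, section 4.4).
FIXED_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
              12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
# Indicator lists chosen for this example; extend to taste.
REFLECTION_MEMBERS = {"java/lang/Class.forName", "java/lang/Class.getMethod",
                      "java/lang/Class.getDeclaredMethod", "java/lang/Class.getDeclaredField"}
SERIALIZATION_CLASSES = {"java/io/Serializable", "java/io/ObjectInputStream",
                         "java/io/ObjectOutputStream"}


def u2(b):
    return struct.unpack(">H", b)[0]


def parse_constant_pool(data):
    """Return {index: (tag, payload)}; Utf8 payloads are decoded to str."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    count, pool, pos, idx = u2(data[8:10]), {}, 10, 1
    while idx < count:
        tag = data[pos]
        pos += 1
        if tag == 1:                                   # CONSTANT_Utf8: u2 length + bytes
            length = u2(data[pos:pos + 2])
            pool[idx] = (tag, data[pos + 2:pos + 2 + length].decode("utf-8", "replace"))
            pos += 2 + length
        else:
            pool[idx] = (tag, data[pos:pos + FIXED_SIZE[tag]])
            pos += FIXED_SIZE[tag]
        idx += 2 if tag in (5, 6) else 1               # Long and Double occupy two slots
    return pool


def scan_class(data):
    """Summarise class references, string literals and member references in the clear."""
    pool = parse_constant_pool(data)

    def utf8(i):
        return pool[i][1]

    def class_name(i):                                 # CONSTANT_Class -> its Utf8 name
        return utf8(u2(pool[i][1]))

    classes = sorted({class_name(i) for i, (t, _) in pool.items() if t == 7})
    strings = sorted({utf8(u2(p)) for t, p in pool.values() if t == 8})
    members = set()
    for t, p in pool.values():
        if t in (9, 10, 11):                           # Fieldref / Methodref / InterfaceMethodref
            name_and_type = pool[u2(p[2:4])][1]
            members.add(f"{class_name(u2(p[:2]))}.{utf8(u2(name_and_type[:2]))}")
    findings = []
    if any(c.startswith("java/lang/reflect/") for c in classes) or members & REFLECTION_MEMBERS:
        findings.append("reflection")
    if set(classes) & SERIALIZATION_CLASSES or any(
            t == 1 and v == "serialVersionUID" for t, v in pool.values()):
        findings.append("serialization")
    return {"classes": classes, "strings": strings, "members": sorted(members), "findings": findings}


def build_class(pool_spec, this_class, super_class):
    """Constructed test input: a class file with the given pool and no fields or methods."""
    out = bytearray(b"\xca\xfe\xba\xbe" + struct.pack(">HH", 0, 52))   # version 52 = Java 8
    out += struct.pack(">H", len(pool_spec) + 1)
    for entry in pool_spec:
        if entry[0] == "utf8":
            raw = entry[1].encode("utf-8")
            out += b"\x01" + struct.pack(">H", len(raw)) + raw
        elif entry[0] == "class":
            out += b"\x07" + struct.pack(">H", entry[1])
        elif entry[0] == "string":
            out += b"\x08" + struct.pack(">H", entry[1])
        elif entry[0] == "methodref":
            out += b"\x0a" + struct.pack(">HH", entry[1], entry[2])
        elif entry[0] == "nat":
            out += b"\x0c" + struct.pack(">HH", entry[1], entry[2])
    # access_flags, this_class, super_class, then empty interfaces/fields/methods/attributes
    out += struct.pack(">HHHHHHH", 0x0021, this_class, super_class, 0, 0, 0, 0)
    return bytes(out)


def sample_obfuscated_class():
    """Obfuscated class a/b/c that still reflects on a real name and is Serializable."""
    return build_class([
        ("utf8", "a/b/c"), ("class", 1),                                   # 1, 2
        ("utf8", "java/lang/Object"), ("class", 3),                        # 3, 4
        ("utf8", "java/lang/Class"), ("class", 5),                         # 5, 6
        ("utf8", "forName"), ("utf8", "(Ljava/lang/String;)Ljava/lang/Class;"),  # 7, 8
        ("nat", 7, 8), ("methodref", 6, 9),                                # 9, 10
        ("utf8", "com.vendor.crypto.LicenseChecker"), ("string", 11),      # 11, 12: forName target
        ("utf8", "java/io/Serializable"), ("class", 13),                   # 13, 14
        ("utf8", "serialVersionUID"),                                      # 15
    ], this_class=2, super_class=4)


if __name__ == "__main__":
    print(scan_class(sample_obfuscated_class()))
```

Run `scan_class` over every `.class` extracted from an obfuscated JAR and whatever comes back under `strings`, `classes` and `members` is what the obfuscator could not hide; for a team shipping an obfuscated build, that list is the pre-release review the slide implies, and it is the same list an attacker starts from.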

Page 11: Java Quick Kills

•  Not necessary to fix all compiler errors
•  Only need to fix specific classes with functionality you need
   –  Sanitisation libraries
   –  Network stream libraries
•  Updated classes can be recompiled with the original JAR file to satisfy dependencies

Page 12: Demo and Walkthrough

•  Decompile application and export sources

Page 13: Demo and Walkthrough

•  Identify key source files and include in project

Page 14: Demo and Walkthrough

•  Remove compiled class files from original JAR
•  Rebuild JAR file

Page 15: Demo and Walkthrough

•  Link modified JAR file to compiler CLASSPATH

Page 16: Demo and Walkthrough

•  Modify source code and run…

Page 17: Demo and Walkthrough

•  Repurposing uses the same technique…
•  … but changes the functionality in order to turn the application into an attack tool

Page 18: Newer Attack Methods

•  New research and toolsets make reversing and recompiling unnecessary…
•  Also make it easier to attack obfuscated applications
•  Cannot always be used for repurposing

Page 19: BlackHat Europe – 2010

•  Manish Saindane
   –  Demonstrated attacks against serialized objects
   –  Provided Burp plug-in to view and modify serialized objects

http://www.blackhat.com/html/bh-eu-10/bh-eu-10-archives.html

Page 20: Demo – Serialized Objects

Page 21: BlackHat Las Vegas – 2010

•  Arshan Dabirsiaghi
   –  JavaSnoop: How to Hack Anything Written in Java
•  Stephen de Vries
   –  Hacking Java Clients
•  Both talks outlined new methods for attacking Java applications

http://www.blackhat.com/html/bh-us-10/bh-us-10-archives.html

Page 22: Demo – JavaSnoop

Page 23: In Summary

•  Java reversing is fun
•  Java reversing can be easy
•  Newer attack methodologies no longer require attackers to reverse the application
•  Traditional reversing techniques still normally apply for repurposing applications

Page 24: Ta Muchly

•  ZaCon folkses

Page 25: Questions?

[email protected]