The JAR of Joy
DESCRIPTION
Presentation by Ian de Villiers at ZaCon 2 about exploiting Java. The presentation is about instrumenting Java applications. It begins with an explanation of what a JAR file is. The difficulties in attacking Java, such as signing and obfuscation, are discussed, as is how to overcome them. The presentation ends with a walkthrough example of how to instrument a Java application.
TRANSCRIPT
The JAR of Joy
SensePost - 2010
`whoami`
• SensePost
• [email protected]
  – Break some stuff
  – Write reports about breaking some stuff
  – Abuse the staff
Why This Talk?
• import disclaimer;
• Not ground-breaking stuff – no 0-day
• Java applications and applets appear to be popular again
• Reversing Java applications can be difficult
• Tips for reversing Java in less time (in my experience, in any case)…
The JAR File
• Java ARchive
• Used to distribute Java applications / applets etc.
• ZIP file containing compiled classes, libraries, settings, certificates, *
• Trivial to extract
• Normally discloses a vast amount of information
Attacking Java is fun
• Trivial to reverse engineer
• Compiled applications are vulnerable to virtually all attacks traditional web apps are vulnerable to…
• …but all wrapped up in an increased sense of developer smugness
• Repurposed Java applications make *awesome* attack tools
Difficulties Attacking Java
• Many classes and libraries in JAR files of complex applications
• Class files often do not decompile cleanly
• Impossible to fix all Java sources in a large application
• Applets and applications are frequently signed
• Obfuscated code
• Frequently have to rely on other tools too…
Defeating Signing
• Certificate information stored in META-INF
• MANIFEST.MF contains hashes for resources
• These files can easily be deleted…
What this Means
• Now possible to modify classes in JAR file
• Signing normally used specifically for Java applets
  – Allow applets to access network resources
  – Allow applets to read / write files
• However, the applet runs on *my* machine
  – Can specify own security model…
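The JAR structure and the signing material described on the JAR File and Defeating Signing slides can also be checked from the defender's side. The following is an added example, not code from the talk or from SensePost: it builds a constructed sample JAR in memory and then audits a JAR for two things, whether the META-INF signature files (.SF plus .RSA/.DSA/.EC) are present, and whether every entry's content still matches the digest recorded for it in MANIFEST.MF. A patched class left under an old manifest, or a stripped META-INF, shows up as a mismatch or a missing signature file. The entry names (com/example/Login.class and com/example/Util.class) and their contents are made up.

```python
import base64
import hashlib
import io
import zipfile

SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")


def parse_manifest(text: str) -> dict:
    """Parse MANIFEST.MF into {entry name: {attribute: value}}.

    Per the JAR spec, a line starting with a space continues the previous
    line, and a blank line separates the per-entry sections.
    """
    joined = []
    for line in text.splitlines():
        if line.startswith(" ") and joined:
            joined[-1] += line[1:]
        else:
            joined.append(line)
    sections, current = {}, None
    for line in joined:
        if not line.strip():
            current = None          # blank line ends the current section
            continue
        key, _, value = line.partition(": ")
        if key == "Name":
            current = value
            sections[current] = {}
        elif current is not None:
            sections[current][key] = value
    return sections


def audit_jar(jar_bytes: bytes) -> dict:
    """Check META-INF for signature files and compare every entry's content
    against the digest recorded for it in MANIFEST.MF."""
    report = {"manifest": False, "signature_files": [], "mismatched": [], "unlisted": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        report["signature_files"] = sorted(
            n for n in names if n.startswith("META-INF/") and n.upper().endswith(SIGNATURE_SUFFIXES))
        if "META-INF/MANIFEST.MF" not in names:
            return report
        report["manifest"] = True
        sections = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
        for name in names:
            if name.endswith("/") or name.startswith("META-INF/"):
                continue
            attrs = sections.get(name)
            if not attrs:
                report["unlisted"].append(name)   # in the ZIP but not in the manifest
                continue
            data = zf.read(name)
            for attr, expected in attrs.items():
                if not attr.endswith("-Digest"):
                    continue
                algo = attr[: -len("-Digest")].replace("-", "").lower()   # "SHA-256" -> "sha256"
                try:
                    actual = base64.b64encode(hashlib.new(algo, data).digest()).decode("ascii")
                except ValueError:                # digest algorithm hashlib does not know
                    report["mismatched"].append((name, attr))
                    continue
                if actual != expected:
                    report["mismatched"].append((name, attr))
    return report


def build_sample_jar(entries: dict, signed: bool = True, manifest_for: dict = None) -> bytes:
    """Construct an in-memory JAR as a test fixture (no real bytecode).

    Digests in MANIFEST.MF are computed over `manifest_for` (defaults to
    `entries`); passing the original entries there while writing modified
    ones reproduces what a patched class looks like to the auditor.
    """
    digest_source = manifest_for if manifest_for is not None else entries
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in digest_source.items():
        digest = base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")
        lines += [f"Name: {name}", f"SHA-256-Digest: {digest}", ""]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "\r\n".join(lines) + "\r\n")
        if signed:
            # Placeholders standing in for the real signature file and PKCS#7 block.
            zf.writestr("META-INF/APP.SF", "Signature-Version: 1.0\r\n")
            zf.writestr("META-INF/APP.RSA", b"\x30\x00")
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample: hypothetical class entries with fake content.
ORIGINAL = {
    "com/example/Login.class": b"\xca\xfe\xba\xbe original login bytecode",
    "com/example/Util.class": b"\xca\xfe\xba\xbe util bytecode",
}
PATCHED = dict(ORIGINAL, **{"com/example/Login.class": b"\xca\xfe\xba\xbe patched login bytecode"})

GOOD_JAR = build_sample_jar(ORIGINAL)
# One patched class and no .SF/.RSA: the state the slides above describe.
TAMPERED_JAR = build_sample_jar(PATCHED, signed=False, manifest_for=ORIGINAL)

if __name__ == "__main__":
    for label, jar in (("good", GOOD_JAR), ("tampered", TAMPERED_JAR)):
        print(label, audit_jar(jar))
```

This is a consistency check, not a trust decision: it confirms that the manifest digests match the content and that the signature files exist, but it does not verify the signature over the manifest, which is what `jarsigner -verify -verbose` does, and a party who rewrites the JAR can just as easily regenerate MANIFEST.MF. Compare the JAR against a known-good hash or the expected signer certificate when the question is whether it was modified at all.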
Obfuscation
• Defeating Java obfuscation is difficult
• Depends on the obfuscation mechanism used
• In most cases, virtually impossible…
• … however, the newer attack methodologies outlined later will help
…but wait – there is more…
Obfuscation
• A bunch of classes depending on reflection methods and serialized objects cannot normally be obfuscated…
• … in obfuscated applications this provides us with a nice area to attack
Java Quick Kills
• Not necessary to fix all compiler errors
• Only need to fix the specific classes with the functionality you need
  – Sanitisation libraries
  – Network stream libraries
• Updated classes can be recompiled against the original JAR file to satisfy dependencies
Demo and Walkthrough
• Decompile application and export sources
• Identify key source files and include in project
• Remove compiled class files from original JAR
• Rebuild JAR file
• Link modified JAR file to compiler CLASSPATH
• Modify source code and run…
• Repurposing uses the same technique…
• … but changes the functionality in order to turn the application into an attack tool
Newer Attack Methods
• New research and toolsets make reversing and recompiling unnecessary…
• Also make it easier to attack obfuscated applications
• Cannot always be used for repurposing
BlackHat Europe – 2010
• Manish Saindane
  – Demonstrated attacks against serialized objects
  – Provided Burp plug-in to view and modify serialized objects
http://www.blackhat.com/html/bh-eu-10/bh-eu-10-archives.html
Demo – Serialized Objects
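The serialized objects that the second Obfuscation slide says cannot normally be obfuscated, and that the Burp plug-in above lets you view and modify, are just as easy for a defender to spot in traffic. The following is an added example, not code from the talk, from SensePost, or from the BlackHat tools: it scans an HTTP body for Java serialization streams, either raw or Base64-encoded (the 0xACED0005 magic becomes rO0AB once Base64-encoded), and pulls the class names out of the TC_CLASSDESC records so you can see which classes cross the trust boundary. The sample stream is constructed and contains only the opening records, not a loadable object graph; com.example.Order is a hypothetical class name.

```python
import base64
import re

STREAM_MAGIC = b"\xac\xed\x00\x05"   # STREAM_MAGIC (0xACED) followed by STREAM_VERSION (5)
B64_MAGIC_RE = re.compile(rb"rO0AB[A-Za-z0-9+/=]*")  # the same four bytes once Base64-encoded
TC_CLASSDESC = 0x72
CLASS_NAME_RE = re.compile(rb"[A-Za-z_$\[][A-Za-z0-9_$.\[;]*")


def class_names_from_stream(data: bytes) -> list:
    """Return the class names in a raw serialization stream.

    A TC_CLASSDESC record is 0x72, a 2-byte big-endian length and the class
    name in (modified) UTF-8; this walks the stream byte by byte and accepts a
    record only when the name that follows looks like a Java class name.
    """
    names = []
    start = data.find(STREAM_MAGIC)
    if start < 0:
        return names
    i = start + len(STREAM_MAGIC)
    while i + 3 <= len(data):
        if data[i] == TC_CLASSDESC:
            length = int.from_bytes(data[i + 1:i + 3], "big")
            raw = data[i + 3:i + 3 + length]
            if length and len(raw) == length and CLASS_NAME_RE.fullmatch(raw):
                names.append(raw.decode("ascii"))
                i += 3 + length
                continue
        i += 1
    return names


def detect_serialized_objects(body: bytes) -> list:
    """Scan an HTTP body for serialization streams, raw or Base64-encoded.

    Returns an (encoding, class names) tuple per Base64 stream found, plus one
    for the first raw stream if the magic bytes appear in the body.
    """
    hits = []
    if STREAM_MAGIC in body:
        hits.append(("raw", class_names_from_stream(body)))
    for match in B64_MAGIC_RE.finditer(body):
        chunk = match.group(0)
        chunk += b"=" * (-len(chunk) % 4)        # repair stripped padding
        try:
            decoded = base64.b64decode(chunk)
        except ValueError:                       # binascii.Error is a ValueError
            continue
        hits.append(("base64", class_names_from_stream(decoded)))
    return hits


# Constructed sample: the opening records of a stream as they would sit in a
# captured request body. Only the headers are present; it is not a complete,
# loadable object graph. com.example.Order is a hypothetical class name.
SAMPLE_STREAM = (
    b"\xac\xed\x00\x05"                      # STREAM_MAGIC, STREAM_VERSION
    b"\x73"                                  # TC_OBJECT
    b"\x72\x00\x11java.util.HashMap"         # TC_CLASSDESC, length 17, class name
    b"\x05\x07\xda\xc1\xc3\x16\x60\xd1"      # serialVersionUID (sample bytes)
    b"\x03\x00\x02"                          # classDescFlags, field count (truncated here)
    b"\x73"                                  # TC_OBJECT
    b"\x72\x00\x11com.example.Order"         # TC_CLASSDESC for a hypothetical app class
    b"\x00\x00\x00\x00\x00\x00\x00\x01"      # serialVersionUID (sample bytes)
    b"\x02\x00\x00"                          # classDescFlags, field count (truncated here)
)
RAW_BODY = b"application/x-java-serialized-object body: " + SAMPLE_STREAM
B64_BODY = b"state=" + base64.b64encode(SAMPLE_STREAM) + b"&action=view"

if __name__ == "__main__":
    for label, body in (("raw", RAW_BODY), ("base64", B64_BODY), ("plain", b"name=alice")):
        print(label, detect_serialized_objects(body))
```

Run over proxy logs or captured request bodies, the class list is the useful output: an inventory of exactly which types the server is asked to deserialize from the client. Anything outside the small set the application actually needs is the thing to restrict, and on the server side the corresponding control is a deserialization filter or allow-list on ObjectInputStream rather than trusting whatever class name the stream carries.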
BlackHat Las Vegas – 2010
• Arshan Dabirsiaghi
  – JavaSnoop: How to Hack Anything Written in Java
• Stephen de Vries
  – Hacking Java Clients
• Both talks outlined new methods for attacking Java applications
http://www.blackhat.com/html/bh-us-10/bh-us-10-archives.html
Demo – JavaSnoop
In Summary
• Java reversing is fun
• Java reversing can be easy
• Newer attack methodologies no longer require attackers to reverse the application
• Traditional reversing techniques still normally apply for repurposing applications
Ta Muchly
• ZaCon folkses