Copyright © The OWASP FoundationPermission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

The OWASP Foundation

OWASP

http://www.owasp.org

Achilles’ Heel – Hacking Through Java Protocols

Shay ChenHacktics L.T.Dshay@hacktics.com0546-680680

14/09/08

2OWASP

Agenda

Introduction to penetration testsAdvantages & disadvantages of

modern client server penetration testing techniques.

Runtime protocol analysis (RPA) – a new testing technique!

Live Demo

3OWASP

Introduction to Penetration Tests

Performing Penetration tests requires the tester to be able to manipulate the client’s originating communication, either by constructing independent requests or by altering the structure or values of an existing request.

When the tested application is a web application, such manipulations can be performed in numerous ways, including:

4OWASP

Testing Web Applications

Intercepting Proxies (Achilles, Web-scarab, Paros, Burp Suite...)

Manual request construction (generating independent forms or access URLs according to the information in the HTML)

Browser Add-Ons (Http View, Temper data, Hack-bar...)

Etc.

5OWASP

Testing Client Server Applications

However, tests on thick browser-add-on clients (applets, activeX, flash) and client-server applications are a bit more complicated:

The protocols aren’t always easy to understand and manipulate as clear http.

The client applications does not always support proxy configuration, making request interception very difficult.

In the case of binary protocols, most proxies do not support manipulation of binary values.

So, what should the tester do, in the day the proxy fails?

6OWASP

When will the proxy fail to work?

Applications without proxy support that use protocols that contain binary values.

Applications that use compacted protocols (zipped).

7OWASP

Advanced Testing Techniques

Sniffing, Editing and Re-transmitting requests (Replay)

Memory Debugging and Messaging

De-complication and Recompilation of code

8OWASP

Sniffing, Editing and Re-transmitting

The communication can be “sniffed” using tools such as Wireshark (formally ethereal), allowing the tester to isolate requests.

Requests can be isolated and edited by saving sniffed communication into files as RAW DATA and using an appropriate editor (text editor for clear text protocols, hexa-editor for binary protocols).

Edited requests can be re-sent independently to the server using tools such as Netcat.

9OWASP

Sniffing, Editing and Resending

Advantages: Enables manipulation of values in textual

requests. Enables limited manipulation of textual

values in binary requests. Enables performing various flow bypassing

checks. Disadvantages:

Does not enable the tester to understand the complete structure of binary protocols.

Does not allow “easy” manipulation of non textual values.

The textual manipulation is usually limited to the size of the original string (depends on the language).

Challenge response and signature mechanisms may pose a problem.

10OWASP

Memory Debugging and Messaging

Memory debuggers (such as OllyDbg) can be used to change values directly in memory.

Windows Messaging Features can be used to alter the values and properties of windows applications (for example, windows enabler).

11OWASP

Memory Debugging and Messaging

Advantages: Allows the tester to manipulate all the

relevant values in the tested client application directly in the memory.

Disadvantages: The time required to perform such

tests is relatively long. The structure of Java and other virtual

environment based technologies makes the process even harder, due to non-standard memory structure and lack of proper support in messaging.

12OWASP

De-compilation and Recompilation

Extremely effective in development technologies that compile to a mid level code, instead of compiling directly to machine code, such as Java and .Net.

Since java applications are not compiled to machine code directly, and are compiled to a middleware interpretation instead (byte-code), it is possible to decompile them to a source code that is almost identical to the original source .

The fact that in java, each class is compiled to a separate class file, allows the tester to re-compile only the classes that he wishes to manipulate, instead of re-compiling the entire application.

The re-complied classes can replace the original ones in the application JAR file.

13OWASP

DJ Java De-compiler In Action

14OWASP

De-compilation and Recompilation

Advantages: Allows the tester to gain full control

over the values and requests sent from the client to the server.

Allows the tester to bypass challenge response, traffic encryption and signature mechanisms.

Disadvantages: Obfuscated code can make the process

extremely difficult. Detecting the key classes may take

time in complex and large client applications.

15OWASP

Run-time Protocol Analysis

16OWASP

Run-time Protocol Analysis

The tester can combine several methods in order to perform an efficient penetration test on java based thick clients and client server application, by sniffing requests, analyzing & re-transmitting them using a custom protocol analyzer. This method will work without resulting in any manipulation limitations, even if there is no proxy support and the protocol is binary.

17OWASP

Run-time Protocol Analysis

Advantages: A method that is much faster & cost

affective when compared to other test methods, such as de-compilation and memory debugging (several minutes per request).

Enables the tester to perform unrestricted manipulations on any java serialized protocol, including binary protocols, encrypted protocols and compacted protocols (gzip).

Enables detailed logical analysis, reveals the logical structure of each request and may allow access to secret in-code features.

Disadvantages: Requires basic programming skills, since it

involves in-code manipulations.

18OWASP

The Scope of RPA Tests

RPA can be used in java based protocols in any of the following test cases:

In the case of transmissions that contain serialized objects (binary data), sent over HTTP from an applet (java browser plug-in) or a thin client application to a J2EE application server. The analyzer should be implemented as a JSP page or a servlet in a local application server.

In the case of transmissions that contain serialized objects that are used within a proprietary TCP/UDP protocol. The analyzer should be implemented as a TCP/UDP server socket that attempts to extract objects from streams it receives.

In the case of compacted protocols (gzip), which are sent through HTTP or through a proprietary protocol. The server should be implemented in a similar technology, including extraction code.

19OWASP

The Scope of RPA Tests , Cont.

Advanced usage of RPA can be performed in the following test cases:

In the case of transmissions that are sent through encrypted protocols (such as SSL), RPA can only be used if the tester can gain the decryption key, has control over a local DNS configuration interface, and has the ability to customize various code fragments in the listener code (custom listener).

In the case of transmissions that contain inconsistent types of data (not only classes but custom bytes as well), the protocol analyzer can attempt to extract classes from each byte, and skip bytes in the case of exceptions.

The protocol analyzer can be used alongside de-compilation & reflection in order to bypass class-level security restrictions that may prevent the tester from altering private/protected fields.

20OWASP

How Does It Work?

Java serialized objects are transmitted alongside most of their properties, including class names, structure, variable values, object hierarchy and so on.

In order to analyze a sniffed transmission, we will simply retransmit it to the analyzer, and extract the serialized objects from the stream, one by one.

21OWASP

How Does It Work? (Cont.)

The protocol analyzer can rely on exceptions that will result from improper casting & analysis of the java serialization structure; the structure of the request will be analyzed based on casting exceptions!

After the request is analyzed, the object values can be altered in the analyzer code, and then retransmitted to the original destination.

22OWASP

Sniffed Serialized Objects (Http)

23OWASP

Creating A Protocol Analyzer

Implement a server application that will analyze requests (interactively) that are sent to it.

The server application should be written in the same technology as the original server application (e.g sockets for proprietary protocols, servlets or jsp pages for HTTP/GZip over HTTP communication, etc).

Sniff legitimate requests, and send them to the protocol analyzer for detailed analysis, value manipulation and re-transmission to the original destination.

24OWASP

Run-time Protocol Analysis Steps

Step by Step Java Protocol Analysis: “Sniff” a valid request and save the raw data to

file. In the case of HTTP wrapped requests, Edit the

destination of the request using an hexa editor, and replace it with the URL of the protocol analyzer.

Include the tested application client side code (jar/ class) in the analyzer class-path.

Resend the “sniffed” request to the local analysis jsp/servlet/socket.

Use casting exceptions to analyze the protocol structure.

Insert manipulation code into the analyzer. Resend the manipulated request from the

analyzer to the original destination.

25OWASP

Sniffed Request (Http)

26OWASP

Manipulating the Request Destination

27OWASP

Basic Protocol Analysis Code

28OWASP

Analyze Structure via Casting Errors

29OWASP

Manipulate and Send to the Original Server

30OWASP

Live Demo

31OWASP

The Account Viewer Demo Application

A sample application that allows users to view their account information.

A Thick client that is implemented as a java applet – java code that is dynamically downloaded and executed in the client side through a browser, which uses the embedded applet as an independent and separate part of the HTML page, that runs in the context of the JVM.

Since the applet does not support a proxy, and sends binary classes over HTTP, we cannot use simple pen-testing methods, and thus, we will use a custom analyzer instead.

32OWASP

The Protocol Analyzer Demo

The current sample protocol analyzer resides on tomcat, and is written as a JSP file.

Attempts to “cast” objects from request streams sent to it into a general Object, in order to intentionally cause casting exception that will reveal the name of the actual objects transmitted.

Casting exceptions will be presented on tomcat’s console, allowing the tester to alter the analyzer code to handle additional objects and manipulate their content.

33OWASP

The Phases of the Test

access the application download the client side application jar/s,

and place them in the analyzer class-path ([path]/WEB-INF/lib/).

sniff a valid request, Follow the TCP stream and save the request data as RAW data.

edit the request with a hexa editor, isolate one request by deleting the others and change the destination URL to that of the analyzer (currently found in: /StreamAnalyzer/StreamAnalyzer.jsp)

Run the test server & base analyzer transmit the request using Netcat analyze the request:

34OWASP

Detailed Request analysis

watch the analyzer console for exceptions. import any needed packages from the

tested client application code to the analyzer (the java import command).

alter the analyzer code to retrieve additional classes from the request and repeat the previous processes.

manipulate the values in the classes retrieved.

resend the manipulated information from the analyzer, back to the original destination.

35OWASP

Questions?

Thank You!For additional information:Email: shay@hacktics.comWeb: www.hacktics.com