Scouting for bugs
Security researchers at Bishop Fox have developed a tool that can root out vulnerabilities in Java Remote Method Invocation (RMI), an API that performs remote procedure calls on Java server applications and allows client apps to invoke the services on a remote Java Virtual Machine (JVM).
Named RMIScout, the tool performs wordlist and brute-force attacks against exposed Java RMI interfaces to safely enumerate invokable methods and discover deserialization vulnerabilities in method parameters.
“Java RMI is a legacy design based on deserializing Java serialized objects that has risks that we better understand in a modern context,” Jake Miller, security researcher at Bishop Fox and developer of RMIScout, told The Daily Swig.
“Because of this design, there are more security considerations that are required for securely implementing a service using Java RMI, as opposed to a newer technology like gRPC.”
Today, deserialization attacks – where malicious actors use flaws in the parsing mechanism of parameter objects passed to functions to send malicious payloads to Java applications – are a well-known and well-documented threat.
But in the early days of Java, when RMI was introduced, little was known about deserialization vulnerabilities, and the protocol came with no safeguards against the threat.
“Now, 15-20 years later, changing the protocol would break backwards compatibility. So, user-configured process-wide deserialization filters were established as the best solution,” Miller said.
Developers, however, often neglect implementing filters for their applications.
Also, many Java RMI services have no authentication, session management, secure firewall rules, or process-wide deserialization filters. This practice leads to an attack surface out of the methods themselves, in addition to deserialization attacks on the protocols.
“Although RMI registries do not advertise a list of available functions to can be executed, once you know the signature of a method that will be sufficient to invoke it,” Miller said.
To execute remote methods, Java RMI clients submit a 64-bit hash of the method signature, which the server uses to identify the corresponding server-side method.
To create RMIScout, Miller analyzed over 15,000 method signatures scraped from open source projects in GitHub. He assembled these patterns into a wordlist that RMIScout uses to probe RMI servers for available methods.
RMIScout uses a special technique to validate the presence of remote methods without invoking them.
On top of the brute-force method signatures discovery, RMIScout can be combined with other tools such as GadgetProbe to perform deserialization attacks against services that either lack process-wide serialization filters or have them incorrectly configured.
READ MORE Latest web hacking tools – Q1 2020
“Previously, the best solutions to the problem of guessing signatures for invoking methods or performing deserialization attacks was to: A) get a copy of the software, or B) write custom code or use an awkward debugging harness to try and guess signatures,” Miller said.
RMIScout expedites the process and has been well received by the security community.
Miller said he will continue to expand RMIScout’s word list in the coming months and looks forward to contributions from the community.
Meanwhile, he stresses that the best way to protect your Java apps from remote code execution is to leverage newer and more secure technologies.
Says Miller: “If you can plan to migrate away from Java RMI, that's the best solution. But if you’re stuck with it: lock down the service with firewall rules, use an authenticated SSLRMISocketFactory, and implement process-wide deserialization filters.”