SSN Project Proposal: (In)security of Java within middleware

Transcription

1 SSN Project Proposal: (In)security of Java within middleware Yonne de Bruijn Xander Lammertink Diana Rusu University of Amsterdam Master : System and Network Engineering

2 Introduction JBoss and Tomcat [1][2] are both frameworks widely used and deployed by organizations to host applications. These frameworks are used to serve up Java Server Pages (JSP) [4]. These pages are used to create dynamic web content and, due to their Java-base, are cross-platform compatible. In the previous years these applications have been hardened and secured, but has every aspect been considered? Is the usage of Java secure within these kind of applications? 2

3 Contents 1 Research 4 2 Research Question 5 3 Approach 5 4 Planning 5 5 Implications 6 6 Ethics 6 7 End Product 6 3

4 1 Research The focus of this research will be at the two previously mentioned Java EE server applications: JBoss Tomcat Previous work has been performed regarding these systems, and it has been shown that their security lacks on multiple parts of the software. For example, in 2010, a full lecture was held at Defcon on how to compromise a JBoss install [5]. One of the main methods to compromise a server running JBoss was by implementing a shell which directly executes commands on the server running JBoss [6]. Usage of this method would result in full control over the server. The vulnerabilities exposed can be found within JBoss version 4 and 5. Version 6 and 7 have removed and patched features crucial to this attack [7], but this does not mean that these versions are automatically secure. The previous described attack is based on RMI. RMI is used for communication between two Java Virtual Machines (JVM). Within JBoss and Tomcat, for example, it can be used to connect to the JMX. The JMX in turn can be used to integrate modules, containers and plug-ins [8][9]. This provides an interesting access point to further investigate, as RMI has been implemented in most (if not all) of the Java EE server applications. This is one of the known ways to compromise a i.e. JBoss install. This research will try to determine other methods. 4

5 2 Research Question How (in)secure is the usage if Java within Java EE middleware applications? This research topic can be split up in to several sub-questions, which will be further investigated during the security audit of the aforementioned applications: Can RMI be used to compromise Java EE server applications? What are the known attacks on Java, and can these be used to exploit JBoss and Tomcat? Are any security measures implemented to prevent attacks on the Java base of these applications? 3 Approach Get familiar with old vulnerabilities by examining OWASP [10] Prepare (virtual) servers to test vulnerabilities on Tomcat and JBoss If possible, create a script to generalize found exploits to be used on other Java EE middleware applications. 4 Planning Week 1 Set up server with Tomcat and JBoss Read vulnerabilities and test them Make script for testing them Install older version so test script is tested Install latest version and define new exploits Possible exploits Expand script with new tests 5

6 5 Implications If flaws within the security of Java are exposed, this could have some heavy implications. Many applications in daily use rely heavily on Java or have an entire Java base. When security issues are found, these applications are under risk of being compromised. 6 Ethics There will be no personal data involved throughout this research. Tests will be performed on a specifically setup system (not exposed to the public internet). When issues are found, they will be disclosed in a responsible way. Manufactures will be contacted by the UvA so they can act on the matters before the research will be published. 7 End Product When this research shows that weaknessess are found in these Java applications, an advice will be formed to try to prevent this. This could imply a change to the default configuration, installation instruction or even the core of the applications it self. 6

7 References [1] Overview, R. and Software, U. (2014). JBoss Technology. [online] JBoss Developer. Available at: [Accessed 18 Nov. 2014]. [2] Project, A. (2014). Apache Tomcat - Welcome!. [online] Tomcat.apache.org. Available at: [Accessed 18 Nov. 2014]. [3] Oracle.com, (2014). Java Platform, Enterprise Edition (Java EE) Oracle Technology Network Oracle. [online] Available at: [4] Oracle.com, (2014). JavaServer Pages Technology. [online] Available at: [5] Anon, (2014). [online] Available at: presentations/krpata/defcon-18-krpata-attacking-jboss.pdf [6] Dark Reading, (2014). Who s The Boss Over Your JBoss Servers?. [online] Available at: [7] Hsc.fr, (2014). HSC - Presentations - Hacking and securing JBoss AS. [online] Available at: [Accessed 18 Nov. 2014]. [8] Docs.jboss.org, (2014). Chapter 2. The JBoss JMX Microkernel. [online] Available at: [9] Tomcat.apache.org, (2014). Apache Tomcat 7 (7.0.57) - Monitoring and Managing Tomcat. [online] Available at: [Accessed 19 Nov. 2014]. 7

8 [10] Owasp.org, (2013). OWASP Top PDF. [online] Available at: % pdf [Accessed 19 Nov. 2014]. 8