MagicHat - Insomni'hack teaser 2018 writeup

Transcript

1. MagicHat Insomni’hack teaser 2018

2. Challenge overview • Given a Jar (Java archive) file •

   Client application for Java RMI (Java version of RPC) • Server is hosted remotely

3. Class structure • Artifact ◦ Broomstick ◦ Frog ◦ .

   ◦ . ◦ Wand ◦ Hat - contains an instance of HashBag where Artifacts can be added Broomstick, Frog, …., Wand, Hat all inherit from Artifact (an abstract class)

4. Java RMI (Remote Method Invocation)

5. Challenge goal • Given access to only those 3 functions,

   get remote shell [The solution is independent of the functioning provided by the three functions. It only relies on the fact that ‘Hat’ object can be sent to the server which contains a ‘HashBag’ object.]

6. Dummy Server

7. Vulnerability • HashBag can contain any type of objects •

   Java RMI serializes and deserializes objects when transmitting over the network • Java serialization opens up possibilities for exploits similar to python’s pickle, ruby’s marshall and php’s serialization.

8. Java Serialization

9. Java Serialization

10. • We can only craft the data members of the

    objects, not code or functions • Whatever types of objects we use, corresponding readObject() will be called • No trivial solution exists - No class has any readObject() function passing data members to the shell We have to somehow ‘chain’ existing code pieces (gadgets) that are called during the process of deserialization that achieve arbitrary code execution and craft our payload accordingly - Property Oriented Programming (similar to ROP)

11. Libraries loaded Libraries used by client program (server will rely

    on a superset of these) alongwith classes in each from where gadgets will be used: • JRE System Libraries (default, available in every Java program) - HashMap • commons-collections-3.2.2.jar - Transformer, ConstantTransformer, InvokerTransformer, ChainedTransformer, LazyMap, TiedMapEntry, HashBag • commons-lang3-3.7.jar The last two libraries are quite famous (part of Apache Software Foundation). Exact versions can be found by unzipping the given ‘jar’ file.

12. Background • Java Reflection API • Transformers • Lazy Map

13. Java Reflection API • Code that can inspect other code

    in the same system • API: ◦ java.lang.Object (abstracts an object) ▪ java.lang.Class (abstracts a class / interface) ▪ java.lang.reflect.AccessibleObject • java.lang.reflect.Method (abstracts a function)

14. Java Reflection API

15. org.apache.commons.collections.Transformer • Interface with one function: Object transform(Object input) •

    Classes inherit from this to create concrete Transformers • A Transformer transforms an input object to an output object • Doesn’t change the input object • Mainly used for: ◦ Type conversion ◦ Extracting parts of an object

16. org.apache.commons.collections.Transformer

17. ConstantTransformer • Always returns the same object specified during initialization

18. InvokerTransformer • Takes a method name with optional parameters during

    initialization • On transform, calls that method for the object provided with the parameters

19. ChainedTransformer • Takes an array of transformers during initialization and

    chains them

20. LazyMap • A type of ‘Map’ which creates a value

    if there’s no value for the requested key • This generation is done through a ‘transformer’ on the ‘key’

21. Primitive for executing shell system(command); In Java Runtime.getRuntime().exec(command); Slight difference:

    It does not redirect stdin/stdout to the shell and silently executes the command Difficult to construct gadgets to run this directly. Instead, we’ll use reflection API.

22. Primitive for executing shell • Runtime.getRuntime().exec(command);

23. None
24. None

25. • Now, we have a primitive for running arbitrary commands

    in shell • All our state is in object variables, no code! Hence, can be passed as part of a serialized object • Our goal is to somehow trigger `lazyMap.get(...)` during the deserialization process

26. Some more background ... • TiedMapEntry • HashMap • HashBag

27. TiedMapEntry • A class implementing Map’s Entry interface - ‘Key

    Value Pair’ • Tied to an underline Map • TiedMapEntry(Map map, Key key) • getKey() { return key; } • getValue() { return map.get(key); } • setValue(value) { map.put(key, value); } • hashCode: ◦ public int hashCode() { final Object value = getValue(); return (getKey() == null ? 0 : getKey().hashCode()) ^ (value == null ? 0 : value.hashCode()); }

28. HashMap • Hash based implementation of Map interface • Internally

    stores entries in a ‘table’: ◦ Entry[] table • Look up and updates implemented by calculating a hash of the ‘key’ and indexing into the ‘table’. • While calculating hash, calls ‘hashCode’ for the underlying ‘key’

29. HashBag • A Collection that counts the number of times

    an object appears in the collection • Backed by an internal HashMap object ‘map’

30. Approach • Create a TiedMapEntry with the underlying map as

    our `lazyMap` and key ‘foo’ • Create a HashBag instance • Set HashBag’s underlying HashMap’s entry table’s first entry’s key to be our TiedMapEntry. • Set hat’s HashBag to the one created above • During deserialization of the Hat following will happen: ◦ HashBag.readObject() // Hat has a HashBag ◦ HashMap.readObject() // HashBag has a HashMap ◦ HashMap.put(key, value) // Any entry read will be inserted in HashMap ◦ key.hashCode() <=> tiedMapEntry.hashCode() // Key here will be our TiedMapEntry ◦ tiedMapEntry.getValue() ◦ map.getKey(key) <=> lazeMap.get(“foo”) • Note: Here, we have a key value entry, who’s key is a TiedMapEntry

31. Final Exploit

32. References https://github.com/p4-team/ctf/tree/master/2018-01-20-insomnihack/pwn_magic_h at [Writeup] https://www.youtube.com/watch?v=KSA7vUkXGSg [Talk on deserialization issues] https://github.com/frohoff/ysoserial

    [Collection of payloads and gadget chains for different libraries]