Java backdoors and Cross Framework Abuse
– Nicholas (aricon) Berthaume
Java has a number of different archive formats. This talk covers the J2SE / J2EE type archives. The goal here is to show how simple it is to add potentially malicious software to three of the most common format.
JAR – Java ARchive
Typical run in Java Virtual Machines on client system
ZIP files with manifests, metadata and Java byte-code
Can be digitally signed
WARs – Web application Archives
Typical run on Java application servers such as Tomcat
Run as the remote server user.
Can be digitally signed
EAR – Enterprise application ARchive
Very similar to WAR, but with extended enterprise features.
All three file formats when allowed to run can create sockets, interact with the filesystem outside of the respective virtual machines and execute commands there. This makes then perfectly suited for exploitation.
Run typical with full permissions of the user and display very few warnings. At most you receive a “run or don’t run” style prompt. Signing, even with a self-signed certificate, reduces these warnings.
AV engines rarely do effective heuristic analysis on known malicious code when it’s inserted into a Java Archive format.
JAR backdoor payloads
File droppers that execute arbitrary code.
WAR backdoor payloads
All of the same features of JAR files, but run on the remote server.
EAR backdoor payloads
Similar abuse to WAR, but also allow for greater reuse of classes and scaling across multiple servers and additional security roles.
Adding content to WAR files is often as simple as editing the manifest and adding the required backdoor code. EAR is however a little more complex due to the additional features. However it’s possible to set the security context used to run your backdoor code.
JAR is more complex however. The process involves extracting a JAR to use as the host, add files into the correct paths and edit the MANIFEST as required.
Tool designed to automate this functionality. Written in Python.
When combined with the JDK, this tools will give you the ability to add arbitrary Java to existing files.
Currently tested with EAR, WAR, JAR files using the JAVA meterpreter as the standard backdoor. However other can be used with minor modifications.
Due to the way code is run, closing the browser after infection leaves the code active on the system.
In additions to pure Java there are a number of extension APIs that are either included or installable.
Java Native Access (JNA)
Open-source utility for calling native and managed libraries/assemblies on nearly every platform that the JVM runs on.
.NET from the JNA
By using assembled code in .NET (using jython) it was possible to implement simple calls outside the framework without needing to recompile the classes due to the reasonable support found in the JNA.
From here the goal is to inject processes, hopefully using standard injection techniques to inject into .NET or inject a DLL into memory.
- Talk abstract –> HERE
- RAWJAR project –> HERE