Java Client Side
About Foundstone Professional Services
Foundstone Professional Services, a division of McAfee, Inc., offers expert services and education to help organizations continuously and measurably protect their most important assets from the most critical threats. Through a strategic approach to security, Foundstone identifies and implements the right balance of technology, people, and process to manage digital risk and leverage security investments more effectively. The company's professional services team consists of recognized security experts and authors with broad security experience with multinational corporations, the public sector, and the US military.
Introduction
Java Web Start and JNLP
Java Archives and META-INF
Getting Started
JDK Quick Install
Downloading and Extracting
Dealing with Signed JARs
Decompiling
Recompiling and Re-JARing
Signing the JAR
Making it work
Enabling Verbose logging within Java
Conclusion
More Information
Introduction
One of the major rules of security is "Never trust client side security." Somehow this rule is often forgotten, especially when companies deploy client side Java applications. They can try their best to obfuscate every part of the code, but in the end, it all runs on the client side, which means the user has the ability to control everything. This brief document will teach you the first steps of picking apart the contents of a client side Java application, and hopefully lead you on your way to some great findings.
    <!-- Disable DNS caching to allow Wide IP failover/load balancing -->
    <property name="networkaddress.cache.ttl" value="0"/>
  </resources>
  <application-desc main-class="com.fakecompany"/>
</jnlp>
Getting Started
Since the JNLP is simply an XML file, we can download this file to get a list of all the JARs which comprise the application. Using the above java_app.jnlp example, we can see that this application is comprised of two JARs: app-core.jar and app-gui.jar. These two files will be extracted, and their contents decompiled so that we can further understand the way they work. Two important things we'll need to install to accomplish our mission are the Java Development Kit (JDK) and the Java Decompiler (JAD). They can be found using the links below:
JDK: http://java.sun.com
JAD: http://www.kpdus.com/jad.html
Installation for both is relatively simple. Follow their instructions and it should be a snap. These can both be set up on Windows, but it is highly recommended to do this on a Linux box somewhere. Depending on the way the application was written, it is possible to have multiple classes within the JAR whose filenames differ only by case. For example, take a look at these two filenames: aA.class and Aa.class. Since Windows does not consider case in filenames, it will overwrite aA.class with Aa.class, which can completely destroy our application. Linux, however, does take the case of filenames into consideration, which is why it is heavily recommended. All commands given below are specifically for use under Linux; however, it is possible they may work on Windows as well.
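As an added example (not part of the Foundstone paper), the script below does the inventory step programmatically: it parses a JNLP file and reports the JARs and native libraries it will download (resolved against the codebase), the properties it sets, the main class, and whether it asks for <all-permissions/>, the directive that forces every JAR to be signed. The embedded JNLP is constructed for the example; its codebase URL is an assumption, while app-core.jar, app-gui.jar, the DNS-caching property and com.fakecompany are taken from the paper.

```python
"""Inventory the resources a JNLP file asks a Java Web Start client to fetch and run."""
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

# Constructed sample JNLP (not a real application's launch file).
SAMPLE_JNLP = """<jnlp spec="1.0+" codebase="https://app.example.test/jws/" href="java_app.jnlp">
  <information>
    <title>Fake Company App</title>
    <vendor>fakecompany</vendor>
  </information>
  <security>
    <all-permissions/>
  </security>
  <resources>
    <j2se version="1.6+"/>
    <jar href="app-core.jar" main="true"/>
    <jar href="app-gui.jar"/>
    <!-- Disable DNS caching to allow Wide IP failover/load balancing -->
    <property name="networkaddress.cache.ttl" value="0"/>
  </resources>
  <application-desc main-class="com.fakecompany"/>
</jnlp>
"""


def inventory_jnlp(xml_text):
    """Return a dict describing what the JNLP will download and execute."""
    root = ET.fromstring(xml_text)
    if root.tag != "jnlp":
        raise ValueError("not a JNLP document: root element is %r" % root.tag)
    codebase = root.get("codebase", "")
    # href values are resolved relative to the codebase, so a bare name such as
    # app-core.jar lives next to the JNLP on the server.
    jars = [urljoin(codebase, j.get("href")) for j in root.iter("jar") if j.get("href")]
    nativelibs = [urljoin(codebase, n.get("href")) for n in root.iter("nativelib") if n.get("href")]
    props = {p.get("name"): p.get("value") for p in root.iter("property")}
    app = root.find("application-desc")
    main_class = app.get("main-class") if app is not None else None
    # <all-permissions/> lets the application out of the Web Start sandbox;
    # it is only honoured when every JAR is signed, which is why signing matters later.
    all_perms = root.find("security/all-permissions") is not None
    return {
        "codebase": codebase,
        "jars": jars,
        "nativelibs": nativelibs,
        "properties": props,
        "main_class": main_class,
        "all_permissions": all_perms,
    }


if __name__ == "__main__":
    info = inventory_jnlp(SAMPLE_JNLP)
    for url in info["jars"]:
        print("JAR:", url)
    for url in info["nativelibs"]:
        print("native library:", url)
    print("main class:", info["main_class"])
    print("requests all-permissions:", info["all_permissions"])
```

Run it against a JNLP saved from the launch URL to get the full download list before extracting anything; the all-permissions flag tells you up front whether the signing steps later in the paper will be unavoidable.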
Now you'll have the two JARs in your current directory, and they'll need to be extracted.
Extracting the JARs
root@jdkdemo:/home/user# mkdir app-gui
root@jdkdemo:/home/user# cp app-gui.jar app-gui
root@jdkdemo:/home/user# cd app-gui
root@jdkdemo:/home/user/app-gui# jar xf app-gui.jar
root@jdkdemo:/home/user/app-gui# rm app-gui.jar
root@jdkdemo:/home/user/app-gui# cd ..
root@jdkdemo:/home/user# mkdir app-core
root@jdkdemo:/home/user# cp app-core.jar app-core
root@jdkdemo:/home/user# cd app-core
root@jdkdemo:/home/user/app-core# jar xf app-core.jar
root@jdkdemo:/home/user/app-core# rm app-core.jar
root@jdkdemo:/home/user/app-core# cd ..
Obviously, the only command that needs to be executed is jar xf jarfile.jar, but I added all the extra commands so we can have a nice, neat directory structure.
This will give you a good amount of information if the JAR is actually signed. If it does not, then most likely the JAR is not signed, and the tool will state that clearly near the bottom of the command output. As mentioned above, it is important to determine whether the JAR was signed, because with a signed JAR the MANIFEST.MF contains a SHA1 digest of each file in the archive. If we update a particular file, its digest will no longer match the one in the MANIFEST.MF, and the application may fail to run (again, this only applies if the JAR was signed). Also, if we recompile and re-sign any one JAR, we are required to recompile and re-sign every other JAR specified within the same JNLP. Finally, it is not uncommon for a Java application to require complete access to the local system through the <all-permissions> security directive. If this directive is set, the JAR must be signed.
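The digest check described above can be reproduced without the JDK tools. The script below is an added example, not code from the Foundstone paper: it builds a small signed-looking JAR in memory (class bytes, entry names and the MYALIAS signature files are all constructed placeholders), lists the signature files under META-INF, recomputes the SHA1-Digest of every entry and reports any that no longer match the manifest, which is exactly what happens after you swap in a recompiled class without re-signing. The same check is useful after the re-JAR step later in the paper to confirm which entries changed.

```python
"""Compare a JAR's entries against the SHA1-Digest values in its MANIFEST.MF."""
import base64
import hashlib
import io
import zipfile

SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")


def sha1_digest_b64(data):
    """Manifest digests are base64 of the raw SHA-1 over the entry's bytes."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode()


def build_sample_jar(main_class_bytes):
    """Construct a JAR with a digest-bearing manifest (sample data, not a real app)."""
    entries = {
        "com/fakecompany/Main.class": main_class_bytes,
        "com/fakecompany/LoginCheck.class": b"\xca\xfe\xba\xbe login-check-stub",
    }
    manifest = ["Manifest-Version: 1.0", "Created-By: example", ""]
    for name, data in entries.items():
        manifest += ["Name: " + name, "SHA1-Digest: " + sha1_digest_b64(data), ""]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "\r\n".join(manifest))
        # Placeholder signature block; a real pair is produced by jarsigner.
        zf.writestr("META-INF/MYALIAS.SF", "Signature-Version: 1.0\r\n")
        zf.writestr("META-INF/MYALIAS.RSA", b"<pkcs7 placeholder>")
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def parse_manifest(text):
    """Return {entry name: SHA1-Digest}; sections are blank-line separated and
    lines starting with a space continue the previous (72-byte wrapped) line."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    digests, name = {}, None
    for line in logical:
        line = line.strip()
        if not line:
            name = None
            continue
        key, _, value = line.partition(":")
        if key == "Name":
            name = value.strip()
        elif key == "SHA1-Digest" and name:
            digests[name] = value.strip()
    return digests


def verify_jar(jar_bytes):
    """Return (signature_files, entries_with_bad_digest, entries_missing_from_manifest)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        sig_files = [n for n in names
                     if n.startswith("META-INF/") and n.upper().endswith(SIGNATURE_SUFFIXES)]
        digests = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
        mismatched, unlisted = [], []
        for n in names:
            if n.endswith("/") or n.startswith("META-INF/"):
                continue  # directories and the signature files themselves are not digested here
            if n not in digests:
                unlisted.append(n)
            elif digests[n] != sha1_digest_b64(zf.read(n)):
                mismatched.append(n)
    return sig_files, mismatched, unlisted


def replace_entry(jar_bytes, name, new_data):
    """Rewrite one entry, as recompiling a class does, leaving the manifest untouched."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for n in src.namelist():
            dst.writestr(n, new_data if n == name else src.read(n))
    return out.getvalue()


if __name__ == "__main__":
    jar = build_sample_jar(b"\xca\xfe\xba\xbe original")
    print("pristine:", verify_jar(jar))
    patched = replace_entry(jar, "com/fakecompany/Main.class", b"\xca\xfe\xba\xbe patched")
    print("after swapping Main.class:", verify_jar(patched))
```

Point verify_jar at a real archive by reading the file's bytes; a non-empty signature list with an empty mismatch list is what an untouched signed JAR looks like, and the mismatch list after a recompile is the set of entries whose digests (and therefore the .SF and .RSA files) would have to be regenerated.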
Decompiling
Now that we have extracted the JAR and identified whether it has been signed, our next step is to decompile whichever class(es) we'd like to investigate. This is where JAD comes in. JAD's usage is very simple and straightforward. You can decompile everything within a certain directory, a source tree, or an individual file. JAD does not decompile JAR files directly, so you need to extract the JAR first as detailed above. We would recommend dissecting everything for your investigation. Later on, if you plan on modifying something specific, re-extract the JAR and only decompile that particular class, as it makes things less complicated with the recompile. You can also avoid these complications by decompiling to a completely different directory.
Decompiling individual files
root@jdkdemo:/home/user/app-gui/classes# jad classfile.class
Decompile all class files within a source tree to a different directory, renaming them to .java files
root@jdkdemo:/home/user/app-gui/classes# jad -r -sjava -d/home/user/app-gui/src /home/user/app-gui/classes/*.class
By default JAD will output a .jad file for the source code that can be read or modified. JAD can also decompile directly to .java files by using the -s option. The destination for source files can be set with -d, and the package directory structure is restored with -r. Other JAD options can be displayed by calling jad with no arguments. The application's source is now available for you to dissect and investigate. If there is a particular function that is getting in your way by making some obscure check, why not take it out! The power is yours! It may be a good idea to make a minor change in the logging portion of the application, so you can verify that it's working through the Java logging console. One quick note: if you're making any changes, remove the original .class and leave the .java in the same directory. If you decompiled to a different directory, copy the modified .java over to the compile directory when you are ready to recompile. It will make the recompile process smoother.
goodies that are particular to the JAR. Since we're recompiling the entire archive, we can take it out, as it will be added automatically when we recompile. Here are our steps for recompiling and re-JARing. We took a hypothetical file, classfile.java (decompiled with JAD), within the gui/ and core/ directories, respectively.
Recompiling and re-JARing
root@jdkdemo:/home/user# cd app-gui/
root@jdkdemo:/home/user/app-gui# rm classes/classfile.class
root@jdkdemo:/home/user/app-gui# javac -cp . classes/classfile.java
root@jdkdemo:/home/user/app-gui# rm -rf META-INF
root@jdkdemo:/home/user/app-gui# jar cvf app-gui.jar .
root@jdkdemo:/home/user/app-gui# cd ../app-core/
root@jdkdemo:/home/user/app-core# rm classes/classfile.class
root@jdkdemo:/home/user/app-core# javac -cp . classes/classfile.java
root@jdkdemo:/home/user/app-core# rm -rf META-INF
root@jdkdemo:/home/user/app-core# jar cvf app-core.jar .
We removed the pre-existing class files as a matter of organization, and so we can verify they were created by the recompiling process. Great! So now we have modified our class, recompiled it, and re-JARed it. Depending on how the application was initially set up, you could be done! Just give it a run and see if it worked out! However, it's more likely that it was signed, so let's get to the annoying part.
What is the two-letter country code for this unit?
  [Unknown]:
Is CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
  [no]:  yes
Enter key password for <myAlias>
        (RETURN if same as keystore password):  [Press Enter]
Your keystore has now been created. Look for the file myKeyStore in your current directory. Now we can sign the JAR (assuming myKeyStore is in the same directory you started in)!
Sign the JAR
cd app-core/
jarsigner -keystore ../myKeyStore -storepass <password> app-core.jar myAlias
cd ../app-gui
jarsigner -keystore ../myKeyStore -storepass <password> app-gui.jar myAlias
Just verify using the jarsigner tool mentioned above and you're ready to put it all into action.
Making it work
You can go back to your Windows box and do some basic tests to figure out where the application is saving itself once it downloads to your machine. You can use Filemon (www.sysinternals.com) or simply search for the .jar on your machine (usually in c:\documents and settings\<user>\application data\ ). Once you figure this out, simply replace those with your repacked and re-signed JARs. Double-click the JNLP to launch the application, and hopefully your modification will work! You may see a Java warning message complaining that the application is signed by an unknown authority, but you can safely ignore that, as you're that unknown authority!
Expand the trees under Debugging and Java Console. Under Debugging, mark the Enable Tracing, Enable Logging, and Show applet lifecycle exceptions checkboxes. Under Java console, mark the Show console radio button. Hit OK.
Conclusion
Excellent job! You have successfully decompiled your JAR, figured out how to recompile it, and learned how to re-sign it if necessary. Now it's up to you to closely analyze the application and figure out what you can do with the decompiled JAR to identify vulnerabilities in the application. The important thing to remember here is that because this is client side, all the power is now in your hands. For example, if the application waits for a server response to validate authentication, try to change that check to automatically return true. This way you can see the application functionality without actually logging in. That's just one very simple idea - go ahead, play around, and most importantly, HAVE FUN!
More Information
If you're new to Java or would like to get more oriented with Java development, check out the following links:
The Java Tutorials: http://java.sun.com/docs/books/tutorial/
OWASP Guide - General Web Application Testing: http://www.owasp.org/index.php/OWASP_Guide_Project
Java Programming Resources: http://www.apl.jhu.edu/~hall/java/
Learn More
For additional information about Foundstone consulting, please contact your local sales representative:
Phone: 1.877.91.FOUND
Email: [email protected]