JNDI (Java Naming and Directory Interface) is a Java API that allows clients to discover and look up data and objects via a name. These objects can be stored in different naming or directory services such as RMI, CORBA, LDAP, or DNS.
This talk will present a new type of vulnerability named "JNDI Reference Injection" found in malware samples attacking Java Applets (CVE-2015-4902). The same principles can be applied to attack web applications running JNDI lookups on names controlled by attackers. As we will demo during the talk, attackers will be able to use different techniques to run arbitrary code on the server performing JNDI lookups.
The talk will first present the basics of this new vulnerability including the underlying technology, and will then explain in depth the different ways an attacker can exploit it using different vectors and services. We will focus on exploiting RMI, LDAP and CORBA services as these are present in almost every Enterprise application.
LDAP offers an alternative attack vector where attackers not able to influence the address of an LDAP lookup operation may still be able to modify the LDAP directory in order to store objects that will execute arbitrary code upon retrieval by the application lookup operation. This may be exploited through LDAP manipulation or simply by modifying LDAP entries as some Enterprise directories allow.
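For defenders, the pattern to look for is a request value passed straight to a JNDI lookup. The sketch below is an added example, not code from the talk or its authors: it puts that pattern beside a hardened form in which the request value only selects one of a fixed set of names. The class, method and resource names are hypothetical, and the sample inputs are constructed.

```java
import java.util.Map;
import java.util.regex.Pattern;
import javax.naming.Context;
import javax.naming.NamingException;

/** Added illustration; class, method and resource names are hypothetical. */
public class SafeJndiLookup {

    // Constructed allowlist: caller-visible key -> fixed JNDI name.
    private static final Map<String, String> ALLOWED = Map.of(
            "orders", "java:comp/env/jdbc/OrdersDS",
            "audit", "java:comp/env/jms/AuditQueue");

    // A leading URL scheme ("ldap:", "rmi:", "iiop:", ...) makes InitialContext
    // resolve the name through a URL context instead of the configured provider.
    private static final Pattern URL_SCHEME =
            Pattern.compile("^[A-Za-z][A-Za-z0-9+.-]*:");

    /** Risky pattern: the request value is used directly as the JNDI name. */
    static Object lookupUnchecked(Context ctx, String requestValue) throws NamingException {
        return ctx.lookup(requestValue);
    }

    /** Hardened: the request value is only a key into the fixed allowlist. */
    static Object lookupChecked(Context ctx, String requestValue) throws NamingException {
        return ctx.lookup(resolveName(requestValue));
    }

    /** Maps a request value to an allowlisted name or throws. */
    static String resolveName(String requestValue) {
        if (requestValue == null || URL_SCHEME.matcher(requestValue).find()) {
            throw new IllegalArgumentException("null or URL-style name");
        }
        String name = ALLOWED.get(requestValue);
        if (name == null) {
            throw new IllegalArgumentException("unknown resource key");
        }
        return name;
    }

    public static void main(String[] args) {
        // Constructed sample inputs; the hosts are placeholders.
        String[] samples = {"orders", "ldap://directory.example/cn=obj",
                            "rmi://registry.example/obj", "unknown"};
        for (String s : samples) {
            try {
                System.out.println(s + " -> " + resolveName(s));
            } catch (IllegalArgumentException e) {
                System.out.println(s + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

This check covers only the lookup name; it does not address the case described above where the directory contents themselves have been modified.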
Alvaro Muñoz (@pwntester) works as Principal Software Security Researcher with HP Security Research (HPSR). His research focuses on different programming languages and web application frameworks searching for vulnerabilities or unsafe uses of APIs. Before joining the HPSR team, he worked as an Application Security Consultant helping enterprises to deploy their application security programs. Muñoz has presented at many Security conferences including Defcon, RSA, AppSecEU, Protect, DISCCON, etc and holds several infosec certifications, including CISSP, GWAPT and OSCP, and is a proud member of int3pids CTF team. He blogs at http://www.pwntester.com.
Oleksandr Mirosh has over 8 years of computer security experience, including vulnerability research, penetration testing, reverse engineering, fuzzing, developing exploits and consulting. He is working for HPE Software Security Research team investigating and analyzing new threats, vulnerabilities, security weaknesses, new techniques of exploiting security issues and development vulnerability detection, protection and remediation rules. In the past, he has performed a wide variety of security assessments, including design and code reviews, threat modelling, testing and fuzzing in order to identify and remove any existing or potentially emerging security defects in the software of various customers.