44CON 2017 has ended
Wednesday, September 13 • 18:45 - 19:44
Nicky Bloor - BaRMIe - Poking Java's Back Door

Java’s Remote Method Invocation (RMI) enables developers to seamlessly interact with objects that reside within another Java Virtual Machine (JVM), potentially on a remote server. As is often the case, the trade-off for seamless remote method invocation is security. While many consider RMI to be outdated and uninteresting, many in-service implementations remain trivial to exploit, and there are many questions to consider. How common is RMI? How many RMI services are making the same mistakes when it comes to security? What else could I do with arbitrary RMI services? Can RMI services be secured, and if so, how?

I set about finding answers to those questions. Along the way I wrote a tool to help with enumeration of RMI services, called BaRMIe, which eventually became an exploitation tool following the discovery of vulnerabilities within Java itself.

During this talk I’ll look at the work I did and present the results of my research including answers to my original questions and the exploitation tool I wrote, BaRMIe.


Wednesday September 13, 2017 18:45 - 19:44 BST
*Track 1*