• Welcome to Valhalla Legends Archive.
 

RMI and security

Started by iago, January 26, 2004, 09:47 AM


iago

There are some RMI functions that I have in this code that seem to have security problems.  How difficult is it, without knowledge of function names, or parameters, or anything like that, to be able to execute arbitrary RMI commands on a machine?

The setup right now is internet <--> Frodo <--> dev2, where frodo and dev2 communicate with RMI calls.  As it stands, they are on a test network (not the internet), but dev2 can also be seen from the rest of the network.

Now, at least a couple of the functions have code like this to transfer a file to dev2 from frodo:
       public void putFile(File fName, byte[] fBytes) throws RemoteException
       {
               verifyUser();
               fName = makeSpacesIntoUnderscore(fName);
               verifyFile(fName);   // only checks that the name is non-null

               try
               {
                       FileOutputStream fos = new FileOutputStream(fName);
                       fos.write(fBytes);
                       fos.close();
                       giveFile(fName);
               }
               catch (IOException e)
               {
                       throw new RemoteException("putFile failed", e);
               }
       }


verifyFile just makes sure the filename is non-null.  giveFile() looks like this:
       private void giveFile(File target) throws RemoteException, IOException
       {
               // command line is built by concatenating userName and the file name
               rt.exec("chown "+userName+" "+target.toString() );
       }


Although the filename is checked on the client, it is not checked on the server.  So bottom line is this:
If somebody can execute arbitrary RMI calls, they will be able to not only upload, but execute an arbitrary file with root permissions.  

Should I be worried? :)
This'll make an interesting test for broken AV:
QuoteX5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
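
An added example, not part of the original post or its code base: one way the server side of putFile could check the file name itself and set ownership without assembling a command line for rt.exec. The upload directory /srv/uploads, the name pattern, and the class and method shapes are assumptions.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardOpenOption;
import java.nio.file.attribute.UserPrincipal;
import java.util.regex.Pattern;

// Added example. UPLOAD_ROOT, SAFE_NAME and the class name are assumptions.
public class SafeUpload {
    static final Path UPLOAD_ROOT = Paths.get("/srv/uploads").toAbsolutePath().normalize();
    // Allow-list: starts with a letter or digit, so "", "." and ".." never match.
    static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9][A-Za-z0-9._-]{0,127}");

    /** Server-side check: map a client-supplied name to a path inside UPLOAD_ROOT. */
    static Path resolveUpload(String clientName) throws IOException {
        if (clientName == null || !SAFE_NAME.matcher(clientName).matches())
            throw new IOException("rejected file name");
        Path target = UPLOAD_ROOT.resolve(clientName).normalize();
        if (!target.startsWith(UPLOAD_ROOT))   // defence in depth
            throw new IOException("path escapes upload directory");
        return target;
    }

    /** userName is assumed to come from the authenticated session, not the caller. */
    static void putFile(String clientName, byte[] data, String userName) throws IOException {
        Path target = resolveUpload(clientName);
        // CREATE_NEW fails if anything already exists at the target path.
        Files.write(target, data, StandardOpenOption.CREATE_NEW, StandardOpenOption.WRITE);
        // Change ownership through the file API: no command line is assembled.
        UserPrincipal owner = target.getFileSystem()
                .getUserPrincipalLookupService().lookupPrincipalByName(userName);
        Files.setOwner(target, owner);
    }

    public static void main(String[] args) {
        // Constructed sample names; only the validation step is exercised here.
        String[] names = {"report_2004.txt", "../../etc/cron.d/job", "/etc/passwd",
                          "a b.txt", "odd;name", "..", null};
        for (String n : names) {
            try {
                System.out.println("accept " + resolveUpload(n));
            } catch (IOException e) {
                System.out.println("reject " + n + " (" + e.getMessage() + ")");
            }
        }
    }
}
```
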


iago

This worries me more:

The IP for dev2 is passed to a Servlet in a form (don't ask why; it pretty much has to be done like this).

Is it a danger that somebody could change that IP to some third party computer and bounce the packets back, modifying their contents?  Should this be a concern?


Banana fanna fo fanna

You really should stop using RMI :) You're quickly discovering why no one uses it outside of a firewall. It's slow, a pain, and not secure.

May I suggest XML-RPC?

iago

It would be a huge task to move away from RMI.  I'll just have to talk to the admins tomorrow about how it'll be firewalled to make sure this is safe.


Banana fanna fo fanna

Deep in the docs for RMI, you'll find something about writing your own transport for RMI. Perhaps there lies the answer.