March 27, 2023

Java RMI services can be attacked through SSRF attacks. Java RMI is an object-oriented Remote Procedure Call mechanism available in most Java installations, which software developers can use to make functions available over a network.

For communication, Java RMI relies on serialized Java objects, a mechanism that attackers are often able to target, despite the fact that the technology has gone through a process of hardening over recent years.


SSRF attacks in general allow an attacker to trick a server-side application into making HTTP requests to a domain selected by the attacker, a behaviour that opens the door to all manner of malfeasance.

Securing RMI properly is not that intuitive and there is a lot of hidden attack surface. Instead of configuring it properly, administrators often take the easy route and only allow access from trusted networks or clients.

The most commonly used RMI service is JMX. It was possible to compromise a backend JMX service via SSRF, but only provided that the vulnerable system returns the responses from the backend service and accepts arbitrary bytes within them.

SSRF-based attacks on default RMI components, such as the RMI registry, are also possible, though only where the system allows arbitrary bytes to be sent to the backend service. Java RMI is a binary protocol and requires all sorts of different data types during communication.


Mitigations

Susceptibility to SSRF attacks is symptomatic of wider insecurities that are all too commonplace: services may expose dangerous methods, fail to implement deserialization filters, or are outdated and contain known vulnerabilities.

Recommended mitigations include enabling TLS-protected communication for all RMI endpoints, using deserialization filters, and adding stronger authentication controls.
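The deserialization filter mentioned above is the mitigation that most directly limits what an attacker can achieve once they can reach an RMI endpoint with arbitrary bytes. The following is an added example, not code from the article or from any of the affected projects: it uses the standard `java.io.ObjectInputFilter` API (Java 9 and later) to build an allow-list filter and shows that an allow-listed class deserializes while anything else is rejected with an `InvalidClassException`. The class names in the allow-list and the `RmiFilterDemo` name are assumptions chosen for the demonstration; a real service would list exactly the types its remote methods accept. For an RMI server, where the runtime creates the `ObjectInputStream` for you, the same pattern is applied process-wide with `ObjectInputFilter.Config.setSerialFilter(...)` or the `-Djdk.serialFilter=...` JVM option instead of per-stream.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.HashMap;

public class RmiFilterDemo {

    // Allow-list filter (assumed set of types for this demo):
    // accept java.util.ArrayList and classes directly in java.lang,
    // reject everything else ("!*"), and cap graph depth, reference
    // count and stream size to blunt resource-exhaustion payloads.
    // Patterns are evaluated left to right; the first match wins.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "java.util.ArrayList;java.lang.*;!*;maxdepth=10;maxrefs=1000;maxbytes=65536");

    // Serialize an object to bytes, standing in for data arriving over RMI.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize with the filter attached; every class encountered in the
    // stream is checked against FILTER before it is resolved or instantiated.
    static Object deserializeFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: an allow-listed type passes the filter.
        ArrayList<String> allowed = new ArrayList<>();
        allowed.add("hello");
        System.out.println("accepted: " + deserializeFiltered(serialize(allowed)));

        // Constructed sample input: a type not on the allow-list is rejected
        // before any of its deserialization logic runs.
        HashMap<String, String> denied = new HashMap<>();
        denied.put("k", "v");
        try {
            deserializeFiltered(serialize(denied));
            System.out.println("unexpected: HashMap was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac RmiFilterDemo.java && java RmiFilterDemo`. The important design choice is the trailing `!*`: without it the filter only adds limits and still lets unknown classes through, which is exactly the gap the article's "do not implement deserialization filters" finding describes. Pair the filter with the TLS socket factories and authentication the article recommends; the filter limits the damage of a reachable endpoint, it does not make the endpoint unreachable.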
