Monday, 14 April 2025

A Novel Attack Surface: Java Authentication and Authorization Service (JAAS)

Java Authentication and Authorization Service (JAAS) is a Java framework used for authentication and authorization. It is widely used in various Java applications. By using JAAS, developers are able to flexibly use various authentication mechanisms, including username/password, LDAP and Kerberos. However, behind the power of JAAS lies a potential security risk. In 2023, security researcher Jari Jääskelä discovered a JNDI injection vulnerability in Kafka that is triggered when the client authenticates with the server using JAAS, which can further lead to Remote Command Execution (RCE) [1]. Unfortunately, people have only focused on the vulnerability itself, while seriously underestimating the security risks arising from the improper use of JAAS. We found that the issue with the Kafka client is not an isolated case; many Java libraries face the same risks. We classify these risks as a novel attack surface in the realm of Java security: the JAAS Attack. Subsequently, we conducted a comprehensive exploration of this new attack surface and performed an in-depth analysis of the Java libraries used in popular Java applications. Ultimately, we uncovered numerous vulnerabilities. Affected vendors include Amazon, Cloudera, IBM and Microsoft. What's more, our research demonstrated that the fix for the Kafka client is insecure, and we have already reported this to Apache. In this conference, we will publicly disclose this new attack surface and the details of the related vulnerabilities for the first time. Furthermore, we will also share how these vulnerabilities can be exploited in real-world scenarios, highlighting the practical value of this novel attack surface. During this session, attendees will learn about a new attack surface in the realm of Java security and acquire a new technique to achieve RCE. Additionally, attendees will be able to understand the security design principles of JAAS and know how to securely integrate JAAS into Java libraries.
Last but not least, attendees will gain valuable insight to broaden their perspectives in security research, explore more potential possibilities, and identify new attack surfaces.

[1] https://ift.tt/xrsQoJp

By: ZiYang Li | security engineer, alibaba cloud
Ji'an Zhou | security engineer, alibaba cloud
Ying Zhu | security engineer, alibaba cloud

Full Abstract and Presentation Materials: https://ift.tt/RwvLm8D
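As an added illustration (not part of the abstract, and not code from Kafka or any other project named above), the following Java class shows one defensive measure for a library that accepts a JAAS configuration string from its callers: parse the entry and accept only login modules on an explicit allowlist, so that whoever controls the string cannot select an arbitrary module, in particular one whose options drive JNDI lookups. The single-line entry format (`LoginModuleClass controlFlag key=value ... ;`), the allowlist contents, the class and method names, and the sample inputs are all assumptions made for this example.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

/**
 * Validates a single-line JAAS login configuration entry of the form
 *   LoginModuleClass controlFlag [option=value ...];
 * before it reaches the JAAS machinery. Only allowlisted login modules
 * are accepted; everything else is rejected up front (example code).
 */
public final class JaasConfigValidator {

    /** Control flags defined by javax.security.auth.login.Configuration. */
    private static final Set<String> CONTROL_FLAGS =
            new HashSet<>(Arrays.asList("required", "requisite", "sufficient", "optional"));

    /** Login modules this application is prepared to load (assumed allowlist). */
    private final Set<String> allowedModules;

    public JaasConfigValidator(Set<String> allowedModules) {
        this.allowedModules = new HashSet<>(allowedModules);
    }

    /** Parsed representation of one configuration entry. */
    public static final class Entry {
        public final String loginModule;
        public final String controlFlag;
        public final Map<String, String> options;
        Entry(String loginModule, String controlFlag, Map<String, String> options) {
            this.loginModule = loginModule;
            this.controlFlag = controlFlag;
            this.options = options;
        }
    }

    /** Parses and checks the entry; throws IllegalArgumentException on any problem. */
    public Entry validate(String config) {
        List<String> tokens = tokenize(config);
        if (tokens.size() < 2) {
            throw new IllegalArgumentException("entry must name a login module and a control flag");
        }
        String module = tokens.get(0);
        String flag = tokens.get(1).toLowerCase();
        // Allowlist check first: an unknown module is rejected before its options are even read.
        if (!allowedModules.contains(module)) {
            throw new IllegalArgumentException("login module not allowlisted: " + module);
        }
        if (!CONTROL_FLAGS.contains(flag)) {
            throw new IllegalArgumentException("unknown control flag: " + flag);
        }
        Map<String, String> options = new HashMap<>();
        for (String tok : tokens.subList(2, tokens.size())) {
            int eq = tok.indexOf('=');
            if (eq <= 0) {
                throw new IllegalArgumentException("option is not key=value: " + tok);
            }
            options.put(tok.substring(0, eq), tok.substring(eq + 1));
        }
        return new Entry(module, flag, options);
    }

    /** Splits on whitespace, honouring quoted values, and requires exactly one terminating ';'. */
    private static List<String> tokenize(String config) {
        String s = config.trim();
        if (!s.endsWith(";")) {
            throw new IllegalArgumentException("entry must end with ';'");
        }
        s = s.substring(0, s.length() - 1);
        if (s.indexOf(';') >= 0) {
            throw new IllegalArgumentException("only one login module entry is allowed");
        }
        List<String> tokens = new ArrayList<>();
        StringBuilder cur = new StringBuilder();
        char quote = 0;
        for (char c : s.toCharArray()) {
            if (quote != 0) {
                if (c == quote) { quote = 0; } else { cur.append(c); }
            } else if (c == '"' || c == '\'') {
                quote = c;
            } else if (Character.isWhitespace(c)) {
                if (cur.length() > 0) { tokens.add(cur.toString()); cur.setLength(0); }
            } else {
                cur.append(c);
            }
        }
        if (quote != 0) {
            throw new IllegalArgumentException("unterminated quote in entry");
        }
        if (cur.length() > 0) { tokens.add(cur.toString()); }
        return tokens;
    }

    public static void main(String[] args) {
        // Assumption: this application only authenticates with the Kafka client's plain SASL module.
        JaasConfigValidator v = new JaasConfigValidator(new HashSet<>(Arrays.asList(
                "org.apache.kafka.common.security.plain.PlainLoginModule")));

        // Constructed input: an entry that should pass.
        Entry ok = v.validate("org.apache.kafka.common.security.plain.PlainLoginModule required "
                + "username=\"alice\" password=\"s3cret pass\";");
        System.out.println("accepted " + ok.loginModule + " with " + ok.options.size() + " options");

        // Constructed input: an entry naming a module outside the allowlist.
        try {
            v.validate("com.example.UntrustedLoginModule required provider.url=\"placeholder\";");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The design choice here is an allowlist rather than a denylist of module class names: a library that names the modules it is willing to load does not have to anticipate every module in the JDK or on the classpath that could be abused, which is the hard part of getting a denylist-style fix right.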

source https://www.youtube.com/watch?v=2FwUAVmUUVY
