Java RMI Deserialization Attack Analysis
RMI Overview
Java Remote Method Invocation (RMI) enables distributed computing by allowing objects in one JVM to invoke methods on objects residing in another JVM. A typical RMI application consists of:
- A server that creates and exports remote objects
- A client that looks up and invokes methods on these remote objects
- A registry service that facilitates object discovery
Basic Implementation Example
Here's a simple RMI implementation demonstrating the core components:
// Remote interface definition
public interface Calculator extends Remote {
String processInput(String data) throws RemoteException;
}
// Server-side implementation
public class CalculatorImpl extends UnicastRemoteObject implements Calculator {
protected CalculatorImpl() throws RemoteException {
super();
}
@Override
public String processInput(String data) throws RemoteException {
System.out.println(data);
return "Processed: " + data;
}
}
// Server startup
public class ServerApp {
public static void main(String[] args) throws Exception {
Calculator service = new CalculatorImpl();
Registry registry = LocateRegistry.createRegistry(1099);
registry.bind("calculatorService", service);
}
}
// Client usage
public class ClientApp {
public static void main(String[] args) throws Exception {
Registry registry = LocateRegistry.getRegistry("localhost", 1099);
Calculator calc = (Calculator) registry.lookup("calculatorService");
String result = calc.processInput("test data");
System.out.println(result);
}
}
RMI Execution Flow Analysis
The RMI communication process involves several key stages:
1. Object Export Process
When a remote object is created, it must be exported to make it available for remote calls. This involves:
- Creating a
UnicastServerRefreference containing network endpoint information - Generating dynamic proxy classes for remote method invocation
- Establishing TCP transport listeners via
TCPTransport.listen() - Registering the object target in the global object table
2. Registry Creation and Binding
The RMI registry serves as a naming service:
Registry registry = LocateRegistry.createRegistry(1099);
registry.bind("calculatorService", remoteObject);
This process creates a registry skeleton for dispatching incoming requests and stores the binding relationship in a hash table.
3. Client Lookup Operation
Clients locate remote objects through the registry:
Registry registry = LocateRegistry.getRegistry("server", 1099);
Calculator service = (Calculator) registry.lookup("calculatorService");
The lookup operation involves:
- Creating a registry stub for client-side communication
- Serializing the lookup parameter (service name)
- Sending request to the registry server
- Deserializing the returned remote object stub
4. Stub Return Mechanism
The registry returns a dynamically generated stub object that acts as a client-side proxy. This stub contains:
- Network connection information to reach the remote object
- Method hash mappings for identifying remote methods
- Serialization logic for parameter marshaling
5. Direct Service Communication
Once the client obtains the stub, subsequent method calls bypass the registry:
String response = service.processInput("sample");
This direct communication flow includes:
- Method parameter serialization on the client side
- Network transmission to the server endpoint
- Parameter deserialization on the server side
- Acctual method execution on the server
- Return value serialization and transmission back to client
Vulnerability Points
RMI's deserialization mechanisms create multiple attack surfaces:
- Registry attacks: Malicious serialized objects can be sent during lookup/bind operations
- Client-side attacks: Servers can send malicious objects during stub return
- Service-level attacks: Parameter deserilaization during direct method calls
- Method hash manipulation: Bypassing security checks by modifying method identifiers
Each interaction point represents a potential vector for deserialization-based exploits, making proper input validation and secure configuration critical for RMI applications.
