These objects can be stored in different naming or directory services such as RMI, CORBA, LDAP, or DNS.
This talk will present a new type of vulnerability named "JNDI Reference Injection" found on malware samples attacking Java Applets (CVE-2015-4902).
Most vendors positively confirmed the issues, and some have applied fixes.
We summarize lessons learned from the study, hoping to provoke further thoughts about clear guidelines for OAuth usage in mobile applications.
JNDI (Java Naming and Directory Interface) is a Java API that allows clients to discover and look up data and objects via a name.
Although regulations limiting the strength of cryptography that could be exported from the United States were lifted in 1999, and export ciphers were subsequently deprecated in TLS 1.1, Internet-wide scanning showed that support for various forms of export cryptography remained widespread, and that attacks exploiting export-grade cryptography to attack non-export connections affected up to 37% of browser-trusted HTTPS servers in 2015.
In this talk, I'll examine the technical details and historical background for all three export-related vulnerabilities, and provide recent vulnerability measurement data gathered from over a year of Internet-wide scans, finding that 2% of browser-trusted IPv4 servers remain vulnerable to FREAK, 1% to Logjam, and 16% to Drown.
The talk will first present the basics of this new vulnerability, including the underlying technology, and will then explain in depth the different ways an attacker can exploit it using different vectors and services.
We will focus on exploiting RMI, LDAP and CORBA services, as these are present in almost every Enterprise application.
We will analyze all attack vectors, root causes, exploitation techniques, and possible remediations for the vulnerabilities presented.
We then show several representative cases to concretely explain how real implementations fell into these pitfalls.
Our findings have been communicated to vendors of the vulnerable applications.
Kernel exploitation using the browser as an initial vector was a rare sight in previous contests.
This presentation will detail the eight winning browser to super user exploitation chains (21 total vulnerabilities) demonstrated at this year's Pwn2Own contest.