MQ Jumping

Presented at DEF CON 15 (2007), Aug. 3, 2007, 2 p.m. (50 minutes)

Every day billions of dollars pass through middleware, the unglamorous component of most enterprise applications. Middleware may be unglamorous, but even if billions of dollars doesn't interest you, it's bound to attract someone's interest sooner or later. Often security is addressed in the front-end web server and back-end database but the other components are often ignored. The reason for this can be a lack of understanding of the risks or lack of knowledge of the middleware products and how they can be attacked. One important property of a multi-tier environment is the ability to reliably pass data between authorised system components and therefore messaging software is often required. A popular and widely deployed example of such a component is IBM's Websphere MQ (formally MQ Series). This software can be run across a number of platforms including Microsoft Windows, commercial and Open Source UNIX platforms and IBM \u2019s z/OS and i5 Operating Systems. Companies use the technology to pass messages between application components and it is widely deployed across a wide range of industry sectors including Finance, Retail, Healthcare and many others. During penetration tests conducted by MWR InfoSecurity against its clients it has been discovered that the security features provided by the product are either not utilised correctly or are not suitable for their intended use. This presentation will uncover the truth behind Websphere MQ security as it is deployed in the real world and will look at how the software can be abused by an attacker resulting in remote code execution. The talk will focus on methods for analysing the security controls that can be used to protect an installation of MQ and the limitations of each of them. Following on from this section of the talk a number of methods will be presented for compromising both the message data and the Operating System through the MQ service. This will culminate in a demonstration of some of the attacks presented in the talk, followed by a discussion about the methods that exist for protecting an installation and ensuring that security breaches do not occur.

Presenters:

• Martyn Ruks - Senior Security Consultant MWR InfoSecurity
  Martyn Ruks is an information security professional working for MWR Infosecurity in the UK. His primary interest is in weird networking protocols and the software that use them. His interest in Websphere MQ arose after being asked to test an installation for a client and the results encouraged him to investigate further. Martyn spoke at Defcon last year about IBM Networking Security and the fact that this year's talk is about Websphere MQ is just coincidence, or maybe its the fact that IBM occupy the office next to his, either way he hopes to show you cool stuff you can do when you produce your own code that communicates with someone else's software.

Links:

• https://defcon.org/html/defcon-15/dc-15-speakers.html#Ruks
• https://infocon.org/cons/DEF CON/DEF CON 15/DEF CON 15 video/DEF CON 15 - Martyn Ruks - MQ Jumping - Video.mp4
• https://www.youtube.com/watch?v=1b2XlrBlUlo

Similar Presentations:

• Black Hat USA 2011 / Familiarity Breeds Contempt: The Honeymoon Effect and the Role of Legacy Code in Zero-Day Vulnerabilities
• AppSec USA 2017 / Test Driven Security in the DevOps pipeline
• AppSec USA 2013 / Go Fast AND Be Secure: Eliminating Application Risk in the Era of Modern, Component-Based Development