Wassup MOM? Owning the Message Oriented Middleware

Presented at AppSec USA 2013, Nov. 21, 2013, 3 p.m. (50 minutes)

Audio of session: https://www.youtube.com/watch?v=09uc435FEWY&list=PLpr-xdpM8wG8ODR2zWs06JkMmlRiLyBXU&index=29

Message Oriented Middleware (MOM) allows disparate applications to communicate with each other by exchanging information in the form of messages. A MOM and its clients create an enterprise messaging application that forms the transactional backbone of several large organizations worldwide. Security is therefore an important aspect of these applications. This research analyzes enterprise messaging security from three different perspectives:

1. The first perspective derives from the fact that most enterprise messaging products support the vendor-agnostic Java Messaging Service (JMS) API, and therefore focuses on the offensive uses of the JMS API to attack an enterprise messaging application.
2. The second perspective revolves around a JMS-compliant message broker (or MOM), as message brokers form the core of enterprise messaging. I chose ActiveMQ for my research as it is open source and among the most popular message brokers that support the JMS API. I will discuss a few ActiveMQ 0-day vulnerabilities, potential flaws in its various authentication schemes, and its configuration defaults that can make it vulnerable to attacks.
3. The third perspective focuses on a new tool, JMSDigger, that can be leveraged to engage and assess enterprise messaging applications.

Several live demonstrations will show attacks such as authentication bypass, JMS destination dumps, 0-day vulnerabilities, JMSDigger, etc.

Presenters:

  • Gursev Singh Kalra - Senior Principal - Foundstone Professional Services, McAfee
    Gursev Singh Kalra serves as a Senior Principal with Foundstone Professional Services, a division of McAfee. Gursev has authored several security-related whitepapers, and his research has been voted among the top ten web hacks for 2011 and 2012. He loves to code and has authored several free security tools such as TesserCap, Oyedata, SSLSmart and clipcaptcha. He has spoken at conferences such as BlackHat, ToorCon, OWASP, NullCon, Infosec Southwest, etc.
