#110 | pen11 – Google Web Toolkit

Hi everybody, today I’ll talk about Google Web Toolkit, or GWT. This is something I had in my current assessment and I had never had to do it before.

Quick description

Google Web Toolkit is a set of tools used to build complex browser applications: Java code is compiled to JavaScript, which talks to a Java back-end. It has a special way to communicate with the back-end (GWT-RPC), using a custom serialization format. GWT defines a fixed list of serializable classes and endpoints, so you won’t be able to perform the simple unserialize-to-RCE attacks known from other Java deserialization mechanisms.

Previous works

Here are a few articles I found very interesting:

The toolkit made by GDS Security a few years ago still partially works: the parser still runs, even though it has some trouble with double values, and it remains useful to quickly find injection points.

Explaining serialized data

I will take the example from mr_me’s article.

7|0|6|http://127.0.0.1:8888/helloworld/|95F17E12D4B90695D035873A418208A8|com.example.test.client.GreetingService|greetServer|java.lang.String/2004016611|test|1|2|3|4|1|5|6|
  • 7 is the stream version; for reference, the toolkit made by GDS is based on version 4
  • 0 is the flags field
  • 6 is the number of strings in the string table that follows
  • http://.. is the endpoint [1]
  • 95F… is the strong name [2]
  • com.example… is the client-side endpoint interface [3]
  • greetServer is the function name (implemented by the client/server) [4]
  • java.lang.String… is the type of the first parameter [5]
  • test is the value of the first parameter [6]
  • 1|2|3|4 are references to the first four strings of the table
  • 1 is the number of arguments passed to the function
  • 5|6 are references to the parameter type and value

As you probably guessed, 1, 2, 3, 4 and then 5 and 6 are the keys (1-based indices) into the string table. Since the serialized data does not prefix each value with its size, writing automated tools for this format is pretty easy.
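To make the layout above concrete, here is a small parser for a GWT-RPC request body, written for this post as an added example (it is not the GDS toolkit and not part of the original article). It assumes the fixed header order described above (endpoint, strong name, service, method, argument count, argument types, argument values) and resolves only java.lang.String arguments through the table; other value tokens are kept raw.

```python
from dataclasses import dataclass, field


@dataclass
class GwtRpcRequest:
    version: int
    flags: int
    strings: list                                 # string table (1-indexed on the wire)
    endpoint: str
    strong_name: str
    service: str
    method: str
    args: list = field(default_factory=list)      # (declared type, value) pairs


def parse_gwt_rpc(body: str) -> GwtRpcRequest:
    # Every token is terminated by '|', so the final split element must be empty.
    tokens = body.split("|")
    if tokens.pop() != "":
        raise ValueError("GWT-RPC body must end with '|'")
    version, flags, count = (int(t) for t in tokens[:3])
    strings = tokens[3:3 + count]
    refs = tokens[3 + count:]
    if len(strings) != count or len(refs) < 5:
        raise ValueError("truncated string table or header")

    def lookup(ref: str) -> str:
        idx = int(ref)                            # references are 1-based
        if not 1 <= idx <= count:
            raise ValueError(f"reference {idx} outside string table")
        return strings[idx - 1]

    # First four references: endpoint, strong name, service interface, method.
    endpoint, strong_name, service, method = (lookup(r) for r in refs[:4])
    nargs = int(refs[4])
    type_refs, values = refs[5:5 + nargs], refs[5 + nargs:5 + 2 * nargs]
    if len(type_refs) != nargs or len(values) != nargs:
        raise ValueError("argument section truncated")
    args = []
    for t, v in zip(type_refs, values):
        arg_type = lookup(t)
        # String arguments are passed as references into the table; other types
        # are left as the raw token (assumption: not decoded by this example).
        arg_value = lookup(v) if arg_type.startswith("java.lang.String") else v
        args.append((arg_type, arg_value))
    return GwtRpcRequest(version, flags, strings, endpoint, strong_name, service, method, args)


# The request body quoted in the article above, used here as sample input.
SAMPLE = ("7|0|6|http://127.0.0.1:8888/helloworld/|95F17E12D4B90695D035873A418208A8|"
          "com.example.test.client.GreetingService|greetServer|java.lang.String/2004016611|"
          "test|1|2|3|4|1|5|6|")
```

Running parse_gwt_rpc(SAMPLE) yields service com.example.test.client.GreetingService, method greetServer and a single String argument "test".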

Exploitation ideas

The general approach to exploiting GWT is to find the endpoints and look for interesting functions (file functions and so on); then, since you control the serialized data, you can inject whatever you want. Even if an endpoint is not referenced client-side, if you are able to find it (either through the cache.html file or with a white-box approach), you will be able to call methods in the classes specified in GWT.
