JNLP is essentially Java’s version of Flash. It runs as a web link and caches a copy locally. Now since we can decompile Java this leaves room for attacks similar to the old fashion flash game cheating. Many of these Jar files are stored in common temp directories. Once the Jar file is located the modifications can begin.

Nothing in here is really hacking at all, I just wanted to combine some known Java functionality and craft it into something that could be used in an attack. There are two main ways we can go about this. One is to decompile the code and recompile with the changes or actually do binary manipulation in IDA. I will not talk about any details on binary manipulation.

First lets talk about if a Jar file is signed. When the Jar file is signed, any modifications you try to make to the code will fail on an MD5 check. To get around this you can make your own keys and sign it with them after you have made your modifications.

JAR Signing

Note: These tools are located in the JDK bin section.

1. Create Your Own Keys

keytool -genkey -keystore mykeystore -alias test

2. Sign Modified JAR File

jarsigner -keystore mykeystore –signedjar app-signed.jar new-app.jar test

3. Verify Signing

jarsigner -verify -keystore mykeystore app-signed.jar

Decompiling JARs

This first method of decompiling JAR file is the easiest to modify code.  Some problems may arise depending on java versions and libraries.  You can extract the JAR file with many programs such as 7zip. The extracted copy is where you will replace your modified java files. Remember to remove the META-INF data if you plan to sign the JAR with your own keys.

You can now decompile your JAR file to view the code. In the below example I am using JD-GUI .  Another nice decompiler is JAD.  Once you decompile you can view and export the specific Java files you would like to modify.

Make your modifications and replace the original with your modified version in the area you extracted the JAR to.

Compile and Sign

javac -cp .;c:\Progra~1\Java\jdk1.5.0_17\lib;C:\app newfile.java

JAR Binary Modifications

This section is a little trickier since you have make changes in a binary disassembled form. To make it easier read though the code with a java decompiler and look for functions you want to modify.  Once you know what you want to modify search for those functions in the disassembler to find the correct offset. Once the offset is found, you can modify the JAR with a hex editor.

Note: This document does not discuss any reverse engineering techniques.

1.  Find function you would like to modify and load into IDA.

2.   Now you have find the offset of this function in IDA. This offset will be used to  modify the binary with a hex editor.  Open the Jar file in a hex editor and search for that offset to make your changes. In the example below I used HxD . Check out the security tube link below for more details.

References:

–        http://www.owasp.org/index.php/Signing_jar_files_with_jarsigner

–        http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/jarsigner.html

–        http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/keytool.html

–        http://www.securitytube.net/Java-and-JNLP-Application-Hacking-video.aspx