Keynote SSTIC 2009 – Macaron, a backdoor for all JavaEE applications

Presentation: Philippe PRADOS

This type of backdoor is not widely used by hackers, but it is an important possibility for insider attacks (unscrupulous developers).
It is installed very simply, without code modification, by adding a simple archive, considered safe, to the web application; the backdoor is then put in place without warning.
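
Because the backdoor arrives as an extra archive rather than as a change to the application's own code, a build or deployment gate can compare the libraries packaged in the WAR against a reviewed allowlist of hashes. The following is an added example, not code from the talk or from Macaron; the function names, jar names and sample contents are constructed for illustration, and it assumes the application's libraries ship under `WEB-INF/lib`.

```python
import hashlib
import io
import zipfile

LIB_PREFIX = "WEB-INF/lib/"  # where a WAR carries its bundled libraries


def inventory_war_libs(war_bytes):
    """Return {jar path: sha256 hex} for every jar under WEB-INF/lib."""
    libs = {}
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for info in war.infolist():
            name = info.filename
            if name.startswith(LIB_PREFIX) and name.lower().endswith(".jar"):
                libs[name] = hashlib.sha256(war.read(info)).hexdigest()
    return libs


def audit_war(war_bytes, approved):
    """Compare the packaged jars with a reviewed allowlist {path: sha256}."""
    found = inventory_war_libs(war_bytes)
    common = found.keys() & approved.keys()
    return {
        "unexpected": sorted(set(found) - set(approved)),   # added archives
        "modified": sorted(n for n in common if found[n] != approved[n]),
        "missing": sorted(set(approved) - set(found)),
    }


def build_sample_war(jars):
    """Constructed sample input: an in-memory WAR holding the given jar bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        for name, data in jars.items():
            war.writestr(LIB_PREFIX + name, data)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed data: the reviewed build, then a build with one extra jar
    # and one repacked jar.
    reviewed = {"orm.jar": b"reviewed orm build", "logging.jar": b"reviewed logging build"}
    approved = inventory_war_libs(build_sample_war(reviewed))
    shipped = dict(reviewed)
    shipped["helper.jar"] = b"archive nobody reviewed"
    shipped["logging.jar"] = b"repacked logging build"
    print(audit_war(build_sample_war(shipped), approved))
```

The check covers only jars inside the WAR; libraries shared by the application server sit outside it and need their own inventory.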

Once triggered (specific user input for example) the entire application is corrupted, and potentially everything connected to it (databases, server, etc., and depending on the rights, access to the OS).

The communication channel is hidden, for example inside the field used to trigger the backdoor, which avoids strange pages or detectable links.

The backdoor presented aims to qualify a web application against this threat; it is available and very verbose.

Countermeasures exist, such as Java permissions, security modes that limit access rights, etc. But they are rarely used (only in case the application doesn't support them).
And indeed, in real life, setting up permissions is quite tedious, and developers often prefer an "allow for all" "because it works well that way".

Patches have been sent to SUN, which is currently working on these vulnerabilities.

Ultimately, we can clearly see the power of the backdoor developed, especially since it finds the best way to infiltrate the system on its own, and the risks inherent in web application technologies, which are often obscure and controlled solely by their developers.