Wassup MOM? Owning the Message Oriented Middleware presented at AppSec USA 2013

by Gursev Singh Kalra,

Summary : Message Oriented Middleware (MOM) allows disparate applications to communicate with each other by exchanging information in the form of messages. A MOM and its clients create an enterprise messaging application that forms the transactional backbone of several large organizations worldwide. Security is therefore an important aspect of these applications.
This research analyzes enterprise messaging security from three different perspectives:
1. The first perspective derives from the fact that most of the enterprise messaging products support the vendor-agnostic Java Messaging Service (JMS) API and therefore focuses on the offensive uses of the JMS API to attack an enterprise messaging application.
2. The second perspective revolves around a JMS compliant message broker (or MOM) as message brokers form the core of the enterprise messaging. I chose ActiveMQ for my research as it is open source and among the most popular message brokers that support JMS API. I will discuss a few ActiveMQ 0days vulnerabilities, potential flaws in its various authentication schemes and its configuration defaults that can make it vulnerable to attacks.
3. The third perspective focuses on a new tool JMSDigger that can be leveraged to engage and assess enterprise messaging applications. Several live demonstrations will show attacks such as authentication bypass, JMS destination dumps, 0day vulnerabilities and JMSDigger etc...