Java Remote Method Invocation (RMI)
Java RMI is a Java API that enables an object running in one Java Virtual Machine (JVM) to invoke methods on an object residing in another JVM, potentially on a different machine. It is a mechanism for building distributed applications in Java, providing a seamless way to perform remote procedure calls (RPC) while preserving the object-oriented model.
The standard flow for invoking a login method on a LoginService object is depicted here:

Things to look for
Remote service rebind
Rebind an existing RMI service to, for example, establish a man-in-the-middle (MITM) position:

Vulnerable deserialization
Abuse server-loaded gadget libraries (for example commons-collections) to exploit deserialization. When the RMI server deserializes untrusted data, this could allow attackers to execute arbitrary code remotely.
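
The defensive counterpart to this finding, as an added example that is not part of the original page: a JEP 290 allow-list filter that rejects unexpected classes before they are deserialized, first on a plain object stream and then attached to an exported remote object. The LoginService signature, LoginServiceImpl and the allow-list contents are assumptions made for illustration; it requires Java 9 or later.

```java
import java.io.*;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.server.UnicastRemoteObject;
import java.util.HashMap;

public class FilteredLoginServer {
    // Hypothetical remote interface, modelled on the page's LoginService example.
    // The Object-typed parameter is what makes the server deserialize caller-supplied data.
    public interface LoginService extends Remote {
        boolean login(String user, Object token) throws RemoteException;
    }

    static class LoginServiceImpl implements LoginService {
        public boolean login(String user, Object token) { return false; }
    }

    // Allow-list (assumed): only the types this interface needs, bounded graph size, reject the rest.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "java.lang.String;java.lang.Number;java.lang.Integer;maxdepth=5;maxrefs=50;maxbytes=4096;!*");

    // Round-trips a value through Java serialization with FILTER applied on read.
    static String check(Serializable value) throws Exception {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(value);
        }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            in.setObjectInputFilter(FILTER);
            return "accepted " + in.readObject().getClass().getName();
        } catch (InvalidClassException e) {
            return "rejected: " + e.getMessage(); // the filter refused a class in the stream
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(check("alice"));
        System.out.println(check(42));
        // Constructed stand-in for any class that is not on the allow-list.
        System.out.println(check(new HashMap<String, String>()));

        // The same filter applied to call arguments unmarshalled for this remote object.
        LoginService impl = new LoginServiceImpl();
        Remote stub = UnicastRemoteObject.exportObject(impl, 0, FILTER);
        System.out.println("exported with filter: " + stub);
        UnicastRemoteObject.unexportObject(impl, true);
    }
}
```

When reviewing a target, an exported object or JVM without such a filter (per-object, or process-wide via the jdk.serialFilter property) is the condition that makes gadget libraries on the classpath reachable.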

Exploit existing methods
Look for exposed service methods or objects that can be accessed via RMI and are "juicy". This could lead to all kinds of vulnerabilities (privilege escalation, credential exposure, RCE, etc.).

Tools for exploration
RMIScout
RMIScout enables wordlist and brute force attacks against exposed Java RMI interfaces to safely guess method signatures without invocation. It supports multiple Java RMI protocols, method invocation, and exploitation.
Custom RMI client
If you need to access a specific method or object via RMI in an application you’re testing, it’s usually best to implement your own PoC RMI client. You can use LLMs to help with this by providing them with the relevant interfaces so they can generate the code needed to interact with and invoke the RMI service methods you want to access.