JVM debug connector internals and security

Question

I recently came across the question: Debug a java application without starting the JVM with debug arguments

Reading more about the various connectors and transports offered by JVM at https://docs.oracle.com/javase/7/docs/technotes/guides/jpda/conninv.html, I am now trying to find answers to the below questions:

Docs say that for SADebugServerAttachingConnector and SAPIDAttachingConnector :

The process to be debugged need not have been started in debug mode(ie, with -agentlib:jdwp or -Xrunjdwp)

So:

1) Why do debug options like Xrunjdwp exist in the first place then?

2) How does SADebugServerAttachingConnector work without taking a port number in the arguments?

3) Documentation does not say anything about requiring root privileges. Is it not a serious privilege escalation vulnerability to allow arbitrary debugging of jvm instances not started in debug mode, by unprivileged users?

Answer 1

I will focus on the SADebugServerAttachingConnector case.

Here are some more quotes from the Java 11 version of the document you linked to:

SA Debug Server Attaching Connector

This connector can be used by a debugger application to debug a process or core file on a machine other than the machine upon which the debugger is running.

This connector uses RMI to communicate with a 'debug server' running on the remote machine. Before the attach() method on this connector is called, the debug server must be started on the remote machine and told what process or corefile is to be debugged.

A process to be debugged need not have been started in debug mode(ie, with -agentlib:jdwp or -Xrunjdwp).

---

1) Why do debug options like Xrunjdwp exist in the first place then?

The SA Debug Server method allows you to debug a Java process where you either didn't want to launch with an agent (e.g. for security reasons), or you didn't have the foresight to do that.

Conversely, the agent approach is for cases where you don't want the hassle of setting up an SA Debug Server to debug your Java app.

It is "horses for courses" ... as they say.

2) How does SADebugServerAttachingConnector work without taking a port number in the arguments?

Your debugger is using the RMI default port to talk to the SA Debug Server. The SA Debug Server is attaching to the target JVM using a mechanism that is known to the server and the target. It is likely to be an OS-specific mechanism under the hood. For example, on Linux it could use ptrace(2) APIs. Network sockets and ports need not be involved.

3) Documentation does not say anything about requiring root privileges. Is it not a serious privilege escalation vulnerability to allow arbitrary debugging of jvm instances not started in debug mode, by unprivileged users?

The documentation states that you need to specifically set up the linkage between the SA Debug Server and the target VM. This is done when you start the SA Debug Server.

OS-level access controls won't allow a non-root SA Debug Server to use (for example) ptrace syscalls access a Java process belonging to another user / user id. And the OS won't let you start a root SA Debug Server unless you already have root privilege. So there is no escalation of privilege, either in the root or non-root cases.

(Modulo any undisclosed or unpatched OS-level root escalation bugs ... of course.)