Burp Suite User Forum

Login to post

Plugin's Java runnable processes keep running, even after fully removing the plugin.

Stan | Last updated: Aug 22, 2019 02:07PM UTC

Using Burp Suite v2.1.03, runnable Java processes (Java: ScheduledFuture) are not killed or interrupted, when stopping or even removing the plugin. Reproduction: 1. Install Logger++ from the BApp store. 2. Enter an Elasticsearch server under options, this server must be over v 7.0.0 (not compatible for the plugin). 3. Press the start button. You should receive an error, but the runnable process is created; /src/main/java/loggerplusplus/ElasticSearchLogger.java: 63 indexTask = executorService.scheduleAtFixedRate(new Runnable() { @Override public void run() { indexPendingEntries(); } }, prefs.getEsDelay(), prefs.getEsDelay(), TimeUnit.SECONDS); 4. Fully remove or disable the plugin. 5. Now at the chosen interval time, a request will be sent to the Elasticsearch server, amounting to 100's of requests in a day in this case. This runnable process can only be stopped by fully exiting out of Burp Suite. Possible remedies: Run plugins in a sandbox that can be killed by Burp Suite at any time.

Mike, PortSwigger Agent | Last updated: Aug 23, 2019 01:53PM UTC

Hi Stan, have you been able to reproduce this issue with other extensions? or just Logger++?

Burp User | Last updated: Aug 26, 2019 08:53AM UTC

Hello Mike, I have written my own plug-in quickly, which reproduces the same issue, but only uses System.out to demonstrate the functionality. You can view the code on this github page: https://github.com/StanHVA/Burp-Runnable-Demo . Thanks in advance.

Mike, PortSwigger Agent | Last updated: Aug 27, 2019 10:03AM UTC

Hi Stan, Thank you for your example code. Looking at your sample extension code, you are using a ScheduledExecutorService thread pool to schedule a task to run at a set interval. As we don't execute extensions as individual run times, when we un-load the extension, the thread will continue to run as the Runnable() instance has not been explicitly told to stop, so this is correct behavior as something is missing. In our extension API, we have an interface named IExtensionStateListener that you can implement on your BurpExtender class, once registered with the callbacks instance using IBurpExtenderCallbacks.registerExtensionStateListener() you can use it's IExtensionStateListener.extensionUnloaded() method to implement cleanup code to explicitly command the executor object to cancel it's running tasks. Which will prevent the thread from running once the extension has been unloaded as that method will be called when the extension is unloaded.

Burp User | Last updated: Aug 27, 2019 03:17PM UTC

Hello Mike, Thank you for your response and the solution, but my main concern still stands. Let's say someone writes a malicious plug-in or updates an existing plug-in with malicious code. With this method they could keep their code running in the background, while the user is under the impression that the plug-in has been closed. I would personally like to see this changed. Is there any chance that that will happen in the future? Stan.

Mike, PortSwigger Agent | Last updated: Aug 28, 2019 01:55PM UTC

Hi Stan, I agree, there is a potential for malicious code to continue executing after the plugin has been un-loaded with this setup. However we have a review process that all BApps undergo before they are eligible to be listed on our BApp store within Burp Suite, so this is something we will look for and would require fixing before we would allow it to be listed. In regards to open source extensions that you load manually, it is up to the user of the extension to examine the extension to ensure it is safe to use before they load it into their environment as it has not been reviewed by our support team. So as with any software you would use those extensions at your own risk. However, this is something that we would like to improve in the future, so I have logged a request with the development team and if this change get's implemented then we will notify you when it's available. Please let us know if you need any further assistance.

Burp User | Last updated: Aug 30, 2019 08:53AM UTC

Hello Mike, Thanks for your extensive replies and clearing up the situation. I have no further questions regarding this topic. Stan

Mike, PortSwigger Agent | Last updated: Aug 30, 2019 12:38PM UTC

Hi Stan, No problem. Please let us know if you need any further assistance. Have a good day!

You need to Log in to post a reply. Or register here, for free.