Message-ID: <Pine.A41.4.44.0312160931150.94530-100000@zivunix.uni-muenster.de>
Date: Tue, 16 Dec 2003 09:33:05 +0100 (MEZ)
From: Marc Schoenefeld <schonef@...-muenster.de>
To: bugtraq@...urityfocus.com
Subject: J2EE 1.4 reference implementation: database component allows remote
 code execution


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Illegalaccess.org security advisory i/12-2003 (www.illegalaccess.org)

J2EE 1.4 reference implementation: database component allows remote code
execution

Brief
=====

Product   : J2EE reference implementation (java.sun.com/j2ee/download.html)
Component : pointbase 4.6 database component
Version   : 1.4
Vendor    : Sun Microsystems
Impact    : Code injection, DoS, information leakage
Date      : Public Release 12/16/2003, 11am GMT

Summary
=======
By using specially crafted SQL statements, *arbitrary executables*
on the host running the pointbase 4.6 database bundled with the
j2ee 1.4 reference implementation (j2ee/ri) *can be started*.
The vulnerability has been tested by illegalaccess.org on
Windows XP with the bundled JDK 1.4.2_02 that ships with the j2ee/ri.

Workaround
==========
A possible workaround is to create an adequate policy file
and configure a security manager for pointbase.
Pointbase as bundled with j2ee/ri does not include such
a configuration, so the policy settings have to be evaluated
manually. Simply granting AllPermission to the
pointbase jar codebase does not solve the problem.
With a proper policy installed, the described attack
leads to a security exception thrown by pointbase instead of
starting the exe file the attacker intended to run.
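The following Java program is an added illustration of the workaround described above; it is not code from the advisory, from Sun or from PointBase. It installs a minimal java.security.Policy that grants no FilePermission with the "execute" action and then asks the security manager to vet a Runtime.exec call, the way the PointBase server process would be vetted once a security manager is in place. The policy-file fragment in the comment, the codebase path, the data directory and the "hostname" placeholder command are assumptions; with the manager active the command is never started.

```java
import java.io.File;
import java.io.FilePermission;
import java.io.IOException;
import java.security.CodeSource;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.util.PropertyPermission;

/*
 * Added demonstration (not from the advisory, Sun or PointBase).
 * Once a SecurityManager is installed with a policy that grants no
 * FilePermission "execute", any attempt by JVM code to start an external
 * program ends in a SecurityException instead of a running process.
 *
 * Roughly equivalent policy file for the bundled server (assumed layout,
 * adjust the codeBase and paths to the real installation):
 *
 *   grant codeBase "file:/C:/Sun/AppServer/pointbase/lib/-" {
 *       permission java.util.PropertyPermission "*", "read";
 *       permission java.io.FilePermission "C:/Sun/AppServer/pointbase/databases/-", "read,write,delete";
 *       permission java.net.SocketPermission "*:9092", "accept,listen,resolve";
 *       // deliberately no FilePermission carrying the "execute" action
 *   };
 */
public class ExecGuardDemo {

    /** Policy handing the same fixed, minimal permission set to every domain. */
    static final class MinimalPolicy extends Policy {
        private final Permissions granted = new Permissions();

        MinimalPolicy() {
            // What a database engine plausibly needs: read system properties
            // and touch its own data directory (assumed: ./data). Nothing grants "execute".
            granted.add(new PropertyPermission("*", "read"));
            granted.add(new FilePermission("data" + File.separator + "-", "read,write,delete"));
        }

        public PermissionCollection getPermissions(CodeSource cs) { return granted; }

        public boolean implies(ProtectionDomain domain, Permission perm) {
            return granted.implies(perm);
        }

        public void refresh() { }
    }

    /**
     * Asks the runtime to launch an external program and reports the outcome,
     * so the effect of the security manager can be observed in one place.
     * SecurityManager.checkExec runs before any process is created.
     */
    static String tryExec(String program) {
        try {
            Process p = Runtime.getRuntime().exec(program);
            p.destroy();
            return "STARTED";                       // unrestricted JVM: the process ran
        } catch (SecurityException se) {
            return "BLOCKED: " + se.getMessage();   // security manager refused it
        } catch (IOException ioe) {
            return "IOERROR: " + ioe.getMessage();  // command not found etc.
        }
    }

    public static void main(String[] args) {
        // Constructed, harmless placeholder command; never started once the manager is active.
        String program = "hostname";

        System.out.println("without security manager: " + tryExec(program));

        Policy.setPolicy(new MinimalPolicy());
        System.setSecurityManager(new SecurityManager());

        // Expected: BLOCKED: access denied ("java.io.FilePermission" "<<ALL FILES>>" "execute")
        System.out.println("with security manager:    " + tryExec(program));
    }
}
```

The second line of output is the state the workaround aims for: Runtime.exec is stopped by a FilePermission check on "<<ALL FILES>>" "execute" (the form used for a relative command name) rather than producing a process. The class-wide AllPermission grant the advisory warns against would make that check pass, which is why the policy must enumerate what the database actually needs. SecurityManager and Policy are the JDK 1.4-era mechanism the advisory refers to; on JDK 18 and later the program must be started with -Djava.security.manager=allow, as the mechanism is deprecated for removal.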

This text will also be available soon at
http://www.illegalaccess.org

Product
=======
J2EE/RI 1.4 (Windows version), which is available at www.sun.com.
It cannot be ruled out that j2ee versions for other operating systems contain similar
vulnerabilities.

Details
=======
By using a specially crafted SQL statement, arbitrary executables
on the host running the pointbase database that ships with the
j2ee 1.4 reference implementation (j2ee/ri) can be started.
The exploit code is similar to the jboss/hsqldb exploit
discovered earlier this year. Furthermore, this is a typical
case of exploit reuse, as the SQL statements only needed minor
adjustment from the hsqldb function definition syntax to the
pointbase function definition syntax. The vulnerability
results from inadequate security settings and library bugs in
the sun.* and org.apache.* packages of JDK 1.4.2_02 when running
pointbase without a fine-tuned security manager.

Risk
====
In addition to the possibility of executing arbitrary executables,
denial-of-service attacks as well as information leakage scenarios
have been tested successfully.

Proof-Of-concept code
=====================
The vendor (Sun) has been provided with proof-of-concept SQL code
that executes notepad.exe on the machine running the pointbase
database. Another proof-of-concept SQL statement crashes the

Fix
===
There is no fix available as of today, as Sun states that the
problem "is not a security issue with J2ee 1.4" functionality. But Sun
states that they "contacted pointbase regarding the issue".

More Information
================
At RSA Conference 2003 the problem areas in JDK 1.4 which allow
remote code injection were presented. A report testing three major
100% pure Java databases against these vulnerabilities will be made
public in January. This work is part of my dissertation research and
therefore a non-profit project.

History
=======
29 Nov 2003 Vendor (Sun) informed
05 Dec 2003 Vendor commits inadequate security manager settings in
            pointbase, allowing denial-of-service and remote code
            injection via JDBC, which compromises j2ee security
16 Dec 2003 Public release

Greetings
=========
to Johnny Cyberpunk and his S/390, to Dark Tangent still hiding my travel
and parking allowance, g0dzilla, km and halvar the viking


- --

Never be afraid to try something new. Remember, amateurs built the
ark; professionals built the Titanic. -- Anonymous

Marc Schönefeld Dipl. Wirtsch.-Inf. / Software Developer
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (AIX)

iD8DBQE/3sNUqCaQvrKNUNQRAmmfAJ98mfdPj8XIOqzL/PJuAcUfoffRYwCbBQGo
OFFeDqfNQoIjAskif9QXjd0=
=kAyS
-----END PGP SIGNATURE-----


