lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <OF6EE738A3.06AAB0EA-ONC125709F.004C57D9-C125709F.004E3377@fortconsult.net>
Date: Wed Oct 19 16:18:20 2005
From: anc at fortconsult.net (Andrew Christensen)
Subject: paros proxy v3.2.5 and below blank "sa" password

Title:        Paros proxy 3.2.5 and below blank "sa" database password 

Summary: 

       Paros is an intercepting HTTP/HTTPS proxy for use in security 
testing web applications. 

       Paros version 3.2.5 and below  may contain a flaw where a remote 
attacker can connect to a 
       database port opened on the machine running Paros, without 
supplying any credentials. 

       The problem stems from use of a blank "sa" password on the 
open-source database ("HSQLDB") 
       which is integrated with Paros. 

       The database server (which is written in Java) contains 
functionality for executing arbitrary Java 
       statements. This is how HSQLDB provides Stored Procedure 
functionality. 


Impact of successful exploitation: 

       The issue may result in disclosure of confidential data, and 
possible execution of commands on 
       the victim machine. 

       A remote attacker may find credentials for web applications, valid 
session IDs, and confidential 
       data downloaded from the website being tested with Paros. This 
information is is present in the 
       database. 

       Additionally, the possibility of executing Java statements on the 
database server may mean that 
       an attacker can gain access to files or execute command at the OS 
level (by performing the 
       Java equivalent of a "system()" call). This has not been 
investigated fully, but appears possible.


History: 

       The overall time-to-correction was EXCEEDINGLY fast:

       October 3rd 2005:        Problem discovered / reported 
       October 7th 2005:        Issue re-reported via sourceforge, as mail 
appeared lost in transit 
       October 7th 2005:        Paros developer releases updated version 
where DB listes on localhost only


Countermeasures: 

       Upgrade to version 3.2.6. 
       Firewall the host running Paros. 


Demonstration: 

To demonstrate this, first start Paros on the victim host (here, 
192.168.0.1).

On the attacking host, ensure HSQLDB is installed, and add the following 
lines to the file 
$HOME/sqltool.rc on the attacking host: 

       # connect to victimhost as sa, victimhost has IP 192.168.0.1 
       urlid victimhost-sa 
       url: jbdc:hsqldb:hsql://192.168.0.1 
       username sa 
       password   

To connect using the "victimhost-sa" block above run: 
 
       java -jar $HSQLDB_HOME/jsqldb.jar victimhost-sa 

At this point, it is possible to pull data from the tables in the database 
(browsing state, history, credentials). 

The page at http://hsqldb.org/doc/guide/ch09.html#call-section also states 
it is possible to execute Java statements 
by writing them in the format "java.lang.Math.sqrt"(2.0). 


Andrew Christensen
FortConsult ApS
Tranevej 16-18
2400 K?benhavn NV
tlf. (+45) 7020 7525
www.fortconsult.net 

FortConsult er som de f?rste i Skandinavien blevet certificeret af VISA og 
MasterCard til at udf?re sikkerhedsgennemgange af virksomheders kritiske 
betalingssystemer.
FortConsult is the only Scandinavian firm certified by VISA to perform 
security audits on critical card-payment systems. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051019/00bd66a3/attachment.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5730 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051019/00bd66a3/smime.bin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ