-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Illegalaccess.org security advisory i/12-2003 (www.illegalaccess.org)

J2EE 1.4 reference implementation: database component allows remote code execution

Brief
=====

Product   : J2EE reference implementation (java.sun.com/j2ee/download.html)
Component : PointBase 4.6 database component
Version   : 1.4
Vendor    : Sun Microsystems
Impact    : Code injection, DoS, information leakage
Date      : Public release 12/16/2003, 11am GMT

Summary
=======

By using specially crafted SQL statements, *arbitrary executables* on the host running the PointBase 4.6 database bundled with the J2EE 1.4 reference implementation (J2EE/RI) *can be started*. The vulnerability has been tested by illegalaccess.org on Windows XP with the bundled JDK 1.4.2_02 that ships with the J2EE/RI.

Workaround
==========

A possible workaround is to create an adequate policy file to configure a security manager for PointBase. PointBase as bundled with the J2EE/RI does not include such a configuration, so the policy settings have to be evaluated manually. Simply granting AllPermission to the PointBase jar codebase does not solve the problem. With a proper policy installed, the described attack leads to a SecurityException thrown by PointBase instead of starting the executable the attacker intended.

This text will also be available soon at http://www.illegalaccess.org

Product
=======

J2EE/RI 1.4 (Windows version), available at www.sun.com. It cannot be ruled out that J2EE versions for other operating systems contain similar vulnerabilities.

Details
=======

By using a specially crafted SQL statement, arbitrary executables on the host running the PointBase database that ships with the J2EE 1.4 reference implementation (J2EE/RI) can be started. The exploit code is similar to the JBoss/HSQLDB exploit discovered earlier this year. Furthermore, this is a typical case of exploit reuse, as the SQL statements needed only minor adjustment from the HSQLDB function definition syntax to the PointBase function definition syntax. The vulnerability results from inadequate security settings and library bugs in sun.* and org.apache.* packages in JDK 1.4.2_02 when PointBase runs without a fine-tuned security manager.

Risk
====

In addition to the possibility of executing arbitrary executables, denial-of-service attacks as well as information leakage scenarios have been confirmed in testing.

Proof-of-concept code
=====================

The vendor (Sun) has been provided with proof-of-concept SQL code that executes notepad.exe on the machine running the PointBase database. Another proof-of-concept SQL statement crashes the functionality.

Fix
===

There is no fix available to date, as Sun states that the problem "is not a security issue with J2EE 1.4". However, Sun states that they "contacted pointbase regarding the issue".

More Information
================

At RSA Conference 2003 the problem areas in JDK 1.4 that allow remote code injection were presented. A report testing three major 100% pure Java databases against these vulnerabilities will be made public in January. This work is part of my dissertation research and is therefore a non-profit project.

History
=======

29 Nov 2003  Vendor (Sun) informed
05 Dec 2003  Vendor commits inadequate security manager settings in PointBase, allowing denial-of-service and remote code injection via JDBC, compromising J2EE security
16 Dec 2003  Public release

Greetings
=========

to Johnny Cyberpunk and his S/390, to Dark Tangent still hiding my travel and parking allowance, g0dzilla, km and halvar the viking

-- 
Never be afraid to try something new. Remember, amateurs built the ark; professionals built the Titanic. -- Anonymous

Marc Schönefeld
Dipl. Wirtsch.-Inf. / Software Developer

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (AIX)

iD8DBQE/3sNUqCaQvrKNUNQRAmmfAJ98mfdPj8XIOqzL/PJuAcUfoffRYwCbBQGo
OFFeDqfNQoIjAskif9QXjd0=
=kAyS
-----END PGP SIGNATURE-----
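The Workaround section of the advisory recommends running PointBase under a security manager with a fine-tuned policy rather than granting AllPermission. The policy file below is an added illustration of that approach; it is not part of the advisory and not a configuration shipped by Sun or PointBase. The codebase path, the database directory and the server port 9092 are assumptions that have to be adapted to the local installation, and the exact permission set PointBase needs must be established by testing, as the advisory says. What matters for the vulnerability described above is what the policy omits: there is no java.io.FilePermission with the "execute" action and no blanket java.lang.RuntimePermission, so a SQL function definition that reaches Runtime.exec() is stopped by SecurityManager.checkExec().

```text
// Hypothetical java.policy for the PointBase server bundled with the J2EE/RI
// (added example; paths and port are assumptions, adjust to the installation).

grant codeBase "file:/C:/j2ee14/pointbase/lib/-" {
    // Accept JDBC client connections on the PointBase server port (9092 assumed).
    permission java.net.SocketPermission "localhost:9092", "listen,accept,resolve";

    // Database files: read, write and delete only. Deliberately no "execute"
    // action, and no permission on directories outside the database store.
    permission java.io.FilePermission "C:/j2ee14/pointbase/databases/-", "read,write,delete";
    permission java.io.FilePermission "C:/j2ee14/pointbase/lib/-", "read";

    // Reading system properties is normally required; writing them is not.
    permission java.util.PropertyPermission "*", "read";
};

// No default grant block: code outside the PointBase codebase receives nothing.
// Note on why AllPermission for the PointBase jar does not help: the security
// manager's access check walks the entire call stack, so even when the Java
// method registered through a SQL function definition lives in a trusted JDK
// package, the PointBase frames on the stack are checked too. With the limited
// grant above those frames lack the "execute" permission and the call fails with
// a SecurityException; with AllPermission they would pass the check.
```

The policy takes effect only when the JVM that runs the PointBase server is started with a security manager, i.e. with -Djava.security.manager and -Djava.security.policy=<path to this file> added to its command line. A quick check that the policy is active is to watch the PointBase server log for a SecurityException when any operation outside the granted set is attempted; if the server instead fails to start, a permission it legitimately needs is missing and has to be added, which is the manual evaluation the advisory refers to.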