[NEWS] J2EE Database Component Remote Code Execution

From: SecuriTeam (support_at_securiteam.com)
Date: 12/17/03

    To: list@securiteam.com
    Date: 17 Dec 2003 18:32:27 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      J2EE Database Component Remote Code Execution
    ------------------------------------------------------------------------

    SUMMARY

    Specially crafted SQL statements sent to the PointBase 4.6 database
    bundled with the J2EE 1.4 Reference Implementation can start arbitrary
    executables on the database host. An attacker with JDBC access to the
    database can therefore easily compromise the remote host.

    DETAILS

    Vulnerable systems:
     * J2EE Reference Implementation version 1.4 (Pointbase 4.6 Database
    Component)

    Technical details:
    A specially crafted SQL statement can start arbitrary executables on the
    host. The exploit code is similar to the JBoss/HSQLDB exploit published
    earlier this year; in fact this is a typical case of exploit reuse, as the
    SQL statements only needed minor adjustment from the HSQLDB
    function-definition syntax to the PointBase function-definition syntax
    (both allow SQL function definitions that map onto Java methods available
    in the database server's JVM). The vulnerability results from inadequate
    security settings combined with library bugs in sun.* and org.apache.*
    packages of JDK 1.4.2_02, which become reachable when PointBase runs
    without a fine-tuned security manager.

    Workaround:
    A possible workaround is to write an adequate policy file and run
    PointBase with a security manager configured from it. PointBase as bundled
    with the J2EE RI ships without such a configuration, so the policy
    settings have to be worked out manually. Simply granting AllPermission to
    the PointBase jar codebase does not solve the problem (that grants
    everything, including the right to start processes); the grants have to
    be narrowed to what PointBase actually needs. With a proper policy
    installed, the described attack results in a SecurityException thrown
    inside PointBase instead of the attacker's chosen executable being
    started.

    Fix:
    No fix is available at the moment, as Sun states that the problem "is
    not a security issue with J2ee 1.4" functionality. However, Sun stated
    that they "contacted pointbase regarding the issue".

    Timeline:
    29 Nov 2003 Vendor (Sun) informed
    05 Dec 2003 Vendor acknowledges inadequate security manager settings in
    PointBase, allowing denial of service and remote code injection via JDBC
    that compromises J2EE security
    16 Dec 2003 Public release

    ADDITIONAL INFORMATION

    The information has been provided by Marc Schoenefeld
    <mailto:schonef@uni-muenster.de>.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

