[UNIX] Paros Proxy Blank Password



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



Paros Proxy Blank Password
------------------------------------------------------------------------


SUMMARY

<http://www.parosproxy.org/> Paros is "an intercepting HTTP/HTTPS proxy
for use in security testing web applications".

Paros contains a flaw that allows a remote attacker to connect to a
database port opened on the machine running Paros, without supplying any
credentials.

DETAILS

Vulnerable Systems:
* Paros version 3.2.5 and below

The problem stems from use of a blank "sa" password on the open-source
database ("HSQLDB") which is integrated with Paros.

The database server (which is written in Java) contains functionality for
executing arbitrary Java statements. This is how HSQLDB provides Stored
Procedure functionality.

The issue may result in disclosure of confidential data, and possible
execution of commands on the victim machine.

A remote attacker may find credentials for web applications, valid session
IDs, and confidential data downloaded from the website being tested with
Paros. This information is present in the database.

Additionally, the possibility of executing Java statements on the database
server may mean that an attacker can gain access to files or execute
commands at the OS level (by performing the Java equivalent of a "system()"
call). This has not been investigated fully, but appears possible.

Disclosure Timeline:
03.10.05 - Problem discovered / reported
07.10.05 - Issue re-reported via sourceforge, as mail appeared lost in
transit
07.10.05 - Paros developer releases updated version where DB listens on
localhost only
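The fix shipped by the Paros developer makes the embedded database listen on localhost only. A defender who wants to verify that on a host running Paros (or any other application that embeds HSQLDB) can audit the listening sockets. The following Python script is an added example written for this advisory; it is not part of Paros, HSQLDB or the original report. It parses constructed lines in the layout of "ss -ltn" / "netstat -ltn" output and flags database ports bound to a wildcard or non-loopback address. The port number 9001 is assumed to be HSQLDB's default server port; the table can be extended for other embedded databases.

```python
"""Audit listening sockets for embedded-database ports exposed beyond loopback.

Added example for the Paros/HSQLDB advisory; not code from Paros or HSQLDB.
The sample socket lines below are constructed to mimic 'ss -ltn' output.
"""
import ipaddress

# Ports treated as embedded-database listeners. 9001 is assumed to be the
# default HSQLDB "hsql://" server port; add others for your environment.
DB_PORTS = {9001: "HSQLDB"}

# Constructed sample in the column layout of 'ss -ltn':
# State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     127.0.0.1:8080       0.0.0.0:*
LISTEN  0       50      *:9001               *:*
LISTEN  0       50      [::]:9001            [::]:*
LISTEN  0       128     127.0.0.1:9001       0.0.0.0:*
"""


def parse_local_address(field):
    """Split an ss/netstat local-address column into (host, port).

    Handles "0.0.0.0:9001", "*:9001", "[::]:9001" and netstat's ":::9001".
    Returns None if the field does not end in a numeric port.
    """
    host, sep, port = field.rpartition(":")
    if not sep or not port.isdigit():
        return None
    return host.strip("[]"), int(port)


def is_loopback_only(host):
    """True if the bind address only accepts connections from the local host."""
    if host in ("*", "0.0.0.0", "::"):
        return False  # wildcard binds accept connections from any interface
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"


def find_exposed_db_listeners(lines, db_ports=DB_PORTS):
    """Return [(service, host, port)] for DB ports reachable from the network."""
    findings = []
    for line in lines:
        cols = line.split()
        # Skip headers and anything that is not a listening socket.
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        parsed = parse_local_address(cols[3])
        if parsed is None:
            continue
        host, port = parsed
        if port in db_ports and not is_loopback_only(host):
            findings.append((db_ports[port], host, port))
    return findings


if __name__ == "__main__":
    # With real data: pipe 'ss -ltn' into this script instead of the sample.
    for service, host, port in find_exposed_db_listeners(SAMPLE_SS_OUTPUT.splitlines()):
        print(f"WARNING: {service} listening on {host}:{port} is reachable from the network")
```

Only the two wildcard binds of port 9001 are reported; the loopback-bound copy on 127.0.0.1 is the state the updated Paros release is meant to produce. Note that a loopback-only bind removes the remote exposure but does not change the blank "sa" password, so local users on a shared host can still reach the database.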

Proof of concept:
To demonstrate this, first start Paros on the victim host (here,
192.168.0.1).

On the attacking host, ensure HSQLDB is installed, and add the following
lines to the file $HOME/sqltool.rc on the attacking host:

# connect to victimhost as sa, victimhost has IP 192.168.0.1
urlid victimhost-sa
url jdbc:hsqldb:hsql://192.168.0.1
username sa
password

To connect using the "victimhost-sa" block above run:
java -jar $HSQLDB_HOME/jsqldb.jar victimhost-sa

At this point, it is possible to pull data from the tables in the database
(browsing state, history, credentials).

The page at http://hsqldb.org/doc/guide/ch09.html#call-section also states
it is possible to execute Java statements by writing them in the format
"java.lang.Math.sqrt"(2.0).


ADDITIONAL INFORMATION

The information has been provided by <mailto:anc@xxxxxxxxxxxxxxx> Andrew
Christensen.


