By using specially crafted SQL statements, arbitrary executables can be called on the host running the Pointbase 4.6 database bundled with the J2EE 1.4 reference implementation. This means attackers can easily compromise the remote host.
Credit:
The information has been provided by Marc Schoenefeld.
Vulnerable systems:
* J2EE Reference Implementation version 1.4 (Pointbase 4.6 Database Component)
Technical details:
By using a specially crafted SQL statement, arbitrary executables on the host can be started. The exploit code is similar to the JBoss/HSQLDB exploit discovered earlier this year. Further, this is a typical case of exploit reuse, as the SQL statements needed only minor adjustment from HSQLDB function definition syntax to Pointbase function definition syntax. The vulnerability results from inadequate security settings and library bugs in sun.* and org.apache.* packages in JDK 1.4.2_02 when running Pointbase without a fine-tuned security manager.
Workaround:
A possible workaround is to create an adequate policy file to configure a security manager object for Pointbase. The Pointbase bundled with J2EE/RI does not include such a configuration, so the policy settings have to be evaluated manually. Simply granting AllPermission to the Pointbase jar codebase does not solve the problem. With a proper setting installed, the described attack leads to a security exception thrown by Pointbase instead of starting the executable the attacker wanted.
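A policy written for this workaround must not give the Pointbase codebase the right to start processes. The following added example (not part of the original advisory, and not Sun or Pointbase code) audits Java policy text for grants that would still allow it; the codebase path, port and permission set in the two constructed sample policies are assumptions for illustration.

```python
import re

# Constructed sample policies. Paths, port and permission set are assumptions
# for illustration, not Pointbase's documented requirements.
WEAK_POLICY = '''
grant codeBase "file:/opt/j2ee/pointbase/lib/-" {
    permission java.security.AllPermission;
};
'''
TIGHT_POLICY = '''
// Only what the (assumed) database server needs; nothing grants "execute".
grant codeBase "file:/opt/j2ee/pointbase/lib/-" {
    permission java.net.SocketPermission "localhost:9092", "accept,listen,resolve";
    permission java.io.FilePermission "/opt/j2ee/pointbase/databases/-", "read,write,delete";
    permission java.util.PropertyPermission "*", "read";
};
'''

# Quoted strings are matched as units so "${java.home}" or ";" inside them
# cannot end a grant block or a permission entry early.
GRANT_RE = re.compile(r'grant\b((?:[^{"]|"[^"]*")*)\{((?:[^}"]|"[^"]*")*)\}\s*;')
PERM_RE = re.compile(r'permission\s+([\w.$]+)\s*((?:[^;"]|"[^"]*")*);')

def strip_comments(text):
    """Drop // and /* */ comments while leaving quoted strings untouched."""
    pattern = r'"[^"]*"|/\*.*?\*/|//[^\n]*'
    keep_strings = lambda m: m.group(0) if m.group(0)[0] == '"' else ''
    return re.sub(pattern, keep_strings, text, flags=re.S)

def exec_capable_grants(policy_text):
    """Return (codeBase, permission) pairs that allow starting processes.

    Runtime.exec() is gated by SecurityManager.checkExec(), which demands
    FilePermission(<command>, "execute"); AllPermission implies it.
    """
    findings = []
    for header, body in GRANT_RE.findall(strip_comments(policy_text)):
        m = re.search(r'codeBase\s+"([^"]*)"', header)
        codebase = m.group(1) if m else "<all code>"
        for cls, args in PERM_RE.findall(body):
            quoted = re.findall(r'"([^"]*)"', args)
            actions = [a.strip().lower() for a in quoted[1].split(",")] if len(quoted) > 1 else []
            if cls == "java.security.AllPermission":
                findings.append((codebase, cls))
            elif cls == "java.io.FilePermission" and "execute" in actions:
                findings.append((codebase, f'{cls} "{quoted[0]}" execute'))
    return findings

if __name__ == "__main__":
    for name, text in (("weak", WEAK_POLICY), ("tight", TIGHT_POLICY)):
        print(name, exec_capable_grants(text))
```

An empty result only shows that the policy text grants no execute right; the JVM must still be started with a security manager and this policy for the restriction to apply.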
Fix:
No fix is available at the moment, as Sun states that the problem "is not a security issue with J2ee 1.4" functionality. However, Sun stated that they "contacted pointbase regarding the issue".
Timeline:
29 Nov 2003 Vendor (Sun) informed
05 Dec 2003 Vendor commits inadequate security manager settings in pointbase, allowing denial-of-service, and remote code injection via JDBC that compromises j2ee security
16 Dec 2003 public release