SecuriTeam - Paros Proxy Blank Password

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Ask the Team
Mailing Lists
Advertising Info
Advisories
About SecuriTeam
Blogs

Brought to you by:

Suppliers of:

SecuriTeam in Your Inbox

New vulnerability?
New tool?
Tell us
(Our PGP key).

Paros is "an intercepting HTTP/HTTPS proxy for use in security testing web applications".

Paros contains a flaw that allows a remote attacker to connect to a database port opened on the machine running Paros, without supplying any credentials.

Credit:
The information has been provided by Andrew Christensen.

Website Security Scan	Code Vulnerability Test	Network Assessment Tool
Detect hidden vulnerabilities	Exhaustive automated testing	Real-time, continuous security
Get guidance from professionals	of internal or 3rd party code.	scanning for your entire network

Protect your website!
Use an External Vulnerability Scanner!
Nothing to install. First report in 1 hour!
www.beyondsecurity.com/vulnerability-scanner

Vulnerable Systems:
* Paros version 3.2.5 and below

The problem stems from use of a blank "sa" password on the open-source database ("HSQLDB") which is integrated with Paros.

The database server (which is written in Java) contains functionality for executing arbitrary Java statements. This is how HSQLDB provides Stored Procedure functionality.

The issue may result in disclosure of confidential data, and possible execution of commands on the victim machine.

A remote attacker may find credentials for web applications, valid session IDs, and confidential data downloaded from the website being tested with Paros. This information is is present in the database.

Additionally, the possibility of executing Java statements on the database server may mean that an attacker can gain access to files or execute command at the OS level (by performing the Java equivalent of a "system()" call). This has not been investigated fully, but appears possible.

Disclosure Timeline:
03.10.05 - Problem discovered / reported
07.10.05 - Issue re-reported via sourceforge, as mail appeared lost in transit
07.10.05 - Paros developer releases updated version where DB listens on localhost only

Proof of concept:
To demonstrate this, first start Paros on the victim host (here, 192.168.0.1).

On the attacking host, ensure HSQLDB is installed, and add the following lines to the file $HOME/sqltool.rc on the attacking host:

       # connect to victimhost as sa, victimhost has IP 192.168.0.1
       urlid victimhost-sa
       url: jbdc:hsqldb:hsql://192.168.0.1
       username sa
       password

To connect using the "victimhost-sa" block above run:
       java -jar $HSQLDB_HOME/jsqldb.jar victimhost-sa

At this point, it is possible to pull data from the tables in the database (browsing state, history, credentials).

The page at http://hsqldb.org/doc/guide/ch09.html#call-section also states it is possible to execute Java statements by writing them in the format "java.lang.Math.sqrt"(2.0).

	Publique! CMS and SQL Injection Vulnerabilities
	Files2Links F2L-3000 SQL Injection Vulnerability
	HP-UX Running Apache Data Injection and DoS Vulnerability
	MIT krb5 KDC denial of service in cross-realm referral processing
	AproxEngine Multiple Vulnerabilities
	APC Switched Rack PDU XSS Vulnerability
	HP-UX Running OpenSSL Unauthorized Data Injection and Denial of Service
	HP OpenView NNM snmpviewer.exe CGI Host Header Stack Overflow Vulnerability
	HP OpenView NNM ovwebsnmpsrv.exe OVwSelection Stack Overflow Vulnerability
	HP-UX Running VRTSweb Remote Execution of Arbitrary Code and Privilege Escalation
	FreeBSD SSL and TLS Session Renegotiation vulnerability
	CoreHTTP Web Server Buffer Overflow Vulnerability
	HP OpenView Network Node Manager DoS Vulnerability
	ToutVirtual VirtualIQ Multiple Vulnerabilities
	Transport Layer Security Renegotiation Vulnerability