Bugtraq mailing list archives

J2EE 1.4 reference implementation: database component allows remote code execution


From: Marc Schoenefeld <schonef () uni-muenster de>
Date: Tue, 16 Dec 2003 09:33:05 +0100 (MEZ)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Illegalaccess.org security advisory i/12-2003 (www.illegalaccess.org)

J2EE 1.4 reference implementation: database component allows remote code
execution

Brief
=====

Product   : J2EE reference implementation (java.sun.com/j2ee/download.html)
Component : pointbase 4.6 database component
Version   : 1.4
Vendor    : Sun Microsystems
Impact    : Code injection, DoS, information leakage
Date      : Public Release 12/16/2003, 11am GMT

Summary
=======
By using specially crafted SQL statements *arbitrary executables*
on the host executing the pointbase 4.6 database bundled with the
j2ee 1.4 reference implementation (j2ee/ri) *can be started*.
The vulnerability has been tested by illegalaccess.org on
windows xp with the bundled jdk 1.4.2_02 that ships with the j2ee/ri.

Workaround
==========
A possible workaround is to create an adequate policy file
to configure a security manager object for pointbase.
Pointbase bundled with j2ee/ri does not include
such a configuration, so the policy settings have to be evaluated
manually. Simply granting AllPermission to the
pointbase jar codebase does not solve the problem.
With a proper policy installed the described attack
leads to a security exception thrown by pointbase instead of
starting the executable the attacker intended.
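The following is an added example, not code from the advisory or from Sun/PointBase. It shows the shape of the workaround described above using the JDK 1.4-era SecurityManager API: a restrictive policy file is written, installed as the only policy, and the program checks that the same call Runtime.exec performs before spawning a process is refused. The codeBase, the system property pointbase.home and the granted permissions are assumptions; the permissions PointBase really needs have to be determined by testing, as the advisory says.

```java
// Added example (not part of the advisory). Installs a restrictive policy for
// a hypothetical PointBase code base and checks that starting an external
// program is denied once a SecurityManager is active.
import java.io.File;
import java.io.FileWriter;
import java.io.IOException;
import java.security.Policy;

public class PointbasePolicyCheck {

    // Constructed policy text. codeBase and permissions are assumptions;
    // the important part is that no FilePermission with the "execute"
    // action is granted to any code base.
    static final String POLICY =
        "grant codeBase \"file:${pointbase.home}/lib/-\" {\n" +
        "    permission java.io.FilePermission \"${pointbase.home}/databases/-\", \"read,write,delete\";\n" +
        "    permission java.util.PropertyPermission \"*\", \"read\";\n" +
        "};\n";

    /** Writes POLICY to a temporary file and returns its path. */
    static String writePolicyFile() throws IOException {
        File f = File.createTempFile("pointbase", ".policy");
        FileWriter w = new FileWriter(f);
        try {
            w.write(POLICY);
        } finally {
            w.close();
        }
        return f.getPath();
    }

    /**
     * Installs the policy file as the only policy (the leading '=' replaces
     * the default policy instead of adding to it), enables a SecurityManager
     * and returns true if starting a program is denied. checkExec is the
     * check Runtime.exec performs before creating a process.
     */
    static boolean execIsDenied(String policyPath) {
        System.setProperty("java.security.policy", "=" + policyPath);
        Policy.getPolicy().refresh();
        // The file has been parsed at this point; remove it before the
        // manager is installed, since deleting afterwards would be denied too.
        new File(policyPath).delete();
        System.setSecurityManager(new SecurityManager());
        try {
            System.getSecurityManager().checkExec("some-program.exe");
            return false; // exec would have been permitted
        } catch (SecurityException e) {
            return true;  // the attack described in the advisory ends here
        }
    }

    public static void main(String[] args) throws IOException {
        // Placeholder install location, only used to expand ${pointbase.home}.
        System.setProperty("pointbase.home", "/path/to/j2ee/pointbase");
        boolean denied = execIsDenied(writePolicyFile());
        System.out.println("exec denied by policy: " + denied);
    }
}
```

The same check can be applied to the other operations a crafted function definition could reach (file access, sockets, property writes) by calling the corresponding SecurityManager check methods. The SecurityManager API has been deprecated since JDK 17 and cannot be installed at run time on JDK 18 to 23 without -Djava.security.manager=allow, so the program is meant for a JDK of the era the advisory describes.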

This text will be also available soon at
http://www.illegalaccess.org

Product
=======
J2EE/RI 1.4 (windows version), which is available at www.sun.com.
It cannot be ruled out that j2ee versions for other operating systems
contain similar vulnerabilities.

Details
=======
By using a specially crafted SQL statement arbitrary executables
on the host executing the pointbase database that comes with the
j2ee 1.4 reference implementation (j2ee/ri) can be started.
The exploit code is similar to the jboss/hsqldb exploit
discovered earlier this year. Furthermore this is a typical
case of exploit reuse, as the sql statements only needed minor
adjustment from the hsqldb function definition syntax to the
pointbase function definition syntax. The vulnerability
results from inadequate security settings and library bugs in
sun.* and org.apache.* packages in jdk 1.4.2_02 when running
pointbase without a fine-tuned security manager.

Risk
====
In addition to the possibility of executing arbitrary executables,
denial-of-service attacks as well as information leakage scenarios
have been tested successfully.

Proof-Of-concept code
=====================
The vendor (Sun) has been provided with proof-of-concept SQL code
executing a notepad.exe on the machine executing the pointbase
database. Another proof-of-concept SQL statement crashes the

Fix
===
As of today there is no fix available, as Sun states that the
problem "is not a security issue with J2ee 1.4" functionality. But Sun
states that they "contacted pointbase regarding the issue".

More Information
================
At RSA Conference 2003 the problem areas in jdk 1.4 which allow
remote code injection were presented. A report testing three major
100% pure java databases against these vulnerabilities will be made
public in January. This work is part of my dissertation research and
therefore a non-profit project.

History
=======
29 Nov 2003 Vendor (Sun) informed
05 Dec 2003 Vendor commits inadequate security manager settings in
            pointbase, allowing denial-of-service and remote code
            injection via jdbc, thereby compromising j2ee security
16 Dec 2003 Public release

Greetings
=========
to Johnny Cyberpunk and his S/390, to Dark Tangent still hiding my travel
and parking allowance, g0dzilla, km and halvar the viking


- --

Never be afraid to try something new. Remember, amateurs built the
ark; professionals built the Titanic. -- Anonymous

Marc Schönefeld Dipl. Wirtsch.-Inf. / Software Developer
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (AIX)

iD8DBQE/3sNUqCaQvrKNUNQRAmmfAJ98mfdPj8XIOqzL/PJuAcUfoffRYwCbBQGo
OFFeDqfNQoIjAskif9QXjd0=
=kAyS
-----END PGP SIGNATURE-----

