SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Server/CGI)  >   Red Hat JBoss Vendors:   JBoss Group
JBoss Java Server 'hsqldb' Service Default Configuration Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1007887
SecurityTracker URL:  http://securitytracker.com/id/1007887
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Oct 6 2003
Impact:   Denial of service via network, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 3.2.1
Description:   A vulnerability was reported in the JBoss Java server. A remote user can execute arbitrary commands on the target system.

Illegalaccess.org reported that a remote user can connect to the target JBoss system on TCP port 1701 and send a specially crafted series of SQL statements to execute arbitrary code with the privileges of the java process executing JBoss. A remote user can also cause denial of service conditions, inject messages into the log file, and obtain information from the target system, according to the report.

The primary flaw reportedly resides in the hsqldb service, which can be accessed by remote users. If the default username and password for this service has not been changed, a remote user can access the service. Then, the remote user can exploit various programming errors in the sun.* classes and various logic errors in the org.apache.* classes of the JDK to attack the target system, the report said.

Default installations of JBoss version 3.2.1 running on JDK 1.4.x are affected, the report said.

Impact:   A remote user can cause denial of service conditions, inject messages into the log file, obtain information from the target system, and execute arbitrary code on the target system. The code will run with the privileges of the target Java application.
Solution:   The vendor has described a fix, available at:

http://sourceforge.net/docman/display_doc.php?docid=19314&group_id=22866

Vendor URL:  www.jboss.org/index.html (Links to External Site)
Cause:   Configuration error
Underlying OS:  Java, Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  JBoss 3.2.1: Remote Command Injection


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

================================
Illegalaccess.org Security Alert
================================

Date        : 10/04/2003
Application : JBoss, java server for running J2EE enterprise
              applications
Version     : 3.2.1
Website     : http://www.jboss.org
Problems    : Denial-Of-Service,
              Log Manipulation,
              Manipulation of Process variables,
              Arbitrary Command Injection


Illegalaccess.org has discovered a critical security
vulnerability in the latest production version of JBoss J2EE
application server. The vulnerability affects default
installations of JBoss 3.2.1 running on JDK 1.4.x. We were able
to design proof of concept code for this issue, which allows
remote attack resulting in several compromises, ranging from
information disclosure over log manipulation and manipulating
java process properties to execution of any commands on the
(windows) system with the privileges of the JBoss process. We do
not rule out the possibility of remotely controlled code
execution on JBoss servers running on top of other operating
systems (such as Linux, Solaris, Mac, OS/390).

The existence of the vulnerability has been confirmed by Marc
Fleury and Scott Stark of the JBoss Group. This report is part of
the coordinated release of information about this new threat. The
appropriate security bulletin for the jboss system as well as a
configuration fix for the affected version 3.2.1 are available
for download from the JBoss web site  (see URL below).

It should be stated, that the reaction time of the JBoss group
was exemplary in providing an immediate correction of the default
configuration which was causing the problem.

Description
This is a command injection vulnerability that exists in an
integral component of the JBoss server, HSQLDB, an SQL database
managing JMS connections. In a combined result of programming
errors in the sun.* classes and logic errors in the org.apache.*
classes of the JDK and settings in the default configuration of
JBoss, remote attackers can obtain remote access to vulnerable
JBoss systems. Our tests confirmed that this vulnerability
affects all default installations of JBoss 3.2.1 and potentially
every other system using TCP/IP based connections to HSQLDB.

Risk Analysis
The impact of this vulnerability should be considered as
critical. Throughout its exploitation, any user can gain complete
control over a vulnerable system by the means of a remote attack.
By sending specially crafted sequence of SQL statements to the
TCP port 1701 of the vulnerable JBoss system, an attacker can
exploit the vulnerabilities and in worst case execute any code
with the privileges of the java process executing JBoss.

Scope
This vulnerability affects every installation of JBoss 3.2.1
application server not protected by additional hardening
mechanisms for network access protection and boundary control
such as firewall systems.

Code Availability
We were able to develop a fully functional 100%-java proof of
concept code for JBoss 3.2.1 running on any Java 1.4.x-enabled
platform. The base functionality for every operating system
includes Denial-Of-Service, Information Disclosure, Log Message
Injection and Resource Consumption. It makes use of some unique
exploitation techniques and are based on a detailed analysis of
the JDK 1.4.x class structure (available for download mid
November 2003) by Illegalaccess.org. In the case of the host
operating system being Windows 2000/XP, an additional
exploitation is possible executing arbitrary executables and even
registered file types. The attack may be performed unnoticed,
without any abuse to the operation of the
target system.

Due to the unique nature and in-depth-impact of this
vulnerability, illegalaccess.org has decided not to publish
exploit code or any technical details helpful for replay with
regard to this vulnerability at the moment. Parallel we are
preparing a more detailed technical description of the
vulnerability which is due to be released to the public when its
impact will be reduced through propagation of appropriate fixes
by the JBoss Group.

Solution
It should be emphasized that this vulnerability poses a critical
threat and appropriate patches provided by JBoss (see below)
should be immediately applied. The patch available at present
is available at

http://
sourceforge.net/docman/display_doc.php?docid=19314&group_id=22866

and describes the fix which is to limit the HSQLDB to in-memory
mode.

=======start of snippet from updated jboss documentation=========
The default configuration of the hsqldb service allows for
interaction with the database over TCP/IP and can enable arbitary
code to be executed if the default username/password has not be
changed. JBoss does not need the socket based access mode so one
can disable this through two changes to the deploy/hsqldb-ds.xml
configuration.


I) First, change:
<!-- for tcp connection, other processes may use hsqldb -->
  <connection-url>
    jdbc:hsqldb:hsql://localhost:1701
  </connection-url>

to:

<!-- for in-process db with file store, saved when jboss
stops. The org.jboss.jdbc.HypersonicDatabase is unnecessary -->

<connection-url>
   jdbc:hsqldb:localDB
</connection-url>

II) Next, comment out or remove this section:

  <!-- this mbean should be used only when using tcp connections -->
  <mbean code="org.jboss.jdbc.HypersonicDatabase"
    name="jboss:service=Hypersonic">
    <attribute name="Port">1701</attribute>
    <attribute name="Silent">true</attribute>
    <attribute name="Database">default</attribute>
    <attribute name="Trace">false</attribute>
    <attribute name="No_system_exit">true</attribute>
  </mbean>

=======end of snippet from updated jboss documentation=========

Marc Schoenefeld, www.illegalaccess.org  (marc@illegalaccess.org)

- --

Never be afraid to try something new. Remember, amateurs built the
ark; professionals built the Titanic. -- Anonymous

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (AIX)
Comment: For info see http://www.gnupg.org

iD8DBQE/gJALqCaQvrKNUNQRAiFqAJ9GYSd38BKgL2tYWp/U0r/KtdbO0ACdFz6V
39E+YTxnfgaf0NDpjXSfnLY=
=Eb08
-----END PGP SIGNATURE-----

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC