Java J2EE PointBase Configuration Flaw Lets Remote Users Execute Arbitrary Binaries
SecurityTracker Alert ID: 1008491|
SecurityTracker URL: http://securitytracker.com/id/1008491
(Links to External Site)
Date: Dec 16 2003
Execution of arbitrary code via network|
Vendor Confirmed: Yes |
Version(s): 1.4 (with PointBase 4.6)|
A vulnerability was reported in the Java J2EE reference implementation when running the included PointBase database. A remote user can inject SQL commands to execute arbitrary binaries on the target system.|
Illegalaccess.org reported that a remote user can run specially crafted SQL statements to cause arbitrary executables on the target system to be executed.
The vulnerability is due to inadequate security settings and library bugs in the sun.* and org.apache.* packages in jdk 1.4.2_02 when running pointbase without a fine-tuned security manager, according to the report.
A remote user may also be able to cause denial of service conditions or gain information about the target system, the report said.
The vendor was reportedly notified on November 29, 2003.
A remote user can cause arbitrary binaries on the target system to be executed.|
No solution was available at the time of this entry. Accordiing to the report, the vendor has indicated that this is not a flaw in J2EE.|
A potential workaround is described in the Source Message.
Vendor URL: java.sun.com/j2ee/index.jsp (Links to External Site)
Access control error, Configuration error|
|Underlying OS: Windows (Any)|
|Underlying OS Comments: Tested on Windows XP|
Source Message Contents
Subject: J2EE 1.4 reference implementation: database component allows remote|
-----BEGIN PGP SIGNED MESSAGE-----
Illegalaccess.org security advisory i/12-2003 (www.illegalaccess.org)
J2EE 1.4 reference implementation: database component allows remote code
Product : J2EE reference implementation (java.sun.com/j2ee/download.html)
Component : pointbase 4.6 database component
Version : 1.4
Vendor : Sun Microsystems
Impact : Code injection, DoS, information leakage
Date : Public Release 12/16/2003, 11am GMT
By using special crafted SQL statements *arbitrary executables*
on the host executing the pointbase 4.6 database bundled with the
j2ee 1.4 reference implementation (j2ee/ri) *can be started*.
The vulnerability has been tested by illegalaccess.org on
windows xp and the bundled jdk 1.4.2_02 coming with the j2ee/ri.
A possible workaround is to create an adequate policy file
to configure a security manager object for pointbase.
Pointbase bundled with j2ee/ri does not include
a configuration so the policy settings have to evaluated
manually. Simply granting AllPermissions to the
pointbase jar codebase does not solve the problem.
With a proper setting installed the described attack
leads to a security exception thrown by pointbase instead of
starting the exe file which was desired by the attacker.
This text will be also available soon at
J2EE/RI 1.4 (windows version) which is available at www.sun.com
It cannot be ruled out that j2ee versions for other os contain similar
By using a special crafted SQL statement arbitrary executables
on the host executing the pointbase database coming with the
j2ee 1.4 reference implementation (j2ee/ri) can be started.
The exploit code is similar to the jboss/hsqldb exploit
discovered earlier this year. Furthermore this is a typical
case of exploit reuse as the sql statements only needed minor
adjustment from hsqldb function definition syntax to
pointbase function definition. The vulnerability is
resulting from inadequate security settings and library bugs in
sun.* and org.apache.* packages in jdk 1.4.2_02 when running
pointbase without a fine-tuned security manager.
In addition to the possibility of executing arbitrary executables,
denial-of-service attacks as well as information leakage scenarios
have been tested positively.
The vendor (Sun) has been provided with proof-of-concept SQL code
executing a notepad.exe on the machine executing the pointbase
database. Another proof-of-concept SQL statement crashes the
There is no fix available until today, as Sun is stating that the
problem "is not a security issuse with J2ee 1.4" functionality. But Sun
states that they "contacted pointbase regarding the issue".
On RSA Conference 2003 the problem areas in jdk 1.4 were presented
which allow remote code injection. A a report, testing three major
100% pure java databases against these vulnerabilities will be made
public in january. This work is part of my dissertation research and
therefore a non-profit project.
29 Nov 2003 Vendor (Sun) informed
05 Dec 2003 Vendor commits inadequate security manager settings in
allowing denial-of-service and remote code injection via jdbc
which comprimising j2ee security
16 Dec 2003 public release
to Johnny Cyberpunk and his S/390, to Dark Tangent still hiding my travel
and parking allowance, g0dzilla, km and halvar the viking
Never be afraid to try something new. Remember, amateurs built the
ark; professionals built the Titanic. -- Anonymous
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (AIX)
-----END PGP SIGNATURE-----