One Article Review

Home - The article:
Source Code White
Identifier 1236820
Publication date 2019-08-01 14:54:08 (viewed: 2019-08-01 15:01:38)
Title Exploiting H2 Database with native libraries and JNI
Text Techniques to gain code execution in an H2 Database Engine are already well known but require H2 being able to compile Java code on the fly. This blog post will show a previously undisclosed way of exploiting H2 without the need of the Java compiler being available, a way that leads us through the native world just to return into the Java world using the Java Native Interface (JNI).

Introduction

Last week, the blog post Jackson gadgets - Anatomy of a vulnerability by Andrea Brancaleoni of Doyensec was published. It describes how a setter-based vulnerability in the Jackson library can be exploited if the libraries of Logback and H2 Database Engine are available. In short, it exploits the feature of H2 to create user-defined functions with Java code that gets compiled on the fly using the Java compiler. This is not

But what if the Java compiler is not available? This was the exact case in a recent engagement where an H2 Database Engine instance, version 1.2.141, on a Windows system was exposing its web console. We want to walk you through the journey of finding a new way to execute arbitrary Java code without the need of a Java compiler on the target server by utilizing native libraries (.dll or .so) and the Java Native Interface (JNI).

Assessing the Capabilities of H2

Let's assume the CREATE ALIAS … AS … command cannot be used as the Java compiler is not available. A reason for that may be that it's not a Java Development Kit (JDK) but only a Java Runtime Environment (JRE), which does not come with a compiler. Or the PATH environment variable is not properly set up, so that the Java compiler javac cannot be found. However, the CREATE ALIAS … FOR … command can be used: When referencing a method, the class must already be compiled and included in the classpath where the database is running. Only static Java methods are supported; both the class and the method must be public. So every public static method can be used.

But in the worst case, only h2-1.2.141.jar and the JRE are available. Additionally, only supported data types can be used for nested function calls. So, what is left? While browsing the candidates in the Java runtime library rt.jar, the System.load(String) method stood out. It allows the loading of a native library. That would instantly allow code execution via the library's entry point function. But how can the library be loaded onto the H2 server? Although Java on Windows supports UNC paths and fetches the file, it refuses to actually load it. And this also won't work on Linux. So how can one write a file to the H2 server?

Writing arbitrary Files with H2

A brief look into the H2 functions reference shows that there is a FILE_WRITE function. Unfortunately, FILE_WRITE was introduced in 1.4.190. So we had better only check those functions that are available in 1.2.141. The CSVWRIT
Sent Yes
Tags Vulnerability Guideline


The article does not appear to have been picked up after its publication.


The article does not appear to build on a previous one.