Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

The JNDI Strikes Back – Unauthenticated RCE in H2 Database Console

Andrey Polkovnychenko & Shachar Menashe - JFrog. Posted 4 years ago.
  • Log4Shell was a vulnerability in the Log4J logging library for Java. By simply getting a specially crafted format string into the logged output, an attacker could make the library perform Java Naming and Directory Interface (JNDI) lookups. This interface is quite powerful and can lead to remote code execution when it reaches out to fetch a remote Java class and executes it. JNDI injection is a bug class in itself that has been seen before.
  • Since the Log4Shell vulnerability, the authors of this post decided to look for other, similar vulnerabilities. They started scanning open source repositories for JNDI injection by searching for the dangerous sink javax.naming.Context.lookup. They found a very similar bug: several code paths pass unfiltered attacker-controlled URLs to the javax.naming.Context.lookup function.
  • As a result, the attacker can specify the JDBC URL. Once the lookup is executed, a Java class can be returned and executed, leading to code execution. They found this vulnerability in several places within the H2 database engine.
  • In the H2 web-based console, the login form has two interesting fields: Driver Class and JDBC URL. By specifying a malicious class to be loaded, pre-auth code execution is possible (almost by design) within the application. By default, only local connections are allowed and the console should listen only on localhost.
  • While looking through the SQL handling, they also noticed that the LINK_SCHEMA stored procedure passes driver and URL arguments directly into a vulnerable function. By setting this up properly, code execution can be achieved. However, this does require the ability to execute arbitrary queries on the database, which makes this unlikely to occur.
  • The fix for this is to prevent remote JNDI queries. It should only allow for local calls. To me, this seems feeble but we will see if it stands the test of time.
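The notes above boil down to one defensive rule: a user-supplied driver class and JDBC URL must never reach `javax.naming.Context.lookup` unless they describe a local connection. The following is an added example of that rule written as a pre-lookup policy check. It is not H2's code or the JFrog authors' code; the class name `JdbcUrlPolicy`, the allow-lists and the sample inputs are assumptions made for illustration, and the allowed URL prefixes are the local in-memory and file forms rather than anything H2 itself enforces.

```java
import java.util.List;
import java.util.Locale;
import java.util.Set;

/**
 * Hypothetical policy that a console or stored procedure would consult
 * before handing a driver class and JDBC URL to any lookup routine.
 * Added example, not H2's code: it models the "local calls only" idea
 * by allow-listing driver classes and URL prefixes and by refusing any
 * URL that names a JNDI / directory scheme or a remote host.
 */
public final class JdbcUrlPolicy {

    // Only the driver we ship and trust. Any other class name is rejected
    // outright, so a lookup-capable class can never be named by a user.
    private static final Set<String> ALLOWED_DRIVERS = Set.of("org.h2.Driver");

    // Local-only URL forms (in-memory and on-disk databases). These are
    // assumptions for the example; a deployment would pick its own set.
    private static final List<String> ALLOWED_URL_PREFIXES =
            List.of("jdbc:h2:mem:", "jdbc:h2:file:", "jdbc:h2:~/");

    // Standard JNDI provider schemes. Their presence anywhere in the URL
    // means the request would be resolved through a directory service.
    private static final List<String> JNDI_SCHEMES =
            List.of("ldap:", "ldaps:", "rmi:", "iiop:", "dns:", "java:", "corba:");

    private JdbcUrlPolicy() {}

    /** Returns null when the pair is acceptable, otherwise the reason for rejection. */
    public static String reject(String driverClass, String jdbcUrl) {
        if (driverClass == null || jdbcUrl == null) {
            return "missing driver class or URL";
        }
        if (!ALLOWED_DRIVERS.contains(driverClass.trim())) {
            return "driver class not in allow-list: " + driverClass;
        }
        String lower = jdbcUrl.trim().toLowerCase(Locale.ROOT);
        for (String scheme : JNDI_SCHEMES) {
            if (lower.contains(scheme)) {
                return "URL contains a JNDI scheme: " + scheme;
            }
        }
        // Any "://" means a network endpoint or a nested URL inside a
        // connection setting; neither is a local call under this policy.
        if (lower.contains("://")) {
            return "remote or nested URL not allowed";
        }
        boolean local = ALLOWED_URL_PREFIXES.stream().anyMatch(lower::startsWith);
        return local ? null : "URL does not match a local-only prefix";
    }

    public static void main(String[] args) {
        // Constructed inputs for illustration only.
        String[][] samples = {
            {"org.h2.Driver", "jdbc:h2:mem:testdb"},
            {"org.h2.Driver", "jdbc:h2:file:/var/lib/app/data"},
            {"org.h2.Driver", "jdbc:h2:tcp://db.internal.invalid:9092/app"},
            {"org.h2.Driver", "jdbc:h2:mem:x;INIT=ldap://example.invalid/y"},
            {"com.example.UnknownDriver", "jdbc:h2:mem:testdb"},
        };
        for (String[] s : samples) {
            String why = reject(s[0], s[1]);
            System.out.printf("%-28s %-48s -> %s%n",
                    s[0], s[1], why == null ? "ALLOW" : "DENY (" + why + ")");
        }
    }
}
```

The check runs before any driver is instantiated, which is the point: once a class name and URL have been handed to a lookup routine, there is nothing left to filter. Rejecting on scheme substrings anywhere in the URL (not just at the start) matters because connection settings appended after a `;` can carry a second URL, and a prefix-only check would pass them.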