LFI (local file inclusion) vulnerability in web console RunScript tool #3175

Closed

piuppi opened this issue Sep 6, 2021 · 15 comments

Comments

@piuppi commented Sep 6, 2021

Hi Team,
During a security assessment I identified a local file inclusion vulnerability within the web console tools. In particular, I verified that it is possible to read the contents of external files on the file system by manipulating the POST request. This triggers a syntax error, reflecting the contents of the file in the HTML DOM of the page.

Let me know if I can post the evidence here.

Thanks and Best Regards,
Gianluca

@katzyn (Contributor) commented Sep 6, 2021

In recent releases of H2 these tools are password-protected, but browser sessions opened from the system tray icon of H2 Console have a security key that allows access to these tools and some other features without any additional authentication.

In this case you may read files accessible by H2 in various ways, for example, with FILE_READ function. So there is nothing special with such misuse of Run Script tool, it doesn't give you any additional unexpected permissions.

@piuppi (Author) commented Sep 6, 2021

Hi katzyn, I agree with you about the impact being mitigated by authentication and by the SQL functions that are expected to read the content of files (FILE_READ), but regardless of that, from a code security perspective, the vulnerability I identified is of the "Web" type and is due to the lack of validation of user input that reflects the content of an external file in the HTML DOM of the page (it shouldn't do that!), and is therefore NOT an expected feature but a programming error (an SQL error is triggered in the HTML DOM). However, if it is not evaluated as a vulnerability for you, no problem :)

Regards,


@grandinj (Contributor) commented Sep 6, 2021

Thanks for reporting this. We of course would be interested in the details so we can improve validation and error handling.

@piuppi (Author) commented Sep 7, 2021

Hi grandinj, thanks,
By intercepting the request of the RunScript Tool it is possible to modify the argument '-script' within the parameter 'args' by passing the absolute path to a file on the file system. In this case I passed the file /etc/passwd. The RunScript function processes the file as an SQL file and expects a specific SQL syntax to execute the script, generating an SQL syntax error and displaying the full contents of the file in the HTML DOM of the page.

This behaviour in security is known as LFI (local file inclusion) since it allows a hypothetical attacker to read the content of a file external to the application (not expected) present on the server hosting it.

Details below:

[image]

[image]

I remain at your disposal for any clarification.

Best Regards,
Gianluca

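The comment above describes two separable defects: the `-script` value in `args` is accepted as an arbitrary file-system path, and the resulting SQL syntax error echoes the file contents back to the browser. The following is an added example of how a web tool of this kind could address both points. It is not H2's code and not part of the reporter's evidence; `RunScriptGuard`, its methods, the allow-listed directory, and the constructed `args` strings and `SQLException` are all hypothetical.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.sql.SQLException;
import java.util.Arrays;
import java.util.List;
import java.util.logging.Logger;

/**
 * Hypothetical hardening for a RunScript-style web tool (added example, not H2's code).
 * Control 1: the -script argument must resolve to a regular .sql file inside an
 *            allow-listed directory, after symlink resolution.
 * Control 2: the text returned to the browser never carries the failing statement,
 *            so a parse error cannot reflect file contents into the page.
 */
public final class RunScriptGuard {
    private static final Logger LOG = Logger.getLogger(RunScriptGuard.class.getName());
    private final Path allowedRoot;

    public RunScriptGuard(Path allowedRoot) throws IOException {
        // toRealPath() canonicalises the root so that resolved candidates are comparable to it
        this.allowedRoot = allowedRoot.toRealPath();
    }

    /** Extract the value following "-script" from a whitespace-separated args string, or null. */
    public static String scriptArgument(String args) {
        List<String> parts = Arrays.asList(args.trim().split("\\s+"));
        int i = parts.indexOf("-script");
        return (i >= 0 && i + 1 < parts.size()) ? parts.get(i + 1) : null;
    }

    /** Resolve the user-supplied value and reject anything that escapes allowedRoot. */
    public Path checkedScriptPath(String userValue) throws IOException {
        if (userValue == null || userValue.isEmpty()) {
            throw new IOException("missing -script argument");
        }
        // resolve() keeps an absolute input absolute, normalize() folds "..", and
        // toRealPath() follows symlinks (and throws if the file does not exist)
        Path real = allowedRoot.resolve(userValue).normalize().toRealPath();
        if (!real.startsWith(allowedRoot) || !Files.isRegularFile(real)) {
            throw new IOException("script path is outside the allowed directory");
        }
        if (!real.getFileName().toString().endsWith(".sql")) {
            throw new IOException("only .sql scripts may be run");
        }
        return real;
    }

    /** Browser-facing error: fixed wording plus error code; full detail stays in the server log. */
    public static String clientMessage(SQLException e) {
        LOG.warning("RunScript failed: " + e.getMessage());
        return "Script execution failed (SQL error code " + e.getErrorCode() + ")";
    }

    public static void main(String[] argv) throws Exception {
        Path root = Files.createTempDirectory("scripts");
        Files.writeString(root.resolve("init.sql"), "CREATE TABLE t(id INT);\n");
        RunScriptGuard guard = new RunScriptGuard(root);

        // constructed 'args' values as they might arrive in the POST body
        String[] samples = {"-script init.sql", "-script /etc/passwd", "-script ../../etc/hosts"};
        for (String args : samples) {
            try {
                System.out.println(args + " -> accepted: " + guard.checkedScriptPath(scriptArgument(args)));
            } catch (IOException e) {
                System.out.println(args + " -> rejected: " + e.getMessage());
            }
        }

        // constructed exception standing in for a parser error that quotes the statement text
        SQLException sample = new SQLException(
                "Syntax error in SQL statement \"[statement text omitted]\"", "42000", 42000);
        System.out.println(clientMessage(sample));
    }
}
```

The path check deliberately runs `toRealPath()` before `startsWith()`, so a symlink placed inside the allowed directory but pointing elsewhere is rejected on the same branch as an absolute or `..` path. The client message is the part that addresses the reflection the reporter observed: whatever the SQL parser puts in its message is logged, not returned.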

@attritionorg

Can this be used to read /etc/shadow or another privileged file?

@piuppi (Author) commented Sep 8, 2021

Like any LFI, it depends on the privileges of the user running the web application.


@attritionorg

Right, but per @katzyn's comments that this may not cross privilege boundaries, the question is if this can be used to read a privileged file. My question was in the context of a default installation according to documentation (e.g. if it explicitly says don't run as root). Using /etc/passwd as the determination of a vulnerability in this case isn't ideal as that file is 0644 and any user on the system can access it. So repeating the exploit using /etc/shadow would be helpful.

@katzyn (Contributor) commented Sep 9, 2021

You need superuser access to read /etc/shadow on all systems (unless somebody changed its permissions).

H2 doesn't have any official distributions for POSIX systems, and you obviously should never run the H2 Server process, other regular DBMSs, application servers, or other similar software under the root account.

@piuppi (Author) commented Sep 9, 2021

Hi @grandinj, do you plan to fix this LFI vulnerability related to error handling in the RunScript Tool functionality?
I would like to request the CVE-ID to MITRE for this.

Please, let me know asap.

Thanks and Regards,
Gianluca


@grandinj (Contributor) commented Sep 9, 2021

Well, it's not a security issue, so a CVE is not warranted. It's just a bug.

@piuppi (Author) commented Sep 9, 2021

Hi @grandinj, thanks for your response.
However, I disagree: even if the software allows, once authenticated, reading an arbitrary file on the file system anyway using specific SQL functions (FILE_READ), this doesn't mean that the LFI that I have identified is not a software vulnerability. MITRE evaluates the vulnerabilities and not only the resulting security issues, so maybe the impact will be mitigated, but it is still an LFI vulnerability on a feature that normally should not show you an arbitrary file on the filesystem.

Let me know what you think.

Thank you.


@piuppi (Author) commented Sep 16, 2021

Hi @grandinj, so you confirm that it is not a security issue for you? However, I would like to submit the issue to MITRE. You will be able to eventually dispute the CVE assignment. They will decide if it is a vulnerability or not. Regards.

@martin-traverse

Hi, just wondering if there is any movement on this issue? The CVE is now showing up in the OWASP scanning tool for Java using the default configurations, following a recent update from Sonatype to update the OSS Index API. It is possible to list the CVE as a false positive, but it would be better if security scans passed out of the box.

https://jeremylong.github.io/DependencyCheck/
https://ossindex.sonatype.org/vulnerability/CVE-2018-14335

@katzyn (Contributor) commented May 31, 2022

The tools of H2 Console used by the exploit from CVE-2018-14335 have been protected since H2 1.4.198 Beta, released more than three years ago; only 1.4.197 and older versions are affected. If some tool incorrectly marks new versions as affected, please report this in the issue tracker of that tool.

@kelvinqian00 commented May 31, 2022

^ I also encountered this CVE and, upon confirmation by @katzyn that this does not actually affect newer H2 versions, submitted a FP report to DependencyCheck. Ideally there should be an update to the underlying CVE database rather than DependencyCheck to not mark newer versions with this CVE, however.

6 participants