The security hole left with JNDI for server resources

In Java world, JNDI (Java Naming and Directory Interface) is one very common method for applications to access server resources like data sources, EJB's, JMS queues, file stores etc.
The security risk is that: Not only JNDI can be called by applications hosted in the same container, but also remotely.
In an organization, application server admins do not take care of security risks unknowingly or neglect by assuming they or on a secure LAN. This exposes the resources to grave risk as anyone within LAN can access unauthorized data without being detected and abuse the system.


ctx = null;
Properties env = new Properties();
env.put(Context.INITIAL_CONTEXT_FACTORY, "CONTEXT_FACTORY");
env.put(Context.PROVIDER_URL, "CONTEXT_PROVIDER_URL");
DataSource datasource = (DataSource)initialContext.lookup("DATASOURCE_CONTEXT_NAME");
try {
    ctx = new InitialContext(env);
    Connection conn = datasource.getConnection();
    //perfrom queries with the connection
    conn.close();
} catch (Exception e) {
    e.printStackTrace();
}

So one can query the database just by knowing three things.
  1. Context.INITIAL_CONTEXT_FACTORY : this is container object reference
  2. Context.PROVIDER_URL : remote url of the container
  3.  DATASOURCE_CONTEXT_NAME : name of the datasource configured in container
One can know about INITIAL_CONTEXT_FACTORY if they know the type of container, example it would be "com.ibm.websphere.naming.WsnInitialContextFactory"

Provider URL is the URL of the container, also provide the port of the container.

Datasource name is little tricky to know, but assume you know it (by guessing it, by asking or by reading it from some other place), you can connect to database without knowing database username and password.

Server administrators need to set following parameters to avoid this kind of bypass

Context.SECURITY_PRINCIPAL
Context.SECURITY_CREDENTIALS
 
This attack is limited in Intranet environment only.

Comments

Post a Comment

Popular posts from this blog

Caused by: java.sql.SQLTimeoutException: ORA-01013: user requested cancel of current operation

Many times we encounter this error and think that there might be some JPA issue or network issue. However, the error is pretty explicit in its nature, but still not clear to ring the bell very first time. As the error says there is a timeout, and since Oracle is saying, we shall accept it. Another clue is "user requested cancel of current operation". This means that the connection was closed by the application server not the database server, hence it can be safely concluded that application has configured timeouts on transactions at its end. However, if you feel that this transaction should have been concluded within the application server limits, your doubt might be true. This problem can arise in case there is a lock on the record being updated by JPA or lock on the table in which JPA is attempting to insert. The lock is most probably being held by some other application, and since application server configuration is on aggressive SLA, the transaction is waiting its
Read more

HashiCorp Vault Integration with Ansible Etower using approle

Image
HashiCorp Vault is  a secrets management tool specifically designed to control access to sensitive credentials in a low-trust environment . It can be used to store sensitive values and at the same time dynamically generate access for specific services/applications on lease.  Integrating the vault with Ansible Etower provides robust and secure automation. Following is the step-by-step guide for the integration. Enable key-value secret engine in Hashi Vault (also known as "kv" engine). Let's call the engine, the "kv" engine. Create a secret inside "kv". A secret can be a collection of key-value pairs or a JSON for nested structure.            Lets assume that secrets are stored as JSON  in the format   { "my_app":{ "service_account_name": "some_service", "service_account_password": "some_password" } } Create a secret policy defining what can be done with the above-defined secret. Create an
Read more

utility to extract date from text with java

Image
A date pattern recognition algorithm to not only identify date pattern but also fetches probable date in Java date format. This algorithm is very fast and lightweight. The processing time is linear and all dates are identified in a single pass. Algorithm resolves date using tree traverse mechanism. Tree data structures are custom created to build supported date, time and month patterns. Following Trees are used (Note: ^ sign denotes complete pattern) DATE PATTERN TREE Month Pattern Tree (Jan and January both are valid, identified using ^ sign) Time pattern (Identified as suffix to Date, $ sign indicates SPACE character) Tree structures are used in the following algorithm.  Date Part Identification algorithm flowchart Time part identification algorithm flowchart These flow charts are self-explanatory in most part. --> sign is used to denote next match in respective tree structures. The algorithm also acknowledges multipl
Read more