Introducing jdbc-backdoor

Airman
2 min read · Oct 13, 2018

Background

To connect to a database, Java applications usually use the JDBC framework. Part of the framework is the JDBC drivers, which are usually supplied by the DBMS vendor. Applications often require the administrator to download the needed JDBC driver separately, because licensing restrictions do not allow the software vendor to redistribute the driver with their software.

Some software allows the administrator to upload the JDBC driver through the UI to make the configuration process easier. The software then places the driver in the appropriate directory so it can be used at runtime. In doing so, the application essentially allows the upload of arbitrary code that may be executed by the application backend, triggered by database operations. The purpose of jdbc-backdoor is to illustrate this attack.

Inner Workings of JDBC

Don’t expect a ton of details; I just wanted to provide enough information to make it easier to understand how jdbc-backdoor works.

A JDBC driver must implement the java.sql.Driver interface. When the JDBC driver class is loaded, it runs code that registers the driver with java.sql.DriverManager by calling the static registerDriver method.

When the application tries to make a JDBC connection, the driver manager will loop through the list of registered drivers until it finds a driver that indicates that it can accept the connection string (something like jdbc:mysql://localhost/test).

To load the driver explicitly, an application can just load the class using Class.forName("some.class.Name"). JDBC drivers can also be loaded automatically from JAR files that are on the application’s classpath. This happens if the JAR file contains a META-INF/services/java.sql.Driver file with the class name of the driver in it (i.e. a single line).

jdbc-backdoor

(Original image: https://www.flickr.com/photos/freejay3/3335151608)

jdbc-backdoor is a simple implementation of the java.sql.Driver interface that executes OS commands when its connect method is called. You can find jdbc-backdoor here: https://github.com/airman604/jdbc-backdoor

I’ve named the class the same as the Oracle JDBC driver class, just in case the application checks that. Run make to build jdbc-backdoor; it will create jdbcbackdoor.jar. The JAR file contains the compiled class as well as the java.sql.Driver file mentioned above. To run a test (careful, it will run the payload on your machine!), execute make test.
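
From the defender's side, and as an added example that is not part of jdbc-backdoor or the original post: an upload handler can list what a JAR would auto-register and accept it only if its SHA-256 is on a pinned allowlist, because a familiar driver class name proves nothing about the contents. The function names, sample JARs and pinned digest are constructed for illustration, and oracle.jdbc.OracleDriver is an assumed stand-in for the class name.

```python
import hashlib
import io
import zipfile

SERVICE_FILE = "META-INF/services/java.sql.Driver"
SIG_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")


def inspect_driver_jar(jar_bytes, pinned_sha256):
    """Return facts an upload handler can use to accept or reject a driver JAR."""
    digest = hashlib.sha256(jar_bytes).hexdigest()
    drivers = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        if SERVICE_FILE in names:
            for line in jar.read(SERVICE_FILE).decode("utf-8").splitlines():
                line = line.split("#", 1)[0].strip()  # '#' starts a comment
                if line:
                    drivers.append(line)
    # Presence of signature files only; real verification needs the JVM
    # (java.util.jar.JarFile) or `jarsigner -verify`.
    has_sig = any(n.upper().startswith("META-INF/")
                  and n.upper().endswith(SIG_SUFFIXES) for n in names)
    return {
        "sha256": digest,
        "auto_registered_drivers": drivers,  # classes the JVM would load
        "has_signature_files": has_sig,
        "accept": digest in pinned_sha256,   # decision rests on the digest
    }


def build_sample_jar(driver_class, class_bytes):
    """Constructed sample: a minimal JAR with a service entry and one class."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(SERVICE_FILE, driver_class + "\n")
        jar.writestr(driver_class.replace(".", "/") + ".class", class_bytes)
    return buf.getvalue()


# Constructed inputs: identical driver class name, different contents.
vendor_jar = build_sample_jar("oracle.jdbc.OracleDriver", b"vendor bytes")
other_jar = build_sample_jar("oracle.jdbc.OracleDriver", b"different bytes")
# Stands in for a digest published by the DBMS vendor (assumption).
PINNED = {hashlib.sha256(vendor_jar).hexdigest()}

if __name__ == "__main__":
    for label, jar in (("vendor", vendor_jar), ("other", other_jar)):
        print(label, inspect_driver_jar(jar, PINNED))
```

Both sample JARs declare the same driver class, yet only the one whose digest is pinned is accepted.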

Conclusion

As a conclusion, I think there are a couple of things DBMS vendors can do to make everyone’s life easier:

  • Please reconsider licensing of your JDBC drivers and allow ISVs to redistribute them. This post would be non-existent if the drivers came packaged with the software.
  • If you are not signing your JDBC driver JARs, you should be!
