Tags: java, hsqldb

need to access hsqldb static method but get java.sql.SQLSyntaxErrorException: user lacks privilege or object not found


I'm trying to access the deserialize static method within the hsqldb (2.5.1) InOutUtil class. When I run it with

java -cp hsqldb.jar:. testcode

I get:

java.sql.SQLSyntaxErrorException: user lacks privilege or object not found: org.hsqldb.lib.InOutUtil.deserialize
    at org.hsqldb.jdbc.JDBCUtil.sqlException(Unknown Source)
    at org.hsqldb.jdbc.JDBCUtil.sqlException(Unknown Source)
    at org.hsqldb.jdbc.JDBCStatement.fetchResult(Unknown Source)
    at org.hsqldb.jdbc.JDBCStatement.execute(Unknown Source)
    at testcode.main(testcode.java:58)
Caused by: org.hsqldb.HsqlException: user lacks privilege or object not found: org.hsqldb.lib.InOutUtil.deserialize
    at org.hsqldb.error.Error.error(Unknown Source)
    at org.hsqldb.result.Result.getException(Unknown Source)
    ... 4 more

Code:

...

// connect as the built-in SA (DBA) account; dburl points at the local instance
connection = DriverManager.getConnection(dburl, "sa", "");
statement = connection.createStatement();
// legacy-style direct call of a static Java method (double-quoted class.method name)
statement.execute("call \"java.lang.System.setProperty\"('org.apache.commons.collections.enableUnsafeSerialization','true')");
// my_object holds the serialized payload bytes as a string; this is the call that fails
statement.execute("call \"org.hsqldb.lib.InOutUtil.deserialize\"('" + my_object +"');");
    
...

This is the offending line that throws the exception:

statement.execute("call \"org.hsqldb.lib.InOutUtil.deserialize\"('" + my_object +"');");

What I'm trying to do is reproduce this exploit, https://github.com/Critical-Start/Team-Ares/tree/master/CVE-2020-5902, on a local instance of hsqldb.

Not sure what I'm doing wrong. Thanks!


Solution

  • The exploit you linked to refers to HSQLDB version 1.8.0, which has been obsolete since the release of version 2.0 in 2010. However, aspects of the security framework remain the same up to the latest version of HyperSQL.

    1. A database user with even the DBA credentials cannot execute any arbitrary static method that happens to be in the classpath of the database server. A sysadmin who starts the database server can issue an allow-list of the specific static methods that are allowed to run as callable procedures, using the hsqldb.method_class_names Java System property with the list. See: http://hsqldb.org/doc/2.0/guide/sqlroutines-chapt.html#src_jrt_access_control

    2. The listed safe static methods can then be turned into SQL callable procedures only by DBA credentials. EXECUTE privileges on the procedures are granted by the DBA.

    3. Versions 2.x of HyperSQL generally improve upon the older security framework, for example by allowing secure password hash algorithms, password check and retention policies, and external authentication via LDAP and other frameworks.
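Worked example of the allow-list flow the answer describes (system property set by the sysadmin, routine created by the DBA, EXECUTE granted to an ordinary user). This is an added example, not code from the question, the answer, or the HSQLDB project. It assumes hsqldb.jar (2.x) on the classpath; the class AllowListDemo and its greet method are made up for the demo, and the property format (entries separated by ";", "SomeClass.*" as a wildcard) is taken from the guide section linked in the answer and should be checked against the version you run.

```java
// Added example (not from the question or the answer): HSQLDB 2.x allow-list flow.
// Assumes hsqldb.jar on the classpath; AllowListDemo/greet are demo names.
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class AllowListDemo {

    // The one static method we intend to expose to SQL.
    public static String greet(String name) {
        return "hello, " + name;
    }

    public static void main(String[] args) throws SQLException {
        // Step 1 (sysadmin): allow-list this single method. HSQLDB reads the
        // property when its classes load, so set it before touching any
        // org.hsqldb class; in a real deployment pass it on the command line:
        //   java -Dhsqldb.method_class_names=AllowListDemo.greet -cp hsqldb.jar:. AllowListDemo
        // Entries are ';'-separated; "SomeClass.*" would allow every static
        // method of SomeClass (format per the linked guide; assumption, verify).
        System.setProperty("hsqldb.method_class_names", "AllowListDemo.greet");

        String url = "jdbc:hsqldb:mem:allowlistdemo";

        try (Connection dba = DriverManager.getConnection(url, "SA", "");
             Statement s = dba.createStatement()) {

            // Even as SA (a DBA), a direct call to a method that is not on the
            // list is refused with the same error the question shows.
            try {
                s.execute("CALL \"java.lang.System.setProperty\"('demo.prop', 'x')");
                System.out.println("unexpected: direct call succeeded");
            } catch (SQLException e) {
                System.out.println("refused as expected: " + e.getMessage());
            }

            // Step 2 (DBA): wrap the allow-listed method as an SQL function.
            s.execute("CREATE FUNCTION GREET(NAME VARCHAR(100)) RETURNS VARCHAR(200) "
                    + "LANGUAGE JAVA DETERMINISTIC NO SQL "
                    + "EXTERNAL NAME 'CLASSPATH:AllowListDemo.greet'");

            // Step 2 (DBA): a non-DBA user gets EXECUTE on that one routine only.
            s.execute("CREATE USER APPUSER PASSWORD 'change-me'");
            s.execute("GRANT EXECUTE ON FUNCTION GREET TO APPUSER");
        }

        // The application user can call GREET and nothing else on the JVM.
        try (Connection app = DriverManager.getConnection(url, "APPUSER", "change-me");
             Statement s = app.createStatement();
             ResultSet rs = s.executeQuery("CALL GREET('world')")) {
            rs.next();
            System.out.println(rs.getString(1));
        }
    }
}
```

The point to take from it: in 2.x the double-quoted direct call that the question relies on is gated by the system property, not by the SQL user's role, so connecting as SA does not help; the supported path is a DBA-created routine over an allow-listed method plus an explicit EXECUTE grant.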