I am basically walking the LDAP tree in Active Directory.
At each level I query for "(objectClass=*)". When I do this on the root eg "dc=example,dc=com" I get the exception below. This works fine on our other LDAP instances. For some reason only on our Active Directory server I get this exception. I also get the same exception when using JXplorer on our Active Directory server.
From reading around online I found people saying you should turn on following, not sure what that means... So on my controls object (javax.naming.directory.SearchControls) that I pass with the query I call searchControls.setDerefLinkFlag(true). I also have tried setting it to false with the same result. Any a suggestions on what else could cause this? Maybe how I could fix it?
Note: In this post I changed the baseDn from dc=<my company domain> to example for my companies privacy.
javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name 'dc=example,dc=com'
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2820)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2794)
at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1826)
at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1749)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:368)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:338)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:321)
at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:248)
at com.motio.pi.gui.panels.useraccess.ldap.LDAPConnector.query(LDAPConnector.java:262)
at com.motio.pi.gui.selector.directory.CognosDirectoryBrowserController.expandCognosTreeNode(CognosDirectoryBrowserController.java:99)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.motio.pi.utils.PIThreadDelegate$1.run(PIThreadDelegate.java:54)
at java.lang.Thread.run(Thread.java:662)
So when I was creating my naming context with the method:
javax.naming.ldap.InitialLdapContext.InitialLdapContext(
Hashtable<?, ?> environment, Control[] connCtls)
In the argument environment there is a property with the name Context.REFERRAL and its value should be set to: follow. This was the setting that I needed.
If you get an exception while referral usage in follow (for example: connection timed out) you can use referral ignore but you dont want to get partial exception you can use 3268 port number instead of 389 this port is using global catalog for ldap. You can find info from following link;
https://technet.microsoft.com/en-us/library/how-global-catalog-servers-work(v=ws.10).aspx
Related
I'm trying to access the deserialize static method within the hsqldb (2.5.1) InOutUtil class. When I run it, java -cp hsqldb.jar:. testcode
I get:
java.sql.SQLSyntaxErrorException: user lacks privilege or object not found: org.hsqldb.lib.InOutUtil.deserialize
at org.hsqldb.jdbc.JDBCUtil.sqlException(Unknown Source)
at org.hsqldb.jdbc.JDBCUtil.sqlException(Unknown Source)
at org.hsqldb.jdbc.JDBCStatement.fetchResult(Unknown Source)
at org.hsqldb.jdbc.JDBCStatement.execute(Unknown Source)
at testcode.main(testcode.java:58)
Caused by: org.hsqldb.HsqlException: user lacks privilege or object not found: org.hsqldb.lib.InOutUtil.deserialize
at org.hsqldb.error.Error.error(Unknown Source)
at org.hsqldb.result.Result.getException(Unknown Source)
... 4 more
Code:
...
connection = DriverManager.getConnection(dburl, "sa", "");
statement = connection.createStatement();
statement.execute("call \"java.lang.System.setProperty\"('org.apache.commons.collections.enableUnsafeSerialization','true')");
statement.execute("call \"org.hsqldb.lib.InOutUtil.deserialize\"('" + my_object +"');");
...
This is the offending line that throws the exception:
statement.execute("call \"org.hsqldb.lib.InOutUtil.deserialize\"('" + my_object +"');");
What I'm trying to do is reproduce this exploit, https://github.com/Critical-Start/Team-Ares/tree/master/CVE-2020-5902, on a local instance of hsqldb.
Not sure what I'm doing wrong. Thanks!
The exploit you linked to refers to HSQLDB version 1.8.0 which has been obsolete since the release of version 2.0 in 2010. However, aspects of the the security framework remain the same up to the latest version of HyperSQL.
A database user with even the DBA credentials cannot execute any arbitrary static method that happens to be in the classpath of the database server. A sysadmin who starts the database server can issue an allow-list of the specific static methods that are allowed to run as callable procedures, using the hsqldb.method_class_names Java System property with the list. See: http://hsqldb.org/doc/2.0/guide/sqlroutines-chapt.html#src_jrt_access_control
The listed safe static methods can then be turned into SQL callable procedures only by DBA credentials. EXECUTE privileges on the procedures are granted by the DBA.
Versions 2.x of HyperSQL generally improve upon the older security framework, for example allows secure password hash algorithms, password check and retention policies, including external authentication via LDAP and other frameworks.
You may succeed if you "try harder" and find the way HSQLDB expects parameter type definitions.
With HSQLDB 2.7.1 the maintainer's answer is enforced by either the absence or the presence of the server's system property (in addition to the connecting user's privilege needed to execute procedures). The server requires an explicit permission in its own Java properties such as -Dhsqldb.method_class_names="org.hsqldb.lib.StringConverter.*". (Using just the class name did not enable its static methods for me).
$ java -jar ~/hsqldb-svn-trunk/lib/sqltool.jar --inlineRc="url=jdbc:hsqldb:hsql://localhost/test,user=sa,password=" --sql="CALL \"org.hsqldb.lib.StringConverter.getUTFSize\"('java.class.path');"
15
With older HSQLDBs (or with a dangerously wide class name permission in 2.7.1), the only hurdle is to correctly declare the Java method's parameter types. I already figured that byte corresponds to TINYINT. I just need to learn the array mapping.
$ nl=$'\n'; java -cp ~/hsqldb-svn-trunk/lib/sqltool.jar org.hsqldb.cmdline.SqlTool --inlineRc="url=jdbc:hsqldb:hsql://localhost/test,user=sa,password=" --sql="CREATE FUNCTION TEST (BINARY) RETURNS BINARY NO SQL LANGUAGE JAVA EXTERNAL NAME 'CLASSPATH:org.hsqldb.lib.InOutUtil.deserialize';${nl}.;"
Feb 14, 2023 2:29:58 PM org.hsqldb.cmdline.SqlTool objectMain
SEVERE: SQL Error at '--sql' line 2:
"CREATE FUNCTION TEST (BINARY) RETURNS BINARY NO SQL LANGUAGE JAVA EXTERNAL NAME 'CLASSPATH:org.hsqldb.lib.InOutUtil.deserialize';"
user lacks privilege or object not found: org.hsqldb.lib.InOutUtil
org.hsqldb.cmdline.SqlTool$SqlToolException
we are trying to connect to SFTP server using spring integration [SFTP outbound-gateway] to download all files with the following directory expression '/*/*/foo/' . unfortunately we are getting different exceptions :
Caused by: org.springframework.core.NestedIOException: Failed to list files; nested exception is 2: No such file
at org.springframework.integration.sftp.session.SftpSession.list(SftpSession.java:103)
at org.springframework.integration.sftp.session.SftpSession.list(SftpSession.java:50)
at org.springframework.integration.file.remote.gateway.AbstractRemoteFileOutboundGateway.listFilesInRemoteDir(AbstractRemoteFileOutboundGateway.java:582)
at org.springframework.integration.file.remote.gateway.AbstractRemoteFileOutboundGateway.ls(AbstractRemoteFileOutboundGateway.java:551)
at org.springframework.integration.file.remote.gateway.AbstractRemoteFileOutboundGateway.mGetWithRecursion(AbstractRemoteFileOutboundGateway.java:753)
at org.springframework.integration.file.remote.gateway.AbstractRemoteFileOutboundGateway.mGet(AbstractRemoteFileOutboundGateway.java:713)
at org.springframework.integration.file.remote.gateway.AbstractRemoteFileOutboundGateway$3.doInSession(AbstractRemoteFileOutboundGateway.java:455)
at org.springframework.integration.file.remote.gateway.AbstractRemoteFileOutboundGateway$3.doInSession(AbstractRemoteFileOutboundGateway.java:451)
at org.springframework.integration.file.remote.RemoteFileTemplate.execute(RemoteFileTemplate.java:334)
... 33 more
Caused by: 2: No such file
at com.jcraft.jsch.ChannelSftp.throwStatusError(ChannelSftp.java:2833)
at com.jcraft.jsch.ChannelSftp._stat(ChannelSftp.java:2185)
at com.jcraft.jsch.ChannelSftp._stat(ChannelSftp.java:2202)
at com.jcraft.jsch.ChannelSftp.ls(ChannelSftp.java:1566)
at com.jcraft.jsch.ChannelSftp.ls(ChannelSftp.java:1527)
at org.springframework.integration.sftp.session.SftpSession.list(SftpSession.java:91)
... 41 more
we are using the following :
<int-sftp:outbound-gateway session-factory="sftpFactory" request-channel="download"
command="mget" command-options="-R" expression="'/*/*/foo/'" remote-file-separator="/"
local-directory-expression="'${local.dir}'+ #remoteDirectory" reply-channel="outputChannel"
auto-create-local-directory="true" />
Only simple wildcards are supported, such as /foo/* - meaning fetch recursively from /foo - the * is actually not needed in this case, /foo/ will do the same thing.
But, there's no way to wild-card higher level directories.
Depending on how complex your tree is, you might be able to use a custom filter instead - the filter is invoked during each recursion (where each directory is listed, filter applied, then files fetched).
Good afternoon,
When I attempt to use the SMTP Appender, I get an odd error in the console. The error appears to occur when the XML file is loaded, as it isn't logged via any output stream except stdout. The contents of the appender are as follows (and I have confirmed that the error is in this block of XML). I've removed our server information.
<SMTP name="Mailer">
<Subject>[ERROR] (software name) on ${hostName} has thrown a fatal error</Subject>
<To>(a valid email in the form of a#a.com)</To>
<From>(a valid email in the form of a#a.com)</From>
<SMTPHost>(The Internal IP address of a server in the form of 192.168.0.1)</SMTPHost>
<SMTPPort>587</SMTPPort>
<BufferSize>512</BufferSize>
</SMTP>
Whether or not it is referenced in a logger, I receive the following error immediately upon running the program and running getLogger from the log manager. I've removed a couple of the file names and replaced them with a rough description of what the file is doing at that point.
2015-05-19 19:08:18,812 ERROR Unable to invoke factory method in class class org.apache.logging.log4j.core.appender.SmtpAppender for element SMTP. java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at org.apache.logging.log4j.core.config.plugins.util.PluginBuilder.build(PluginBuilder.java:137)
at org.apache.logging.log4j.core.config.AbstractConfiguration.createPluginObject(AbstractConfiguration.java:766)
at org.apache.logging.log4j.core.config.AbstractConfiguration.createConfiguration(AbstractConfiguration.java:706)
at org.apache.logging.log4j.core.config.AbstractConfiguration.createConfiguration(AbstractConfiguration.java:698)
at org.apache.logging.log4j.core.config.AbstractConfiguration.doConfigure(AbstractConfiguration.java:358)
at org.apache.logging.log4j.core.config.AbstractConfiguration.start(AbstractConfiguration.java:161)
at org.apache.logging.log4j.core.LoggerContext.setConfiguration(LoggerContext.java:361)
at org.apache.logging.log4j.core.LoggerContext.reconfigure(LoggerContext.java:426)
at org.apache.logging.log4j.core.LoggerContext.reconfigure(LoggerContext.java:442)
at org.apache.logging.log4j.core.LoggerContext.start(LoggerContext.java:138)
at org.apache.logging.log4j.core.impl.Log4jContextFactory.getContext(Log4jContextFactory.java:147)
at org.apache.logging.log4j.core.impl.Log4jContextFactory.getContext(Log4jContextFactory.java:41)
at org.apache.logging.log4j.LogManager.getContext(LogManager.java:175)
at org.apache.logging.log4j.LogManager.getLogger(LogManager.java:426)
at (Our Log Interface Class, which essentially just returns the log passed by the Apache log manager)
at (The global variable definition file, the first method to use getLogger)
at (The main method for our software, where the globals are loaded)
Caused by: java.lang.NoSuchMethodError: javax.mail.Session.setProtocolForAddress(Ljava/lang/String;Ljava/lang/String;)V
at org.apache.logging.log4j.core.net.SmtpManager$SMTPManagerFactory.createManager(SmtpManager.java:325)
at org.apache.logging.log4j.core.net.SmtpManager$SMTPManagerFactory.createManager(SmtpManager.java:299)
at org.apache.logging.log4j.core.appender.AbstractManager.getManager(AbstractManager.java:71)
at org.apache.logging.log4j.core.net.SmtpManager.getSMTPManager(SmtpManager.java:124)
at org.apache.logging.log4j.core.appender.SmtpAppender.createAppender(SmtpAppender.java:142)
... 21 more
2015-05-19 19:08:18,814 ERROR Null object returned for SMTP in Appenders.
2015-05-19 19:08:18,819 ERROR Unable to locate appender Mailer for logger fatalerror
The details of the configuration are correct (I know it's a valid IP, etc) - they worked in log4j 1. The error log tells me virtually nothing about the error, so I am hoping someone has heard of this before. Thanks everyone!
This is the important line from your stacktrace:
Caused by: java.lang.NoSuchMethodError: javax.mail.Session.setProtocolForAddress(Ljava/lang/String;Ljava/lang/String;)V
The setProtocolForAddress method has been part of JavaMail since version 1.4, so this suggests to me that you are using an old version of that JAR. If you are, try upgrading to a later version.
Note that log4j2 has many lookups, not just system properties. So you need to convert ${hostName} to ${sys:hostName}, and if you are using a lookup for the IP address, this may be the cause of the issue. (Try hardcoding all lookup values to exclude this possibility.)
While starting the play server, we are getting the exception "config locations must not be null", Can anyone let me know what's going wrong?
Exception
Starting gpp-web at port 9000... ERROR
java.lang.IllegalArgumentException: Config locations must not be null
at org.springframework.util.Assert.noNullElements(Assert.java:241)
at org.springframework.context.support.AbstractRefreshableConfigApplicationContext.setConfigLocations(AbstractRefreshableConfigApplicationContext.java:77)
at org.springframework.context.support.ClassPathXmlApplicationContext.<init>(ClassPathXmlApplicationContext.java:137)
at org.springframework.context.support.ClassPathXmlApplicationContext.<init>(ClassPathXmlApplicationContext.java:83)
at Global.onStart(Global.java:15)
at play.core.j.JavaGlobalSettingsAdapter.onStart(JavaGlobalSettingsAdapter.scala:18)
at play.api.GlobalPlugin.onStart(GlobalSettings.scala:203)
at play.api.Play$$anonfun$start$1$$anonfun$apply$mcV$sp$1.apply(Play.scala:88)
at play.api.Play$$anonfun$start$1$$anonfun$apply$mcV$sp$1.apply(Play.scala:88)
at scala.collection.immutable.List.foreach(List.scala:318)
at play.api.Play$$anonfun$start$1.apply$mcV$sp(Play.scala:88)
at play.api.Play$$anonfun$start$1.apply(Play.scala:88)
at play.api.Play$$anonfun$start$1.apply(Play.scala:88)
at play.utils.Threads$.withContextClassLoader(Threads.scala:18)
at play.api.Play$.start(Play.scala:87)
at play.core.StaticApplication.<init>(ApplicationProvider.scala:52)
at play.core.server.NettyServer$.createServer(NettyServer.scala:243)
at play.core.server.NettyServer$$anonfun$main$3.apply(NettyServer.scala:279)
at play.core.server.NettyServer$$anonfun$main$3.apply(NettyServer.scala:274)
at scala.Option.map(Option.scala:145)
at play.core.server.NettyServer$.main(NettyServer.scala:274)
at play.core.server.NettyServer.main(NettyServer.scala)
Thanks James,
But found the problem, actually we build three different configuration file for play depend on environment like dev, UAT & Prod.
I forgot to add the "spring.context.location="applicationContext.xml" the parameter in configuration file & error has been popping up.
But thanks for suggestion .....
Gladiator
I'm running the following tutorial:
http://download.oracle.com/javase/6/docs/technotes/guides/security/jgss/tutorials/BasicClientServer.html
I'm getting the following prompts:
Connected to server localhost/127.0.0.1
Kerberos username [login]: {I enter my username here}
Kerberos password for login: {I enter my password here}
I get the following error:
Can you ascertain the root cause of this?
Exception in thread "main" GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))
at sun.security.jgss.krb5.Krb5InitCredential.getTgt(Krb5InitCredential.java:333)
at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:128)
at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:106)
at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:172)
at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:209)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:195)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
at demo.SampleClient.main(SampleClient.java:145)
Caused by: javax.security.auth.login.LoginException: Message stream modified (41)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:696)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$5.run(LoginContext.java:706)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:703)
at javax.security.auth.login.LoginContext.login(LoginContext.java:575)
at sun.security.jgss.GSSUtil.login(GSSUtil.java:246)
at sun.security.jgss.krb5.Krb5Util.getTicket(Krb5Util.java:136)
at sun.security.jgss.krb5.Krb5InitCredential$1.run(Krb5InitCredential.java:328)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.jgss.krb5.Krb5InitCredential.getTgt(Krb5InitCredential.java:325)
... 7 more
Caused by: KrbException: Message stream modified (41)
at sun.security.krb5.KrbKdcRep.check(KrbKdcRep.java:53)
at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:96)
at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:449)
at sun.security.krb5.Credentials.sendASRequest(Credentials.java:410)
at sun.security.krb5.Credentials.acquireTGT(Credentials.java:378)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:662)
... 23 more
I got exceptions “Message stream modified (41)”, when the Kerberos realm didn’t match. The realm (in system property java.security.krb5.realm) has to match exactly, including upper/lower case.
I'm wondering if this is a possibility (ie even if registry key is set, locked out for local administrators):
http://cr.openjdk.java.net/~weijun/special/krb5winguide-2/raw_files/new/kwin
Known Issues
If an AD account is also added into local administrator group on the
client PC, Microsoft restricts such client from getting the session key
for tickets (even if you set the allowtgtsessionkey registry key to 1).
The workaround is: Just forget you're a logged in user, call kinit.exe.
Do not depends on LSA credential cache.
I cannot confirm that issue. I do have admin rights on my machine and still are able to obtain the session key from the LSA. You should enable full debug ouput on JGSS and the Krb5LoginModule. Share your krb5.ini and login.conf too. I hope your are aware that the above example cannot work because your client cannot obtain a ticket for a local host. It has to be a FQDN with an appropriate SPN set in the Active Directory.