Auditing JDBC Drivers at Scale with AI led to $85,000 bounty
2 days ago
- #JDBC Drivers
- #Bug Bounty
- #Hacktron CLI
- Collaboration on a bug bounty event, auditing JDBC drivers for potential RCE or server-side vulnerabilities.
- Use of Hacktron CLI to automate auditing of JDBC drivers, significantly reducing manual review time.
- Discovery of vulnerabilities in the Databricks JDBC driver, including arbitrary file reads/writes via the 'StagingAllowedLocalPaths' property.
- Exploitation of file read/write primitives to achieve RCE by manipulating Git repository configurations.
- Identification of vulnerabilities in other JDBC drivers like Exasol (arbitrary file read) and Teradata (command injection).
- Total earnings of $85,000 in bug bounties from discovered vulnerabilities.
- Reflection on the evolving landscape of vulnerability research with AI-assisted tools like Hacktron CLI.