This blog post is about a DLL sideloading vulnerability in the 64-bit Windows version of Oracle Java. It allows any local user to inject code into Java processes of other users. At the time of writing it has been verified with the latest stable 64-bit Java version 1.8.0_101 on both a fully patched Windows 7 and a fully patched Windows 2008R2 operating system. The issue is not triggered by all Java applications; however, Burp and the 32-bit version of Angry IP Scanner have been verified to be vulnerable. I think it depends on the imported frameworks whether an application triggers the problem.

Technically, the issue is that DLLs (namely sunec.dll and sunmscapi.dll) are loaded from the non-existing folder C:\Program%20Files\Java\jre\lib\ext. This is most likely caused by some kind of encoding issue, as %20 represents a URL-encoded space.

As any local user is allowed to append new folders to the C: drive's root, the Program%20Files folder can be created. Thereby, any local user can place a malicious DLL into C:\Program%20Files\Java\jre1.8.0_101\lib\ext.

I verified this myself by building a simple placeholder DLL. After launching Burp the DLL got loaded and executed. The screenshot below shows the opened dialog.

[Screenshot: the opened dialog]

As the newly created Program%20Files folder is located on the drive's root, this issue affects any local user. Thereby code can be injected into other users' Windows sessions. Additionally, if any vulnerable Java application is running as a privileged application (SYSTEM, local admin, domain admin), this issue can also be used to escalate one's permissions vertically.

The issues have been documented and reported. The issue has been confirmed by the vendor.
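A detection sketch for the condition described in this post, added here as an example and not part of the original write-up: it flags DLL loads, and drive-root folders, whose top-level directory is a percent-encoded spelling of a protected folder such as Program Files. The process names, sample events and the `PROTECTED` set are constructed assumptions; in practice the inputs would be image-load records (for example Sysmon Event ID 7) and a listing of the drive root.

```python
import ntpath
from urllib.parse import unquote

# Assumption: top-level folders only administrators can write to (lower-cased).
PROTECTED = {"program files", "program files (x86)", "windows"}

def top_component(path):
    """First directory below the drive root of a Windows path."""
    _, rest = ntpath.splitdrive(ntpath.normpath(path))
    return rest.lstrip("\\").split("\\", 1)[0]

def is_encoded_twin(name, protected=PROTECTED):
    """True if name is a percent-encoded spelling of a protected folder."""
    decoded = unquote(name)
    return decoded != name and decoded.lower() in protected

def rogue_root_dirs(root_entries, protected=PROTECTED):
    """Names found in a drive root that shadow a protected folder."""
    return [n for n in root_entries if is_encoded_twin(n, protected)]

def flag_loads(events, protected=PROTECTED):
    """events: (process, loaded_dll_path) pairs from an image-load log."""
    return [(proc, dll) for proc, dll in events
            if is_encoded_twin(top_component(dll), protected)]

# Constructed sample data; only the %20 folder and the DLL names come from the post.
SAMPLE_EVENTS = [
    ("javaw.exe", r"C:\Program%20Files\Java\jre1.8.0_101\lib\ext\sunec.dll"),
    ("javaw.exe", r"C:\Program Files\Java\jre1.8.0_101\bin\java.dll"),
    ("app.exe",   r"C:\Program Files\Vendor\100%25\helper.dll"),
    ("javaw.exe", r"c:/program%20files/Java/jre/lib/ext/sunmscapi.dll"),
]
SAMPLE_ROOT = ["Program Files", "Program%20Files", "Users", "Windows", "100%"]

if __name__ == "__main__":
    for proc, dll in flag_loads(SAMPLE_EVENTS):
        print(f"suspicious load: {proc} <- {dll}")
    print("rogue root folders:", rogue_root_dirs(SAMPLE_ROOT))
```

On a live host, pass `os.listdir("C:\\")` to `rogue_root_dirs`; a hit there is worth investigating even before any load from it shows up in the logs.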