Author(s): Ivan Sanchez & Hernan Hegykozi
Contact Us: security@evilcode.com.ar
Versions: Oracle Corporation
Date: 17/08/2011
Product: Java update
Vendor: Notified
BugId: http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7080023
We have discovered that the product “Java/Jucheck.exe” presents a serious DLL hijacking vulnerability. The basis of this exploit is the way in which Jucheck works and how it loads DLL files used by many applications: if an application calls a DLL without specifying an absolute path, Windows will search for the DLL file in a fixed sequence of locations. This can be, and is being, abused.
Binary Affected:
http://www.java.com/en/download/faq/jucheck.xml
jucheck.exe
DLL Affected:
peerdist.dll
POC:
\\Internet-Share\jucheck.exe + peerdist.dll
( The affected DLL will execute the planted code when the end user opens or runs the application )
Attack Vector:
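To show why a DLL placed next to the executable wins, here is an added example (not part of this advisory) that models the documented Windows DLL search order and audits where a given DLL name would be resolved from. The share name, directory listings and DLL names are constructed assumptions; KnownDLLs (always taken from System32) are outside this model.

```python
# Model of the Windows LoadLibrary search order when no absolute path is
# given, used to audit which DLLs would resolve from an untrusted location.
# Constructed example; directory contents below are assumptions.
from typing import Dict, List, Optional

SYSTEM32 = r"C:\Windows\System32"
SYSTEM16 = r"C:\Windows\System"
WINDIR = r"C:\Windows"
TRUSTED_DIRS = {SYSTEM32.lower(), SYSTEM16.lower(), WINDIR.lower()}


def search_order(app_dir: str, cwd: str, path_dirs: List[str],
                 safe_mode: bool = True) -> List[str]:
    """Directories probed, in order. SafeDllSearchMode (default since
    XP SP2) moves the current directory behind the Windows directories;
    in both modes the application's own directory is probed first."""
    if safe_mode:
        return [app_dir, SYSTEM32, SYSTEM16, WINDIR, cwd] + path_dirs
    return [app_dir, cwd, SYSTEM32, SYSTEM16, WINDIR] + path_dirs


def resolve_dll(dll: str, app_dir: str, cwd: str, path_dirs: List[str],
                fs: Dict[str, List[str]], safe_mode: bool = True) -> Optional[str]:
    """Return the directory the DLL would be loaded from, or None."""
    for d in search_order(app_dir, cwd, path_dirs, safe_mode):
        if dll.lower() in {n.lower() for n in fs.get(d, [])}:
            return d
    return None


def audit_dll_loads(dlls, app_dir, cwd, path_dirs, fs, safe_mode=True):
    """Flag every DLL that resolves outside the Windows system directories."""
    findings = []
    for dll in dlls:
        src = resolve_dll(dll, app_dir, cwd, path_dirs, fs, safe_mode)
        if src is not None and src.lower() not in TRUSTED_DIRS:
            findings.append((dll, src))
    return findings


# Constructed scenario: jucheck.exe launched from a remote share that also
# carries a planted peerdist.dll; a legitimate copy lives in System32.
SHARE = r"\\Internet-Share"
FS = {SHARE: ["jucheck.exe", "peerdist.dll"],
      SYSTEM32: ["dwmapi.dll", "peerdist.dll"]}

if __name__ == "__main__":
    # Planted copy wins even with SafeDllSearchMode: app dir is probed first.
    print(audit_dll_loads(["peerdist.dll", "dwmapi.dll"], SHARE, SHARE, [], FS))
```

The audit also shows the second hazard: a DLL that does not exist in the system directories at all falls through to the current directory even in safe mode.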
Some interesting findings:
Clicking a link to a remote shared folder on a web page will open this share in Windows Explorer without a warning for 67% of all Internet Explorer users.
Clicking a link to a remote shared folder in an e-mail message will open this share in Windows Explorer without a warning for all Outlook, Windows Mail and Windows Live Mail users, regardless of their default web browser. (E-mail is the most likely vector for targeted attacks on corporate and government networks.)
In contrast to Internet Explorer, we found no way to launch Windows Explorer via a hyperlink from Firefox, Chrome or Opera, while Safari does open a remote shared folder when the web page containing the link comes from a local drive (e.g., the attacker sends an HTML file to the user via e-mail).
The Protected View makes Word 2010 and Excel 2010 less suitable for binary planting attacks, as documents originating from Internet or received via Outlook require the user to confirm a security warning before hyperlinks are enabled.
All in all, it appears that most attack scenarios don’t include any security warnings. Users should therefore be careful when opening any hyperlinks – not just on web pages, but also in e-mail, documents and IM messages.