SUN Jucheck.exe Untrusted Library Loading Execution Code

2011-08-17 / 2011-08-18
Risk: High
Local: No
Remote: Yes

Author(s): Ivan Sanchez & Hernan Hegykozi
Contact Us:
Versions: Oracle Corporation
Date: 17/08/2011
Product: Java update
Vendor: Notified
BugId:

We have discovered that the product “Java/Jucheck.exe” has a serious DLL hijacking flaw. The basis of this exploit is the way in which Jucheck works and how it loads DLL files used by many applications: if an application calls a DLL without specifying an absolute path, Windows will search for the DLL file in various set locations. This, of course, can be and is being abused.

Binary Affected: jucheck.exe
DLL Affected: peerdist.dll
POC: \\Internet-Share\\jucheck.exe + peerdist.dll (the affected DLL will execute the evil code when the end user opens/runs the app)

Vector Attack:

Some interesting findings:

Clicking a link to a remote shared folder on a web page will open this share in Windows Explorer without a warning for 67% of all Internet Explorer users.

Clicking a link to a remote shared folder in an e-mail message will open this share in Windows Explorer without a warning for all Outlook, Windows Mail and Windows Live Mail users, regardless of their default web browser. (E-mail is the most likely vector for targeted attacks on corporate and government networks.)

In contrast to Internet Explorer, we found no way to launch Windows Explorer via a hyperlink from Firefox, Chrome or Opera, while Safari does open a remote shared folder when the web page containing the link comes from a local drive (e.g., the attacker sends an HTML file to the user via e-mail).

The Protected View makes Word 2010 and Excel 2010 less suitable for binary planting attacks, as documents originating from the Internet or received via Outlook require the user to confirm a security warning before hyperlinks are enabled.

All in all, it appears that most attack scenarios don't include any security warnings. Users should therefore be careful when opening any hyperlinks – not just on web pages, but also in e-mail, documents and IM messages.
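The search behaviour described above, modelled as an added example for auditing where a bare-name DLL load resolves (this is not code from the advisory or from the vendor). The install path, the share name and the file listing are constructed assumptions, and the order is simplified: KnownDLLs, already-loaded modules and manifests are ignored.

```python
from ntpath import normcase, join

# Directories treated as trusted in this example (assumed default paths).
SYSTEM32 = r"C:\Windows\System32"
SYSTEM16 = r"C:\Windows\System"
WINDIR = r"C:\Windows"
TRUSTED = {normcase(d) for d in (SYSTEM32, SYSTEM16, WINDIR)}


def search_order(app_dir, cwd, path_dirs, safe_mode=True):
    """Directories Windows tries, in order, for a DLL loaded by bare name."""
    if safe_mode:   # SafeDllSearchMode enabled (the default)
        order = [app_dir, SYSTEM32, SYSTEM16, WINDIR, cwd]
    else:           # legacy order: current directory right after the app dir
        order = [app_dir, cwd, SYSTEM32, SYSTEM16, WINDIR]
    return order + list(path_dirs)


def resolve(dll, app_dir, cwd, path_dirs, files, safe_mode=True):
    """Return (full_path, trusted) for the first directory that holds `dll`.

    `files` maps directory -> set of file names (a constructed file system).
    """
    listing = {normcase(d): {f.lower() for f in names}
               for d, names in files.items()}
    for d in search_order(app_dir, cwd, path_dirs, safe_mode):
        if dll.lower() in listing.get(normcase(d), set()):
            return join(d, dll), normcase(d) in TRUSTED
    return None, False


# Constructed sample: the same binary started from its install directory
# and from a remote share that also holds a file named peerdist.dll.
INSTALL = r"C:\Program Files\Java\update"   # hypothetical install path
SHARE = r"\\fileserver\share"               # hypothetical UNC share
FILES = {
    SYSTEM32: {"peerdist.dll", "kernel32.dll"},
    INSTALL: {"jucheck.exe"},
    SHARE: {"jucheck.exe", "peerdist.dll"},
}

if __name__ == "__main__":
    for app_dir in (INSTALL, SHARE):
        path, trusted = resolve("peerdist.dll", app_dir, app_dir, [], FILES)
        print(f"{app_dir} -> {path} (trusted={trusted})")
```

Because the application directory is searched first in both modes, SafeDllSearchMode alone does not help when the executable itself is started from an untrusted location; it only changes the outcome when the untrusted directory is merely the current directory.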
