Bug
Resolution: Not an Issue
P3
7
x86
windows_xp
FULL PRODUCT VERSION :
Java (TM) 6 Update 30
Java (TM) 7 update 2
Other versions may be vulnerable
ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows XP Professional
5.1.2600 Service Pack 3 Build 2600
A DESCRIPTION OF THE PROBLEM :
The installation of jre-7u2-windows-i586.exe (or of the version 6 update 30) will create a service named "Java Quick Starter" (command line "C:\Program Files\Java\jre7\bin\jqs.exe" -service -config "C:\Program Files\Java\jre7\lib\deploy\jqs\jqs.conf").
The jqs.exe file loads some system DLLs in an insecure manner (in this example I used SETUPAPI.dll), looking in the executable path for them, so putting a DLL named SETUPAPI.dll into "C:\Program Files\Java\jre7\bin\" will load and run anything with SYSTEM privilege.
This leads to a privilege escalation, allowing, in the case of Windows XP, Power Users (default setting in XP) to run arbitrary code in the SYSTEM user context.
This is the version of jqs.exe:
--------------------------------------------------------------------------------------------
FILE INFO:
--------------------------------------------------------------------------------------------
File: C:\Program Files\Java\jre7\bin\jqs.exe
InternalName: jqs
OriginalFilename: jqs.exe
FileVersion: 10.2.0.13
FileDescription: Java(TM) Quick Starter Service
Product: Java(TM) Platform SE 7 U2
ProductVersion: 7.0.20.13
Debug: False
Patched: False
PreRelease: False
PrivateBuild: False
SpecialBuild: False
Language: Language Neutral
MD5 hash: 973db7ac74c554c546f8b0b7b98fb855
--------------------------------------------------------------------------------------------
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1) Copy a fake SETUPAPI.dll to C:\Program Files\Java\jre7\bin
2) Restart the service "Java Quick Starter" or restart pc
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
System dll should be loaded from system path
REPRODUCIBILITY :
This bug can be reproduced always.
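The expected behaviour stated in the report (system DLLs loaded from the system path) can be obtained for DLLs a program loads explicitly at run time by passing the loader an absolute path. The following is an added example, not code from the report or from the JRE; the helper names system_dll_path and load_system_dll are hypothetical, and the directory used in main is a constructed sample.

```c
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Build "<sysdir>\<name>" in out. Returns 0 on success, -1 when name is not a
   bare file name or the result does not fit. Hypothetical helper. */
int system_dll_path(const char *sysdir, const char *name, char *out, size_t outlen)
{
    size_t dlen, nlen;
    if (!sysdir || !name || !out) return -1;
    dlen = strlen(sysdir);
    nlen = strlen(name);
    if (dlen == 0 || nlen == 0) return -1;
    /* Reject separators, drive/stream colons and relative components: any of
       these would let the supplied name leave the system directory. */
    if (strpbrk(name, "\\/:") || !strcmp(name, ".") || !strcmp(name, ".."))
        return -1;
    if (sysdir[dlen - 1] == '\\') dlen--;   /* tolerate a trailing backslash */
    if (dlen + 1 + nlen + 1 > outlen) return -1;
    memcpy(out, sysdir, dlen);
    out[dlen] = '\\';
    memcpy(out + dlen + 1, name, nlen + 1); /* copies the terminating NUL */
    return 0;
}

#ifdef _WIN32
/* Load a system DLL by absolute path. LOAD_WITH_ALTERED_SEARCH_PATH replaces
   the application directory with the DLL's own directory when the loader
   resolves that DLL's dependencies. */
HMODULE load_system_dll(const char *name)
{
    char sysdir[MAX_PATH], full[MAX_PATH];
    UINT n = GetSystemDirectoryA(sysdir, sizeof sysdir);
    if (n == 0 || n >= sizeof sysdir) return NULL;
    if (system_dll_path(sysdir, name, full, sizeof full) != 0) return NULL;
    return LoadLibraryExA(full, NULL, LOAD_WITH_ALTERED_SEARCH_PATH);
}
#endif

int main(void)
{
    char p[260];
    /* Constructed sample: a typical XP system directory and the DLL from the report. */
    if (system_dll_path("C:\\WINDOWS\\system32", "SETUPAPI.dll", p, sizeof p) == 0)
        printf("%s\n", p);
    return 0;
}
```

This does not cover DLLs bound through the executable's import table, which the loader resolves before any program code runs.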