lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-Id: <681DA769-B42C-43EA-912D-EAD61DCAC4C2@dataix.net>
Date: Wed, 10 Feb 2016 14:45:22 -0600
From: Jason Hellenthal <jhellenthal@...aix.net>
To: Stefan Kanthak <stefan.kanthak@...go.de>
Cc: fulldisclosure@...lists.org, bugtraq@...urityfocus.com
Subject: Re: [FD] [CVE-2016-0602, CVE-2016-0603] Executable installers are vulnerable^WEVIL (case 24): Oracle Java 6/7/8 SE and VirtualBox

In 2019 you say huh. Damn future tellers !!! I need to get one of those !!!

-- 
 Jason Hellenthal
 JJH48-ARIN

On Feb 5, 2016, at 15:50, Stefan Kanthak <stefan.kanthak@...go.de> wrote:

Hi @ll,

the installers or Oracle's Java 6/7/8 for Windows and VirtualBox for
Windows load and execute several DLLs from their "application directory".

* The online installer jxpiinstall.exe:
 UXTheme.dll and RASAdHlp.dll plus
 (on Windows XP) SetupAPI.dll, HNetCfg.dll and XPSP2Res.dll
 (on Windows Vista and above) ProfAPI.dll, Secur32.dll, NTMarta.dll
 and Version.dll

* The offline installer jre-8u66-windows-i586.exe:
 UXTheme.dll, RASAdHlp.dll, NTMarta.dll, Secur32.dll, WinHTTP.dll,
 NetUtils.dll, ProfAPI.dll and WindowsCodecs.dll

* VirtualBox-5.0.12-104815-Win.exe:
 UXTheme.dll, MSIHnd.dll and MSI.dll plus
 (on Windows XP) SFC_OS.dll, ClbCatQ.dll, XPSP2Res.dll, WS2_32.dll
 and WS2Help.dll
 (on Windows 7) PropSys.dll, ProfAPI.dll and DWMAPI.dll


For software downloaded with a web browser the application
directory is typically the user's "Downloads" directory: see
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>
and <http://seclists.org/fulldisclosure/2012/Aug/134> for
"prior art" about this well-known and well-documented vulnerability.


Oracle published an advisory and new installers for Java SE today:
<http://www.oracle.com/technetwork/topics/security/alert-cve-2016-0603-2874360.html>

Oracle published updated versions of VirtualBox on 2019-01-19:
<http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html>


stay tuned
Stefan Kanthak

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ