Vulnerability Summary
Title: Oracle Java Installer Adds a System Path Which is Writable by All Users
Release Date: 21 January 2015
Reference: NCC00767
Discoverer: Edd Torkington
Vendor: Oracle
Vendor Reference: S0514586
Systems Affected: Oracle Java 8 Version 25
CVE Reference: CVE-2015-0421
Risk: High
Status: Fixed
Resolution Timeline
Discovered: 18 November 2014
Reported: 18 November 2014
Released: 21 November 2014
Fixed: 20 January 2015
Published: 21 January 2015
Vulnerability Description
“Java Platform, Standard Edition (Java SE) lets you develop and deploy Java applications on desktops and servers, as well as in today’s demanding embedded environments. Java offers the rich user interface, performance, versatility, portability, and security that today’s applications require.”
The Oracle Java Version 8 update 25 installer was found to add a system path which was writable by all users.
Technical Details
The vulnerability can be confirmed as shown below:
C:>path
PATH=C:ProgramDataOracleJavajavapath;C:Progra….
C:>cacls C:ProgramDataOracleJavajavapath
C:ProgramDataOracleJavajavapath NT AUTHORITYSYSTEM:(OI)(CI)(ID)F
BUILTINAdministrators:(OI)(CI)(ID)F
CREATOR OWNER:(OI)(CI)(IO)(ID)F
BUILTINUsers:(OI)(CI)(ID)R
BUILTINUsers:(CI)(ID)(special access:)
FILE_WRITE_DATA
FILE_APPEND_DATA
FILE_WRITE_EA
FILE_WRITE_ATTRIBUTES
This would allow an attacker to trivially elevate privileges by abusing processes with high privileges which rely on or load components from the system path.
Fix Information
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
NCC Group
Twitter: @NCCGroupInfoSec
Open Source: https://github.com/nccgroup
Blog: /en/blog/cyber-security/
SlideShare: http://www.slideshare.net/NCC_Group/
