Windows Java Usage Tracker Local Privilege Escalation Vulnerability Analysis (CVE-2018-3211)
Foreword
A design flaw in the Java Usage Tracker has been discovered, allowing an attacker to create arbitrary files and gain local privilege escalation. This vulnerability can be exploited to access system resources that are usually protected or limited to specific applications or users. Oracle fixed this vulnerability in October 2018, and it is essential for individuals and businesses to update their Java version as soon as possible.
Java Usage Tracker
The Java Usage Tracker is a tracking system for Java use. It has the following features:
- It logs information about the Java Virtual Machine (JVM) and its startup configuration parameters.
- It dumps data to a log file or redirects it to a UDP server.
- It allows custom attributes specified in the Usage Tracker configuration to be logged.
The configuration file for the Java Usage Tracker is named usagetracker.properties. It is located in a global default location that varies by operating system. For example, the default directory on Windows is %ProgramData%\Oracle\Java\.
User-Controlled Parameters
The usagetracker.properties file contains two attributes that control the behavior of the Java Usage Tracker:
- oracle.usagetracker.logToFile: allows the user to select any path in the system to save the log file.
- oracle.usagetracker.additionalProperties: may contain any other custom attributes to be tracked.
Using Custom Attributes to Achieve Exploits
An attacker can use custom attributes to achieve exploits by:
- Setting any log path.
- Setting any custom attribute.
On its own, this capability does not appear to be usable for an attack, but combined with other security vulnerabilities it can be exploited by attackers.
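A defensive audit of the two attributes described above, as an added example that is not part of the original article or of Oracle's code. The allowed log directory, the extension list and the sample file contents are assumptions made for illustration, and the parser covers only the subset of the Java properties syntax needed here.

```python
import ntpath
import re

PREFIX = "oracle.usagetracker."
# Assumptions for this example: extensions treated as runnable content, and the
# only directory where Usage Tracker logs are expected (hypothetical path).
RISKY_EXT = {".bat", ".cmd", ".ps1", ".vbs", ".js", ".exe", ".dll"}
ALLOWED_DIRS = (r"C:\Logs\JavaUsage",)

# Constructed sample of a usagetracker.properties file (not taken from the article).
SAMPLE = r"""
# constructed sample
oracle.usagetracker.logToFile = C:\\Temp\\tracker.bat
oracle.usagetracker.additionalProperties = java.class.path,user.name
"""


def parse_properties(text):
    """Read key/value pairs: '#'/'!' comments, '=', ':' or whitespace separators.
    Backslash escapes are reduced to the escaped character ("\\\\" -> "\\");
    control escapes (\\t, \\n, \\uXXXX) and line continuations are not handled."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"((?:\\.|[^=:\s\\])+)\s*[=:\s]\s*(.*)", line)
        key, value = m.groups() if m else (line, "")
        props[key] = re.sub(r"\\(.)", r"\1", value)
    return props


def audit(text, allowed_dirs=ALLOWED_DIRS):
    """Return (finding, value) pairs for the two user-controlled attributes."""
    props = parse_properties(text)
    findings = []
    target = props.get(PREFIX + "logToFile")
    if target:
        # Normalise separators, case and ".." so the directory check cannot be bypassed.
        norm = ntpath.normcase(ntpath.normpath(target))
        if ntpath.splitext(norm)[1] in RISKY_EXT:
            findings.append(("logToFile-script-extension", target))
        if not any(norm.startswith(ntpath.normcase(d) + "\\") for d in allowed_dirs):
            findings.append(("logToFile-outside-allowed-dir", target))
    extra = props.get(PREFIX + "additionalProperties")
    if extra:
        findings.append(("additionalProperties-set", extra))
    return findings
```

Run `audit()` over the contents of the global usagetracker.properties on each host; an empty list means neither attribute points anywhere unexpected.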
Create a Java Usage Tracker Log File
If the file is saved in the global configuration path (on Windows, %ProgramData%\Oracle\Java), the JVM reads the file at system startup. After installing Tomcat with the global usagetracker.properties in place, trace logs are created (shown below) once Tomcat is restarted.
Local Privilege Escalation
The Java Usage Tracker global configuration file is created in the default path %ProgramData%\Oracle\Java\. Part of the contents of this path is created during Java installation, and part is created when Java commands (such as java -c) are executed. By default, permissions on the %ProgramData% path allow system "Users" to create files. When the Oracle or Java directory is created, it inherits the default permissions of the parent path.
To Sum Up
At present, an attacker can abuse the Java Usage Tracker feature in a variety of ways to achieve privilege escalation. Our research has been tested only in the Windows environment, but other operating systems may also be affected by this vulnerability. To elevate privileges, the attacker may use a combination of weaknesses, including:
- Arbitrary file creation: achieved through the oracle.usagetracker.logToFile path. For example, a file resembling a batch script can be created.
- Parameter injection: achieved through the oracle.usagetracker.additionalProperties configuration.
- Local privilege escalation: achieved through the weak permissions in %ProgramData%\Oracle\Java.