This delivered XML content is read by the client system with the product installed and parsed insecurely. If any affected product triggers an update check (scheduled or manually), the update server responds with a XML file containing information about available software versions withĪttributes pointing to the newest version, file hashes for verification etc. If connections to the update server are successfully controlled in some way. Products using install4j with its (automatic) update feature could be exploited, The latest version 10.0.4 (and former versions) of install4j is vulnerable to a XML External Entity (XXE) attack. Nevertheless, the Proof-of-Concept (PoC) exploitation will be shown against exactly this because it was my initial target. a badly configured SSL Inspection product in your company. This vulnerability is not applicable to Prosys OPC UA Simulation Server unfortunately except with e.g. BurpSuite :-P) which I wasn’t aware of in the beginning. Indeed, this installer software framework seems to be used a lot (e.g. Install4j is a powerful multi-platform Java installer builder that generates native installers and application launchers for Java applications. New Year’s Eve (2022/2023), the update function seemed to be a feasible victim to hunt for.Īs you will read in the following text, I did not manage to pwn the Prosys product properly but instead found a vulnerability in install4j which could presumably be applied in a lot of other software. Since I had only two days left ( lucky punch mode?!) between Christmas and Of several successful pwnages by former competitors targeting insecure update functions (all the love for curl -k & Co.). My primary motivation was not to participate myself but to get a feelingĪbout the difficulty level of the targets.ĭuring the installation routine on my Windows VM, the wizard closed with choosing an auto update interval. Several very skilled researchers partly pwned this in formerĬompetitions, at least parts of it with Denial-of-Service conditions, I think. I quickly chose my first (and only!) target: the Prosys OPC UA Simulation Server. This was the first time I wanted to look for vulnerabilities in their target list and thanks to some hints from friends It is related to a target of the upcoming Pwn2Own 2023 competition. (minimum version: 1.8, maximum version: 1.In this blog post I describe a vulnerability for which I got a little bit too excited in the beginning. I got a dialog message saying: "The install4j wizard could not find a Java(TM) Runtime Environment on your system. It should have installed successfully like previous 9.2.x.y Windows installers worked on previous versions of Java, but accepting Java 16. JRuby version ( jruby -v) and command line (flags, JRUBY_OPTS, etc): 9.3.0.0.I worked around this issue by dual-installing JDK 8, and then later changing JAVA_HOME to JDK 16 to make JRuby 9.3.0.0 work with JDK 16. It indicated JDK 8 was the minimum and maximum version the installer worked with. I tried to install JRuby 9.3.0.0 on Windows 10 圆4 and it complained about not having Java despite having JDK 16 installed.
0 Comments
Leave a Reply. |