Eclipse DLL Hijacking
Posted on 20 July 2016
Hi @ll, eclipse-inst-win32.exe (and of course eclipse-inst-win64.exe too) loads and executes multiple DLLs (in version 4.5 also CMD.EXE) from its "application directory". * version 4.5 ("Mars") on Windows 7: UXTheme.dll, WindowsCodecs.dll, AppHelp.dll, SrvCli.dll, Slc.dll, NTMarta.dll, ProfAPI.dll, SAMLib.dll * version 4.6 ("Neon") on Windows 7: IEFrame.dll, Version.dll * version 4.5 on Windows XP: ClbCatQ.dll, SetupAPI.dll, UXTheme.dll, RichEd20.dll (version 4.6 not tested on Windows Embedded POSReady 2009 alias Windows XP). For the vulnerable command line "cmd /c start <URL>" see <https://technet.microsoft.com/en-us/library/ms14-019.aspx> and CVE-2014-0315 For software downloaded with a web browser the application directory is typically the user's "Downloads" directory: see <https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>, <http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html> and <http://seclists.org/fulldisclosure/2012/Aug/134> for "prior art" about this well-known and well-documented vulnerability. If an attacker places the DLLs named above and/or CMD.EXE in the users "Downloads" directory (for example per drive-by download or social engineering) this vulnerability becomes a remote code execution. Proof of concept/demonstration: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ On a fresh (but fully patched) Windows installation (where a Java Runtime is NOT installed) perform the following actions: 1. visit <http://home.arcor.de/skanthak/sentinel.html>, download <http://home.arcor.de/skanthak/download/SENTINEL.DLL>, save it as UXTheme.dll in your "Downloads" directory, then copy it as RichEd20.dll, SetupAPI.dll, ClbCatQ.dll, WindowsCodecs.dll, AppHelp.dll, SrvCli.dll, Slc.dll, NTMarta.dll, ProfAPI.dll, SAMLib.dll, IEFrame.dll, Version.dll; 2. Download <http://home.arcor.de/skanthak/download/SENTINEL.EXE> and save it as CMD.EXE in your "Downloads" directory; 3. download eclipse-inst-win32.exe and save it in your "Downloads" directory; 4. run eclipse-inst-win32.exe per double-click from your "Downloads" directory; 5. click [Yes] in the message box | Eclipse Installer | (?) The required 32-bit Java 1.7.0 virtual machine could not be found. | Do you want to browse your system for it? 6. notice the message boxes displayed from the DLLs placed in step 1 and CMD.EXE placed in step 2. PWNED! See <http://seclists.org/fulldisclosure/2015/Nov/101> and <http://seclists.org/fulldisclosure/2015/Dec/86> as well as <http://home.arcor.de/skanthak/sentinel.html> and the not yet finished <http://home.arcor.de/skanthak/!execute.html> for details about these well-known and well-documented BEGINNER'S errors! Mitigation: ~~~~~~~~~~~ DUMP executable installers, build packages for the target OS' native installer instead! See <http://home.arcor.de/skanthak/!execute.html> as well as <http://home.arcor.de/skanthak/sentinel.html> for the long sad story of these vulnerabilities. stay tuned Stefan Kanthak Timeline: ~~~~~~~~~ 2016-02-12 vulnerability report sent to Eclipse Foundation NO RESPONSE 2016-02-22 vulnerability report resent to Eclipse Foundation 2016-02-23 answer from Eclipse Foundation: "we investigate" 2016-02-24 provided guidance to fix both vulnerabilities 2016-02-28 developer opens bug <https://bugs.eclipse.org/488644> 2016-07-01 second vulnerability report sent to Eclipse Foundation: recently released installer 4.6 "Neon" still vulnerable! 2016-07-12 answer from developer: "We analyzed this again and came to the conclusion that the code of our installer is now safe (i.e., with the fix from bug 488644). Indications are that your new check shows a problem much later in the process and that the list of loaded DLLs is totally different (i.e., not the one that you originally reported). Moreover we're convinced that it is a security problem in rundll32.exe itself." 2016-07-12 OUCH! It's DEFINITIVELY your "fixed" installer which STILL loads DLLs from its application directory; it's NOT safe, but VULNERABLE! NO RESPONSE 2016-07-19 report published