Eclipse DLL Hijacking

2016.07.20
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-426


CVSS Base Score: 6.9/10
Impact Subscore: 10/10
Exploitability Subscore: 3.4/10
Exploit range: Local
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Hi @ll, eclipse-inst-win32.exe (and of course eclipse-inst-win64.exe too) loads and executes multiple DLLs (in version 4.5 also CMD.EXE) from its "application directory". * version 4.5 ("Mars") on Windows 7: UXTheme.dll, WindowsCodecs.dll, AppHelp.dll, SrvCli.dll, Slc.dll, NTMarta.dll, ProfAPI.dll, SAMLib.dll * version 4.6 ("Neon") on Windows 7: IEFrame.dll, Version.dll * version 4.5 on Windows XP: ClbCatQ.dll, SetupAPI.dll, UXTheme.dll, RichEd20.dll (version 4.6 not tested on Windows Embedded POSReady 2009 alias Windows XP). For the vulnerable command line "cmd /c start <URL>" see <https://technet.microsoft.com/en-us/library/ms14-019.aspx> and CVE-2014-0315 For software downloaded with a web browser the application directory is typically the user's "Downloads" directory: see <https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>, <http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html> and <http://seclists.org/fulldisclosure/2012/Aug/134> for "prior art" about this well-known and well-documented vulnerability. If an attacker places the DLLs named above and/or CMD.EXE in the users "Downloads" directory (for example per drive-by download or social engineering) this vulnerability becomes a remote code execution. Proof of concept/demonstration: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ On a fresh (but fully patched) Windows installation (where a Java Runtime is NOT installed) perform the following actions: 1. visit <http://home.arcor.de/skanthak/sentinel.html>, download <http://home.arcor.de/skanthak/download/SENTINEL.DLL>, save it as UXTheme.dll in your "Downloads" directory, then copy it as RichEd20.dll, SetupAPI.dll, ClbCatQ.dll, WindowsCodecs.dll, AppHelp.dll, SrvCli.dll, Slc.dll, NTMarta.dll, ProfAPI.dll, SAMLib.dll, IEFrame.dll, Version.dll; 2. Download <http://home.arcor.de/skanthak/download/SENTINEL.EXE> and save it as CMD.EXE in your "Downloads" directory; 3. download eclipse-inst-win32.exe and save it in your "Downloads" directory; 4. run eclipse-inst-win32.exe per double-click from your "Downloads" directory; 5. click [Yes] in the message box | Eclipse Installer | (?) The required 32-bit Java 1.7.0 virtual machine could not be found. | Do you want to browse your system for it? 6. notice the message boxes displayed from the DLLs placed in step 1 and CMD.EXE placed in step 2. PWNED! See <http://seclists.org/fulldisclosure/2015/Nov/101> and <http://seclists.org/fulldisclosure/2015/Dec/86> as well as <http://home.arcor.de/skanthak/sentinel.html> and the not yet finished <http://home.arcor.de/skanthak/!execute.html> for details about these well-known and well-documented BEGINNER'S errors! Mitigation: ~~~~~~~~~~~ DUMP executable installers, build packages for the target OS' native installer instead! See <http://home.arcor.de/skanthak/!execute.html> as well as <http://home.arcor.de/skanthak/sentinel.html> for the long sad story of these vulnerabilities. stay tuned Stefan Kanthak Timeline: ~~~~~~~~~ 2016-02-12 vulnerability report sent to Eclipse Foundation NO RESPONSE 2016-02-22 vulnerability report resent to Eclipse Foundation 2016-02-23 answer from Eclipse Foundation: "we investigate" 2016-02-24 provided guidance to fix both vulnerabilities 2016-02-28 developer opens bug <https://bugs.eclipse.org/488644> 2016-07-01 second vulnerability report sent to Eclipse Foundation: recently released installer 4.6 "Neon" still vulnerable! 2016-07-12 answer from developer: "We analyzed this again and came to the conclusion that the code of our installer is now safe (i.e., with the fix from bug 488644). Indications are that your new check shows a problem much later in the process and that the list of loaded DLLs is totally different (i.e., not the one that you originally reported). Moreover we're convinced that it is a security problem in rundll32.exe itself." 2016-07-12 OUCH! It's DEFINITIVELY your "fixed" installer which STILL loads DLLs from its application directory; it's NOT safe, but VULNERABLE! NO RESPONSE 2016-07-19 report published


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top