Vulners
Lucene search
Eclipse DLL Hijacking
🗓️ 19 Jul 2016 00:00:00Reported by Stefan KanthakType 
packetstorm🔗 packetstormsecurity.com👁 82 Views
| Reporter | Title | Published | Views | Family All 14 |
|---|---|---|---|---|
 | Microsoft Windows Unsafe Handling Practices Vulnerability | 27 Jul 202000:00 | – | zdt |
 | Microsoft Windows File Handling Component Remote Code Execution (MS14-019; CVE-2014-0315) | 24 Apr 201400:00 | – | checkpoint_advisories |
 | CVE-2014-0315 | 8 Apr 201421:00 | – | cve |
 | CVE-2014-0315 | 8 Apr 201421:00 | – | cvelist |
 | KLA10601 Multiple vulnerabilities in Microsoft products | 11 Nov 201400:00 | – | kaspersky |
 | CVE-2014-0315 | 8 Apr 201423:55 | – | nvd |
 | Microsoft File Handling Component Remote Code Execution Vulnerability (2922229) | 9 Apr 201400:00 | – | openvas |
| Microsoft File Handling Component Remote Code Execution Vulnerability (2922229) | 9 Apr 201400:00 | – | openvas |
| Microsoft Windows Unsafe Handling Practices | 27 Jul 202000:00 | – | packetstorm |
 | Design/Logic Flaw | 8 Apr 201423:55 | – | prion |
10
`Hi @ll,
eclipse-inst-win32.exe (and of course eclipse-inst-win64.exe
too) loads and executes multiple DLLs (in version 4.5 also
CMD.EXE) from its "application directory".
* version 4.5 ("Mars") on Windows 7:
UXTheme.dll, WindowsCodecs.dll, AppHelp.dll, SrvCli.dll,
Slc.dll, NTMarta.dll, ProfAPI.dll, SAMLib.dll
* version 4.6 ("Neon") on Windows 7:
IEFrame.dll, Version.dll
* version 4.5 on Windows XP:
ClbCatQ.dll, SetupAPI.dll, UXTheme.dll, RichEd20.dll
(version 4.6 not tested on Windows Embedded POSReady 2009
alias Windows XP).
For the vulnerable command line "cmd /c start <URL>" see
<https://technet.microsoft.com/en-us/library/ms14-019.aspx>
and CVE-2014-0315
For software downloaded with a web browser the application
directory is typically the user's "Downloads" directory: see
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>
and <http://seclists.org/fulldisclosure/2012/Aug/134> for
"prior art" about this well-known and well-documented vulnerability.
If an attacker places the DLLs named above and/or CMD.EXE in the
users "Downloads" directory (for example per drive-by download
or social engineering) this vulnerability becomes a remote code
execution.
Proof of concept/demonstration:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
On a fresh (but fully patched) Windows installation (where a Java
Runtime is NOT installed) perform the following actions:
1. visit <http://home.arcor.de/skanthak/sentinel.html>, download
<http://home.arcor.de/skanthak/download/SENTINEL.DLL>, save it
as UXTheme.dll in your "Downloads" directory, then copy it as
RichEd20.dll, SetupAPI.dll, ClbCatQ.dll, WindowsCodecs.dll,
AppHelp.dll, SrvCli.dll, Slc.dll, NTMarta.dll, ProfAPI.dll,
SAMLib.dll, IEFrame.dll, Version.dll;
2. Download <http://home.arcor.de/skanthak/download/SENTINEL.EXE>
and save it as CMD.EXE in your "Downloads" directory;
3. download eclipse-inst-win32.exe and save it in your "Downloads"
directory;
4. run eclipse-inst-win32.exe per double-click from your "Downloads"
directory;
5. click [Yes] in the message box
| Eclipse Installer
| (?) The required 32-bit Java 1.7.0 virtual machine could not be found.
| Do you want to browse your system for it?
6. notice the message boxes displayed from the DLLs placed in step 1
and CMD.EXE placed in step 2.
PWNED!
See <http://seclists.org/fulldisclosure/2015/Nov/101> and
<http://seclists.org/fulldisclosure/2015/Dec/86> as well as
<http://home.arcor.de/skanthak/sentinel.html> and the not yet
finished <http://home.arcor.de/skanthak/!execute.html> for details
about these well-known and well-documented BEGINNER'S errors!
Mitigation:
~~~~~~~~~~~
DUMP executable installers, build packages for the target OS' native
installer instead!
See <http://home.arcor.de/skanthak/!execute.html>
as well as <http://home.arcor.de/skanthak/sentinel.html> for the long
sad story of these vulnerabilities.
stay tuned
Stefan Kanthak
Timeline:
~~~~~~~~~
2016-02-12 vulnerability report sent to Eclipse Foundation
NO RESPONSE
2016-02-22 vulnerability report resent to Eclipse Foundation
2016-02-23 answer from Eclipse Foundation:
"we investigate"
2016-02-24 provided guidance to fix both vulnerabilities
2016-02-28 developer opens bug <https://bugs.eclipse.org/488644>
2016-07-01 second vulnerability report sent to Eclipse Foundation:
recently released installer 4.6 "Neon" still vulnerable!
2016-07-12 answer from developer:
"We analyzed this again and came to the conclusion
that the code of our installer is now safe (i.e.,
with the fix from bug 488644). Indications are that
your new check shows a problem much later in the
process and that the list of loaded DLLs is totally
different (i.e., not the one that you originally
reported).
Moreover we're convinced that it is a security problem
in rundll32.exe itself."
2016-07-12 OUCH!
It's DEFINITIVELY your "fixed" installer which STILL
loads DLLs from its application directory; it's NOT
safe, but VULNERABLE!
NO RESPONSE
2016-07-19 report published
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
19 Jul 2016 00:00Current
EPSS0.22572