Eclipse DLL Hijacking

`Hi @ll,  
  
eclipse-inst-win32.exe (and of course eclipse-inst-win64.exe  
too) loads and executes multiple DLLs (in version 4.5 also  
CMD.EXE) from its "application directory".  
  
* version 4.5 ("Mars") on Windows 7:  
UXTheme.dll, WindowsCodecs.dll, AppHelp.dll, SrvCli.dll,  
Slc.dll, NTMarta.dll, ProfAPI.dll, SAMLib.dll  
  
* version 4.6 ("Neon") on Windows 7:  
IEFrame.dll, Version.dll  
  
* version 4.5 on Windows XP:  
ClbCatQ.dll, SetupAPI.dll, UXTheme.dll, RichEd20.dll  
  
(version 4.6 not tested on Windows Embedded POSReady 2009  
alias Windows XP).  
  
For the vulnerable command line "cmd /c start <URL>" see  
<https://technet.microsoft.com/en-us/library/ms14-019.aspx>  
and CVE-2014-0315  
  
  
For software downloaded with a web browser the application  
directory is typically the user's "Downloads" directory: see  
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,  
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>  
and <http://seclists.org/fulldisclosure/2012/Aug/134> for  
"prior art" about this well-known and well-documented vulnerability.  
  
If an attacker places the DLLs named above and/or CMD.EXE in the  
users "Downloads" directory (for example per drive-by download  
or social engineering) this vulnerability becomes a remote code  
execution.  
  
  
Proof of concept/demonstration:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
On a fresh (but fully patched) Windows installation (where a Java  
Runtime is NOT installed) perform the following actions:  
  
1. visit <http://home.arcor.de/skanthak/sentinel.html>, download  
<http://home.arcor.de/skanthak/download/SENTINEL.DLL>, save it  
as UXTheme.dll in your "Downloads" directory, then copy it as  
RichEd20.dll, SetupAPI.dll, ClbCatQ.dll, WindowsCodecs.dll,  
AppHelp.dll, SrvCli.dll, Slc.dll, NTMarta.dll, ProfAPI.dll,  
SAMLib.dll, IEFrame.dll, Version.dll;  
  
2. Download <http://home.arcor.de/skanthak/download/SENTINEL.EXE>  
and save it as CMD.EXE in your "Downloads" directory;  
  
3. download eclipse-inst-win32.exe and save it in your "Downloads"  
directory;  
  
4. run eclipse-inst-win32.exe per double-click from your "Downloads"  
directory;  
  
5. click [Yes] in the message box  
  
| Eclipse Installer  
| (?) The required 32-bit Java 1.7.0 virtual machine could not be found.  
| Do you want to browse your system for it?  
  
6. notice the message boxes displayed from the DLLs placed in step 1  
and CMD.EXE placed in step 2.  
  
PWNED!  
  
  
See <http://seclists.org/fulldisclosure/2015/Nov/101> and  
<http://seclists.org/fulldisclosure/2015/Dec/86> as well as  
<http://home.arcor.de/skanthak/sentinel.html> and the not yet  
finished <http://home.arcor.de/skanthak/!execute.html> for details  
about these well-known and well-documented BEGINNER'S errors!  
  
  
Mitigation:  
~~~~~~~~~~~  
  
DUMP executable installers, build packages for the target OS' native  
installer instead!  
  
See <http://home.arcor.de/skanthak/!execute.html>  
as well as <http://home.arcor.de/skanthak/sentinel.html> for the long  
sad story of these vulnerabilities.  
  
  
stay tuned  
Stefan Kanthak  
  
  
Timeline:  
~~~~~~~~~  
  
2016-02-12 vulnerability report sent to Eclipse Foundation  
  
NO RESPONSE  
  
2016-02-22 vulnerability report resent to Eclipse Foundation  
  
2016-02-23 answer from Eclipse Foundation:  
"we investigate"  
  
2016-02-24 provided guidance to fix both vulnerabilities  
  
2016-02-28 developer opens bug <https://bugs.eclipse.org/488644>  
  
2016-07-01 second vulnerability report sent to Eclipse Foundation:  
recently released installer 4.6 "Neon" still vulnerable!  
  
2016-07-12 answer from developer:  
"We analyzed this again and came to the conclusion  
that the code of our installer is now safe (i.e.,  
with the fix from bug 488644). Indications are that  
your new check shows a problem much later in the  
process and that the list of loaded DLLs is totally  
different (i.e., not the one that you originally  
reported).  
Moreover we're convinced that it is a security problem  
in rundll32.exe itself."  
  
2016-07-12 OUCH!  
It's DEFINITIVELY your "fixed" installer which STILL  
loads DLLs from its application directory; it's NOT  
safe, but VULNERABLE!  
  
NO RESPONSE  
  
2016-07-19 report published  
`