BugTraq
Executable installers are vulnerable^WEVIL (case 35): eclipse-inst-win*.exe vulnerable to DLL and EXE hijacking Jul 19 2016 02:05PM
Stefan Kanthak (stefan kanthak nexgo de)
Hi @ll,

eclipse-inst-win32.exe (and of course eclipse-inst-win64.exe
too) loads and executes multiple DLLs (in version 4.5 also
CMD.EXE) from its "application directory".

* version 4.5 ("Mars") on Windows 7:
UXTheme.dll, WindowsCodecs.dll, AppHelp.dll, SrvCli.dll,
Slc.dll, NTMarta.dll, ProfAPI.dll, SAMLib.dll

* version 4.6 ("Neon") on Windows 7:
IEFrame.dll, Version.dll

* version 4.5 on Windows XP:
ClbCatQ.dll, SetupAPI.dll, UXTheme.dll, RichEd20.dll

(version 4.6 not tested on Windows Embedded POSReady 2009
alias Windows XP).

For the vulnerable command line "cmd /c start <URL>" see
<https://technet.microsoft.com/en-us/library/ms14-019.aspx>
and CVE-2014-0315

For software downloaded with a web browser the application
directory is typically the user's "Downloads" directory: see
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-
poisoning.html>,
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.
html>
and <http://seclists.org/fulldisclosure/2012/Aug/134> for
"prior art" about this well-known and well-documented vulnerability.

If an attacker places the DLLs named above and/or CMD.EXE in the
users "Downloads" directory (for example per drive-by download
or social engineering) this vulnerability becomes a remote code
execution.

Proof of concept/demonstration:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

On a fresh (but fully patched) Windows installation (where a Java
Runtime is NOT installed) perform the following actions:

1. visit <http://home.arcor.de/skanthak/sentinel.html>, download
<http://home.arcor.de/skanthak/download/SENTINEL.DLL>, save it
as UXTheme.dll in your "Downloads" directory, then copy it as
RichEd20.dll, SetupAPI.dll, ClbCatQ.dll, WindowsCodecs.dll,
AppHelp.dll, SrvCli.dll, Slc.dll, NTMarta.dll, ProfAPI.dll,
SAMLib.dll, IEFrame.dll, Version.dll;

2. Download <http://home.arcor.de/skanthak/download/SENTINEL.EXE>
and save it as CMD.EXE in your "Downloads" directory;

3. download eclipse-inst-win32.exe and save it in your "Downloads"
directory;

4. run eclipse-inst-win32.exe per double-click from your "Downloads"
directory;

5. click [Yes] in the message box

| Eclipse Installer
| (?) The required 32-bit Java 1.7.0 virtual machine could not be found.
| Do you want to browse your system for it?

6. notice the message boxes displayed from the DLLs placed in step 1
and CMD.EXE placed in step 2.

PWNED!

See <http://seclists.org/fulldisclosure/2015/Nov/101> and
<http://seclists.org/fulldisclosure/2015/Dec/86> as well as
<http://home.arcor.de/skanthak/sentinel.html> and the not yet
finished <http://home.arcor.de/skanthak/!execute.html> for details
about these well-known and well-documented BEGINNER'S errors!

Mitigation:
~~~~~~~~~~~

DUMP executable installers, build packages for the target OS' native
installer instead!

See <http://home.arcor.de/skanthak/!execute.html>
as well as <http://home.arcor.de/skanthak/sentinel.html> for the long
sad story of these vulnerabilities.

stay tuned
Stefan Kanthak

Timeline:
~~~~~~~~~

2016-02-12 vulnerability report sent to Eclipse Foundation

NO RESPONSE

2016-02-22 vulnerability report resent to Eclipse Foundation

2016-02-23 answer from Eclipse Foundation:
"we investigate"

2016-02-24 provided guidance to fix both vulnerabilities

2016-02-28 developer opens bug <https://bugs.eclipse.org/488644>

2016-07-01 second vulnerability report sent to Eclipse Foundation:
recently released installer 4.6 "Neon" still vulnerable!

2016-07-12 answer from developer:
"We analyzed this again and came to the conclusion
that the code of our installer is now safe (i.e.,
with the fix from bug 488644). Indications are that
your new check shows a problem much later in the
process and that the list of loaded DLLs is totally
different (i.e., not the one that you originally
reported).
Moreover we're convinced that it is a security problem
in rundll32.exe itself."

2016-07-12 OUCH!
It's DEFINITIVELY your "fixed" installer which STILL
loads DLLs from its application directory; it's NOT
safe, but VULNERABLE!

NO RESPONSE

2016-07-19 report published

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus