lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <E8FB49DB23AB49E08C1DC0F91398B657@W340>
Date: Tue, 19 Jul 2016 16:05:06 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <fulldisclosure@...lists.org>
Cc: <bugtraq@...urityfocus.com>
Subject: Executable installers are vulnerable^WEVIL (case 35): eclipse-inst-win*.exe vulnerable to DLL and EXE hijacking

Hi @ll,

eclipse-inst-win32.exe (and of course eclipse-inst-win64.exe
too) loads and executes multiple DLLs (in version 4.5 also
CMD.EXE) from its "application directory".

* version 4.5 ("Mars") on Windows 7:
  UXTheme.dll, WindowsCodecs.dll, AppHelp.dll, SrvCli.dll,
  Slc.dll, NTMarta.dll, ProfAPI.dll, SAMLib.dll

* version 4.6 ("Neon") on Windows 7:
  IEFrame.dll, Version.dll

* version 4.5 on Windows XP:
  ClbCatQ.dll, SetupAPI.dll, UXTheme.dll, RichEd20.dll

(version 4.6 not tested on Windows Embedded POSReady 2009
alias Windows XP).

For the vulnerable command line "cmd /c start <URL>" see
<https://technet.microsoft.com/en-us/library/ms14-019.aspx>
and CVE-2014-0315


For software downloaded with a web browser the application
directory is typically the user's "Downloads" directory: see
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>
and <http://seclists.org/fulldisclosure/2012/Aug/134> for
"prior art" about this well-known and well-documented vulnerability.

If an attacker places the DLLs named above and/or CMD.EXE in the
users "Downloads" directory (for example per drive-by download
or social engineering) this vulnerability becomes a remote code
execution.


Proof of concept/demonstration:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

On a fresh (but fully patched) Windows installation (where a Java
Runtime is NOT installed) perform the following actions:

1. visit <http://home.arcor.de/skanthak/sentinel.html>, download
   <http://home.arcor.de/skanthak/download/SENTINEL.DLL>, save it
   as UXTheme.dll in your "Downloads" directory, then copy it as
   RichEd20.dll, SetupAPI.dll, ClbCatQ.dll, WindowsCodecs.dll,
   AppHelp.dll, SrvCli.dll, Slc.dll, NTMarta.dll, ProfAPI.dll,
   SAMLib.dll, IEFrame.dll, Version.dll;

2. Download <http://home.arcor.de/skanthak/download/SENTINEL.EXE>
   and save it as CMD.EXE in your "Downloads" directory;

3. download eclipse-inst-win32.exe and save it in your "Downloads"
   directory;

4. run eclipse-inst-win32.exe per double-click from your "Downloads"
   directory;

5. click [Yes] in the message box
   
   | Eclipse Installer
   | (?)  The required 32-bit Java 1.7.0 virtual machine could not be found.
   |      Do you want to browse your system for it?

6. notice the message boxes displayed from the DLLs placed in step 1
   and CMD.EXE placed in step 2.

PWNED!


See <http://seclists.org/fulldisclosure/2015/Nov/101> and
<http://seclists.org/fulldisclosure/2015/Dec/86> as well as
<http://home.arcor.de/skanthak/sentinel.html> and the not yet
finished <http://home.arcor.de/skanthak/!execute.html> for details
about these well-known and well-documented BEGINNER'S errors!


Mitigation:
~~~~~~~~~~~

DUMP executable installers, build packages for the target OS' native
installer instead!

See <http://home.arcor.de/skanthak/!execute.html>
as well as <http://home.arcor.de/skanthak/sentinel.html> for the long
sad story of these vulnerabilities.


stay tuned
Stefan Kanthak


Timeline:
~~~~~~~~~

2016-02-12    vulnerability report sent to Eclipse Foundation

              NO RESPONSE

2016-02-22    vulnerability report resent to Eclipse Foundation

2016-02-23    answer from Eclipse Foundation:
              "we investigate"

2016-02-24    provided guidance to fix both vulnerabilities

2016-02-28    developer opens bug <https://bugs.eclipse.org/488644>

2016-07-01    second vulnerability report sent to Eclipse Foundation:
              recently released installer 4.6 "Neon" still vulnerable!

2016-07-12    answer from developer:
              "We analyzed this again and came to the conclusion
               that the code of our installer is now safe (i.e.,
               with the fix from bug 488644). Indications are that
               your new check shows a problem much later in the
               process and that the list of loaded DLLs is totally
               different (i.e., not the one that you originally
               reported).
               Moreover we're convinced that it is a security problem
               in rundll32.exe itself."

2016-07-12    OUCH!
              It's DEFINITIVELY your "fixed" installer which STILL
              loads DLLs from its application directory; it's NOT
              safe, but VULNERABLE!

              NO RESPONSE

2016-07-19    report published

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ