Executable installers are vulnerable^WEVIL (case 35): eclipse-inst-win*.exe vulnerable to DLL and EXE hijacking

From: Stefan Kanthak <stefan.kanthak@nexgo.de>
To: fulldisclosure@seclists.org
Cc: bugtraq@securityfocus.com
Subject: Executable installers are vulnerable^WEVIL (case 35): eclipse-inst-win*.exe vulnerable to DLL and EXE hijacking
Date:


Hi @ll,

eclipse-inst-win32.exe (and of course eclipse-inst-win64.exe
too) loads and executes multiple DLLs (in version 4.5 also
CMD.EXE) from its "application directory".

* version 4.5 ("Mars") on Windows 7:
  UXTheme.dll, WindowsCodecs.dll, AppHelp.dll, SrvCli.dll,
  Slc.dll, NTMarta.dll, ProfAPI.dll, SAMLib.dll

* version 4.6 ("Neon") on Windows 7:
  IEFrame.dll, Version.dll

* version 4.5 on Windows XP:
  ClbCatQ.dll, SetupAPI.dll, UXTheme.dll, RichEd20.dll

(version 4.6 not tested on Windows Embedded POSReady 2009
alias Windows XP).

For the vulnerable command line "cmd /c start <URL>" see
<https://technet.microsoft.com/en-us/library/ms14-019.aspx>
and CVE-2014-0315


For software downloaded with a web browser the application
directory is typically the user's "Downloads" directory: see
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,
<http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html>
and <http://seclists.org/fulldisclosure/2012/Aug/134> for
"prior art" about this well-known and well-documented vulnerability.

If an attacker places the DLLs named above and/or CMD.EXE in the
users "Downloads" directory (for example per drive-by download
or social engineering) this vulnerability becomes a remote code
execution.


Proof of concept/demonstration:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

On a fresh (but fully patched) Windows installation (where a Java
Runtime is NOT installed) perform the following actions:

1. visit <http://home.arcor.de/skanthak/sentinel.html>, download
   <http://home.arcor.de/skanthak/download/SENTINEL.DLL>, save it
   as UXTheme.dll in your "Downloads" directory, then copy it as
   RichEd20.dll, SetupAPI.dll, ClbCatQ.dll, WindowsCodecs.dll,
   AppHelp.dll, SrvCli.dll, Slc.dll, NTMarta.dll, ProfAPI.dll,
   SAMLib.dll, IEFrame.dll, Version.dll;

2. Download <http://home.arcor.de/skanthak/download/SENTINEL.EXE>
   and save it as CMD.EXE in your "Downloads" directory;

3. download eclipse-inst-win32.exe and save it in your "Downloads"
   directory;

4. run eclipse-inst-win32.exe per double-click from your "Downloads"
   directory;

5. click [Yes] in the message box
   
   | Eclipse Installer
   | (?)  The required 32-bit Java 1.7.0 virtual machine could not be found.
   |      Do you want to browse your system for it?

6. notice the message boxes displayed from the DLLs placed in step 1
   and CMD.EXE placed in step 2.

PWNED!


See <http://seclists.org/fulldisclosure/2015/Nov/101> and
<http://seclists.org/fulldisclosure/2015/Dec/86> as well as
<http://home.arcor.de/skanthak/sentinel.html> and the not yet
finished <http://home.arcor.de/skanthak/!execute.html> for details
about these well-known and well-documented BEGINNER'S errors!


Mitigation:
~~~~~~~~~~~

DUMP executable installers, build packages for the target OS' native
installer instead!

See <http://home.arcor.de/skanthak/!execute.html>
as well as <http://home.arcor.de/skanthak/sentinel.html> for the long
sad story of these vulnerabilities.


stay tuned
Stefan Kanthak


Timeline:
~~~~~~~~~

2016-02-12    vulnerability report sent to Eclipse Foundation

              NO RESPONSE

2016-02-22    vulnerability report resent to Eclipse Foundation

2016-02-23    answer from Eclipse Foundation:
              "we investigate"

2016-02-24    provided guidance to fix both vulnerabilities

2016-02-28    developer opens bug <https://bugs.eclipse.org/488644>

2016-07-01    second vulnerability report sent to Eclipse Foundation:
              recently released installer 4.6 "Neon" still vulnerable!

2016-07-12    answer from developer:
              "We analyzed this again and came to the conclusion
               that the code of our installer is now safe (i.e.,
               with the fix from bug 488644). Indications are that
               your new check shows a problem much later in the
               process and that the list of loaded DLLs is totally
               different (i.e., not the one that you originally
               reported).
               Moreover we're convinced that it is a security problem
               in rundll32.exe itself."

2016-07-12    OUCH!
              It's DEFINITIVELY your "fixed" installer which STILL
              loads DLLs from its application directory; it's NOT
              safe, but VULNERABLE!

              NO RESPONSE

2016-07-19    report published





Copyright © 1995-2018 LinuxRocket.net. All rights reserved.