
Bug 325886

Summary: DLL hijacking exploit
Product: [Eclipse Project] Equinox
Reporter: Andrew Niefer <aniefer>
Component: Framework
Assignee: equinox.framework-inbox <equinox.framework-inbox>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: P3
CC: aniefer, jdmiles, john.arthorne, mukund, raji, remy.suen, stephen.francisco, tjwatson
Version: 3.3.1
Flags: tjwatson: review+
Target Milestone: 3.4.2+
Hardware: PC
OS: All
Whiteboard:
Bug Depends on: 325294
Bug Blocks:

Attachments (description, flags):
- patch against 34x branch (flags: none)
- build script changes for compiling on win32 (flags: none)
- patch against 34x branch (w/o whitespace changes) (flags: none)

Description Andrew Niefer CLA 2010-09-21 14:18:28 EDT
+++ This bug was initially created as a clone of Bug #325294 +++

An Eclipse-based application can be hijacked during launch by placing a DLL file in the working directory when the application is launched. If the DLL matches the filename of the eclipse companion shared library, it will be invoked instead of the real DLL. This is particularly damaging for applications that associate file types with the executable. For details see:

http://securityreason.com/wlb_show/WLB-2010090065
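The report above describes the general shape of a launch-time library hijack: the launcher resolves its companion shared library by name, and the directory that name is resolved against is one the attacker can populate (for a file-type handler, the working directory is usually the directory of the file that was opened). The following C program is an added example written for this page; it is not the Eclipse launcher, not the attached patch, and the library name `libeclipse-companion.so` and the function names are hypothetical. It contrasts a working-directory-relative lookup with one anchored on the executable's own directory, and adds two checks a launcher author would want: rejection of names with path components, and a canonical-path containment check after the file is found.

```c
#define _POSIX_C_SOURCE 200809L
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Vulnerable pattern: locate the companion library relative to the process
 * working directory. When the application is launched through a file-type
 * association, that directory is typically the one holding the opened file,
 * so whoever supplies the file also chooses which library gets loaded.
 * Returns 0 and fills out[] on success, -1 on error. */
int companion_path_from_cwd(const char *lib_name, char *out, size_t outlen)
{
    char cwd[PATH_MAX];
    if (!getcwd(cwd, sizeof cwd))
        return -1;
    int n = snprintf(out, outlen, "%s/%s", cwd, lib_name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Hardened pattern: anchor the lookup on the directory that contains the
 * executable and refuse names that could escape it. exe_path must be
 * absolute (a relative argv[0] is itself resolved against the cwd). */
int companion_path_from_exe(const char *exe_path, const char *lib_name,
                            char *out, size_t outlen)
{
    if (lib_name[0] == '\0' || strchr(lib_name, '/') || strchr(lib_name, '\\') ||
        strcmp(lib_name, ".") == 0 || strcmp(lib_name, "..") == 0)
        return -1;
    if (exe_path[0] != '/')
        return -1;
    const char *slash = strrchr(exe_path, '/');
    int n = (slash == exe_path)
        ? snprintf(out, outlen, "/%s", lib_name)
        : snprintf(out, outlen, "%.*s/%s", (int)(slash - exe_path), exe_path, lib_name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Defence in depth: once the candidate exists, confirm that its canonical
 * form (symlinks and ".." resolved) still lies inside dir. Returns 1 if so,
 * 0 otherwise or if either path cannot be resolved. */
int path_within_dir(const char *dir, const char *candidate)
{
    char rdir[PATH_MAX], rcand[PATH_MAX];
    if (!realpath(dir, rdir) || !realpath(candidate, rcand))
        return 0;
    size_t dl = strlen(rdir);
    if (dl == 1 && rdir[0] == '/')
        dl = 0;                        /* root: any absolute path is inside it */
    return strncmp(rcand, rdir, dl) == 0 && rcand[dl] == '/';
}

/* Linux only: ask the kernel where the running binary really lives instead of
 * trusting argv[0]. Returns 0 on success. */
int resolve_self_exe(char *out, size_t outlen)
{
    ssize_t n = readlink("/proc/self/exe", out, outlen - 1);
    if (n < 0)
        return -1;
    out[n] = '\0';
    return 0;
}

int main(void)
{
    const char *lib = "libeclipse-companion.so";   /* hypothetical library name */
    char unsafe[PATH_MAX], safe[PATH_MAX], self[PATH_MAX];

    if (companion_path_from_cwd(lib, unsafe, sizeof unsafe) == 0)
        printf("cwd-relative (hijackable): %s\n", unsafe);

    if (resolve_self_exe(self, sizeof self) == 0 &&
        companion_path_from_exe(self, lib, safe, sizeof safe) == 0) {
        printf("exe-relative (hardened):   %s\n", safe);
        /* A real launcher would now dlopen(safe, RTLD_NOW) and, before that,
         * require path_within_dir(<exe dir>, safe) == 1. */
    }
    return 0;
}
```

The cwd-relative function is the bug class the report describes; note that `dlopen` of a bare name on Linux does not consult the working directory, so the exposure comes from launcher code that builds its own relative path (or, on Windows, from `LoadLibrary` with a bare name, whose default search order does include the current directory; loading by absolute path or calling `SetDllDirectory("")` removes that). Comment 4 below indicates the same lookup shape applied to the VM and `library.jar`, so the exe-anchored resolution is worth applying to every file the launcher locates at start-up, not only the companion library.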
Comment 1 Andrew Niefer CLA 2010-09-21 17:03:03 EDT
Created attachment 179342 [details]
patch against 34x branch
Comment 2 Andrew Niefer CLA 2010-09-21 17:04:20 EDT
Created attachment 179343 [details]
build script changes for compiling on win32
Comment 3 Andrew Niefer CLA 2010-09-21 17:32:54 EDT
Created attachment 179346 [details]
patch against 34x branch (w/o whitespace changes)
Comment 4 Andrew Niefer CLA 2010-09-22 11:47:57 EDT
I have reproduced all three of the shared library, vm and library.jar attacks on linux.gtk.x86 and have confirmed that this patch fixes them.
Comment 5 Andrew Niefer CLA 2010-09-22 17:06:21 EDT
Binaries are recompiled and released.  Tagged as R34x_20100922
Comment 6 Thomas Watson CLA 2010-09-22 17:23:04 EDT
(In reply to comment #5)
> Binaries are recompiled and released.  Tagged as R34x_20100922

The map file indicates R34x_v20100922 tag was used (with a 'v').
Comment 7 Andrew Niefer CLA 2010-09-22 17:46:27 EDT
Yes, sorry, the tag contains a 'v', this was just a typo in the comment here.
Comment 8 John Arthorne CLA 2011-04-08 14:45:11 EDT
Removing security advisories group. The fix is available in 3.6.2, and the exploit is already public anyway (see comment #0).