
Bug 325902

Summary: [launcher] Windows LoadLibrary search cwd DLL exploit
Product: [Eclipse Project] Equinox
Reporter: Andrew Niefer <aniefer>
Component: Launcher
Assignee: Project Inbox <equinox.launcher-inbox>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: P3
CC: jdmiles, mukund, raji, remy.suen, stephen.francisco, tjwatson
Version: unspecified
Keywords: security
Target Milestone: 3.6.2
Hardware: PC
OS: Windows All
Whiteboard:
Bug Depends on:
Bug Blocks: 325903
Attachments: patch (flags: none)

Description Andrew Niefer CLA 2010-09-21 16:18:25 EDT
On Windows, the default search when loading native libraries with LoadLibrary without an absolute path searches the current working directory before the Windows search path. [1]

Therefore, native code trying to load a shared library that it expects to find on the Windows search path is vulnerable to a malicious DLL being placed in the current working directory, in a manner similar to bug 325294.

The proposed fix is to call SetDllDirectory[2] to remove the cwd from the search.

For > 3.6.x we may want to also add the cwd to the end of the PATH env variable to preserve finding libraries there but still closing the vulnerability.  We must also ensure that this change affects the child vm process when the vm is not in-process.

[1] http://msdn.microsoft.com/en-us/library/ms682586%28VS.85%29.aspx
[2] http://msdn.microsoft.com/en-us/library/ms686203%28v=VS.85%29.aspx
Comment 1 Andrew Niefer CLA 2010-10-08 15:29:37 EDT
Test shows that adjusting the dll directory in the launcher has no effect when java is forked in a new process.
Comment 2 Andrew Niefer CLA 2010-10-08 16:22:28 EDT
I have not been able to find any method for securing the child java process.
Comment 3 Andrew Niefer CLA 2010-12-20 15:44:26 EST
Created attachment 185593 [details]
patch

Patch adds the current working directory to the end of the search path.
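The two mitigations discussed in the description and in comment 3, as an added example that is not the Equinox launcher's code and not the attached patch: SetDllDirectory("") removes the cwd from the in-process LoadLibrary search, and, because a forked child JVM does not inherit that setting but does inherit the environment, the cwd is appended to the end of PATH so libraries there are still found, but only after the system directories. The function names (harden_dll_search, append_cwd_to_path, path_contains) are assumptions; the Windows calls are guarded with _WIN32 so the PATH helper compiles and runs on any platform.

```c
/* Added example, not Equinox launcher code. Assumed helper names. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#include <direct.h>
#endif

/* Case-insensitive compare of n bytes, as Windows path comparison is. */
static int ieq(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Return 1 if `dir` already appears as a whole entry of `path`
 * (entries separated by `sep`), 0 otherwise. */
int path_contains(const char *path, const char *dir, char sep) {
    size_t dlen = strlen(dir);
    const char *p = path;
    while (*p) {
        const char *end = strchr(p, sep);
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == dlen && ieq(p, dir, dlen))
            return 1;
        if (!end)
            break;
        p = end + 1;
    }
    return 0;
}

/* Build the new PATH value in `out`: the original `path`, then `cwd` at the
 * END unless it is already present. Putting it last keeps the system
 * directories ahead of the cwd for the child process's DLL search.
 * Returns the length written (excluding NUL) or -1 if `out` is too small. */
int append_cwd_to_path(const char *path, const char *cwd, char sep,
                       char *out, size_t outlen) {
    int n;
    if (path_contains(path, cwd, sep))
        n = snprintf(out, outlen, "%s", path);
    else if (path[0] == '\0')
        n = snprintf(out, outlen, "%s", cwd);
    else
        n = snprintf(out, outlen, "%s%c%s", path, sep, cwd);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

/* Apply both mitigations in the launcher process before forking the JVM.
 * Returns 0 on success, -1 on failure. On non-Windows builds this is a
 * no-op returning 0: the cwd-before-system search order is Windows specific. */
int harden_dll_search(void) {
#ifdef _WIN32
    char cwd[MAX_PATH];
    char newpath[32767]; /* maximum size of one environment variable */
    const char *path;
    /* 1. Drop the cwd from this process's LoadLibrary search order. */
    if (!SetDllDirectoryA(""))
        return -1;
    /* 2. The forked JVM does not inherit SetDllDirectory, so give it the
     *    cwd at the end of PATH instead (comment 3's approach). */
    if (!_getcwd(cwd, sizeof cwd))
        return -1;
    path = getenv("PATH");
    if (!path)
        path = "";
    if (append_cwd_to_path(path, cwd, ';', newpath, sizeof newpath) < 0)
        return -1;
    if (_putenv_s("PATH", newpath) != 0)
        return -1;
#endif
    return 0;
}

int main(void) {
    char out[256];
    /* Constructed sample PATH for demonstration. */
    const char *path = "C:\\Windows\\system32;C:\\Windows";
    if (append_cwd_to_path(path, "C:\\work", ';', out, sizeof out) >= 0)
        printf("PATH=%s\n", out);
    return harden_dll_search() == 0 ? 0 : 1;
}
```

Note that SetDllDirectory only changes the calling process, which is exactly why comment 1 found no effect on the forked JVM; the PATH change is what reaches the child, and the search still prefers the application and system directories over that trailing entry.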
Comment 4 Andrew Niefer CLA 2011-01-11 10:14:56 EST
Patch was released to 3.6.2