Bug 325886 - DLL hijacking exploit
Summary: DLL hijacking exploit
Status: RESOLVED FIXED
Alias: None
Product: Equinox
Classification: Eclipse Project
Component: Framework
Version: 3.3.1
Hardware: PC All
Importance: P3 normal
Target Milestone: 3.4.2+
Assignee: equinox.framework-inbox
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on: 325294
Blocks:
Reported: 2010-09-21 14:18 EDT by Andrew Niefer
Modified: 2011-04-08 14:45 EDT
CC: 8 users
See Also:
Flags: tjwatson: review+


Attachments
patch against 34x branch (34.12 KB, patch) - 2010-09-21 17:03 EDT, Andrew Niefer
build script changes for compiling on win32 (1.58 KB, patch) - 2010-09-21 17:04 EDT, Andrew Niefer
patch against 34x branch (w/o whitespace changes) (2.78 KB, patch) - 2010-09-21 17:32 EDT, Andrew Niefer

Description Andrew Niefer 2010-09-21 14:18:28 EDT
+++ This bug was initially created as a clone of Bug #325294 +++

An Eclipse-based application can be hijacked during launch by placing a DLL file in the working directory when the application is launched. If the DLL matches the filename of the eclipse companion shared library, it will be invoked instead of the real DLL. This is particularly damaging for applications that associate file types with the executable. For details see:

http://securityreason.com/wlb_show/WLB-2010090065
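The description above explains the root cause: the launcher asks the dynamic loader for its companion library by bare file name, and on Windows the loader's search order includes the working directory, so a same-named file placed there (for example next to a document opened through a file-type association) wins. The defensive fix is to never hand the loader a bare name at all and instead build an absolute path rooted at the executable's own install directory. The following is an added illustration of that check, written for this page and not taken from the Equinox launcher patch attached to the bug; the function names, the `eclipse_1234.so` / `eclipse_1234.dll` sample library names and the sample paths are constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Equinox launcher code. Resolve the companion library
 * to an absolute path inside the executable's own directory so that the
 * dynamic loader (LoadLibrary on Windows, dlopen on POSIX) is never given
 * a bare name that it would look up through its search order, which on
 * Windows includes the current working directory. Both '/' and '\\' are
 * accepted as separators so the same check covers both platforms. */

static int is_sep(char c) { return c == '/' || c == '\\'; }

/* Absolute means "/..." or "\\server\share" on POSIX/UNC, or "C:\..." on Windows. */
static int is_absolute(const char *p)
{
    if (is_sep(p[0])) return 1;
    if (isalpha((unsigned char)p[0]) && p[1] == ':' && is_sep(p[2])) return 1;
    return 0;
}

/* Writes "<dir of exe_path><sep><lib_name>" into out.
 * Returns 0 on success, -1 when the inputs would let the lookup escape the
 * install directory: relative executable path, empty or separator-containing
 * library name, "." / "..", or an output buffer that is too small. */
int resolve_companion_lib(const char *exe_path, const char *lib_name,
                          char *out, size_t out_len)
{
    if (!exe_path || !lib_name || !out || out_len == 0 || !*lib_name) return -1;
    if (!is_absolute(exe_path)) return -1;      /* relative => resolved against CWD */
    for (const char *p = lib_name; *p; ++p)     /* bare file name only */
        if (is_sep(*p)) return -1;
    if (strcmp(lib_name, ".") == 0 || strcmp(lib_name, "..") == 0) return -1;

    const char *last = NULL;                    /* last separator = end of dir part */
    for (const char *p = exe_path; *p; ++p)
        if (is_sep(*p)) last = p;
    if (!last) return -1;

    size_t dir_len = (size_t)(last - exe_path) + 1;   /* keep the separator */
    size_t lib_len = strlen(lib_name);
    if (dir_len + lib_len + 1 > out_len) return -1;
    memcpy(out, exe_path, dir_len);
    memcpy(out + dir_len, lib_name, lib_len + 1);     /* includes the NUL */
    return 0;
}

/* Convenience predicate: 1 if resolution succeeds and yields `expected`. */
int resolves_to(const char *exe_path, const char *lib_name, const char *expected)
{
    char buf[512];
    if (resolve_companion_lib(exe_path, lib_name, buf, sizeof buf) != 0) return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    char buf[512];
    /* Constructed sample: an install under /opt/eclipse with its companion library. */
    if (resolve_companion_lib("/opt/eclipse/eclipse", "eclipse_1234.so", buf, sizeof buf) == 0)
        printf("load from: %s\n", buf);           /* pass this absolute path to dlopen */
    /* A name that would steer the lookup elsewhere is refused outright. */
    if (resolve_companion_lib("/opt/eclipse/eclipse", "../eclipse_1234.so", buf, sizeof buf) != 0)
        printf("refused unsafe library name\n");
    return 0;
}
```

The executable path itself must come from the OS (for example `GetModuleFileName` on Windows or `/proc/self/exe` on Linux), not from `argv[0]`, which is caller-controlled and may be relative; the function deliberately rejects a relative executable path for that reason.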
Comment 1 Andrew Niefer 2010-09-21 17:03:03 EDT
Created attachment 179342
patch against 34x branch
Comment 2 Andrew Niefer 2010-09-21 17:04:20 EDT
Created attachment 179343
build script changes for compiling on win32
Comment 3 Andrew Niefer 2010-09-21 17:32:54 EDT
Created attachment 179346
patch against 34x branch (w/o whitespace changes)
Comment 4 Andrew Niefer 2010-09-22 11:47:57 EDT
I have reproduced all three of the shared library, vm and library.jar attacks on linux.gtk.x86 and have confirmed that this patch fixes them.
Comment 5 Andrew Niefer 2010-09-22 17:06:21 EDT
Binaries are recompiled and released.  Tagged as R34x_20100922
Comment 6 Thomas Watson 2010-09-22 17:23:04 EDT
(In reply to comment #5)
> Binaries are recompiled and released.  Tagged as R34x_20100922

The map file indicates R34x_v20100922 tag was used (with a 'v').
Comment 7 Andrew Niefer 2010-09-22 17:46:27 EDT
Yes, sorry, the tag contains a 'v', this was just a typo in the comment here.
Comment 8 John Arthorne 2011-04-08 14:45:11 EDT
Removing security advisories group. The fix is available in 3.6.2, and the exploit is already public anyway (see comment #0).