The clang-linker-wrapper.exe executable in LLVM versions from 15.0.0 to 19.1.1, when invoked, attempts to load an executable named ".exe" even though the invocation does not request it. This opens up the possibility of a binary executable injection vulnerability.
The reproducer is straightforward:
cp C:\Windows\System32\calc.exe .exe
clang-linker-wrapper.exe
after which the Windows calculator will be spawned.
Impact
An attacker who can smuggle an executable into the current working directory (CWD) and can trigger an invocation of clang-linker-wrapper.exe can use this exploit to run arbitrary untrusted code, violating confidentiality, integrity and availability. This will most impact developers who are running open source CI/CD systems, as an attacker may leverage this exploit to establish a foothold on their systems.
Systems other than Windows are not impacted.
Patches
The fix for the issue is provided in patch llvm/llvm-project#113613, which was merged on October 25th, 2024. The patch is included in LLVM releases from version 20.1.0 onward.
Workarounds
Security-conscious users may ensure that no unnecessary binaries are present when running validation jobs in CI/CD systems.
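One way to apply this workaround as a pre-build gate in CI, shown as an added example that is not part of the advisory or of LLVM: it fails the job if a file named ".exe" is in the workspace, reports other Windows executables that are not on an allowlist, and warns when the toolchain predates the fixed release. The function names, the allowlist parameter and the command-line usage are assumptions, and the scan covers the whole workspace tree rather than only the CWD.

```python
import os
import re
import sys

# Added example; names are illustrative. The advisory lists 15.0.0 to 19.1.1 as
# affected and 20.1.0 as the first fixed release; versions in between are
# treated as unfixed here (a conservative assumption).
FIRST_AFFECTED, FIRST_FIXED = (15, 0, 0), (20, 1, 0)

def parse_version(text):
    """Pull (major, minor, patch) out of text such as `clang --version` output."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no x.y.z version found in: %r" % text)
    return tuple(int(part) for part in m.groups())

def is_affected(version_text):
    return FIRST_AFFECTED <= parse_version(version_text) < FIRST_FIXED

def is_pe(path):
    """True if the file starts with the 'MZ' magic used by Windows executables."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False

def scan_workspace(root, allowlist=()):
    """Return (empty_stem, unexpected): relative paths of files named '.exe'
    in any case, and of other PE files that are not on the allowlist."""
    allowed = {os.path.normcase(os.path.normpath(p)) for p in allowlist}
    empty_stem, unexpected = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.normcase(os.path.relpath(path, root))
            if name.lower() == ".exe":
                empty_stem.append(rel)
            elif is_pe(path) and rel not in allowed:
                unexpected.append(rel)
    return sorted(empty_stem), sorted(unexpected)

if __name__ == "__main__":
    empty_stem, unexpected = scan_workspace(sys.argv[1])
    for rel in empty_stem:
        print("BLOCK: file named '.exe' found:", rel)
    for rel in unexpected:
        print("WARN: unexpected executable:", rel)
    if len(sys.argv) > 2 and is_affected(sys.argv[2]):
        print("WARN: LLVM predates the fixed release; upgrade to 20.1.0 or later")
    sys.exit(1 if empty_stem else 0)
```

Run it with the workspace path and, optionally, the text printed by `clang --version`; a non-zero exit status means a file named ".exe" was found and the job should stop before any LLVM tool is invoked.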