Mozilla Firefox / Thunderbird DLL Hijacking

2016.04.30
Credit: Stefan Kanthak
Risk: Medium
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

Hi @ll despite better knowledge and MULTIPLE bug/vulnerability reports (see <https://bugzilla.mozilla.org/show_bug.cgi?id=811557>, <https://bugzilla.mozilla.org/show_bug.cgi?id=809373>, <https://bugzilla.mozilla.org/show_bug.cgi?id=579593>, ...) Mozilla continues to ship Firefox and Thunderbird for Windows with a vulnerable executable installer. Proof of concept/demonstration: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1. visit <http://home.arcor.de/skanthak/sentinel.html>, download <http://home.arcor.de/skanthak/download/SENTINEL.DLL> and save it as ShimEng.dll in your "Downloads" folder, then copy it as WinMM.dll, SetupAPI.dll, MSACM32.dll, UXTheme.dll, DWMAPI.dll, ShFolder.dll, RichEd20.dll, ClbCatQ.dll, COMRes.dll, Version.dll, SAMCli.dll, SFC.dll, SFC_OS.dll, UserEnv.dll, ProfAPI.dll, MPR.dll, NTMarta.dll, Secur32.dll and CryptSP.dll 2. download any full-package installer for Firefox or Thunderbird from <https://ftp.mozilla.org/pub/firefox/releases/.../win32/...> or <https://ftp.mozilla.org/pub/thunderbird/releases/.../win32/...> (these are self-extractors built with 7-zip) 3. extract setup.exe from the downloaded self-extractor and save it in your "Downloads" folder, for example using the command line 7za.exe x <self-extractor> setup.exe (or start the downloaded self-extractor, find the temporary subdirectory 7z*.tmp it created below %TEMP% and copy setup.exe from this subdirectory to your "Downloads" folder) 4. execute the extracted/copied setup.exe and notice the message boxes displayed from the DLL(s) downloaded in step 1: PWNED! See <https://cwe.mitre.org/data/definitions/426.html>, <https://cwe.mitre.org/data/definitions/427.html> plus <https://capec.mitre.org/data/definitions/471.html> for the well-known and well-documented DLL search path vulnerability. Mitigation: ~~~~~~~~~~~ Stay away from Mozilla's crapware until Mozilla starts to develop a sense for the basics of software engineering as well as the safety and security of their users^Wvictims: the authors of the 3rd party installer fixed these vulnerabilities about 4 months ago! JFTR: the vulnerable executable installer is not the only outdated 3rd party component used to build Firefox and Thunderbird! Mozilla even uses different versions of this vulnerable executable installer for Firefox and Firefox ESR. See <https://www.firegiant.com/blog/2016/1/20/wix-v3.10.2-released/> why you should NEVER name any executable (installer) setup.exe! stay tuned Stefan Kanthak PS: Mozilla fixed the same vulnerabilities in their executable self- extractor long ago (see for example <https://bugzilla.mozilla.org/show_bug.cgi?id=792106> or <https://bugzilla.mozilla.org/show_bug.cgi?id=883165>), but apparently did not send their fixes to the author of this tool.


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top