Closed Bug 1283794 Opened 5 years ago Closed 5 years ago

Multiple DLLs used by TB at startup are vulnerable to DLL preloading attacks

Categories

(Thunderbird :: Security, defect)

45 Branch
x86_64
Windows 10
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 579593

People

(Reporter: chris, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux i686; rv:41.0) Gecko/20100101 Firefox/41.0

Steps to reproduce:

Identified which DLLs are utilized by TB, performed a DLL preloading attack on each of the identified DLLs to determine which of the used DLLs were susceptible to preloading attacks. Verified if my test malicious DLL was loaded when executing FF.

The DLLs susceptible to preloading attacks are: dwmapi.dll, dwrite.dll, dbghelp.dll, dbgcore.DLL, Dnsapi.dll, mscms.dll, dcomp.dll, AUDIOSES.DLL

To replicate, place a malicious DLL (the test DLL was a DLL which opened Calc.exe) in the directory of thunderbird.exe and rename the DLL to any of the above-mentioned DLLs, and the malicious DLL will be executed when thunderbird.exe is executed.


Actual results:

8 DLLs utilized by TB are vulnerable to DLL preloading attacks and can be successfully exploited such that the malicious DLL is executed by TB when started.


Expected results:

The expected results were that my malicious DLL was executed when applying a preloading attack to the identified DLLs mentioned above.
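
A defender-side check for the condition the report describes, as an added example that is not part of the original bug report or of Mozilla's code: it lists files in an application directory whose names match the reported DLLs case-insensitively and notes whether a same-named copy exists in the system directory. The function names, the directory arguments and the sample files are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

# DLL names as listed in the report (Windows file names are case-insensitive).
REPORTED_DLLS = ["dwmapi.dll", "dwrite.dll", "dbghelp.dll", "dbgcore.DLL",
                 "Dnsapi.dll", "mscms.dll", "dcomp.dll", "AUDIOSES.DLL"]


def _files_by_lower_name(directory):
    """Map lower-cased file name -> path for regular files in one directory."""
    return {e.name.lower(): e.path for e in os.scandir(directory)
            if e.is_file(follow_symlinks=False)}


def find_shadowing_dlls(app_dir, system_dir, watch=REPORTED_DLLS):
    """Return one finding per watched DLL name found beside the executable."""
    app_files = _files_by_lower_name(app_dir)
    sys_files = _files_by_lower_name(system_dir)
    findings = []
    for name in sorted({w.lower() for w in watch}):
        path = app_files.get(name)
        if path is None:
            continue
        with open(path, "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
        findings.append({
            "name": name,
            "path": path,
            "sha256": digest,  # compare against the vendor's known-good hash
            # True when a system copy exists that the local file would pre-empt.
            "shadows_system_copy": name in sys_files,
        })
    return findings


def demo():
    """Constructed sample: a fake install dir and fake System32, no real DLLs."""
    with tempfile.TemporaryDirectory() as root:
        app, sysdir = os.path.join(root, "app"), os.path.join(root, "System32")
        os.makedirs(app)
        os.makedirs(sysdir)
        for n in ("thunderbird.exe", "xul.dll", "DWMAPI.DLL", "dbghelp.dll"):
            with open(os.path.join(app, n), "wb") as fh:
                fh.write(b"constructed sample")
        for n in ("dwmapi.dll", "dnsapi.dll"):
            with open(os.path.join(sysdir, n), "wb") as fh:
                fh.write(b"constructed system copy")
        return find_shadowing_dlls(app, sysdir)
```

On a real host, pass the install directory and `%SystemRoot%\System32`; a hit is a prompt to check the file's signature and origin, since an application can legitimately ship its own copy of a DLL.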
OS: Unspecified → Windows 10
Hardware: Unspecified → x86_64
Component: Untriaged → Security
Whiteboard: [dupme]
actually, bug 579593
Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE
Whiteboard: [dupme]
Duplicate of bug: CVE-2010-3131
Hi there,

Any insight as to why the 8 mentioned DLLs are preloadable?
Group: mail-core-security