Closed Bug 1314108 Opened 3 years ago Closed 3 years ago

Firefox and Thunderbird will load any DLL listed in dependentlibs.list automatically

Categories

(Core :: Security, defect, major)

Windows

RESOLVED WONTFIX

People

(Reporter: avi3k3, Unassigned)

Details

you can manually/programmatically copy a DLL to FF/TB, edit dependentlibs.list and add it to the list with just the filename, no path.
when opening FF, it will load that DLL (even if it's not signed by Mozilla or Microsoft).

this means that anyone can change the list and inject spyware/adware into FF/TB
(was tested on Windows only, but could potentially be exploitable on Linux and macOS as well)


example code:
#define WIN32_LEAN_AND_MEAN
#include <Windows.h>
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
   MessageBoxW(NULL, L"If you see this message, you can inject any DLL into Firefox and Thunderbird", L"Firefox/Thunderbird hacked", MB_OK);
   return TRUE;
}


after building the DLL, copying it to FF/TB folder and adding to dependentlibs.list, you will see the message box when it's loaded/unloaded to FF/TB

We may be removing dependentlibs.list. However, it should not be surprising that if you modify the Firefox installation directory you can inject things (there are many potential ways to do this).
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Resolution: --- → WONTFIX
(In reply to Benjamin Smedberg [:bsmedberg] from comment #1)
> We may be removing dependentlibs.list. However, it should not be surprising
> that if you modify the Firefox installation directory you can inject things
> (there are many potential ways to do this).

ok, but the fact that it's possible means you should work on fixing the bug, not ignoring it,
especially if you're not 100% sure you're removing dependentlibs.list...
this is a very simple attack that could easily go unnoticed
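
For defenders who want to notice this kind of change, the following audit script is an added example and is not part of the original bug report or Mozilla's code. It assumes dependentlibs.list holds one bare file name per line, that the install path shown is a placeholder for your own, and that legitimate entries carry a valid Authenticode signature whose subject contains one of the two listed organization strings.

```powershell
# Added example: audit every library named in dependentlibs.list.
# Assumptions: one bare file name per line; the default install path and the
# trusted signer strings below are placeholders to adjust for your environment.
param(
    [string]$InstallDir = 'C:\Program Files\Mozilla Firefox',
    [string[]]$TrustedSigners = @('O=Mozilla Corporation', 'O=Microsoft Corporation')
)

$listPath = Join-Path $InstallDir 'dependentlibs.list'
if (-not (Test-Path -LiteralPath $listPath -PathType Leaf)) {
    throw "dependentlibs.list not found in $InstallDir"
}

$findings = foreach ($line in Get-Content -LiteralPath $listPath) {
    $name = $line.Trim()
    if ($name -eq '') { continue }

    $reason = $null
    # Entries are expected to be bare file names; flag anything with a path component.
    if ($name -ne [IO.Path]::GetFileName($name)) {
        $reason = 'entry contains a path'
    }
    else {
        $file = Join-Path $InstallDir $name
        if (-not (Test-Path -LiteralPath $file -PathType Leaf)) {
            $reason = 'listed file is missing'
        }
        else {
            # Check both that the signature verifies and who the signer is.
            $sig = Get-AuthenticodeSignature -LiteralPath $file
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            if ($sig.Status -ne 'Valid') {
                $reason = "signature status: $($sig.Status)"
            }
            elseif (-not ($TrustedSigners | Where-Object { $subject -like "*$_*" })) {
                $reason = "unexpected signer: $subject"
            }
        }
    }
    if ($reason) { [pscustomobject]@{ Entry = $name; Reason = $reason } }
}

$findings | Format-Table -AutoSize
if ($findings) { exit 1 }   # non-zero exit lets a scheduled task or monitoring agent alert
```

The script only covers libraries named in dependentlibs.list; it does not detect other modifications to the installation directory.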