Enable PROCESS_MITIGATION_IMAGE_LOAD_POLICY

RESOLVED FIXED in Firefox 57

Status: RESOLVED FIXED
Type: defect
Priority: P3
Severity: normal
Reported: 3 years ago
Modified: 2 years ago

People: Reporter: tjr, Assigned: bobowen

Tracking: Blocks 2 bugs
Version: Trunk
Target Milestone: mozilla57
Points: ---

Firefox Tracking Flags: firefox52 wontfix, firefox57 fixed

Whiteboard: [sb+][tpi:+]

Attachments: 2 attachments

NoRemoteImages is a setting that will prevent LoadLibrary from being called with a library on a UNC share.  It's a common exploitation technique to do this with an internet-facing UNC share to achieve code execution.

https://msdn.microsoft.com/en-us/library/windows/desktop/mt706245(v=vs.85).aspx

While this setting is often used in the context of a sandbox, I can't think of a reason not to enable it on Firefox itself and gain some security before the sandbox comes into play.

I believe this would break if Firefox is run from a UNC share, but it should be simple to detect if that is the case, and then simply not enable it in that case.
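As an added illustration of the mitigation and of the "skip it when we run from a share" check described in this report (this is example code written for this page, not code from Firefox, the Chromium sandbox, or the attached patches): the block below sets PROCESS_MITIGATION_IMAGE_LOAD_POLICY on the calling process with NoRemoteImages and NoLowMandatoryLabelImages, but first checks whether the executable's own path is remote. The function names, the result codes and the UNC-prefix heuristic are assumptions made for the example; it goes slightly beyond the report by also treating a mapped network drive (Z:\...) as remote via GetDriveType on Windows, since that would break in the same way as a UNC path. The SetProcessMitigationPolicy call needs a Windows 10 SDK (10.0.10586.0 or later, as noted later in this bug); the path checks compile anywhere.

```c
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#ifndef _WIN32_WINNT
#define _WIN32_WINNT 0x0A00 /* target Windows 10; ProcessImageLoadPolicy needs SDK >= 10.0.10586.0 */
#endif
#include <windows.h>
#endif

/* Outcomes of apply_image_load_policy() (names are this example's own). */
enum image_load_result {
    IMAGE_LOAD_POLICY_APPLIED = 0,
    IMAGE_LOAD_POLICY_SKIPPED_REMOTE = 1, /* executable lives on a share: enabling it would break us */
    IMAGE_LOAD_POLICY_UNSUPPORTED = 2,    /* not built for Windows 10 (or not Windows at all) */
    IMAGE_LOAD_POLICY_FAILED = 3          /* SetProcessMitigationPolicy refused */
};

const char *image_load_result_name(int rc)
{
    switch (rc) {
    case IMAGE_LOAD_POLICY_APPLIED:        return "applied";
    case IMAGE_LOAD_POLICY_SKIPPED_REMOTE: return "skipped (executable is on a remote share)";
    case IMAGE_LOAD_POLICY_UNSUPPORTED:    return "unsupported on this build";
    default:                               return "failed";
    }
}

/* 1 if path is a UNC path: \\server\share\... or the extended-length
 * \\?\UNC\server\share\... form. Either slash is accepted. \\?\C:\... and
 * the \\.\ device namespace are local and return 0. Short-circuit
 * evaluation keeps every index read inside the string. */
int is_unc_path(const char *path)
{
    if (path == NULL || strlen(path) < 2) return 0;
    if (!(path[0] == '\\' || path[0] == '/') || !(path[1] == '\\' || path[1] == '/')) return 0;
    if (path[2] == '?' && (path[3] == '\\' || path[3] == '/')) {
        return (path[4] == 'U' || path[4] == 'u') && (path[5] == 'N' || path[5] == 'n') &&
               (path[6] == 'C' || path[6] == 'c') && (path[7] == '\\' || path[7] == '/');
    }
    if (path[2] == '.' && (path[3] == '\\' || path[3] == '/')) return 0;
    return 1;
}

/* A drive-letter path can still be remote (a mapped drive such as Z:\),
 * which only the OS can tell us; on Windows we ask GetDriveType. */
int exe_is_remote(const char *exe_path)
{
    if (is_unc_path(exe_path)) return 1;
#ifdef _WIN32
    if (exe_path != NULL && strlen(exe_path) >= 3 && exe_path[1] == ':') {
        char root[4] = { exe_path[0], ':', '\\', '\0' };
        if (GetDriveTypeA(root) == DRIVE_REMOTE) return 1;
    }
#endif
    return 0;
}

/* Turn on NoRemoteImages and NoLowMandatoryLabelImages for the calling
 * process, unless the executable itself would be blocked by the policy. */
int apply_image_load_policy(const char *exe_path)
{
    if (exe_is_remote(exe_path)) return IMAGE_LOAD_POLICY_SKIPPED_REMOTE;
#if defined(_WIN32) && _WIN32_WINNT >= 0x0A00
    PROCESS_MITIGATION_IMAGE_LOAD_POLICY policy;
    memset(&policy, 0, sizeof policy);
    policy.NoRemoteImages = 1;            /* loader refuses images on remote devices / UNC shares */
    policy.NoLowMandatoryLabelImages = 1; /* loader refuses images carrying a low integrity label */
    if (!SetProcessMitigationPolicy(ProcessImageLoadPolicy, &policy, sizeof policy))
        return IMAGE_LOAD_POLICY_FAILED;
    return IMAGE_LOAD_POLICY_APPLIED;
#else
    return IMAGE_LOAD_POLICY_UNSUPPORTED;
#endif
}

int main(int argc, char **argv)
{
    char path[1024] = "";
#ifdef _WIN32
    (void)argc; (void)argv;
    GetModuleFileNameA(NULL, path, sizeof path); /* the running executable's own path */
#else
    /* Off Windows there is nothing to apply; take a constructed path from argv for a dry run. */
    if (argc > 1) strncpy(path, argv[1], sizeof path - 1);
#endif
    int rc = apply_image_load_policy(path);
    printf("image load policy for \"%s\": %s\n", path, image_load_result_name(rc));
    return rc == IMAGE_LOAD_POLICY_FAILED ? 1 : 0;
}
```

The check must run before the policy is applied: once NoRemoteImages is on, any later LoadLibrary of a module sitting on a share is refused by the loader, so a process started from a share would fail on its own DLLs. Applying the policy at startup, before the sandbox is set up, is what gives the parent process the protection the report asks for.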
Priority: -- → P3
Whiteboard: [sb?][tpi:+]
Blocks: injecteject
Whiteboard: [sb?][tpi:+] → [sb+][tpi:+]
Mass wontfix for bugs affecting firefox 52.
Flags: needinfo?(bobowencode)
Assignee: nobody → bobowencode
Depends on: 1377555
Flags: needinfo?(bobowencode)
Ah now I remember that I had to #if out this support in the chromium sandbox, because of issues we had with relying on the Win10 SDK that is needed to support this (see bug 1337331 comment 24 and onwards).

I'm hoping that things have improved there, because I think something similar was blocking us from building with MSVS2017.
It looks like we now do pick up the Win10 SDK correctly, so hopefully we can move to requiring at least v10.0.10586.0, which is when these new bits were added.

I'll file a separate bug for that to block this one.
Depends on: 1380609
Depends on: 1380611
No longer depends on: 1380611
(In reply to Bob Owen (:bobowen) from comment #6)
> Part 2: Enable MITIGATION_IMAGE_LOAD_NO_LOW_LABEL and
> MITIGATION_IMAGE_LOAD_NO_REMOTE on Windows content sandbox

Doesn't it prevent Firefox from launching from a network share?
(In reply to Masatoshi Kimura [:emk] from comment #7)
> (In reply to Bob Owen (:bobowen) from comment #6)
> > Part 2: Enable MITIGATION_IMAGE_LOAD_NO_LOW_LABEL and
> > MITIGATION_IMAGE_LOAD_NO_REMOTE on Windows content sandbox
> 
> Doesn't it prevent Firefox from launching from a network share?

It doesn't enable it in that case.
Attachment #8906565 - Flags: review?(jmathies) → review+
Attachment #8906566 - Flags: review?(jmathies) → review+
Pushed by bobowencode@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/aaf411b9d99f
Part 1: Compile chromium sandbox features that require at least UCRT SDK version 10.0.10586.0. r=jimm
https://hg.mozilla.org/integration/mozilla-inbound/rev/ac48944bf3c6
Part 2: Enable MITIGATION_IMAGE_LOAD_NO_LOW_LABEL and MITIGATION_IMAGE_LOAD_NO_REMOTE on Windows content sandbox. r=jimm
https://hg.mozilla.org/mozilla-central/rev/aaf411b9d99f
https://hg.mozilla.org/mozilla-central/rev/ac48944bf3c6
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla57
With Windows SDK 10.0.14393.33, which according to https://en.wikipedia.org/wiki/Microsoft_Windows_SDK is more recent than 10.0.10586.0, I'm getting:

c:/mozilla-source/comm-central/mozilla/security/sandbox/chromium/sandbox/win/src/process_mitigations.cc(157): error C2065: 'PROCESS_MITIGATION_FONT_DISABLE_POLICY': undeclared identifier

I grepped for PROCESS_MITIGATION_FONT_DISABLE_POLICY in C:\Program Files (x86)\Windows Kits\10 in *.h files and it's not there.

In C:\Program Files (x86)\Windows Kits\10\Include I only see 10.0.10150.0 and 10.0.10240.0.

Any hints would be welcome.
Flags: needinfo?(bobowencode)
(In reply to Jorg K (GMT+2) from comment #11)
> With Windows SDK 10.0.14393.33 which according to
> https://en.wikipedia.org/wiki/Microsoft_Windows_SDK is more recent than
> 10.0.10586.0 I'm getting:
> 
> c:/mozilla-source/comm-central/mozilla/security/sandbox/chromium/sandbox/win/
> src/process_mitigations.cc(157): error C2065:
> 'PROCESS_MITIGATION_FONT_DISABLE_POLICY': undeclared identifier 
> 
> I grepped for PROCESS_MITIGATION_FONT_DISABLE_POLICY in C:\Program Files
> (x86)\Windows Kits\10 in *.h files and it's not there.
> 
> In C:\Program Files (x86)\Windows Kits\10\Include I only see 10.0.10150.0
> and 10.0.10240.0.
> 
> Any hints would be welcome.

It would seem that it hasn't installed properly then; you should have a 10.0.14393.0 dir there, I believe.
Flags: needinfo?(bobowencode)
Yes, I reinstalled the Windows SDK 10.0.14393.795 and got that directory now. Thank you.
Depends on: 1423296
Blocks: 1426417
Blocks: 1435794
No longer blocks: injecteject