1320273 - DLL Hijacking - Firefox installer on Windows 7

Status: RESOLVED DUPLICATE of bug 1361326

(Firefox :: Installer, defect)

Description

[EIRI MASAMI]

Attachment: fake trojan DLL. Show the msg, no harm.

+++ This bug is recurrence of Bug #883165 and Bug #811557 and Bug #792106 +++

Windows 7 64-bit
Firefox/50.0

Steps to reproduce:

1.The attacker will let the target download the trojan DLL named "RpcRtRemote.dll" or "dwmapi.dll".
2.The Target download the Installer of Firefox or Thunderbird .
3.When the user runs Setup, arbitrary code is executed.

Actual results:

Arbitrary code is executed with the authority of the user who executed setup.

Expected results:

The installer should not load the trojan dll.

Comment 1

[EIRI MASAMI]

I investigated Windows Vista(32bit), 7(64bit), 8.1(64bit), 10(64bit) using sysinternals Process Monitor, but only Windows 7 could be exploited.

Fortunately, these DLLs were called before the installer escalated privileges.

I hope that there is no need to explain that this is a vulnerability.

Comment 2

[EIRI MASAMI]

I made a mistake. Correctly "RpcRtRemote.dll" or "CRYPTSP.dll""RpcRtRemote.dll" or "dwmapi.dll" are incorrect.

Comment 3

[EIRI MASAMI]

Attachment: bug1320273.diff

I wrote a patch, but I can not create a binary with VC6. Would you please take over someone else?

This is a provisional response. It is foolish to repeat the test every time a new OS or service pack comes out. More fundamental modification is necessary.

Actually, similar bugs have been fixed in 7-zip 16.03. 
https://sourceforge.net/p/sevenzip/discussion/45797/thread/b6a10dbd/?limit=25&page=0

However, what is used in the mozilla project is 7-zip 4.42 source codes about 10 years ago!(So VC6 is required)

We must continuously incorporate the safe and new code of 7-zip into mozilla's project. Otherwise we will need to keep listing up un-KnownDLLs.

Comment 4

[Robert Strong (they/them - no direct email)]

Note to self and Matt, the 7-Zip self-extracting archive doesn't run elevated.

Comment 5

[Robert Strong (they/them - no direct email)]

Also see bug 861012.

Comment 6

[EIRI MASAMI]

(In reply to Robert Strong [:rstrong] (use needinfo to contact me) from comment #5)
> Also see bug 861012.

I'm not authorized to access bug 861012. Should We do?

Comment 7

[Robert Strong (they/them - no direct email)]

Shouldn't be necessary

Comment 8

[Molly Howell (she/her) (mostly inactive)]

I wasn't aware that 7-Zip had addressed this themselves. We should be able to backport their fix. I'll try to work on that soon.

Comment 9

[Molly Howell (she/her) (mostly inactive)]

Comment on attachment 8814654 [details] [diff] [review]
bug1320273.diff

I'm r-'ing this patch because I know of at least two more DLL's that need to be included (LPK and WIN32U), but mostly because, as comment 3 points out, just adding more DLL's to that list is not a complete solution. We need to try SetDefaultDllDirectories first.

Comment 10

[EIRI MASAMI]

(In reply to Matt Howell [:mhowell] from comment #8)
> I wasn't aware that 7-Zip had addressed this themselves. We should be able
> to backport their fix. I'll try to work on that soon.

Three months have passed since the last post. Are you sure that you'll try to work on that?

I'm sure that you are busy. If complete solution is difficult right now, I suggest that you release the provisional version witch applied bug1320273.diff and then work over it later.

Comment 11

[EIRI MASAMI]

It seems that this bug has been fixed in Firefox 54.0 by a bug 1361326 that later reported the same problem. Can I ask for an explanation?

Comment 12

[Molly Howell (she/her) (mostly inactive)]

You're right. I apologize for forgetting about this bug instead of updating it bug like I should have, but it was indeed fixed by bug 1361326.

Comment 13

[EIRI MASAMI]

(In reply to Matt Howell [:mhowell] from comment #12)
> You're right. I apologize for forgetting about this bug instead of updating
> it bug like I should have, but it was indeed fixed by bug 1361326.

I got it. I appreciate to the people concerned in bug fix, and then I hope my contribution will be appreciated right. In this case, What if I claim of the bug bounty and the credit?

Comment 14

[Al Billings [:abillings - ex-MoCo]]

If you're interested in claiming a bounty, in the future, please follow the bounty process on our client bounty page at https://www.mozilla.org/en-US/security/client-bug-bounty/ and email security@mozilla.org with your bounty request. We don't take bounty requests in bugs as a matter of course because we don't normally see them. You're lucky that I randomly came across your request here.

Comment 15

[EIRI MASAMI]

(In reply to Al Billings [:abillings] from comment #14)
> If you're interested in claiming a bounty, in the future, please follow the
> bounty process on our client bounty page at
> https://www.mozilla.org/en-US/security/client-bug-bounty/ and email
> security@mozilla.org with your bounty request. We don't take bounty requests
> in bugs as a matter of course because we don't normally see them. You're
> lucky that I randomly came across your request here.

Oh, thank you. I'll follow it soon.