Closed Bug 1361328 Opened 4 years ago Closed 4 years ago
Dll hijack Mozilla Thunderbird
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.81 Safari/537.36

Steps to reproduce:

1. Create a malicious BCRYPT.dll file and save it in your "Downloads" directory.
2. Download 'Thunderbird Setup 52.1.0.exe' and save it in your "Downloads" directory.
3. Execute 'Thunderbird Setup 52.1.0.exe' from your "Downloads" directory.
4. Malicious dll file gets executed.

Actual results:

trojan DLL loads cmd.exe and alert the dialog

Expected results:

DLL file on a Windows computer is placed in the default downloads directory with the Thunderbird installer, the Thunderbird installer will load this DLL when it is launched. In circumstances where the installer is run by an administrator privileged account, this allows for the downloaded DLL file to be run with administrator privileges. This can lead to arbitrary code execution from a privileged account.
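An added example, not part of the bug report or of Mozilla's fix: a defender-side check for the condition described above, a DLL that sits beside an executable and carries the name of a system DLL. The function names and the constructed demo folders are assumptions for illustration.

```python
import os
import tempfile


def dll_names(directory):
    """Lower-cased names of the .dll files directly inside `directory`."""
    return {e.name.lower() for e in os.scandir(directory)
            if e.is_file() and e.name.lower().endswith(".dll")}


def find_shadowing_dlls(scan_dir, system_dir):
    """Return (dll, [executables]) pairs for every file in scan_dir that
    shares its name (case-insensitively, as on Windows) with a DLL in
    system_dir and sits beside at least one .exe."""
    system = dll_names(system_dir)
    files = [e.name for e in os.scandir(scan_dir) if e.is_file()]
    exes = sorted(f for f in files if f.lower().endswith(".exe"))
    if not exes:
        return []  # nothing in this folder would be launched from here
    return [(f, exes) for f in sorted(files) if f.lower() in system]


def demo():
    """Scan a constructed Downloads folder against a constructed System32."""
    with tempfile.TemporaryDirectory() as root:
        downloads = os.path.join(root, "Downloads")
        system32 = os.path.join(root, "System32")
        os.makedirs(downloads)
        os.makedirs(system32)
        # Constructed sample files; all are empty placeholders.
        for name in ("bcrypt.dll", "kernel32.dll"):
            open(os.path.join(system32, name), "w").close()
        for name in ("Thunderbird Setup 52.1.0.exe", "BCRYPT.dll",
                     "notes.txt", "plugin.dll"):
            open(os.path.join(downloads, name), "w").close()
        return find_shadowing_dlls(downloads, system32)


if __name__ == "__main__":
    for dll, exes in demo():
        print(f"{dll} shadows a system DLL next to: {', '.join(exes)}")
```

On a real Windows host, pass the user's Downloads folder as `scan_dir` and `%SystemRoot%\System32` as `system_dir`.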
like bug 579593?
Looks quite the same yes. @yujitounai: so do you see this in Firefox also?
Flags: needinfo?(mkmelin+mozilla) → needinfo?(bogus)
(In reply to Magnus Melin from comment #2)
> Looks quite the same yes.
>
> @yujitounai: so do you see this in Firefox also?

yes
Same installer code as bug 1361326, but not a dupe because the Thunderbird team will have to carry their own copy of whatever patch we can come up with.
(In reply to Daniel Veditz [:dveditz] from comment #4)
> Same installer code as bug 1361326, but not a dupe because the Thunderbird
> team will have to carry their own copy of whatever patch we can come up with.

Can you cc Magnus and me on the bug?
Bump. Wayne, the security fix for Firefox already exists. Please remember to take this into Thunderbird :)
(In reply to Daniel Veditz [:dveditz] from comment #4)
> Same installer code as bug 1361326, but not a dupe because the Thunderbird
> team will have to carry their own copy of whatever patch we can come up with.
Flags: needinfo?(vseerror) → needinfo?(jorgk)
OK, I'll push https://hg.mozilla.org/mozilla-central/rev/f5041969acc7 to our Thunderbird branches. Leaving NI for now.
OK, here we go, landing this for TB, IB and SM:

Trunk, TB 55:
https://hg.mozilla.org/comm-central/rev/d652070a09bec16ccec197734e3e910d6b412008
https://hg.mozilla.org/comm-central/rev/6d4d5b4ab1475ba621025672f9bc36f697dbaada
https://hg.mozilla.org/comm-central/rev/bcf12fa6a5c8c811350a9951cae7b05bd39b87c3

Beta, TB 54:
https://hg.mozilla.org/releases/comm-beta/rev/9adb812956e1907f07dd2853424594d51e5fcfd6
https://hg.mozilla.org/releases/comm-beta/rev/bc4de2303739d0c9735d495424ee405dad16e871
https://hg.mozilla.org/releases/comm-beta/rev/2cc323183f6349c2fcec186dff6d8f33b4edd949

ESR, TB 52:
https://hg.mozilla.org/releases/comm-esr52/rev/98b41bbc09f18b11754005c583e645cf7a9e1f88
https://hg.mozilla.org/releases/comm-esr52/rev/67c31b2682a483a273275dc030ebd7bd5252a3b4
https://hg.mozilla.org/releases/comm-esr52/rev/b7552e5a8cbb44d36362910bf1821e26fe44a215
Setting the bounty flag on request of the reporter. Note that the Firefox bug (bug 1361326) is already marked for bounty consideration, so maybe the bounty folks want to merge those.
Sorry, I didn't properly catch up on email. Thunderbird is no longer part of our bounty program.
Pushed by firstname.lastname@example.org:
https://hg.mozilla.org/comm-central/rev/d17e8e16ec8d
Delay-load DLL's used by the 7-zip self-extractor. r=rstrong DONTBUILD
Just stumbled over this. The SeaMonkey patches in comment 10 for 54 55 (2.51 2.52) were empty. Only esr52 was updated. I pushed corrected patches with the old date but with the current bug number to avoid confusion in bug 1361326.

https://hg.mozilla.org/releases/comm-esr60/rev/504485636e79e4210735a9be409c97c1660c2545