Closed Bug 1361328 Opened 4 years ago Closed 4 years ago

Dll hijack Mozilla Thunderbird

Categories: Thunderbird :: Security, defect
Version: 52 Branch
Type: defect
Priority: Not set
Severity: normal

Tracking: thunderbird_esr52 fixed, thunderbird54 fixed, thunderbird55 fixed
Status: RESOLVED FIXED
Target Milestone: Thunderbird 55.0

People

(Reporter: bogus, Unassigned)

Details

(Keywords: csectype-priv-escalation, sec-high, Whiteboard: local attack)

Attachments (1 file): 42.82 KB, application/zip
Attached file dll.zip
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.81 Safari/537.36

Steps to reproduce:

1. Create a malicious BCRYPT.dll file and save it in your "Downloads" directory.
2. Download 'Thunderbird Setup 52.1.0.exe' and save it in your "Downloads" directory.
3. Execute 'Thunderbird Setup 52.1.0.exe' from your "Downloads" directory.
4. Malicious dll file gets executed.


Actual results:

Trojan DLL loads cmd.exe and pops up an alert dialog.


Expected results:

If a DLL file on a Windows computer is placed in the default downloads directory with the Thunderbird installer, the Thunderbird installer will load this DLL when it is launched. In circumstances where the installer is run by an administrator privileged account, this allows the downloaded DLL file to be run with administrator privileges. This can lead to arbitrary code execution from a privileged account.
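The search-order weakness described above, modelled as an added example (not code from Mozilla or the installer): a constructed directory layout with a planted BCRYPT.dll in Downloads next to the installer, resolved first with the documented default search order (SafeDllSearchMode on) and then with the search restricted to System32. The hardened variant assumes the loader has been restricted to System32 before any delay-loaded import resolves (for example via SetDefaultDllDirectories with LOAD_LIBRARY_SEARCH_SYSTEM32); the bug does not say which mechanism the patch uses, so that is an assumption. It also includes a defender's check for DLLs sitting beside an installer.

```python
"""Model of the DLL search-order hijack behind this bug (added example)."""
from pathlib import PureWindowsPath

SYSTEM32 = r"C:\Windows\System32"

# Constructed filesystem: lowercase full paths. The Downloads copy of
# bcrypt.dll is the planted file from the report; the System32 copy is
# the legitimate one.
FILES = {
    r"c:\users\alice\downloads\thunderbird setup 52.1.0.exe",
    r"c:\users\alice\downloads\bcrypt.dll",   # planted (constructed)
    r"c:\windows\system32\bcrypt.dll",        # legitimate
}


def default_search_order(app_dir, cwd, path_dirs):
    """Documented default order with SafeDllSearchMode enabled:
    application directory first, then the system directories, then CWD
    and PATH. The application directory is why a DLL dropped next to the
    installer wins."""
    return [app_dir, SYSTEM32, r"C:\Windows\System", r"C:\Windows", cwd, *path_dirs]


def resolve_dll(name, search_dirs, files):
    """Return the first path in search_dirs that contains `name`, or None."""
    for d in search_dirs:
        candidate = str(PureWindowsPath(d, name)).lower()
        if candidate in files:
            return candidate
    return None


def vulnerable_load(name="bcrypt.dll", files=FILES):
    """Installer launched from Downloads: the planted DLL is found first."""
    app_dir = r"C:\Users\alice\Downloads"
    return resolve_dll(name, default_search_order(app_dir, app_dir, []), files)


def hardened_load(name="bcrypt.dll", files=FILES):
    """Search restricted to System32 (assumed mitigation, see lead-in):
    the planted copy is never considered."""
    return resolve_dll(name, [SYSTEM32], files)


def planted_dll_candidates(files=FILES):
    """Defender's check: DLLs sharing a directory with an .exe, the
    pattern from this report. Matches are candidates to review, not proof."""
    exe_dirs = {str(PureWindowsPath(f).parent) for f in files if f.endswith(".exe")}
    return sorted(f for f in files
                  if f.endswith(".dll") and str(PureWindowsPath(f).parent) in exe_dirs)
```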
like bug 579593?
Flags: needinfo?(mkmelin+mozilla)
Looks quite the same yes.

@yujitounai: so do you see this in Firefox also?
Flags: needinfo?(mkmelin+mozilla) → needinfo?(bogus)
(In reply to Magnus Melin from comment #2)
> Looks quite the same yes.
> 
> @yujitounai: so do you see this in Firefox also?

yes
Flags: needinfo?(bogus)
Same installer code as bug 1361326, but not a dupe because the Thunderbird team will have to carry their own copy of whatever patch we can come up with.
Depends on: CVE-2017-7755
Whiteboard: local attack
(In reply to Daniel Veditz [:dveditz] from comment #4)
> Same installer code as bug 1361326, but not a dupe because the Thunderbird
> team will have to carry their own copy of whatever patch we can come up with.

Can you cc Magnus and me on the bug?
Flags: needinfo?(dveditz)
Status: UNCONFIRMED → NEW
Ever confirmed: true
Done
Flags: needinfo?(dveditz)
Bump. Wayne, the security fix for Firefox already exists. Please remember to take this into Thunderbird :)
Flags: needinfo?(vseerror)
(In reply to Daniel Veditz [:dveditz] from comment #4)
> Same installer code as bug 1361326, but not a dupe because the Thunderbird
> team will have to carry their own copy of whatever patch we can come up with.
Flags: needinfo?(vseerror) → needinfo?(jorgk)
OK, I'll push 
https://hg.mozilla.org/mozilla-central/rev/f5041969acc7
to our Thunderbird branches. Leaving NI for now.
Group: mail-core-security → core-security-release
Setting the bounty flag on request of the reporter. Note that the Firefox bug (bug 1361326) is already marked for bounty consideration, so maybe the bounty folks want to merge those.
Flags: sec-bounty?
Sorry, I didn't properly catch up on email. Thunderbird is no longer part of our bounty program.
Flags: sec-bounty?
Group: core-security-release
Target Milestone: --- → Thunderbird 55.0
Pushed by frgrahl@gmx.net:
https://hg.mozilla.org/comm-central/rev/d17e8e16ec8d
Delay-load DLLs used by the 7-zip self-extractor. r=rstrong DONTBUILD
Just stumbled over this. The SeaMonkey patches in comment 10 for 54/55 (2.51/2.52) were empty. Only esr52 was updated.

I pushed corrected patches with the old date but with the current bug number to avoid confusion in bug 1361326. 
https://hg.mozilla.org/releases/comm-esr60/rev/504485636e79e4210735a9be409c97c1660c2545