1439642 - Crash in TppWaiterpThread/MD4Transform with crypto addons

Status: RESOLVED WORKSFORME

(Core :: General, defect)

Description

[[:philipp]]

This bug was filed from the Socorro interface and is
report bp-73db1a9b-3bfe-443f-90c2-82c2f0180217.
=============================================================

Top 5 frames of crashing thread:

0 ntdll.dll MD4Transform 
1 kernel32.dll BaseThreadInitThunk 
2 mozglue.dll patched_BaseThreadInitThunk mozglue/build/WindowsDllBlocklist.cpp:834
3 ntdll.dll __RtlUserThreadStart 
4 ntdll.dll _RtlUserThreadStart 

=============================================================

these crash reports from windows 7 users have spiked up starting on 2018-02-16. many comments from users indicate that they receive the crash report after they have closed the browser.

the crash stack isn't really helpful but the signatures seem correlated to various cryptography-related extensions:

Addons facet
*{443830f0-1fff-4f9a-aa1e-444bafbc7319}:0.0.28 	458 	22.25 % ("Token signing")
*belgiumeid@eid.belgium.be:1.0.27 	266 	12.93 %
*belgiumeid@eid.belgium.be:1.0.26 	260 	12.63 %
*{02274e0c-d135-45f0-8a9c-32b35110e10d}:1.0.1 	188 	9.14 %	("Firefox PKCS11 loader")
*CPS2ter-2020_Firefox@asipsante.fr:6.0.19 	66 	3.21 %	("Extension CPS")
*eid-chrome-extension@e-contract.be:1.0.2 	63 	3.06 %

Comment 1

[Julien Cristau [:jcristau] (back April 22)]

David, any idea what might trigger this?

Comment 2

[Dana Keeler (she/her) (use needinfo) [:keeler] (on leave)]

As far as I can tell, "MD4Transform" does not appear in our code. This looks like a Windows-specific issue - either a Windows bug or we're misusing a Windows API. Either way, someone like Matt would know better than I.

Comment 3

[Molly Howell (she/her) (no longer active)]

That stack looks to me like external software trying to inject code into us, and looking at bug 1139497 and bug 1153824, which both had the MD4Transform signature, that was the case with them as well. I'm trying to identify the external software and having a hard time; there are a number of less common security products showing up in these reports, but I'm not sure how notable that fact is.

Comment 4

[Marco Castelluccio [:marco]]

(In reply to Matt Howell [:mhowell] from comment #3)
> That stack looks to me like external software trying to inject code into us,
> and looking at bug 1139497 and bug 1153824, which both had the MD4Transform
> signature, that was the case with them as well. I'm trying to identify the
> external software and having a hard time; there are a number of less common
> security products showing up in these reports, but I'm not sure how notable
> that fact is.

Maybe they are using a common solution to inject (something like https://easyhook.github.io/).
Perhaps we can try to contact one of them and see if they can share some details.

Comment 5

[Ryan VanderMeulen [:RyanVM]]

The crashing functions are in ntdll.dll. Every crash report I'm looking at is ntdll.dll version 6.1.7601.24024, which corresponds to the February 2018 security updates. The timing of this also fits with last week's Patch Tuesday. Adam, I think we need to escalate this to MS as there's some smoke here that this is an issue with their latest Win7 security patches.

Comment 6

[Adam Stevenson [:adamopenweb]]

Reaching out on the mailing list.

Comment 7

[Liz Henry (:lizzard) (relman/hg->git project)]

Tracking for 59 to keep an eye on this after 59 release.

Comment 8

[Mike Taylor [:miketaylr]]

Probably wontfix for 58.

Comment 9

[Liz Henry (:lizzard) (relman/hg->git project)]

Quick update: we have passed on some crash info to Microsoft engineers (with permission from an affected user) and are waiting for their response.

Comment 10

[Liz Henry (:lizzard) (relman/hg->git project)]

So far, so good on 59 release. March's patch Tuesday seems to have fixed the issue. I'll leave this bug open a few more days to be sure of that, but then we can close it as WORKSFORME.