Delay loading should use LOAD_WITH_ALTERED_SEARCH_PATH
Categories
(Core :: Security: Process Sandboxing, defect, P2)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr78 | --- | unaffected |
| firefox-esr91 | --- | unaffected |
| firefox92 | --- | unaffected |
| firefox93 | --- | unaffected |
| firefox94 | --- | wontfix |
| firefox95 | --- | wontfix |
| firefox96 | --- | wontfix |
| firefox97 | --- | wontfix |
People
(Reporter: emk, Assigned: bobowen)
References
(Regression)
Details
(Keywords: csectype-priv-escalation, regression, sec-moderate)
xul.dll is loaded with LOAD_WITH_ALTERED_SEARCH_PATH flag:
https://searchfox.org/mozilla-central/rev/a276135f5459fce19fa710337244d4dcdc4289ee/xpcom/glue/standalone/nsXPCOMGlue.cpp#50
Implicitly-loaded DLLs will transitively use LOAD_WITH_ALTERED_SEARCH_PATH. But delay-loaded DLLs will not use this flag by default. It will make DLL planting attack a bit easier (especially when PreferSystem32Images mitigation is unavailable).
__delayLoadHelper2 can customize delay-loading behavior.
|
Reporter | |
Updated•3 years ago
|
|
||
Updated•3 years ago
|
|
|
||
Comment 1•3 years ago
|
||
Set release status flags based on info from the regressing bug 1546154
|
||
Comment 2•3 years ago
|
||
This is a regression due to a win32k-lockdown change, but will affect users even if win32k-lockdown is not enabled.
|
Assignee | |
Comment 3•3 years ago
|
||
Thanks for finding and reporting this.
As a slight aside, I think we might want to start using SetDefaultDllDirectories on the main process as well.
That might not be available on some win7 (it needs KB2533623), so we should look at adding this back in as well.
Hopefully we can do that through our existing hooking, without the need to use a custom delay loader.
I'll try and get to this soon, so we can uplift to 94 in beta.
|
|
Assignee | |
Comment 5•3 years ago
|
||
(In reply to Marco Castelluccio [:marco] from comment #2)
This is a regression due to a win32k-lockdown change, but will affect users even if win32k-lockdown is not enabled.
Yeah, I'll look into a patch now.
|
||
Updated•3 years ago
|
bob is this something we plan on addressing what are the implications if this is not addressed, should this be a P1 ?
|
|
Assignee | |
Comment 8•3 years ago
|
||
(In reply to Yasmin S from comment #7)
bob is this something we plan on addressing what are the implications if this is not addressed, should this be a P1 ?
Yes we want to address this, but I haven't had time to look into the solution in detail.
I guess this might not be a P1, an attacker would already need to be able to write DLLs to sensitive directories I believe.
dveditz - do you have a view on the priority/severity of this?
|
||
Comment 9•3 years ago
|
||
The only difference made by LOAD_WITH_ALTERED_SEARCH_PATH is that if the loaded .dll loads more .dlls the first searched directory is the directly-loaded .dll's directory rather than the application's directory, which in our case is the Firefox install directory. Not too worried about that if someone can already write into that location, although if, because of this difference, a library's dependency isn't found right next to it, it's not going to be found in the Firefox install directory either and Windows will keep searching down the path and might in some cases get into directories that an unprivileged local attacker could write into.
I'm not too worried it's an immediate threat to our users in practice, but this is likely to result in bug bounty claims down the road which will be annoying and expensive (because in certain very specific situations, mutually hostile users who cannot modify Firefox directly might be able to hack each other if any of the shared path directories are writable.
|
|
Assignee | |
Updated•3 years ago
|
|
||
Updated•3 years ago
|
|
||
Updated•3 years ago
|
|
||
Updated•1 year ago
|
Description
•