Closed
Bug 589925
Opened 14 years ago
Closed 14 years ago
Firefox on Windows XP (at least) is vulnerable to recently published DLL hijacking vulnerabilities
Categories
(Firefox :: Security, defect)
RESOLVED
DUPLICATE
of bug 579593
People
(Reporter: bojan.zdrnja, Unassigned)
Details
(Whiteboard: [sg:dupe 579593])
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8

Hi,

From conversations I had with HD Moore, I think you might be aware of this - but just in case; Firefox on Windows XP is vulnerable to recently published DLL hijacking vulnerabilities.

Basically, when an HTML file is opened by double clicking on it, Firefox will (amongst the other DLLs) on Windows XP try to load dwmapi.dll. That DLL does not exist on Windows XP so an attacker can plant it in order to get Firefox to execute it (via LoadLibrary()). Firefox will call DllMain() and the attacker can execute arbitrary malicious code through it.

I've successfully exploited this on fully patched Windows XP SP3 and latest Mozilla Firefox. You can see my SANS ISC diary at http://isc.sans.edu/diary.html?storyid=9445 - the removed application is actually Firefox and the DLL is dwmapi.dll. By putting it in that share one can exploit Firefox.

Reproducible: Always

Steps to Reproduce:
1. Create a malicious dll that has code under DllMain()
2. Put an HTML file and the dll named as dwmapi.dll on a network share
3. Double click on the HTML file in that folder.

Actual Results: DllMain() from dwmapi.dll gets executed.

Expected Results: The exploit doesn't work :)
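Seen from the detection side, the load sequence the report describes leaves a recognisable trace: failed lookups for a DLL in trusted directories, followed by a successful image load of the same name from a share. The following is an added example, not part of the original bug report; the simplified Process Monitor-style CSV columns, the sample rows, the share name and the trusted-directory list are all constructed assumptions.

```python
import csv
import io
import ntpath

# Constructed Process Monitor-style CSV export (not taken from the bug report).
SAMPLE_LOG = r'''"Process Name","Operation","Path","Result"
"firefox.exe","CreateFile","C:\Program Files\Mozilla Firefox\dwmapi.dll","NAME NOT FOUND"
"firefox.exe","CreateFile","C:\WINDOWS\system32\dwmapi.dll","NAME NOT FOUND"
"firefox.exe","Load Image","C:\WINDOWS\system32\kernel32.dll","SUCCESS"
"firefox.exe","Load Image","C:\Program Files\Mozilla Firefox\xul.dll","SUCCESS"
"firefox.exe","Load Image","\\fileserver\share\docs\dwmapi.dll","SUCCESS"
'''

# Assumed trusted roots for this sample; adjust per host.
TRUSTED_DIRS = (r"c:\windows", r"c:\program files")


def is_trusted(path):
    """True when a DLL path is on a local drive under a trusted root."""
    p = ntpath.normpath(path).lower()
    if p.startswith("\\\\"):  # UNC path, i.e. a network share
        return False
    return any(p == d or p.startswith(d + "\\") for d in TRUSTED_DIRS)


def find_hijack_candidates(log_text):
    """Return (process, dll_path, failed_probes) for each suspicious load."""
    missed = {}  # (process, dll name) -> count of NAME NOT FOUND probes
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        proc = row["Process Name"].lower()
        name = ntpath.basename(row["Path"]).lower()
        if not name.endswith(".dll"):
            continue
        if row["Result"] == "NAME NOT FOUND":
            missed[(proc, name)] = missed.get((proc, name), 0) + 1
        elif row["Operation"] == "Load Image" and row["Result"] == "SUCCESS":
            # A DLL mapped from outside the trusted roots is the signal;
            # earlier failed probes for the same name raise confidence.
            if not is_trusted(row["Path"]):
                findings.append((proc, row["Path"], missed.get((proc, name), 0)))
    return findings


if __name__ == "__main__":
    for proc, path, probes in find_hijack_candidates(SAMPLE_LOG):
        print(f"{proc}: loaded {path} after {probes} failed probes")
```
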
Updated•14 years ago
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:dupe 579593]
Comment 2•14 years ago
Note the implied step 0 (2.5?): make sure Firefox is not already running.
Comment 3•14 years ago
3.6.x builds containing a fix for this can be tested at http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/latest-mozilla-1.9.2/
3.5.x builds containing a fix are at http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/latest-mozilla-1.9.1/
"trunk" (future Firefox 4 betas) can be found at http://nightly.mozilla.org/
Updated•12 years ago
Group: core-security