Closed Bug 589925 Opened 14 years ago Closed 14 years ago

Firefox on Windows XP (at least) is vulnerable to recently published DLL hijacking vulnerabilities

Categories

(Firefox :: Security, defect)

x86
Windows XP
defect
Not set
critical

Tracking


RESOLVED DUPLICATE of bug 579593

People

(Reporter: bojan.zdrnja, Unassigned)

Details

(Whiteboard: [sg:dupe 579593])

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8

Hi,

From conversations I had with HD Moore, I think you might be aware of this - but just in case; Firefox on Windows XP is vulnerable to recently published DLL hijacking vulnerabilities.

Basically, when an HTML file is opened by double clicking on it, Firefox will (amongst the other DLLs) on Windows XP try to load dwmapi.dll. That DLL does not exist on Windows XP, so an attacker can plant it in order to get Firefox to execute it (via LoadLibrary()). Firefox will call DllMain() and the attacker can execute arbitrary malicious code through it.

I've successfully exploited this on fully patched Windows XP SP3 and latest Mozilla Firefox. You can see my SANS ISC diary at http://isc.sans.edu/diary.html?storyid=9445 - the removed application is actually Firefox and the DLL is dwmapi.dll. By putting it in that share one can exploit Firefox.


Reproducible: Always

Steps to Reproduce:
1. Create a malicious dll that has code under DllMain()
2. Put an HTML file and the dll named as dwmapi.dll on a network share
3. Double click on the HTML file in that folder.
Actual Results:  
DllMain() from dwmapi.dll gets executed.

Expected Results:  
The exploit doesn't work :)
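As an added illustration (not part of this bug report), a small Python model of the Windows DLL search order: it shows why a dwmapi.dll sitting beside the double-clicked HTML file is picked up on XP, where System32 has no dwmapi.dll, and why removing the current directory from the search path (what SetDllDirectory("") does) makes the lookup fail harmlessly. The directory layout, share name and file lists are constructed; the search order itself is the documented SafeDllSearchMode order (16-bit system directory omitted).

```python
from pathlib import PureWindowsPath

# Directory search order used by LoadLibrary() with SafeDllSearchMode on
# (the default since Windows XP SP2). Known DLLs and already-loaded modules
# are resolved before this search starts and are not modelled here.
def search_order(app_dir, system_dir, windows_dir, cwd, path_dirs,
                 cwd_removed=False):
    """Directories consulted, in order. cwd_removed=True models the effect
    of SetDllDirectory(""), which drops the current directory from the path."""
    order = [app_dir, system_dir, windows_dir]
    if not cwd_removed:
        order.append(cwd)
    return order + list(path_dirs)

def resolve_dll(name, order, present):
    """Full path of `name` in the first directory of `order` that holds it,
    or None when it is found nowhere (LoadLibrary would then simply fail)."""
    have = {p.lower() for p in present}
    for d in order:
        candidate = str(PureWindowsPath(d) / name)
        if candidate.lower() in have:
            return candidate
    return None

# Constructed layout: a patched XP box (no dwmapi.dll in System32) and a
# network share holding an HTML file next to a DLL named dwmapi.dll.
APP = r"C:\Program Files\Mozilla Firefox"
SYS = r"C:\WINDOWS\system32"
WIN = r"C:\WINDOWS"
SHARE = r"\\fileserver\docs"
XP_FILES = [APP + r"\firefox.exe", SYS + r"\kernel32.dll",
            SHARE + r"\report.html", SHARE + r"\dwmapi.dll"]

def xp_lookup(cwd_removed=False):
    # Double-clicking report.html makes the share the current directory.
    order = search_order(APP, SYS, WIN, SHARE, [SYS], cwd_removed)
    return resolve_dll("dwmapi.dll", order, XP_FILES)

def vista_lookup():
    # On Vista and later the system copy of dwmapi.dll exists and wins,
    # because System32 is searched before the current directory.
    order = search_order(APP, SYS, WIN, SHARE, [SYS])
    return resolve_dll("dwmapi.dll", order, XP_FILES + [SYS + r"\dwmapi.dll"])

if __name__ == "__main__":
    print("XP, default search:   ", xp_lookup())
    print("XP, CWD removed:      ", xp_lookup(cwd_removed=True))
    print("Vista, default search:", vista_lookup())
```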
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:dupe 579593]
Note the implied step 0 (2.5?): make sure Firefox is not already running.

3.6.x builds containing a fix for this can be tested at
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/latest-mozilla-1.9.2/

3.5.x builds containing a fix are at
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/latest-mozilla-1.9.1/

"trunk" (future Firefox 4 betas) can be found at http://nightly.mozilla.org/
Group: core-security