Closed
Bug 609208
Opened 14 years ago
Closed 14 years ago
browserdirprovider.dll and brwsrcmp.dll is prone to DLL hijacking vulnerability
Categories
(Firefox :: Security, defect)
Tracking
VERIFIED
INVALID
People
(Reporter: again.liu, Unassigned)
References
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-TW; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-TW; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12

A malicious DLL could be used to replace either browserdirprovider.dll or brwsrcmp.dll to perform arbitrary code.

Reproducible: Always

Steps to Reproduce:
Compile the following code.
Compiler: VC++ 2010 express
Release Runtime Library: Multi-threaded (/MT)
===============================================================================
#include <Windows.h>

/* Shows a message box as visible proof that this DLL's code ran. */
void init()
{
    MessageBoxA(NULL, "owned by moigai", "injected!!", MB_OK);
}

/* DLL entry point: called by the loader when the DLL is mapped into a process. */
BOOL APIENTRY DllMain(HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH:
        init();
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
===============================================================================
And then replace the two previously mentioned DLLs (either will do), then start firefox.

Actual Results:
The message box coded will pop up when starting firefox.
Comment 1•14 years ago
Yes, if you replace Firefox files, you can break it. That's not exactly news ;-)
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → INVALID
Comment 3•14 years ago
You could also replace firefox.exe with: void main() { for(;;); } The effects would be left as an exercise for the reader! ;-)
Status: RESOLVED → VERIFIED
Comment 4•14 years ago
> Yes, if you replace Firefox files, you can break it. That's not exactly news
Nor is it what's meant by "DLL hijacking".
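Added example, not part of the bug thread or of Mozilla's code: Comment 1 turns on the fact that the reported behaviour requires write access to the Firefox install files, so this PowerShell audit lists identities other than administrators that hold such access on the two DLLs and their folders. The default install path, the trusted-SID list and the function name are assumptions of the example.

```powershell
# Added example: who, besides administrators, can replace the DLLs named in this bug?
# Assumption: default install location; pass -InstallDir for a different one.
param([string]$InstallDir = (Join-Path $env:ProgramFiles 'Mozilla Firefox'))

$dllNames = 'browserdirprovider.dll', 'brwsrcmp.dll'

# Identities expected to have write access (assumed baseline; extend as needed).
$trustedSids = @(
    'S-1-5-18',      # LocalSystem
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# Rights that let a principal overwrite, delete or re-permission a file or folder.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$genericMask = 0x50000000   # GENERIC_ALL | GENERIC_WRITE, sometimes stored unmapped in ACEs
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

function Get-UntrustedWriter {
    param([Parameter(Mandatory)][string]$Path)
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }          # Deny ACEs are ignored (simplification)
        if ($ace.PropagationFlags -band $inheritOnly) { continue }    # does not apply to this object
        $raw = [int]$ace.FileSystemRights
        if (-not (($raw -band $writeMask) -or ($raw -band $genericMask))) { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            $sid = $ace.IdentityReference.Value                       # unresolvable name: report it as-is
        }
        if ($trustedSids -notcontains $sid) {
            [pscustomobject]@{ Path = $Path; Identity = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
        }
    }
}

# The DLLs' location under the install directory is not assumed; search for them.
$dlls = Get-ChildItem -LiteralPath $InstallDir -Recurse -Filter *.dll -File |
    Where-Object { $dllNames -contains $_.Name }

# Check each DLL and its parent folder (folder write access allows delete-and-recreate).
$targets = @($dlls.FullName) + @($dlls.DirectoryName) | Sort-Object -Unique
$findings = foreach ($t in $targets) { Get-UntrustedWriter -Path $t }

if ($findings) { $findings | Format-Table -AutoSize }
else { "No untrusted write access found on $($targets.Count) path(s)." }
```

An empty result means replacing either DLL already requires administrative rights; any row is a permissions problem on that install rather than a loader flaw.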