helper.exe should not drop system.dll in %TEMP% due to AppLocker not allowing the loading of DLL's from %TEMP%
Categories
(Firefox :: Installer, defect, P5)
Tracking
()
People
(Reporter: richard, Unassigned)
References
Details
Attachments
(1 file)
88.17 KB,
image/png
|
Details |
Comment 1•13 years ago
|
||
Comment 2•13 years ago
|
||
Reporter | ||
Comment 3•13 years ago
|
||
Comment 4•13 years ago
|
||
Reporter | ||
Comment 5•13 years ago
|
||
Comment 6•13 years ago
|
||
Comment 7•10 years ago
|
||
Comment 8•9 years ago
|
||
Comment 9•9 years ago
|
||
Comment 10•9 years ago
|
||
Comment 11•9 years ago
|
||
Updated•7 years ago
|
Comment 12•6 years ago
|
||
I think this is the same thing I asked about in the support forums https://support.mozilla.org/en-US/questions/1254989#answer-1210474. Today I am seeing AppLocker catch 5 different DLLs running in %TEMP%:
SHELLLINK.DLL
SYSTEM.DLL
CITYHASH.DLL
USERINFO.DLL
APPLICATIONID.DLL
Can someone confirm what all of these are related to? They apparently aren't signed as I tried to whitelist with a publisher rule. If they really only have to do with setting the default browser I'll probably just continue blocking. My main concern is that this behavior has something to do with updates and I want to make sure that part is working properly.
Comment 13•6 years ago
|
||
(In reply to user20190402 from comment #12)
I think this is the same thing I asked about in the support forums https://support.mozilla.org/en-US/questions/1254989#answer-1210474.
Yes, what you're seeing appears to be the same thing this bug is about.
Today I am seeing AppLocker catch 5 different DLLs running in %TEMP%:
SHELLLINK.DLL
SYSTEM.DLL
CITYHASH.DLL
USERINFO.DLL
APPLICATIONID.DLLCan someone confirm what all of these are related to? They apparently aren't signed as I tried to whitelist with a publisher rule. If they really only have to do with setting the default browser I'll probably just continue blocking. My main concern is that this behavior has something to do with updates and I want to make sure that part is working properly.
These are all used by part of the update procedure (as well as by the installer); if they're blocked you'll get a partially complete update, but I can't really make any guarantees about how well that installation will work after that as we don't test or support that scenario at all.
Comment 14•6 years ago
|
||
Note that since this bug was filed, NSIS has started configuring the permissions on the temporary directory in question to only grant any access to the Administrators group (assuming the process is running with admin privileges, as all the relevant processes typically are). I believe this should effectively mitigate the possibility for privilege escalation here.
Comment 15•6 years ago
|
||
Thanks for the response, Matt. I can't speak to NSIS as I have no experience there, but I don't think they are running as admin. If they were, AppLocker would be allowing them based off the default rule set. As well, I know that Firefox allows a non-administrative user to install the entire application in their AppData. So in that case, how would an administrative hook for maintenance purposes ever get created? That is beside the point really. I have come to accept that certain programs are going to install in this manner, even MS OneDrive does. Therefore a big reason why to use AppLocker.
What you are basically telling me is that in my current state, I should consider Firefox unstable, so I need to get those DLLs whitelisted. I have tried a publisher rule like this:
Publisher: O=MOZILLA CORPORATION, L=MOUNTAIN VIEW, S=CALIFORNIA, C=US
Product name: *
File name: *
File version: *
And the DLLs are still blocked. Does anyone know if these files are digitally signed by anyone? I am going to test hash rules next, but I don't like the prospect of chasing my tail every time the files are updated. This is also not a straightforward process as I have to retrieve the hash from the log, then manually edit the AppLocker xml because the files disappear too quickly to get a copy.
Reporter | ||
Comment 16•6 years ago
|
||
My initial report is not on install or upgrade (users are not allowed to do that in a controlled environment) but upon selecting Firefox as their default browser. That should not require running EXE's and DLL's from %TEMP% at all. If EXE's and DLL's are required for this task please load them from %PROGRAMFILES%.
Comment 18•2 years ago
|
||
This is still a problem, the system.dll is not signed and that is the main problem here.
Comment 19•2 years ago
|
||
Comment 20•2 years ago
|
||
C:\USERS"username"\APPDATA\LOCAL\TEMP\NSVEB98.TMP\SYSTEM.DLL is not signed however.
Comment 21•2 years ago
|
||
(I just noticed my previous message and no comment on it - sorry about that. I had meant to say that I believed that we fixed this in https://bugzilla.mozilla.org/show_bug.cgi?id=1751450.)
(In reply to vegardalsli from comment #20)
C:\USERS"username"\APPDATA\LOCAL\TEMP\NSVEB98.TMP\SYSTEM.DLL is not signed however.
Huh. Look at that. None of the other DLLs in the temp directory (eg: CityHash.dll) are signed either, which is extra surprising considering that the only copy of CityHash.dll
that we have now is signed and checked into mozilla-central
.
What's very interesting is that I get different results from the following two tests:
- Unpacking
helper.exe
manually with7zip
results in signed DLLs. - Running
helper.exe
and locating the files in the temporary directory results in unsigned DLLs.
However, both files have the same sha256sum, and if I copy the DLLs from the temporary directory elsewhere, they suddenly have a signature.
You're quite right that is clearly still an issue - but whether or not we can do anything about it requires more investigation still.
Comment 22•2 years ago
|
||
There seems to be something special about the directories that the NSIS self extractor creates. If I copy the DLLs to another place in %TEMP% (even a directory that I create by hand), the signatures are there. Conversely, if I copy some random exe or dll to the NSIS directory, they appear to lose their signature. I also noticed that explorer.exe
stopped showing its application icon in Explorer when I copied that file to the NSIS directory. This leads me to wonder if there's interesting permissions or other metadata on the NSIS directory that cause this?
Updated•2 years ago
|
Description
•