Closed Bug 803515 Opened 13 years ago Closed 13 years ago

DLL Hijacking - Thunderbird installer

Categories

(Thunderbird :: Installer, defect)

x86_64
Windows 7
defect
Not set
normal

Tracking

(thunderbird17+ fixed, thunderbird18+ fixed, thunderbird-esr10 17+ fixed)

RESOLVED FIXED
Thunderbird 19.0

People

(Reporter: standard8, Assigned: standard8)

Details

(Keywords: csectype-priv-escalation, sec-high)

Attachments

(2 files)

+++ This bug was initially created as a clone of Bug #792106 +++

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0.1
Build ID: 20120905151427

Steps to reproduce:

I downloaded the current Firefox installer in the Windows downloads directory.
C:\Users\User\Downloads
Then I put a trojan dwmapi.dll in the same directory.

Actual results:

If a user wants to install the Firefox browser, the setup loads the trojan dll with administrative privileges. As described here http://seclists.org/fulldisclosure/2012/Aug/134 , you can compromise the victim with a social engineering attack like this.

Expected results:

The installer should not load the trojan dll.
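A defensive check for the condition this report describes, added here as an example (it is not code from the bug or from Mozilla): it lists DLLs in a download folder whose names match a system DLL, since Windows searches the application's own directory before the system directory. The function names and the constructed folder layout are assumptions; dwmapi.dll is the name taken from the report.

```python
import os
import tempfile


def system_dll_names(system_dir):
    """Lower-cased names of the DLLs in the trusted system directory."""
    return {n.lower() for n in os.listdir(system_dir) if n.lower().endswith(".dll")}


def find_shadowing_dlls(scan_dir, system_dir):
    """List DLLs in scan_dir whose name matches a system DLL.

    Windows file names are case-insensitive, so names are compared lower-cased.
    Each finding carries the executables in the same folder, because a program
    started from that folder looks there before the system directory.
    """
    trusted = system_dll_names(system_dir)
    files = [e.name for e in os.scandir(scan_dir) if e.is_file()]
    exes = sorted(n for n in files if n.lower().endswith(".exe"))
    return sorted((n, exes) for n in files if n.lower() in trusted)


def demo(download_files):
    """Run the check on constructed folders (assumed layout, not real system paths)."""
    with tempfile.TemporaryDirectory() as root:
        system32 = os.path.join(root, "System32")    # stand-in for the system directory
        downloads = os.path.join(root, "Downloads")  # stand-in for the user's download folder
        os.makedirs(system32)
        os.makedirs(downloads)
        open(os.path.join(system32, "dwmapi.dll"), "wb").close()
        for name in download_files:
            open(os.path.join(downloads, name), "wb").close()
        return find_shadowing_dlls(downloads, system32)


if __name__ == "__main__":
    # Constructed sample: an installer, a same-named DLL in upper case, an unrelated file.
    for dll, exes in demo(["installer-setup.exe", "DWMAPI.DLL", "notes.txt"]):
        print(f"{dll} shadows a system DLL; executables beside it: {exes}")
```

On a real host, pass the actual download folder and the system directory to `find_shadowing_dlls` instead of the constructed ones.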
Brian tells me Thunderbird can just take the copy of the Firefox file.

For testing the fix, from private messages on irc:

bbondy: so if you want to verify if it's fixed, you can do it really easily. There is a PoC dll that you just drop beside the thunderbird installer.
bbondy: right click the installer and run as administrator
bbondy: you should see a bunch of cmd.exe processes popup
bbondy: inside task manager
bbondy: you should only see those processes if the problem is not fixed
Sorry I missed one extra change you also have to make: Open the sfx file with reshacker or Visual Studio (click on the arrow next to open and choose resource editor). Open the VersionInfo resource and change Firefox to Thunderbird. You might want to look at the other resources as well to be 100% sure there's nothing else Firefox, but I think that's it.
Assignee: nobody → mbanner
Attached patch: The fix
This follows Brian's instructions and copies the FF one and changes Firefox to Thunderbird in the version manifest; there are no other changes made.
wontfix for esr per bug 792106
Comment on attachment 674623
The fix

Irving, can you test this? I'm struggling with getting a build environment running at the moment.
Attachment #674623 - Flags: review?(irving)
Attachment #674623 - Flags: review?(irving) → review+
(In reply to Mark Banner (:standard8) from comment #4)
> wontfix for esr per bug 792106

This has changed, and there's a different fix I'll need to do, updating flags.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → Thunderbird 19.0
Comment on attachment 674623
The fix

[Triage Comment]
a=me as we'll need these on branches.
Attachment #674623 - Flags: approval-comm-beta+
Attachment #674623 - Flags: approval-comm-aurora+
Blocks: 811227
Depends on: 811557
Attached patch: ESR fix
This takes the Firefox 7zSD.sfx that is in the ESR repo currently and does the necessary changes for the resources so that it looks like Thunderbird.
Attachment #681932 - Flags: review?(irving)
Comment on attachment 681932
ESR fix

Thunderbird esr10 installer no longer loads dwmapi.dll from the download directory
Attachment #681932 - Flags: review?(irving) → review+
(In reply to Irving Reid (:irving) from comment #11)
> Comment on attachment 681932
> ESR fix
>
> Thunderbird esr10 installer no longer loads dwmapi.dll from the download
> directory

Checked in: https://hg.mozilla.org/releases/comm-esr10/rev/abd74617947c
No longer depends on: 811557
Group: core-security → core-security-release
Group: core-security-release