Bug 811557 - DLL Hijacking - Firefox Stub installer
Status: VERIFIED FIXED
Whiteboard: [stub?][adv-main22-]
Keywords: csectype-priv-escalation, sec-high, verifyme
Product: Toolkit
Classification: Components
Component: NSIS Installer
Version: unspecified
Platform: x86_64 Windows 7
Importance: -- normal
Target Milestone: mozilla24
Assigned To: Robert Strong [:rstrong] (use needinfo to contact me)
Depends on: CVE-2012-4206
Blocks: CVE-2013-1715 883322
 
Reported: 2012-11-13 16:51 PST by Brian R. Bondy [:bbondy]
Modified: 2014-11-19 19:48 PST


Attachments
Stub for testing (630.44 KB, application/octet-stream)
2013-05-09 22:52 PDT, Robert Strong [:rstrong] (use needinfo to contact me)
no flags
patch rev1 (6.44 KB, patch)
2013-06-03 20:29 PDT, Robert Strong [:rstrong] (use needinfo to contact me)
netzen: review+
patch rev2 (4.53 KB, patch)
2013-06-04 13:21 PDT, Robert Strong [:rstrong] (use needinfo to contact me)
netzen: review+
lukasblakk+bugs: approval-mozilla-aurora+
lukasblakk+bugs: approval-mozilla-beta+
abillings: sec-approval+

Description Brian R. Bondy [:bbondy] 2012-11-13 16:51:21 PST
+++ This bug was initially created as a clone of Bug #792106 +++

This bug is to fix the stub installer.  
A problem with this is that the below DLLs are loaded before the NSIS .onInit is called.

(In reply to Anthony Hughes, Mozilla QA (:ashughes) from comment #141)
> Some results from testing last week. The following DLLs were found to have
> launched cmd.exe processes and are not listed as Known DLLs using the WinObj
> tool.
> 
> Win32 Stub Installer
>  * cabinet.dll: Windows 7 64-bit, Windows 7 32-bit, Windows Vista 32-bit
>  * credssp.dll: Windows Vista 32-bit
>  * cryptbase.dll: Windows 7 32-bit
>  * cryptnet.dll: Windows 7 32-bit, Windows 7 64-bit
>  * cryptsp.dll: Windows 7 32-bit, Windows 7 64-bit, Windows Vista 32-bit
>  * devrtl.dll: Windows 7 32-bit, Windows 7 64-bit
>  * dnsapi.dll: Windows 7 32-bit, Windows 7 64-bit, Windows Vista 32-bit
>  * dwmapi.dll: Windows 7 64-bit
>  * gpapi.dll: Windows 7 32-bit, Windows 7 64-bit, Windows Vista 32-bit
>  * IPHLPAPI.dll: Windows 7 32-bit, Windows 7 64-bit, Windows Vista 32-bit
>  * linkinfo.dll: Windows Vista 32-bit
>  * ncrypt.dll: Windows 7 32-bit, Windows 7 64-bit, Windows Vista 32-bit
>  * netapi32.dll: Windows Vista 32-bit
>  * ntmarta.dll: Windows 7 64-bit, Windows Vista 32-bit
>  * ntshrui.dll: Windows Vista 32-bit
>  * profapi.dll: Windows 7 32-bit, Windows 7 64-bit
>  * propsys.dll: Windows Vista 32-bit
>  * rasadhlp.dll: Windows 7 32-bit, Windows 7 64-bit, Windows Vista 32-bit
>  * rasapi32.dll: Windows 7 64-bit, Windows Vista 32-bit
>  * riched20.dll: Windows 7 32-bit, Windows 7 64-bit, Windows Vista 32-bit
>  * RpcRtRemote.dll: Windows 7 64-bit, Windows Vista 32-bit
>  * rtutils.dll: Windows 7 32-bit, Windows 7 64-bit
>  * secur32.dll: Windows 7 32-bit, Windows 7 64-bit, Windows Vista 32-bit
>  * SensApi.dll: Windows 7 32-bit, Windows 7 64-bit, Windows Vista 32-bit
>  * shfolder.dll: Windows 7 64-bit, Windows Vista 32-bit
>  * SLC.dll: Windows Vista 32-bit
>  * userenv.dll: Windows 7 32-bit, Windows 7 64-bit
>  * uxtheme.dll: Windows Vista 32-bit
> 
> Keep in mind that we are only a third of the way through testing. Though I
> suspect we've caught the lion's share of DLLs already (at least one would
> hope).
> 
> Full results are being added here as we test:
> https://intranet.mozilla.org/User:Ahughes@mozilla.com/DLL_Hijacking
Comment 1 Brian R. Bondy [:bbondy] 2012-11-13 16:57:26 PST
So I think either a patch to makensis itself or add code to:
toolkit/mozapps/installer/windows/nsis/makensis.mk
which wraps the stub in a 7zip self extracting archive and then put extra fixes into the 7zip Main.
Comment 2 Robert Strong [:rstrong] (use needinfo to contact me) 2012-11-13 16:59:29 PST
Patch NSIS and upstream.
Comment 3 Brian R. Bondy [:bbondy] 2012-11-13 17:07:56 PST
We'll have to update all of our talos builders, is that OK?  Or maybe we could just add makensis itself as a binary to the tree?
Comment 4 Robert Strong [:rstrong] (use needinfo to contact me) 2012-11-13 17:12:00 PST
It is ok to update our build system as we did when we had to for NSIS 2.46. Let's talk about adding makensis to the tree though I must say that I am not leaning in that direction atm. If we were to add it then I would also say that we should add many other build tools that are currently in MozillaBuild.
Comment 5 Brian R. Bondy [:bbondy] 2012-11-16 08:38:08 PST
OK so we can build 2.46 with scons and VS2005. Should we track the source code in mozilla-build? Or only upstream the patch and use our own build?  Maybe just zip up the changed source code to this ticket after?
Comment 6 Alex Keybl [:akeybl] 2012-11-20 14:56:50 PST
Tracking for FF18, in case we actually hit this release with the stub installer.
Comment 7 Robert Strong [:rstrong] (use needinfo to contact me) 2012-11-20 14:59:21 PST
It is extremely unlikely we are going to have this fixed for 18 or 19 due to other work. If this is considered a high priority please let me know and we'll evaluate this work with other work in progress.
Comment 8 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-11-27 10:03:44 PST
I believe QA has done all the testing required for the time being so I'm removing the qawanted/verifyme keywords. Please re-add if/when there is more needed from us.
Comment 9 Brian R. Bondy [:bbondy] 2012-11-27 12:04:45 PST
Has QA verified that the problems are fixed on the mentioned branches? It would be good to go over the affected DLLs only, not on every affected platform, but just one platform per affected DLL where the issue could be reproduced before.
Comment 10 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-11-27 13:07:27 PST
I don't see that this has been fixed anywhere yet. Please let me know where this has been fixed so I can test those installers.
Comment 11 Brian R. Bondy [:bbondy] 2012-11-27 13:17:19 PST
My bad I thought this was the original installer bug.
Comment 12 Alex Keybl [:akeybl] 2012-12-19 13:59:37 PST
(In reply to Alex Keybl [:akeybl] from comment #6)
> Tracking for FF18, in case we actually hit this release with the stub
> installer.

We'll leave this on the tracking FF18 list as a reminder in case we do end up shipping the stub installer in the FF18 timeframe. We could always just re-spin the stub installer if necessary.
Comment 13 Alex Keybl [:akeybl] 2013-01-23 13:36:04 PST
(In reply to Brian R. Bondy [:bbondy] from comment #11)
> My bad I thought this was the original installer bug.

Any updates here? It doesn't look like we'll have a stub in time for FF19, but it's possible that we'll want to push it out while FF19 is on release (needinfo:rstrong to confirm timelines). If so, we should get a fix on all branches soon.
Comment 14 Robert Strong [:rstrong] (use needinfo to contact me) 2013-01-23 13:52:32 PST
No updates at this time. We could possibly wrap the stub inside of a 7-zip self-extracting archive to get a temporary fix with the real fix being what is noted in comment #2 through comment #4 though there is other work that would not get done if we do fix this. I think it would be a good thing to evaluate that fact along with the fact that there have been a ton of NSIS installers out in the world for many years that all have this potential vulnerability without it being exploited.
Comment 15 Brian R. Bondy [:bbondy] 2013-02-13 12:54:52 PST
Quick update: I'm working on this again but am having trouble getting NSIS to build. The problem is because SCONS is picking up newer MSVC versions I have installed as well. I tried configuring it but without success. I'm setting up a new WinXP VM now in which I'll re-install only the tools for NSIS and I expect that will compile fine.
Comment 16 Robert Strong [:rstrong] (use needinfo to contact me) 2013-02-13 13:10:30 PST
bbondy and I discussed bug 744669 yesterday and concluded that to properly fix bug 744669 the need for the 7-Zip self extracting archive should be removed and the files should be packaged in the installer itself. If this was done then this would reintroduce the dll hijacking bug to the regular installer. So, this bug will need to be fixed to fix bug 744669 by patching NSIS which will fix dll hijacking for both the complete and the stub installers.
Comment 17 Brian R. Bondy [:bbondy] 2013-02-19 10:17:53 PST
I built nsis-u successfully by modifying some of the scripts to force include, lib and rc directories.

But I'm getting some strange side effects after I build the installer with the new makensis and run the installer.

After zip extracts the exe it gives an infinite loop of:
Copying 1 file from nsa440B.tmp to 7zSD6a.tmp
The destination already has a file named "System.dll"
()Replace the file in the destination
()Skip this file
() Compare info for both files

I'll play around with it more to try to build with different include/lib directories but just wanted to provide an interim update.
Comment 18 Brian R. Bondy [:bbondy] 2013-02-21 13:01:18 PST
Summary so far:

So the 2005 toolchain is for the official NSIS version here:
http://nsis.sourceforge.net/
To build this you can't have 2008 toolchain installed or else the old scons that it requires will fail.

Later I found out what I really need is here:
http://www.scratchpaper.com/
To build this you have to use 2008 or later. 
I built makensis successfully with 2008, 2010, and 2012 toolsets.
Each one produces a Firefox installer and looks correct but they fail with either a crash when you start the installer or else the issue mentioned in Comment 17.

I need to investigate why it's crashing or getting the above error more still.
Comment 19 Brian R. Bondy [:bbondy] 2013-05-01 19:57:57 PDT
Not currently working on this one and I have some other security ones I'll be doing before this.  Last time I worked on this I successfully built NSIS as per Comment 18 toolsets.  But the produced installers crashed on startup.  In hindsight it was probably due to a loaded plugin on startup.  I didn't have time to investigate the crash at all.
Comment 20 Robert Strong [:rstrong] (use needinfo to contact me) 2013-05-08 17:35:06 PDT
Taking a look to see if I have any better luck
Comment 21 Robert Strong [:rstrong] (use needinfo to contact me) 2013-05-09 22:52:40 PDT
Created attachment 747803
Stub for testing
Comment 22 Robert Strong [:rstrong] (use needinfo to contact me) 2013-05-09 22:55:18 PDT
:ashughes, could you run the attached "Stub for testing" through the test suite?
https://intranet.mozilla.org/User:Ahughes@mozilla.com/DLL_Hijacking#Firefox_19.0a1_win32_Stub_Installer

This passed on Win7 but I wouldn't be surprised if there are some one-offs that still fail. Thanks!
Comment 23 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2013-05-10 09:03:12 PDT
(In reply to Robert Strong [:rstrong] (do not email) from comment #22)
> :ashughes, could you run the attached "Stub for testing" through the test
> suite?
> https://intranet.mozilla.org/User:Ahughes@mozilla.com/
> DLL_Hijacking#Firefox_19.0a1_win32_Stub_Installer
> 
> This passed on Win7 but I wouldn't be surprised if there are some one-offs
> that still fail. Thanks!

I won't have time to look at this for at least a couple of weeks. Matt can you please handle Robert's request? I think Kamil could probably assist.
Comment 24 Brian R. Bondy [:bbondy] 2013-05-10 10:19:59 PDT
Robert did you want me to review the code change first? I know it's not part of Mozilla code but it may be useful to have a second set of eyes on the change anyway.  Testing this takes a non trivial amount of time.
Comment 25 Robert Strong [:rstrong] (use needinfo to contact me) 2013-05-10 10:52:05 PDT
(In reply to Brian R. Bondy [:bbondy] from comment #24)
> Robert did you want me to review the code change first? I know it's not part
> of Mozilla code but it may be useful to have a second set of eyes on the
> change anyway.  Testing this takes a non trivial amount of time.
No, I took a different approach that preloads the dlls that NSIS loads early (only 3 so far vs. the 20) and preloads the others in .oninit in the hope that I can get this upstreamed easily. I need to know if others are needed for other Windows versions besides Windows 7 and the testing will provide that info.
Comment 26 Robert Strong [:rstrong] (use needinfo to contact me) 2013-05-10 13:27:40 PDT
I have Win7 and Vista systems so I can check those (already did a brief check of Win7) fairly easily.
Comment 27 Brian R. Bondy [:bbondy] 2013-05-25 12:23:08 PDT
Hey Robert, Kamil was going to start on this, but before he does I just wanted to see if you wanted to wait for the 7zip stub implementation we discussed instead?
Comment 28 Robert Strong [:rstrong] (use needinfo to contact me) 2013-05-28 13:15:38 PDT
Hey Brian, I would still like to know if it fixes it for those Windows versions since it might be a good idea to get a fix upstreamed for NSIS as well.
Comment 29 Robert Strong [:rstrong] (use needinfo to contact me) 2013-06-03 17:33:31 PDT
nightly stub installer sizes
631 KB - current local build
665 KB - wrapped in 7zip stub with NSIS compression (34 KB more)
656 KB - wrapped in 7zip stub without NSIS compression (25 KB more)
656 KB - wrapped in 7zip stub without NSIS compression and bmps inside of 7zip
         stub instead of the stub installer (25 KB more)

The reason for the last test is that we have been asked to include the artwork outside of the installer for distributions.

Note: I would still like the info requested in comment #22... if this is important to us it should be important to others and it is a good thing to give back to the project that has been providing to us.
Comment 30 Robert Strong [:rstrong] (use needinfo to contact me) 2013-06-03 20:29:43 PDT
Created attachment 757779
patch rev1

Brian, I'd like to run this by you first. Thanks!
Comment 31 Robert Strong [:rstrong] (use needinfo to contact me) 2013-06-03 22:40:44 PDT
(In reply to Robert Strong [:rstrong] (do not email) from comment #30)
> Created attachment 757779
> patch rev1
> 
> Brian, I'd like to run this by you first. Thanks!
I am going to refactor the toolkit nsis make code a little and I mainly want your r+ for the browser nsis code.
Comment 32 Brian R. Bondy [:bbondy] 2013-06-04 10:36:44 PDT
Comment on attachment 757779
patch rev1

Review of attachment 757779:
-----------------------------------------------------------------

Looks good but I'll leave it to your discretion whether or not you want someone from build config to also take a look.
Comment 33 Robert Strong [:rstrong] (use needinfo to contact me) 2013-06-04 13:21:22 PDT
Created attachment 758155
patch rev2

Brian, since glandium is high latency atm could you review the changes to the build process. I was able to take a much cleaner and safer approach.
Comment 34 Robert Strong [:rstrong] (use needinfo to contact me) 2013-06-04 19:27:04 PDT
Comment on attachment 758155
patch rev2

[Security approval request comment]
How easily could an exploit be constructed based on the patch? Not easily and less easily from code inspection from the landing of bug 792106.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? No

Which older supported branches are affected by this flaw? This affects all NSIS installers. This mitigates this bug by wrapping the stub installer in our custom 7-Zip stub which also had the same flaw and has been patched.

If not all supported branches, which bug introduced the flaw? bug 322206

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? This is easily backported.

How likely is this patch to cause regressions; how much testing does it need? Unlikely since we have been doing the same thing with the full installer.
Comment 35 Robert Strong [:rstrong] (use needinfo to contact me) 2013-06-04 19:28:46 PDT
Comment on attachment 758155
patch rev2

[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 322206
User impact if declined: potential security exploit
Testing completed (on m-c, etc.): We use this same method with the full installer and I have tested locally
Risk to taking this patch (and alternatives if risky): minimal
String or IDL/UUID changes made by this patch: none
Comment 36 Al Billings [:abillings] 2013-06-04 23:00:51 PDT
Comment on attachment 758155
patch rev2

sec-approval+ for trunk. Please nominate for branches once it is in.
Comment 37 Robert Strong [:rstrong] (use needinfo to contact me) 2013-06-05 00:34:20 PDT
Pushed to mozilla-inbound
https://hg.mozilla.org/integration/mozilla-inbound/rev/642a020ef752
Comment 38 Ryan VanderMeulen [:RyanVM] 2013-06-05 13:40:37 PDT
https://hg.mozilla.org/mozilla-central/rev/642a020ef752
Comment 39 Robert Strong [:rstrong] (use needinfo to contact me) 2013-06-06 11:50:37 PDT
The current nightly has the stub installer wrapped by the 7-Zip stub just like the full installer so this can be verified.
Comment 40 Robert Strong [:rstrong] (use needinfo to contact me) 2013-06-06 13:48:51 PDT
I also checked that everything is signed correctly for en-US and de so l10n appears to be building correctly.
Comment 42 Kamil Jozwiak [:kjozwiak] 2013-06-13 21:46:08 PDT
Firefox 24 Testing/Verification Results:

Steps Used:

- Downloaded the latest stub executable & renamed it to stub.exe
- Configured procmon as follows:

Process Name is stub.exe
Path contains .dll
Operation is Load Image

Matched the listed DLL's in procmon against the KnownDlls32 list under Winobj. Listed the unknown DLL's below.

Reproduced original issue using the stub executable from the following build:
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012/11/2012-11-07-04-58-42-mozilla-central/

Tested the issue using the stub executable from the following build:
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2013-06-13-03-12-37-mozilla-central/

Windows 8 x64:

C:\Windows\System32\wow64.dll -> Passed (cmd.exe was not executed)
C:\Windows\System32\wow64win.dll -> Passed (cmd.exe was not executed)
C:\Windows\System32\wow64cpu.dll -> Passed (cmd.exe was not executed)
C:\Windows\SysWOW64\dwmapi.dll -> Passed (cmd.exe was not executed)
C:\Windows\SysWOW64\SHCore.dll -> Passed (cmd.exe was not executed)
C:\Windows\SysWOW64\uxtheme.dll -> Passed (cmd.exe was not executed)
C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\tiptsf.dll -> Passed (cmd.exe was not executed)
C:\Program Files\ThinkPad\Bluetooth Software\syswow64\BtMmHook.dll -> Passed (cmd.exe was not executed)
C:\Windows\SysWOW64\oleacc.dll -> cmd.exe was launched in MEDIUM integrity
C:\Windows\SysWOW64\apphelp.dll -> Passed (cmd.exe was not executed)

Windows 7 Home Premium SP1 x64:

C:\Windows\System32\wow64.dll <- Passed (cmd.exe was not executed)
C:\Windows\System32\wow64win.dll <- Passed (cmd.exe was not executed)
C:\Windows\System32\wow64cpu.dll <- Passed (cmd.exe was not executed)
C:\Windows\SysWOW64\dwmapi.dll <- Passed (cmd.exe was not executed)
C:\Windows\SysWOW64\uxtheme.dll <- Passed (cmd.exe was not executed)
C:\Windows\SysWOW64\apphelp.dll <- Passed (cmd.exe was not executed)

Windows Vista Ultimate SP2 x64:

C:\Windows\System32\ntdll.dll <- Passed (cmd.exe was not executed)
C:\Windows\SysWOW64\ntdll.dll <- Passed (cmd.exe was not executed)
C:\Windows\System32\wow64.dll <- Passed (cmd.exe was not executed)
C:\Windows\System32\wow64win.dll <- Passed (cmd.exe was not executed)
C:\Windows\System32\wow64cpu.dll <- Passed (cmd.exe was not executed)
C:\Windows\SysWOW64\dwmapi.dll <- Passed (cmd.exe was not executed)
C:\Windows\SysWOW64\uxtheme.dll <- Passed (cmd.exe was not executed)
C:\Windows\SysWOW64\apphelp.dll <- Passed (cmd.exe was not executed)

Windows XP Pro SP2 x64:

C:\WINDOWS\system32\wow64.dll <- Passed (cmd.exe was not executed)
C:\WINDOWS\system32\wow64win.dll <- Passed (cmd.exe was not executed)
C:\WINDOWS\system32\wow64cpu.dll <- Passed (cmd.exe was not executed)
C:\WINDOWS\SysWOW64\imm32.dll <- Passed (cmd.exe was not executed)
C:\WINDOWS\SysWOW64\uxtheme.dll <- Passed (cmd.exe was not executed)
C:\WINDOWS\SysWOW64\msctf.dll <- Passed (cmd.exe was not executed)
C:\WINDOWS\SysWOW64\apphelp.dll <- Several CMD.EXE were launched (not sure what integrity level)

Possible Issues:

Windows 8 x64:
C:\Windows\SysWOW64\oleacc.dll -> cmd.exe was launched in MEDIUM integrity

Windows XP Pro SP2 x64:
C:\WINDOWS\SysWOW64\apphelp.dll <- Several CMD.EXE were launched (not sure what integrity level)

Before verifying Firefox 24, could someone please double check and see if the two DLL's listed above are possible issues.
Comment 43 Kamil Jozwiak [:kjozwiak] 2013-06-13 23:26:40 PDT
Firefox 23 Testing/Verification Results:

Steps Used:

- Downloaded the latest stub executable & renamed it to stub.exe
- Configured procmon as follows:

Process Name is stub.exe
Path contains .dll
Operation is Load Image

Matched the listed DLL's in procmon against the KnownDlls32 list under Winobj. Listed the unknown DLL's below

Tested the issue using the stub executable from the following build:
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2013-06-13-00-40-19-mozilla-aurora/

Windows 8 x64:

C:\Windows\System32\wow64.dll <- Passed (cmd.exe was not executed)
C:\Windows\System32\wow64win.dll <- Passed (cmd.exe was not executed)
C:\Windows\System32\wow64cpu.dll <- Passed (cmd.exe was not executed)
C:\Windows\SysWOW64\apphelp.dll <- Passed (cmd.exe was not executed)
C:\Windows\SysWOW64\dwmapi.dll <- Passed (cmd.exe was not executed)
C:\Windows\SysWOW64\SHCore.dll <- Passed (cmd.exe was not executed)
C:\Windows\SysWOW64\uxtheme.dll <- Passed (cmd.exe was not executed)
C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\tiptsf.dll <- Passed (cmd.exe was not executed)
C:\Windows\SysWOW64\oleacc.dll <- CMD.EXE was launched in MEDIUM integrity

Windows 7 Home Premium SP1 x64:

C:\Windows\System32\wow64.dll <- Passed (cmd.exe was not executed)
C:\Windows\System32\wow64win.dll <- Passed (cmd.exe was not executed)
C:\Windows\System32\wow64cpu.dll <- Passed (cmd.exe was not executed)
C:\Windows\SysWOW64\dwmapi.dll <- Passed (cmd.exe was not executed)
C:\Windows\SysWOW64\uxtheme.dll <- Passed (cmd.exe was not executed)
C:\Windows\SysWOW64\apphelp.dll <- Passed (cmd.exe was not executed)

Windows Vista Ultimate SP2 x64:

C:\Windows\System32\ntdll.dll <- Passed (cmd.exe was not executed)
C:\Windows\SysWOW64\ntdll.dll <- Passed (cmd.exe was not executed)
C:\Windows\System32\wow64.dll <- Passed (cmd.exe was not executed)
C:\Windows\System32\wow64win.dll <- Passed (cmd.exe was not executed)
C:\Windows\System32\wow64cpu.dll <- Passed (cmd.exe was not executed)
C:\Windows\SysWOW64\dwmapi.dll <- Passed (cmd.exe was not executed)
C:\Windows\SysWOW64\uxtheme.dll <- Passed (cmd.exe was not executed)
C:\Windows\SysWOW64\apphelp.dll <- Passed (cmd.exe was not executed)

Windows XP Pro SP2 x64:

C:\WINDOWS\system32\wow64.dll <- Passed (cmd.exe was not executed)
C:\WINDOWS\system32\wow64win.dll <- Passed (cmd.exe was not executed)
C:\WINDOWS\system32\wow64cpu.dll <- Passed (cmd.exe was not executed)
C:\WINDOWS\SysWOW64\imm32.dll <- Passed (cmd.exe was not executed)
C:\WINDOWS\SysWOW64\uxtheme.dll <- Passed (cmd.exe was not executed)
C:\WINDOWS\SysWOW64\msctf.dll <- Passed (cmd.exe was not executed)
C:\WINDOWS\SysWOW64\apphelp.dll <- Several CMD.EXE were launched (not sure what integrity level)

Possible Issues:

Windows 8 x64:
C:\Windows\SysWOW64\oleacc.dll <- CMD.EXE was launched in MEDIUM integrity

Windows XP Pro SP2 x64:
C:\WINDOWS\SysWOW64\apphelp.dll <- Several CMD.EXE were launched (not sure what integrity level)

Before verifying Firefox 23, could someone please double check and see if the two DLL's listed above are possible issues.
Comment 44 Robert Strong [:rstrong] (use needinfo to contact me) 2013-06-13 23:31:20 PDT
I won't be able to check due to only having Win Vista and Win 7 at this time.

Brian, could you check the above two dll's?
Comment 45 Kamil Jozwiak [:kjozwiak] 2013-06-14 01:00:51 PDT
Firefox 22 Testing/Verification Results:

Steps Used:

- Downloaded the latest stub executable & renamed it to stub.exe
- Configured procmon as follows:

Process Name is stub.exe
Path contains .dll
Operation is Load Image

Matched the listed DLL's in procmon against the KnownDlls32 list under Winobj. Listed the unknown DLL's below

Tested the issue using the stub executable from the following build:
http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/22.0b5/win32/en-US/

Windows 8 x64:

C:\Windows\System32\wow64.dll <- Passed (cmd.exe was not executed)
C:\Windows\System32\wow64win.dll <- Passed (cmd.exe was not executed)
C:\Windows\System32\wow64cpu.dll <- Passed (cmd.exe was not executed)
C:\Windows\SysWOW64\apphelp.dll <- Passed (cmd.exe was not executed)
C:\Windows\SysWOW64\dwmapi.dll <- Passed (cmd.exe was not executed)
C:\Windows\SysWOW64\SHCore.dll <- Passed (cmd.exe was not executed)
C:\Windows\SysWOW64\uxtheme.dll <- Passed (cmd.exe was not executed)
C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\tiptsf.dll <- Passed (cmd.exe was not executed)
C:\Program Files\ThinkPad\Bluetooth Software\syswow64\BtMmHook.dll <- Passed (cmd.exe was not executed)
C:\Windows\SysWOW64\oleacc.dll <- CMD.EXE was launched in MEDIUM integrity

Windows 7 Home Premium SP1 x64:

C:\Windows\System32\wow64.dll <- Passed (cmd.exe was not executed)
C:\Windows\System32\wow64win.dll <- Passed (cmd.exe was not executed)
C:\Windows\System32\wow64cpu.dll <- Passed (cmd.exe was not executed)
C:\Windows\SysWOW64\dwmapi.dll <- Passed (cmd.exe was not executed)
C:\Windows\SysWOW64\uxtheme.dll <- Passed (cmd.exe was not executed)
C:\Windows\SysWOW64\apphelp.dll <- Passed (cmd.exe was not executed)

Windows Vista Ultimate SP2 x64:

C:\Windows\System32\ntdll.dll <- Passed (cmd.exe was not executed)
C:\Windows\SysWOW64\ntdll.dll <- Passed (cmd.exe was not executed)
C:\Windows\System32\wow64.dll <- Passed (cmd.exe was not executed)
C:\Windows\System32\wow64win.dll <- Passed (cmd.exe was not executed)
C:\Windows\System32\wow64cpu.dll <- Passed (cmd.exe was not executed)
C:\Windows\SysWOW64\dwmapi.dll <- Passed (cmd.exe was not executed)
C:\Windows\SysWOW64\uxtheme.dll <- Passed (cmd.exe was not executed)
C:\Windows\SysWOW64\apphelp.dll <- Passed (cmd.exe was not executed)


Windows XP Pro SP2 x64:

C:\Windows\System32\wow64.dll <- Passed (cmd.exe was not executed)
C:\Windows\System32\wow64win.dll <- Passed (cmd.exe was not executed)
C:\Windows\System32\wow64cpu.dll <- Passed (cmd.exe was not executed)
C:\WINDOWS\SysWOW64\imm32.dll <- Passed (cmd.exe was not executed)
C:\WINDOWS\SysWOW64\uxtheme.dll <- Passed (cmd.exe was not executed)
C:\WINDOWS\SysWOW64\msctf.dll <- Passed (cmd.exe was not executed)
C:\WINDOWS\SysWOW64\apphelp.dll <- Several CMD.EXE were launched (not sure what integrity level)

Possible Issues:

Windows 8 x64:
C:\Windows\SysWOW64\oleacc.dll <- CMD.EXE was launched in MEDIUM integrity

Windows XP Pro SP2 x64:
C:\WINDOWS\SysWOW64\apphelp.dll <- Several CMD.EXE were launched (not sure what integrity level)

Before verifying Firefox 22, could someone please double check and see if the two DLL's listed above are possible issues.
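
The Procmon check used in comments 42, 43 and 45, as an added example (not part of the bug or of Mozilla's tooling): it reads a Procmon CSV export, keeps the stub's Load Image events, and sorts each DLL by where it was loaded from and whether its name is on the KnownDLLs list. The CSV rows, the KnownDLLs subset, and the `app_dir` and `system_root` defaults are constructed sample values.

```python
import csv
import io
import ntpath  # Windows path rules; works on any OS

# Constructed sample standing in for a Procmon CSV export (default columns).
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:46:01.10 PM","stub.exe","4120","Load Image","C:\Windows\SysWOW64\kernel32.dll","SUCCESS",""
"9:46:01.12 PM","stub.exe","4120","Load Image","C:\Windows\SysWOW64\uxtheme.dll","SUCCESS",""
"9:46:01.13 PM","stub.exe","4120","Load Image","C:\WINDOWS\SysWOW64\UxTheme.dll","SUCCESS",""
"9:46:01.15 PM","stub.exe","4120","Load Image","C:\Windows\SysWOW64\dwmapi.dll","SUCCESS",""
"9:46:01.20 PM","stub.exe","4120","CreateFile","C:\Users\test\Downloads\cryptsp.dll","NAME NOT FOUND",""
"9:46:01.31 PM","stub.exe","4120","Load Image","C:\Users\test\Downloads\oleacc.dll","SUCCESS",""
"9:46:01.40 PM","stub.exe","4120","Load Image","C:\Program Files\ThinkPad\Bluetooth Software\syswow64\BtMmHook.dll","SUCCESS",""
"9:46:02.00 PM","other.exe","5000","Load Image","C:\Users\test\Downloads\foo.dll","SUCCESS",""
'''

# Constructed subset; on a real test machine, copy the names shown under
# \KnownDlls32 in WinObj, since the list differs per Windows version.
KNOWN_DLLS = {"kernel32.dll", "user32.dll", "ole32.dll", "advapi32.dll", "shell32.dll"}


def triage(csv_text, process="stub.exe", app_dir=r"C:\Users\test\Downloads",
           system_root=r"C:\Windows", known_dlls=KNOWN_DLLS):
    """Bucket every DLL image the process loaded.

    app_dir        -- loaded from the folder the installer was run from
                      (the failing case described in comment 46)
    known          -- name is on the KnownDLLs list
    unknown_system -- loaded from the Windows directory but not a KnownDLL;
                      these are the names the comments list per platform
    other          -- loaded from anywhere else (third-party hook DLLs etc.)
    """
    norm = ntpath.normcase  # lower-case and unify separators
    app_dir = norm(app_dir).rstrip("\\")
    system_root = norm(system_root).rstrip("\\") + "\\"
    known = {name.lower() for name in known_dlls}
    buckets = {"app_dir": set(), "known": set(), "unknown_system": set(), "other": set()}

    # Procmon writes a UTF-8 BOM at the start of its CSV exports.
    reader = csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff")))
    for row in reader:
        if row["Process Name"].lower() != process.lower():
            continue
        if row["Operation"] != "Load Image":
            continue  # file probes (CreateFile) are not image loads
        path = norm(row["Path"])
        if not path.endswith(".dll"):
            continue
        if ntpath.dirname(path) == app_dir:
            buckets["app_dir"].add(path)
        elif ntpath.basename(path) in known:
            buckets["known"].add(path)
        elif path.startswith(system_root):
            buckets["unknown_system"].add(path)
        else:
            buckets["other"].add(path)
    # Sets remove duplicates that differ only in case; sort for stable output.
    return {name: sorted(paths) for name, paths in buckets.items()}


if __name__ == "__main__":
    for bucket, paths in triage(SAMPLE_CSV).items():
        print(bucket)
        for p in paths:
            print("   ", p)
```

An empty `app_dir` bucket corresponds to the "Passed" rows in the results above; any entry in it means the installer loaded an image from its own folder.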
Comment 46 Brian R. Bondy [:bbondy] 2013-06-14 07:10:42 PDT
(In reply to Robert Strong [:rstrong] (do not email) from comment #44)
> I won't be able to check due to only having Win Vista and Win 7 at this time.
> 
> Brian, could you check the above two dll's?

I reproduced medium integrity level with oleacc.dll on win8x64. This is not an easy to exploit escalation of privs problem, but we should still fix for these 2 cases:
i) User downloads a bad dll into their downloads directory, and then downloads the stub, then executes the stub.  The dll can then run on the machine with medium integrity. Which isn't as bad as high, but is at least something.
ii) The user downloads the stub and right clicks it and runs it as admin, or runs it from an elevated cmd.  The dll then gets high integrity.

The same logic applies to apphelp.dll, although I didn't verify this one because I don't have WinXPx64 locally here. There's no per-user integrity level on XP like there is on Vista+ so I trust this result. 

I think both should be fixed in the delayDLLs array of the  AutoLoadSystemDependencies struct in this file:
other-licenses/7zstub/src/7zip/Bundles/SFXSetup-moz/Main.cpp

---

After this fix, Kamil you can only retest the affected platforms and DLLs, you don't need to retry everything. Thanks for the huge amount of work by the way!
Comment 47 Brian R. Bondy [:bbondy] 2013-06-14 07:11:09 PDT
See bug 792106 for a similar fix.
Comment 48 Kamil Jozwiak [:kjozwiak] 2013-06-14 07:21:03 PDT
No problem Brian! Robert, just needinfo me when it's ready to go again and I will test the two DLL's on the affected platforms.
Comment 49 Robert Strong [:rstrong] (use needinfo to contact me) 2013-06-14 07:47:51 PDT
Brian, do those dll's also affect the full installer? I would suspect so.
Comment 50 Brian R. Bondy [:bbondy] 2013-06-14 07:53:55 PDT
The win8 one is yup, the x64xp one I don't have it locally to try but I'm sure it's the same too.

I think originally we were just fixing the high integrity processes but then we learnt that it can be a security risk if a user downloads a dll off the internet and then downloads an installer and executes it. I personally don't think sec-high but worth fixing.
Comment 51 Robert Strong [:rstrong] (use needinfo to contact me) 2013-06-14 07:57:52 PDT
Thanks Brian! With this affecting both the full installer and the stub installer I'd like to do those in a separate bug.

Thanks Kamil! I know the test matrix to verify this is a pain and your efforts are much appreciated.
Comment 52 Brian R. Bondy [:bbondy] 2013-06-14 08:04:50 PDT
Followup for the dll pre-loading from a known path sounds right to me.
Comment 53 Robert Strong [:rstrong] (use needinfo to contact me) 2013-06-14 09:16:08 PDT
This is fixed as much as bug 792106 is fixed per the checks Kamil performed so changing to verified based on comment #42, comment #43, and comment #45. Bug 883165 will handle the medium integrity dll's.
Comment 54 Matt Wobensmith [:mwobensmith][:matt:] 2013-08-19 15:25:07 PDT
Hey Kamil, comment 46 and comment 48 - can you do a quick verify?
Comment 55 Robert Strong [:rstrong] (use needinfo to contact me) 2013-08-19 15:28:26 PDT
Matt, the medium integrity case referenced in comment #46 and comment #48 was moved to bug 883165.
Comment 56 Matt Wobensmith [:mwobensmith][:matt:] 2013-08-19 15:36:31 PDT
Indeed, thanks Robert, and sorry for spacing that. Too much info spread across too many DLL bugs. :(
