Bug 859072 - (CVE-2013-1712) The updater.exe loads the profapi.dll from the update directory
Status: VERIFIED FIXED
Whiteboard: [adv-main23+][adv-esr1708+] introduce...
Keywords: csectype-priv-escalation, sec-high, sec-vector
Product: Toolkit
Classification: Components
Component: Application Update
Version: 20 Branch
Platform: x86_64 Windows 7
Importance: -- normal
Target Milestone: mozilla25
Assigned To: Brian R. Bondy [:bbondy]
Depends on: 894402
 
Reported: 2013-04-07 03:58 PDT by Holger Fuhrmannek
Modified: 2015-08-20 18:34 PDT
abillings: sec‑bounty+


Attachments
proof of concept (42.21 KB, application/octet-stream)
2013-04-07 04:00 PDT, Holger Fuhrmannek
proof of concept 2 (22.40 KB, application/octet-stream)
2013-04-20 12:43 PDT, Holger Fuhrmannek
Patch v1. (2.53 KB, patch)
2013-06-19 06:43 PDT, Brian R. Bondy [:bbondy]
robert.strong.bugs: review+
lukasblakk+bugs: approval‑mozilla‑aurora+
lukasblakk+bugs: approval‑mozilla‑beta+
lukasblakk+bugs: approval‑mozilla‑esr17+
abillings: sec‑approval+

Description Holger Fuhrmannek 2013-04-07 03:58:27 PDT
The updater component is still vulnerable (see 830134) to a library-based attack. The exe loads the profapi.dll from the update directory, for example while performing an update. That can lead to privilege escalation while updating with the Mozilla Maintenance Service.

I have tested this on win7 pro 32bit and 64bit with Firefox 20.0. 

Steps to reproduce:

1.) Download poc and extract the .dll file.
2.) Copy the updater.exe from the firefox directory to the poc directory
3.) Start the updater.exe
The updater loads the "profapi.dll" and executes system("calc").

The profapi.dll from the system directory should be loaded.
Comment 1 Holger Fuhrmannek 2013-04-07 04:00:10 PDT
Created attachment 734354 [details]
proof of concept
Comment 2 Daniel Veditz [:dveditz] 2013-04-10 10:42:03 PDT
We tested for this according to bug 830134 comment 8 and missed this .dll -- what version of windows are you using (specifically, including patch level if known)?
Comment 3 Holger Fuhrmannek 2013-04-10 13:13:14 PDT
I have tested the poc with the following configurations:

- Windows 7 x64 Professional SP1 DE, system is up to date with the latest updates
- Windows 7 x86 Professional SP1 EN, unknown patch level
Comment 4 Matt Wobensmith [:mwobensmith][:matt:] 2013-04-10 16:58:56 PDT
We did perform extensive testing on the related bug(s), using ProcMon and WinObj to search for all possible DLLs. This one didn't show up for us at that time. 

We'll look into this one ASAP. 

Since we've invested a fair amount of time in this and other DLL injection issues, we might want to ask ourselves what we can do to avoid the DLL whack-a-mole problem in the future.
Comment 6 Brian R. Bondy [:bbondy] 2013-04-10 20:33:14 PDT
By the way, for service updates we now copy updater.exe alongside the maintenanceservice in a high integrity location. This makes it so dll attacks like this are not possible with the service. 

For non service updates, this is still kind of a problem, but at least there's a UAC prompt. 

We should still fix this though.  Maybe the DLL is now being loaded because of new code that was added to updater at some point.
Comment 7 Brian R. Bondy [:bbondy] 2013-04-10 20:46:42 PDT
So the steps in Comment 0 need to be checked against non service updates only.
Comment 8 Kamil Jozwiak [:kjozwiak] 2013-04-10 20:58:29 PDT
I will take a look and see if I can confirm using the steps outlined in comment 0 and comment 7
Comment 9 Holger Fuhrmannek 2013-04-10 23:09:40 PDT
Only to clarify: on my system I'm able to exploit this issue to execute the .dll with system rights with Maintenance Service 20.0.
Comment 10 Kamil Jozwiak [:kjozwiak] 2013-04-11 21:07:11 PDT
I don't think this particular DLL is an issue for the following reasons:

- For maintenance service updates, as I understand it, we are now copying the updater to a secure location before executing it. That secure location would not have this DLL in it.
- For updates where the maintenance service is NOT installed, if you copy this DLL to "C:\Users\Kamil\AppData\Local\Mozilla\Firefox\Nightly\updates\0" it executes calc.exe, but it doesn't execute it as elevated. Updater.exe would eventually elevate but it crashes before then so the DLL is never loaded by the elevated updater.exe.

I did find that the steps we used to populate the DLL list had a problem in it though, so I think we should re-do the test to verify the new list of DLLs on each platform.
Comment 11 Kamil Jozwiak [:kjozwiak] 2013-04-11 21:10:51 PDT
This DLL was an issue with the service in v20 though but is already fixed in v21
Comment 12 Brian R. Bondy [:bbondy] 2013-04-12 05:12:07 PDT
We should check if SetDefaultDllDirectories will be of any help to this type of dlls. You can remove the current app directory from the search order with it. Unfortunately if it does help though, it's only available in win8 and some patched versions of win7.  From the documentation though it sounds like it only applies to LoadLibrary calls which would not help here.
Comment 13 Brian R. Bondy [:bbondy] 2013-04-12 05:17:19 PDT
I agree with Kamil in Comment 10 and Comment 11 by the way. The risk here with this particular DLL is not with someone being able to exploit our updater, but just with someone being able to copy our signed updater and a dll to a machine and then request elevation showing a Mozilla certificate, yet executing their code.  Unfortunately I don't think there's much we can do about that though because someone could always use a similar attack of an already public old signed updater.exe.
Comment 14 Brian R. Bondy [:bbondy] 2013-04-12 05:19:55 PDT
For this one:
> https://intranet.mozilla.org/User:Mwobensmith@mozilla.com/DLL_Hijacking_Updater

We should update the steps here and re-run the test on all OS please:
> Download and launch the ProcMon tool and set the following filters:
>    Process Name is firefoxinstaller.exe 

Should say updater.exe instead.  Otherwise we are probably checking a subset of the correct DLLs but not all of the correct ones.
Comment 15 [On PTO until 6/29] 2013-04-15 15:20:35 PDT
Ash, can you verify that this is no longer an issue using a Nightly build?
Comment 16 Holger Fuhrmannek 2013-04-16 00:13:18 PDT
I did a quick check with process monitor:
- I'm not able to exploit the updater with the service
- I'm certain I will be able to exploit the updater if I place the dll to "C:\Users\USERNAME\AppData\Local\Mozilla\Firefox\Nightly\updates\0" during an update without the service. Not with the poc dll, because the poc dll isn't acting like a proxy dll so the updater crashes.

By the way the elevated updater tries to load several .dll files from the current directory (mpr.dll, apphelp.dll, propsys.dll, ntmarta.dll).

Are there any good reasons why the load of dlls with the updater.exe is delayed at all?
Comment 17 [On PTO until 6/29] 2013-04-16 10:46:56 PDT
(In reply to ash from comment #16)
> - I'm certain I will be able to exploit the updater if I place the dll to
> "C:\Users\USERNAME\AppData\Local\Mozilla\Firefox\Nightly\updates\0" during
> an update without the service. Not with the poc dll, because the poc dll
> isn't acting like a proxy dll so the updater crashes.

Can you make sure, though? Just trying to be complete here.
Comment 18 Kamil Jozwiak [:kjozwiak] 2013-04-18 21:30:38 PDT
Progress:

Went through all the available platforms that I have available and compiled a list of unknown DLL's using the following steps:

Installed the latest Nightly build from the following location:

http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2013-04-18-03-10-48-mozilla-central/

Once the Nightly build has been installed, went through the following steps:

1) Ran "Procmon.exe" as an Administrator and used the following settings:
    - Process Name is updater.exe
    - Path contains .dll
    - Operation is Load Image
2) Went into the appropriate folder where Nightly was installed and ran "updater.exe" as Administrator
3) Compared the DLL's listed in Step #1 to DLL's listed in "Winobj.exe" (KnownDlls/KnownDlls32)

Results:

Windows XP Pro SP3 x86: (Unknown DLL's)

C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\imm32.dll
C:\WINDOWS\system32\wsock32.dll
C:\WINDOWS\system32\ws2_32.dll
C:\WINDOWS\system32\ws2help.dll
C:\WINDOWS\system32\crypt32.dll
C:\WINDOWS\system32\msasn1.dll

Windows XP Pro SP3 x64: (Unknown DLL's)

C:\WINDOWS\system32\wow64.dll
C:\WINDOWS\system32\wow64win.dll
C:\WINDOWS\system32\wow64cpu.dll
C:\WINDOWS\SysWOW64\imm32.dll
C:\WINDOWS\SysWOW64\wsock32.dll
C:\WINDOWS\SysWOW64\ws2_32.dll
C:\WINDOWS\SysWOW64\ws2help.dll
C:\WINDOWS\SysWOW64\crypt32.dll
C:\WINDOWS\SysWOW64\msasn1.dll
C:\WINDOWS\SysWOW64\userenv.dll

Windows Vista Ultimate SP2 x86: (Unknown DLL's)

C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\shimeng.dll
C:\WINDOWS\system32\apphelp.dll
C:\WINDOWS\system32\wsock32.dll
C:\WINDOWS\system32\crypt32.dll
C:\WINDOWS\system32\msasn1.dll
C:\WINDOWS\system32\userenv.dll
C:\WINDOWS\system32\secur32.dll

Windows Vista Ultimate SP2 x64: (Unknown DLL's)

C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\SysWOW64\ntdll.dll
C:\WINDOWS\system32\wow64.dll
C:\WINDOWS\system32\wow64win.dll
C:\WINDOWS\system32\wowcpu.dll
C:\WINDOWS\SysWOW64\shimeng.dll
C:\WINDOWS\SysWOW64\apphelp.dll
C:\WINDOWS\SysWOW64\wsock32.dll
C:\WINDOWS\SysWOW64\crypt32.dll
C:\WINDOWS\SysWOW64\msasn1.dll
C:\WINDOWS\SysWOW64\userenv.dll

Windows 7 Home Premium SP1 x64: (Unknown DLL's)

C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64win.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\SysWOW64\wsock32.dll
C:\Windows\SysWOW64\cryptsp.dll
C:\Windows\SysWOW64\userenv.dll
C:\Windows\SysWOW64\profapi.dll
C:\Windows\SysWOW64\secur32.dll

Windows 7 Home Premium SP1 x86: (Unknown DLL's)

C:\WINDOWS\system32\wsock32.dll
C:\WINDOWS\system32\cryptsp.dll
C:\WINDOWS\system32\cryptbase.dll
C:\WINDOWS\system32\userenv.dll
C:\WINDOWS\system32\profapi.dll
C:\WINDOWS\system32\secur32.dll

Windows 8 x86: (Unknown DLL's)

C:\WINDOWS\system32\apphelp.dll
C:\WINDOWS\system32\wsock32.dll
C:\WINDOWS\system32\cryptsp.dll
C:\WINDOWS\system32\cryptbase.dll
C:\WINDOWS\system32\bcryptprimitives.dll
C:\WINDOWS\system32\userenv.dll
C:\WINDOWS\system32\profapi.dll
C:\WINDOWS\system32\secur32.dll

Windows 8 Pro x64: (Unknown DLL's)

C:\WINDOWS\system32\wow64.dll
C:\WINDOWS\system32\wow64win.dll
C:\WINDOWS\system32\wowcpu.dll
C:\WINDOWS\SysWOW64\apphelp.dll
C:\WINDOWS\SysWOW64\nvinit.dll
C:\Program Files (x86)\NVIDIA Corporation\coprocmanager\detoured.dll
C:\Program Files (x86)\NVIDIA Corporation\coprocmanager\Nvd3d9wrap.dll
C:\Program Files (x86)\NVIDIA Corporation\coprocmanager\nvdxgiwrap.dll
C:\Windows\SysWOW64\wsock32.dll
C:\Windows\SysWOW64\cryptsp.dll
C:\Windows\SysWOW64\userenv.dll
C:\Windows\SysWOW64\profapi.dll
C:\Windows\SysWOW64\secur32.dll

Will go through each DLL as before and mark the ones that execute "cmd.exe" & "calc.exe" as System or High integrity
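
The check described in comment 18 (ProcMon "Load Image" events for updater.exe compared against KnownDlls/KnownDlls32) can be run over a ProcMon CSV export. This is an added example, not part of the bug thread or Mozilla's tooling; the CSV rows, the KnownDLLs set and the function names are constructed for illustration, and the column names assume ProcMon's default CSV layout.

```python
import csv
import io
import ntpath

# Constructed sample in Process Monitor's default CSV column layout.
# Rows are illustrative, not captured output from the bug.
SAMPLE_PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.001","updater.exe","4120","Load Image","C:\Users\USERNAME\AppData\Local\Mozilla\Firefox\Nightly\updates\0\updater.exe","SUCCESS",""
"10:01:02.002","updater.exe","4120","Load Image","C:\Windows\SysWOW64\kernel32.dll","SUCCESS",""
"10:01:02.003","updater.exe","4120","Load Image","C:\Windows\SysWOW64\userenv.dll","SUCCESS",""
"10:01:02.004","updater.exe","4120","Load Image","C:\Windows\SysWOW64\USERENV.dll","SUCCESS",""
"10:01:02.005","updater.exe","4120","Load Image","C:\Users\USERNAME\AppData\Local\Mozilla\Firefox\Nightly\updates\0\profapi.dll","SUCCESS",""
"10:01:02.006","updater.exe","4120","CreateFile","C:\Windows\SysWOW64\secur32.dll","SUCCESS",""
"10:01:02.007","firefox.exe","3988","Load Image","C:\Windows\SysWOW64\wsock32.dll","SUCCESS",""
'''

# Constructed stand-in for the names WinObj shows under \KnownDlls
# (use \KnownDlls32 for a 32-bit updater.exe on 64-bit Windows).
SAMPLE_KNOWN_DLLS = {"kernel32.dll", "user32.dll", "advapi32.dll"}

# Directory the updater was started from in the sample rows.
SAMPLE_APP_DIR = r"C:\Users\USERNAME\AppData\Local\Mozilla\Firefox\Nightly\updates\0"


def loaded_dlls(csv_text, process="updater.exe"):
    """Yield the DLL paths from 'Load Image' events of one process."""
    # ProcMon writes a UTF-8 BOM; drop it so the first header parses.
    reader = csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff")))
    for row in reader:
        if row["Process Name"].lower() != process.lower():
            continue
        if row["Operation"] != "Load Image":
            continue
        if not row["Path"].lower().endswith(".dll"):
            continue
        yield row["Path"]


def classify(paths, known_dlls, app_dir):
    """Sort loaded DLLs by how the loader resolved them.

    known               - listed in KnownDLLs, always mapped from the
                          system directory regardless of search order
    search_order        - resolved through the search path, so a copy in
                          the application directory would be preferred
    loaded_from_app_dir - actually loaded from beside the executable
    """
    known = {name.lower() for name in known_dlls}
    app_dir = ntpath.normcase(ntpath.normpath(app_dir))
    report = {"known": [], "search_order": [], "loaded_from_app_dir": []}
    seen = set()
    for path in paths:
        norm = ntpath.normcase(ntpath.normpath(path))
        if norm in seen:  # the same image can be logged more than once
            continue
        seen.add(norm)
        name = ntpath.basename(norm)
        if ntpath.dirname(norm) == app_dir:
            report["loaded_from_app_dir"].append(name)
        elif name in known:
            report["known"].append(name)
        else:
            report["search_order"].append(name)
    return report


def audit(csv_text, known_dlls, app_dir, process="updater.exe"):
    """Run both steps: filter the trace, then classify the result."""
    return classify(loaded_dlls(csv_text, process), known_dlls, app_dir)


if __name__ == "__main__":
    result = audit(SAMPLE_PROCMON_CSV, SAMPLE_KNOWN_DLLS, SAMPLE_APP_DIR)
    for bucket, names in result.items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Any name in `search_order` is one to test as in comment 21; any name in `loaded_from_app_dir` was already loaded from the writable update directory.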
Comment 19 Holger Fuhrmannek 2013-04-20 12:43:05 PDT
(In reply to Al Billings [:abillings] from comment #17)

I have created a new poc dll which executes an elevated calc.exe during an update without the service. I have tested the new poc with the last nightly build.

Put the new poc profapi.dll to "C:\Users\USERNAME\AppData\Local\Mozilla\Firefox\Nightly\updates\0" and do 
an update to verify. (the first pop up of the calc.exe will be unelevated the second will be elevated)
Comment 20 Holger Fuhrmannek 2013-04-20 12:43:35 PDT
Created attachment 740013 [details]
proof of concept 2
Comment 21 Kamil Jozwiak [:kjozwiak] 2013-04-25 22:25:43 PDT
Went through all of the unknown DLL's that have been listed in Comment 18 and ran them through the POC2 that has been attached in Comment 20

Used the following build:
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2013-04-25-03-08-45-mozilla-central/

Went through the following steps:

- Placed the updater.exe next to the POC2 DLL that has been attached and then ran updater.exe as "Administrator" using the right click method
- Renamed the POC2 DLL to all of the unknown DLL's in Comment 18 and ran them next to the updater.exe on all of the platforms (monitored Process Explorer at the same time)
- The POC does not reproduce with the Mozilla Maintenance Service but it does if you click on yes on the Mozilla UAC prompt

Results:

Windows XP Pro SP3 x86: (Unknown DLL's)

- C:\WINDOWS\system32\ws2_32.dll (possible issue, received error: "The ordinal 21 could not be located in the dynamic link library WS2_32.dll")
- C:\WINDOWS\system32\ws2help.dll (possible issue, received error: "The procedure entry point WahCompleteRequest could not be located in the dynamic link library WS2HELP.dll")
- C:\WINDOWS\system32\msasn1.dll (possible issue, received error: "The procedure entry point ASN1Free could not be located in the dynamic link library MSASN1.dll")

Windows XP Pro SP3 x64: (Unknown DLL's)

- C:\WINDOWS\SysWOW64\ws2_32.dll (possible issue, received error: "The procedure entry point WSARecvFROM could not be located in the dynamic link library WS2_32.dll")
- C:\WINDOWS\SysWOW64\ws2help.dll (possible issue, received error: "The procedure entry point WahCompleteRequest could not be located in the dynamic link library WS2HELP.dll")
- C:\WINDOWS\SysWOW64\msasn1.dll (possible issue, received error: "The procedure entry point ASN1_CreateEncoder could not be located in the dynamic link library MSASN1.dll")

Windows Vista Ultimate SP2 x86: (Unknown DLL's)

- C:\WINDOWS\system32\apphelp.dll (possible issue, received error: "The procedure entry point SdbFindFirstTagRef could not be located in the dynamic link library apphelp.dll")
- C:\WINDOWS\system32\msasn1.dll (possible issue, received error: "The procedure entry point ASN1_SetEncoderOption could not be located in the dynamic link library MSASN1.dll")
- C:\WINDOWS\system32\userenv.dll (possible issue, received error: "The procedure entry point GetUserProfileDirectoryW could not be located in the dynamic link library USERENV.dll")

Windows Vista Ultimate SP2 x64: (Unknown DLL's)

- C:\WINDOWS\SysWOW64\apphelp.dll (possible issue, received error: "The procedure entry point SdbFindFirstTagRef could not be located in the dynamic link library apphelp.dll")
- C:\WINDOWS\SysWOW64\msasn1.dll (possible issue, received error: "The procedure entry point ASN1_SetEncoderOption could not be located in the dynamic link library MSASN1.dll")
- C:\WINDOWS\SysWOW64\userenv.dll (possible issue, received error: "The procedure entry point GetUserProfileDirectoryW could not be located in the dynamic link library USERENV.dll")

Windows 7 Home Premium SP1 x64: (Unknown DLL's)

- C:\Windows\SysWOW64\profapi.dll (reproduced the issue, calc.exe spawned in High Integrity)

Windows 7 Home Premium SP1 x86: (Unknown DLL's)

- C:\WINDOWS\system32\profapi.dll (reproduced the issue, calc.exe spawned in High Integrity)

Windows 8 x86: (Unknown DLL's)

- C:\WINDOWS\system32\bcryptprimitives.dll (possible issue, received error: "The procedure entry point ProcessPrng could not be located in the dynamic link library C:\Windows\system32\cryptbase.dll")
- C:\WINDOWS\system32\profapi.dll (reproduced the issue, calc.exe spawned in High Integrity)

Windows 8 Pro x64: (Unknown DLL's)

- C:\Windows\SysWOW64\profapi.dll (reproduced the issue, calc.exe spawned in High Integrity)
Comment 22 Daniel Veditz [:dveditz] 2013-05-15 13:36:50 PDT
> - The POC does not reproduce with the Mozilla Maintenance Service but
> it does if you click on yes on the Mozilla UAC prompt

Without the maintenance service the user would expect to have to click on UAC to perform an install so that's not much mitigation. In what situations would users not have the maintenance service but still get a UAC?
Comment 23 Daniel Veditz [:dveditz] 2013-05-15 13:44:29 PDT
The point of my question is that I think for truly limited accounts who cannot write to the Firefox install location we abort the update anyway. The update runs and shows the UAC prompt only if the user can otherwise write to the Firefox install location. In that case an attacker could just add a component or something to Firefox itself to be run later. Is this really a sec-high attack or a more moderate spoofing-equivalent one?
Comment 24 Brian R. Bondy [:bbondy] 2013-05-15 13:53:37 PDT
(In reply to Daniel Veditz [:dveditz] from comment #22)
> > - The POC does not reproduce with the Mozilla Maintenance Service but
> > it does if you click on yes on the Mozilla UAC prompt
> 
> Without the maintenance service the user would expect to have to click on
> UAC to perform an install so that's not much mitigation. In what situations
> would users not have the maintenance service but still get a UAC?

In these situations:
- At install time a user can choose to not install the maintenance service.
- Users can pref off the maintenance service from the checkbox in options or about config.
- An unprivileged process could disable the service via setting the pref in the user's app profile dir to not use the service.
- A user has more than 10 errors with the service so it gets disabled

From telemetry data we know that:

95.9% of users have the service installed
99.7% of users have the service enabled (people that don't have it installed are counted as having it on because of the pref check)
0% of users have more than 2 errors with the service
1.84% of users once had it installed but later uninstalled it

I think we can call an update exploit equally as critical since an unelevated process account can disable service via a pref.
Comment 25 Daniel Veditz [:dveditz] 2013-05-20 15:38:00 PDT
(In reply to Kamil Jozwiak [:kjozwiak] from comment #10)
> - For updates where the maintenance service is NOT installed, if you copy
> this DLL to "C:\Users\Kamil\AppData\Local\Mozilla\Firefox\Nightly\updates\0"
> it executes calc.exe

Does that mean we copy updater.exe to that directory before running it? I guess that's the root of the problem here then -- malware could copy the dll there and wait for a legitimate update which the user would approve. I'm assuming a situation where malware can't write directly to the Firefox install directory because if it can all bets are off. Of course if it can write into the profile it can install add-ons so that's pretty bad, too.
Comment 26 Brian R. Bondy [:bbondy] 2013-05-20 16:26:11 PDT
Yes we copy the updater there because we need to replace it during an update.
The maintenance service then re-copies it out of there to a secure location before executing it.
Comment 27 [On PTO until 6/29] 2013-06-06 13:48:45 PDT
Can we get this fixed on trunk soon?
Comment 28 Brian R. Bondy [:bbondy] 2013-06-08 18:48:51 PDT
On my short list of things to do
Comment 29 Brian R. Bondy [:bbondy] 2013-06-19 06:43:46 PDT
Created attachment 764729 [details] [diff] [review]
Patch v1.

I'm going to file a followup that will try to fix this type of problem in general for updater.exe.  In particular it would exclusively lock every .dll in the current directory from the unelevated updater.exe before elevating it.

This patch should fix the problems found by Kamil in Comment 21.
I tested this with all mentioned DLLs on Windows 8x64.

userenv.dll was already in the list but was being loaded before the program started. We've had a similar situation to this in the past and I explicitly specify to delay load that DLL in the Makefile. I tested and it's working now.
Comment 30 Brian R. Bondy [:bbondy] 2013-06-19 11:24:56 PDT
Comment on attachment 764729 [details] [diff] [review]
Patch v1.

This request is to push to try and m-i.

[Security approval request comment]
How easily could an exploit be constructed based on the patch?
Easily if the user has access to the physical machine.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
It's pretty easy to deduce based on the surrounding comment.

Which older supported branches are affected by this flaw?
I think all

If not all supported branches, which bug introduced the flaw?
n/a.

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
other branches should use the same patch if this is uplifted.

How likely is this patch to cause regressions; how much testing does it need?
Not likely, try builds should catch any regressions.
Comment 32 [On PTO until 6/29] 2013-07-01 15:42:28 PDT
Comment on attachment 764729 [details] [diff] [review]
Patch v1.

sec-approval+ for trunk. Let's get some branch patches set up.
Comment 33 Brian R. Bondy [:bbondy] 2013-07-01 15:47:48 PDT
branch patches should be the same, I'll request this for branch approval from the same patch once it lands on m-c.
Comment 34 [On PTO until 6/29] 2013-07-01 16:04:43 PDT
Sounds good.
Comment 36 Ryan VanderMeulen [:RyanVM] 2013-07-03 11:50:43 PDT
https://hg.mozilla.org/mozilla-central/rev/969ad7ca404c
Comment 37 Brian R. Bondy [:bbondy] 2013-07-04 06:23:36 PDT
Comment on attachment 764729 [details] [diff] [review]
Patch v1.


[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration:
It is a sec-high

Bug caused by (feature/regressing bug #): 
I think it's always been in updater

User impact if declined: 
Unelevated process can put a dll alongside the updater to get their code executed in an elevated context.

Fix Landed on Version:
mozilla25

Risk to taking this patch (and alternatives if risky): 
Very low

String or UUID changes made by this patch: 
None.

See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info.
Comment 39 chris hofmann 2013-07-09 07:48:55 PDT
hi ash,

I've tried to contact you a few times with an offer for a security bug bounty for this bug.  Let me know if you are interested by sending mail to chofmann@mozilla.org
Comment 40 Kamil Jozwiak [:kjozwiak] 2013-07-15 16:23:29 PDT
Will be going through this ASAP and post the results once I have completed the testing.
Comment 41 Kamil Jozwiak [:kjozwiak] 2013-07-15 20:41:14 PDT
Firefox 25 Testing/Verification:

** Other than the errors still occurring, the DLL's that originally produced the cmd.exe & calc.exe are working correctly, are the errors supposed to be fixed? If not, then please mark Firefox 25 as verified **

Used the following build to reproduce the original issue:
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2013/04/2013-04-18-03-10-48-mozilla-central/

Used the following build to ensure that the issue has been resolved:
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2013-07-15-03-02-02-mozilla-central/

Windows XP Pro SP3 x86: (Unknown DLL's)

- C:\WINDOWS\system32\ws2_32.dll (still receiving error: "The ordinal 21 could not be located in the dynamic link library WS2_32.dll")
- C:\WINDOWS\system32\ws2help.dll (still receiving error: "The procedure entry point WahCompleteRequest could not be located in the dynamic link library WS2HELP.dll")
- C:\WINDOWS\system32\msasn1.dll (still receiving error: "The procedure entry point ASN1Free could not be located in the dynamic link library MSASN1.dll")

Windows XP Pro SP3 x64: (Unknown DLL's)

- C:\WINDOWS\SysWOW64\ws2_32.dll (still receiving error: "The procedure entry point WSARecvFROM could not be located in the dynamic link library WS2_32.dll")
- C:\WINDOWS\SysWOW64\ws2help.dll (still receiving error: "The procedure entry point WahCompleteRequest could not be located in the dynamic link library WS2HELP.dll")
- C:\WINDOWS\SysWOW64\msasn1.dll (still receiving error: "The procedure entry point ASN1_CreateEncoder could not be located in the dynamic link library MSASN1.dll")

Windows Vista Ultimate SP2 x86: (Unknown DLL's)

- C:\WINDOWS\system32\apphelp.dll (still receiving error: "The procedure entry point SdbFindFirstTagRef could not be located in the dynamic link library apphelp.dll")
- C:\WINDOWS\system32\msasn1.dll (still receiving error: "The procedure entry point ASN1_SetEncoderOption could not be located in the dynamic link library MSASN1.dll")
- C:\WINDOWS\system32\userenv.dll (still receiving error: "The procedure entry point GetUserProfileDirectoryW could not be located in the dynamic link library USERENV.dll")

Windows Vista Ultimate SP2 x64: (Unknown DLL's)

- C:\WINDOWS\SysWOW64\apphelp.dll (still receiving error: "The procedure entry point SdbFindFirstTagRef could not be located in the dynamic link library apphelp.dll")
- C:\WINDOWS\SysWOW64\msasn1.dll (still receiving error: "The procedure entry point ASN1_SetEncoderOption could not be located in the dynamic link library MSASN1.dll")
- C:\WINDOWS\SysWOW64\userenv.dll (still receiving error: "The procedure entry point GetUserProfileDirectoryW could not be located in the dynamic link library USERENV.dll")

Windows 7 Home Premium SP1 x64: (Unknown DLL's)

- C:\Windows\SysWOW64\profapi.dll - Passed (both cmd.exe & calc.exe not executed, no error messages)

Windows 7 Home Premium SP1 x86: (Unknown DLL's)

- C:\WINDOWS\system32\profapi.dll - Passed (both cmd.exe & calc.exe not executed, no error messages)

Windows 8 x86: (Unknown DLL's)

- C:\WINDOWS\system32\bcryptprimitives.dll (still receiving error: "The procedure entry point ProcessPrng could not be located in the dynamic link library C:\Windows\system32\cryptbase.dll")
- C:\WINDOWS\system32\profapi.dll - Passed (both cmd.exe & calc.exe not executed, no error messages)

Windows 8 Pro x64: (Unknown DLL's)

- C:\Windows\SysWOW64\profapi.dll - Passed (both cmd.exe & calc.exe not executed, no error messages)

Still going to go through the other builds and post the results one by one once they are completed.
Comment 42 Kamil Jozwiak [:kjozwiak] 2013-07-15 21:34:47 PDT
Firefox 24 Testing/Verification:

Used the following build to ensure that the issue has been resolved:
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2013-07-15-00-40-02-mozilla-aurora/

** Other than the errors still occurring, the DLL's that originally produced the cmd.exe & calc.exe are working correctly, are the errors supposed to be fixed? If not, then please mark Firefox 24 as verified **

Windows XP Pro SP3 x86: (Unknown DLL's)

- C:\WINDOWS\system32\ws2_32.dll (still receiving error: "The ordinal 21 could not be located in the dynamic link library WS2_32.dll")
- C:\WINDOWS\system32\ws2help.dll (still receiving error: "The procedure entry point WahCompleteRequest could not be located in the dynamic link library WS2HELP.dll")
- C:\WINDOWS\system32\msasn1.dll (still receiving error: "The procedure entry point ASN1Free could not be located in the dynamic link library MSASN1.dll")

Windows XP Pro SP3 x64: (Unknown DLL's)

- C:\WINDOWS\SysWOW64\ws2_32.dll (still receiving error: "The procedure entry point WSARecvFROM could not be located in the dynamic link library WS2_32.dll")
- C:\WINDOWS\SysWOW64\ws2help.dll (still receiving error: "The procedure entry point WahCompleteRequest could not be located in the dynamic link library WS2HELP.dll")
- C:\WINDOWS\SysWOW64\msasn1.dll (still receiving error: "The procedure entry point ASN1_CreateEncoder could not be located in the dynamic link library MSASN1.dll")

Windows Vista Ultimate SP2 x86: (Unknown DLL's)

- C:\WINDOWS\system32\apphelp.dll (still receiving error: "The procedure entry point SdbFindFirstTagRef could not be located in the dynamic link library apphelp.dll")
- C:\WINDOWS\system32\msasn1.dll (still receiving error: "The procedure entry point ASN1_SetEncoderOption could not be located in the dynamic link library MSASN1.dll")
- C:\WINDOWS\system32\userenv.dll (still receiving error: "The procedure entry point GetUserProfileDirectoryW could not be located in the dynamic link library USERENV.dll")

Windows Vista Ultimate SP2 x64: (Unknown DLL's)

- C:\WINDOWS\SysWOW64\apphelp.dll (still receiving error: "The procedure entry point SdbFindFirstTagRef could not be located in the dynamic link library apphelp.dll")
- C:\WINDOWS\SysWOW64\msasn1.dll (still receiving error: "The procedure entry point ASN1_SetEncoderOption could not be located in the dynamic link library MSASN1.dll")
- C:\WINDOWS\SysWOW64\userenv.dll (still receiving error: "The procedure entry point GetUserProfileDirectoryW could not be located in the dynamic link library USERENV.dll")

Windows 7 Home Premium SP1 x64: (Unknown DLL's)

- C:\Windows\SysWOW64\profapi.dll - Passed (both cmd.exe & calc.exe not executed, no error messages)

Windows 7 Home Premium SP1 x86: (Unknown DLL's)

- C:\WINDOWS\system32\profapi.dll - Passed (both cmd.exe & calc.exe not executed, no error messages)

Windows 8 x86: (Unknown DLL's)

- C:\WINDOWS\system32\bcryptprimitives.dll (still receiving error: "The procedure entry point ProcessPrng could not be located in the dynamic link library C:\Windows\system32\cryptbase.dll")
- C:\WINDOWS\system32\profapi.dll - Passed (both cmd.exe & calc.exe not executed, no error messages)

Windows 8 Pro x64: (Unknown DLL's)

- C:\Windows\SysWOW64\profapi.dll - Passed (both cmd.exe & calc.exe not executed, no error messages)
Comment 43 Kamil Jozwiak [:kjozwiak] 2013-07-15 22:42:42 PDT
Firefox 23 Testing/Verification:

Used the following build to ensure that the issue has been resolved:
http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/latest-beta/win32/en-US/

** Other than the errors still occurring, the DLL's that originally produced the cmd.exe & calc.exe are working correctly, are the errors supposed to be fixed? If not, then please mark Firefox 23 as verified **

Windows XP Pro SP3 x86: (Unknown DLL's)

- C:\WINDOWS\system32\ws2_32.dll (still receiving error: "The ordinal 21 could not be located in the dynamic link library WS2_32.dll")
- C:\WINDOWS\system32\ws2help.dll (still receiving error: "The procedure entry point WahCompleteRequest could not be located in the dynamic link library WS2HELP.dll")
- C:\WINDOWS\system32\msasn1.dll (still receiving error: "The procedure entry point ASN1Free could not be located in the dynamic link library MSASN1.dll")

Windows XP Pro SP3 x64: (Unknown DLL's)

- C:\WINDOWS\SysWOW64\ws2_32.dll (still receiving error: "The procedure entry point WSARecvFROM could not be located in the dynamic link library WS2_32.dll")
- C:\WINDOWS\SysWOW64\ws2help.dll (still receiving error: "The procedure entry point WahCompleteRequest could not be located in the dynamic link library WS2HELP.dll")
- C:\WINDOWS\SysWOW64\msasn1.dll (still receiving error: "The procedure entry point ASN1_CreateEncoder could not be located in the dynamic link library MSASN1.dll")

Windows Vista Ultimate SP2 x86: (Unknown DLL's)

- C:\WINDOWS\system32\apphelp.dll (still receiving error: "The procedure entry point SdbFindFirstTagRef could not be located in the dynamic link library apphelp.dll")
- C:\WINDOWS\system32\msasn1.dll (still receiving error: "The procedure entry point ASN1_SetEncoderOption could not be located in the dynamic link library MSASN1.dll")
- C:\WINDOWS\system32\userenv.dll (still receiving error: "The procedure entry point GetUserProfileDirectoryW could not be located in the dynamic link library USERENV.dll")

Windows Vista Ultimate SP2 x64: (Unknown DLL's)

- C:\WINDOWS\SysWOW64\apphelp.dll (still receiving error: "The procedure entry point SdbFindFirstTagRef could not be located in the dynamic link library apphelp.dll")
- C:\WINDOWS\SysWOW64\msasn1.dll (still receiving error: "The procedure entry point ASN1_SetEncoderOption could not be located in the dynamic link library MSASN1.dll")
- C:\WINDOWS\SysWOW64\userenv.dll (still receiving error: "The procedure entry point GetUserProfileDirectoryW could not be located in the dynamic link library USERENV.dll")

Windows 7 Home Premium SP1 x64: (Unknown DLL's)

- C:\Windows\SysWOW64\profapi.dll - Passed (both cmd.exe & calc.exe not executed, no error messages)

Windows 7 Home Premium SP1 x86: (Unknown DLL's)

- C:\WINDOWS\system32\profapi.dll - Passed (both cmd.exe & calc.exe not executed, no error messages)

Windows 8 x86: (Unknown DLL's)

- C:\WINDOWS\system32\bcryptprimitives.dll (still receiving error: "The procedure entry point ProcessPrng could not be located in the dynamic link library C:\Windows\system32\cryptbase.dll")
- C:\WINDOWS\system32\profapi.dll - Passed (both cmd.exe & calc.exe not executed, no error messages)

Windows 8 Pro x64: (Unknown DLL's)

- C:\Windows\SysWOW64\profapi.dll - Passed (both cmd.exe & calc.exe not executed, no error messages)
Comment 44 Kamil Jozwiak [:kjozwiak] 2013-07-15 23:46:29 PDT
Firefox ESR17 Testing/Verification:

Used the following build to ensure that the issue has been resolved:
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/latest-mozilla-esr17/

** Other than the errors still occurring, the DLL's that originally produced the cmd.exe & calc.exe are working correctly. Are the errors supposed to be fixed? If not, then please mark Firefox ESR17 as verified **

Windows XP Pro SP3 x86: (Unknown DLL's)

- C:\WINDOWS\system32\ws2_32.dll (still receiving error: "The ordinal 21 could not be located in the dynamic link library WS2_32.dll")
- C:\WINDOWS\system32\ws2help.dll (still receiving error: "The procedure entry point WahCompleteRequest could not be located in the dynamic link library WS2HELP.dll")
- C:\WINDOWS\system32\msasn1.dll (still receiving error: "The procedure entry point ASN1Free could not be located in the dynamic link library MSASN1.dll")

Windows XP Pro SP3 x64: (Unknown DLL's)

- C:\WINDOWS\SysWOW64\ws2_32.dll (still receiving error: "The procedure entry point WSARecvFROM could not be located in the dynamic link library WS2_32.dll")
- C:\WINDOWS\SysWOW64\ws2help.dll (still receiving error: "The procedure entry point WahCompleteRequest could not be located in the dynamic link library WS2HELP.dll")
- C:\WINDOWS\SysWOW64\msasn1.dll (still receiving error: "The procedure entry point ASN1_CreateEncoder could not be located in the dynamic link library MSASN1.dll")

Windows Vista Ultimate SP2 x86: (Unknown DLL's)

- C:\WINDOWS\system32\apphelp.dll (still receiving error: "The procedure entry point SdbFindFirstTagRef could not be located in the dynamic link library apphelp.dll")
- C:\WINDOWS\system32\msasn1.dll (still receiving error: "The procedure entry point ASN1_SetEncoderOption could not be located in the dynamic link library MSASN1.dll")
- C:\WINDOWS\system32\userenv.dll (still receiving error: "The procedure entry point GetUserProfileDirectoryW could not be located in the dynamic link library USERENV.dll")

Windows Vista Ultimate SP2 x64: (Unknown DLL's)

- C:\WINDOWS\SysWOW64\apphelp.dll (still receiving error: "The procedure entry point SdbFindFirstTagRef could not be located in the dynamic link library apphelp.dll")
- C:\WINDOWS\SysWOW64\msasn1.dll (still receiving error: "The procedure entry point ASN1_SetEncoderOption could not be located in the dynamic link library MSASN1.dll")
- C:\WINDOWS\SysWOW64\userenv.dll (still receiving error: "The procedure entry point GetUserProfileDirectoryW could not be located in the dynamic link library USERENV.dll")

Windows 7 Home Premium SP1 x64: (Unknown DLL's)

- C:\Windows\SysWOW64\profapi.dll - Passed (both cmd.exe & calc.exe not executed, no error messages)

Windows 7 Home Premium SP1 x86: (Unknown DLL's)

- C:\WINDOWS\system32\profapi.dll - Passed (both cmd.exe & calc.exe not executed, no error messages)

Windows 8 x86: (Unknown DLL's)

- C:\WINDOWS\system32\bcryptprimitives.dll (still receiving error: "The procedure entry point ProcessPrng could not be located in the dynamic link library C:\Windows\system32\cryptbase.dll")
- C:\WINDOWS\system32\profapi.dll - Passed (both cmd.exe & calc.exe not executed, no error messages)

Windows 8 Pro x64: (Unknown DLL's)

- C:\Windows\SysWOW64\profapi.dll - Passed (both cmd.exe & calc.exe not executed, no error messages)
Comment 45 Kamil Jozwiak [:kjozwiak] 2013-07-15 23:54:48 PDT
My apologies for the spam, but I think it was easier splitting each comment for each build, or it would have been hard to go through one giant comment.

Summary:

Firefox 25 Testing/Verification (Tested on all OS x86/x64) - comment 41
- DLL's that originally produced the executables are working correctly and NOT spawning CMD.exe/CALC.exe anymore
- The prompt error messages for the other DLL's are still occurring

Firefox 24 Testing/Verification (Tested on all OS x86/x64) - comment 42
- DLL's that originally produced the executables are working correctly and NOT spawning CMD.exe/CALC.exe anymore
- The prompt error messages for the other DLL's are still occurring

Firefox 23 Testing/Verification (Tested on all OS x86/x64) - comment 43
- DLL's that originally produced the executables are working correctly and NOT spawning CMD.exe/CALC.exe anymore
- The prompt error messages for the other DLL's are still occurring

Firefox ESR17 Testing/Verification (Tested on all OS x86/x64) - comment 44
- DLL's that originally produced the executables are working correctly and NOT spawning CMD.exe/CALC.exe anymore
- The prompt error messages for the other DLL's are still occurring
Comment 46 Brian R. Bondy [:bbondy] 2013-07-16 07:06:54 PDT
Hi Kamil, it's good the cmds are not spawned anymore.

I did verify each DLL that was producing the error on the fixed build but only on win8x4, which you confirmed has no errors. I think it's best for us to try to get rid of the dll errors on other Windows versions though too, although it may just be best to do a blanket fix for all DLLs at this point.  

Could you post a new bug in the meantime for the dlls that reproduce the errors? I guess just one new bug with the dlls mentioned in the last few comments that reproduce the errors and on which OS. Thanks!
Comment 47 Kamil Jozwiak [:kjozwiak] 2013-07-16 07:46:42 PDT
Sounds good Brian, created the bug and blocked this issue.
