Closed Bug 859072 (CVE-2013-1712) Opened 12 years ago Closed 12 years ago

The updater.exe loads the profapi.dll from the update directory

Categories

(Toolkit :: Application Update, defect)

20 Branch
x86_64
Windows 7
defect
Not set
normal

Tracking

()

VERIFIED FIXED
mozilla25
Tracking Status
firefox22 --- wontfix
firefox23 + verified
firefox24 + verified
firefox25 + verified
firefox-esr17 23+ verified
b2g18 --- unaffected

People

(Reporter: hofusec, Assigned: bbondy)

Details

(4 keywords, Whiteboard: [adv-main23+][adv-esr1708+] introduced by Win7, affects Win8 as well)

Attachments

(3 files)

The updater component is still vulnerable (see 830134) to a library-based attack. The exe loads the profapi.dll from the update directory, for example while performing an update. That can lead to privilege escalation while updating with the Mozilla Maintenance Service. I have tested this on win7 pro 32bit and 64bit with Firefox 20.0.
Steps to reproduce:
1.) Download poc and extract the .dll file.
2.) Copy the updater.exe from the firefox directory to the poc directory
3.) Start the updater.exe
The updater loads the "profapi.dll" and executes system("calc"). The profapi.dll from the system directory should be loaded.
Attached file proof of concept
QA Contact: mwobensmith
We tested for this according to bug 830134 comment 8 and missed this .dll -- what version of windows are you using (specifically, including patch level if known)?
Keywords: sec-high
I have tested the poc with the following configurations:
- Windows 7 x64 Professional SP1 DE, system is up to date with the latest updates
- Windows 7 x86 Professional SP1 EN, unknown patch level
We did perform extensive testing on the related bug(s), using ProcMon and WinObj to search for all possible DLLs. This one didn't show up for us at that time. We'll look into this one ASAP. Since we've invested a fair amount of time in this and other DLL injection issues, we might want to ask ourselves what we can do to avoid the DLL whack-a-mole problem in the future.
By the way, for service updates we now copy updater.exe alongside the maintenanceservice in a high integrity location. This makes it so dll attacks like this are not possible with the service. For non service updates, this is still kind of a problem, but at least there's a UAC prompt. We should still fix this though. Maybe the DLL is now being loaded because of new code that was added to updater at some point.
So the steps in Comment 0 need to be checked against non service updates only.
Group: mozilla-corporation-confidential
I will take a look and see if I can confirm using the steps outlined in comment 0 and comment 7
Only to clarify: on my system I'm able to exploit this issue to execute the .dll with system rights with Maintenance Service 20.0.
I don't think this particular DLL is an issue for the following reasons:
- For maintenance service updates, as I understand it, we are now copying the updater to a secure location before executing it. That secure location would not have this DLL in it.
- For updates where the maintenance service is NOT installed, if you copy this DLL to "C:\Users\Kamil\AppData\Local\Mozilla\Firefox\Nightly\updates\0" it executes calc.exe, but it doesn't execute it as elevated. Updater.exe would eventually elevate but it crashes before then so the DLL is never loaded by the elevated updater.exe.
I did find that the steps we used to populate the DLL list had a problem in it though, so I think we should re-do the test to verify the new list of DLLs on each platform.
This DLL was an issue with the service in v20 though but is already fixed in v21
We should check if SetDefaultDllDirectories will be of any help to this type of dlls. You can remove the current app directory from the search order with it. Unfortunately if it does help though, it's only available in win8 and some patched versions of win7. From the documentation though it sounds like it only applies to LoadLibrary calls which would not help here.
I agree with Kamil in Comment 10 and Comment 11 by the way. The risk here with this particular DLL is not with someone being able to exploit our updater, but just with someone being able to copy our signed updater and a dll to a machine and then request elevation showing a Mozilla certificate, yet executing their code. Unfortunately I don't think there's much we can do about that though because someone could always use a similar attack of an already public old signed updater.exe.
For this one:
> https://intranet.mozilla.org/User:Mwobensmith@mozilla.com/DLL_Hijacking_Updater
We should update the steps here and re-run the test on all OS please:
> Download and launch the ProcMon tool and set the following filters:
> Process Name is firefoxinstaller.exe
Should say updater.exe instead. Otherwise we are probably checking a subset of the correct DLLs but not all of the correct ones.
Ash, can you verify that this is no longer an issue using a Nightly build?
I did a quick check with process monitor:
- I'm not able to exploit the updater with the service
- I'm certain I will be able to exploit the updater if I place the dll to "C:\Users\USERNAME\AppData\Local\Mozilla\Firefox\Nightly\updates\0" during an update without the service. Not with the poc dll, because the poc dll isn't acting like a proxy dll so the updater crashes.
By the way the elevated updater tries to load several .dll files from the current directory (mpr.dll, apphelp.dll propsys.dll, ntmarta.dll). Are there any good reasons why the load of dlls with the updater.exe is delayed at all?
(In reply to ash from comment #16)
> - I'm certain I will be able to exploit the updater if I place the dll to
> "C:\Users\USERNAME\AppData\Local\Mozilla\Firefox\Nightly\updates\0" during
> an update without the service. Not with the poc dll, because the poc dll
> isn't acting like a proxy dll so the updater crashes.
Can you make sure, though? Just trying to be complete here.
Progress: Went through all the available platforms that I have available and compiled a list of unknown DLL's using the following steps:
Installed the latest Nightly build from the following location: http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2013-04-18-03-10-48-mozilla-central/
Once the Nightly build has been installed, went through the following steps:
1) Ran "Procmon.exe" as an Administrator and used the following settings:
   - Process Name is updater.exe
   - Path contains .dll
   - Operation is Load Image
2) Went into the appropriate folder where Nightly was installed and ran "updater.exe" as Administrator
3) Compared the DLL's listed in Step #1 to DLL's listed in "Winobj.exe" (KnownDlls/KnownDlls32)
Results:
Windows XP Pro SP3 x86: (Unknown DLL's)
- C:\WINDOWS\system32\ntdll.dll
- C:\WINDOWS\system32\imm32.dll
- C:\WINDOWS\system32\wsock32.dll
- C:\WINDOWS\system32\ws2_32.dll
- C:\WINDOWS\system32\ws2help.dll
- C:\WINDOWS\system32\crypt32.dll
- C:\WINDOWS\system32\msasn1.dll
Windows XP Pro SP3 x64: (Unknown DLL's)
- C:\WINDOWS\system32\wow64.dll
- C:\WINDOWS\system32\wow64win.dll
- C:\WINDOWS\system32\wow64cpu.dll
- C:\WINDOWS\SysWOW64\imm32.dll
- C:\WINDOWS\SysWOW64\wsock32.dll
- C:\WINDOWS\SysWOW64\ws2_32.dll
- C:\WINDOWS\SysWOW64\ws2help.dll
- C:\WINDOWS\SysWOW64\crypt32.dll
- C:\WINDOWS\SysWOW64\msasn1.dll
- C:\WINDOWS\SysWOW64\userenv.dll
Windows Vista Ultimate SP2 x86: (Unknown DLL's)
- C:\WINDOWS\system32\ntdll.dll
- C:\WINDOWS\system32\shimeng.dll
- C:\WINDOWS\system32\apphelp.dll
- C:\WINDOWS\system32\wsock32.dll
- C:\WINDOWS\system32\crypt32.dll
- C:\WINDOWS\system32\msasn1.dll
- C:\WINDOWS\system32\userenv.dll
- C:\WINDOWS\system32\secur32.dll
Windows Vista Ultimate SP2 x64: (Unknown DLL's)
- C:\WINDOWS\system32\ntdll.dll
- C:\WINDOWS\SysWOW64\ntdll.dll
- C:\WINDOWS\system32\wow64.dll
- C:\WINDOWS\system32\wow64win.dll
- C:\WINDOWS\system32\wowcpu.dll
- C:\WINDOWS\SysWOW64\shimeng.dll
- C:\WINDOWS\SysWOW64\apphelp.dll
- C:\WINDOWS\SysWOW64\wsock32.dll
- C:\WINDOWS\SysWOW64\crypt32.dll
- C:\WINDOWS\SysWOW64\msasn1.dll
- C:\WINDOWS\SysWOW64\userenv.dll
Windows 7 Home Premium SP1 x64: (Unknown DLL's)
- C:\Windows\System32\wow64.dll
- C:\Windows\System32\wow64win.dll
- C:\Windows\System32\wow64cpu.dll
- C:\Windows\SysWOW64\wsock32.dll
- C:\Windows\SysWOW64\cryptsp.dll
- C:\Windows\SysWOW64\userenv.dll
- C:\Windows\SysWOW64\profapi.dll
- C:\Windows\SysWOW64\secur32.dll
Windows 7 Home Premium SP1 x86: (Unknown DLL's)
- C:\WINDOWS\system32\wsock32.dll
- C:\WINDOWS\system32\cryptsp.dll
- C:\WINDOWS\system32\cryptbase.dll
- C:\WINDOWS\system32\userenv.dll
- C:\WINDOWS\system32\profapi.dll
- C:\WINDOWS\system32\secur32.dll
Windows 8 x86: (Unknown DLL's)
- C:\WINDOWS\system32\apphelp.dll
- C:\WINDOWS\system32\wsock32.dll
- C:\WINDOWS\system32\cryptsp.dll
- C:\WINDOWS\system32\cryptbase.dll
- C:\WINDOWS\system32\bcryptprimitives.dll
- C:\WINDOWS\system32\userenv.dll
- C:\WINDOWS\system32\profapi.dll
- C:\WINDOWS\system32\secur32.dll
Windows 8 Pro x64: (Unknown DLL's)
- C:\WINDOWS\system32\wow64.dll
- C:\WINDOWS\system32\wow64win.dll
- C:\WINDOWS\system32\wowcpu.dll
- C:\WINDOWS\SysWOW64\apphelp.dll
- C:\WINDOWS\SysWOW64\nvinit.dll
- C:\Program Files (x86)\NVIDIA Corporation\coprocmanager\detoured.dll
- C:\Program Files (x86)\NVIDIA Corporation\coprocmanager\Nvd3d9wrap.dll
- C:\Program Files (x86)\NVIDIA Corporation\coprocmanager\nvdxgiwrap.dll
- C:\Windows\SysWOW64\wsock32.dll
- C:\Windows\SysWOW64\cryptsp.dll
- C:\Windows\SysWOW64\userenv.dll
- C:\Windows\SysWOW64\profapi.dll
- C:\Windows\SysWOW64\secur32.dll
Will go through each DLL as before and mark the ones that execute "cmd.exe" & "calc.exe" as System or High integrity
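The ProcMon-versus-KnownDLLs comparison described in the comment above can be scripted so the audit is repeatable per platform. This is an added example, not part of the bug thread or Mozilla's tooling; the CSV rows, the KnownDLLs subset, the `classify_loads` name and the `C:\Windows` system root are constructed assumptions (the real inputs are a ProcMon CSV export and the names WinObj shows under KnownDlls/KnownDlls32).

```python
import csv
import io
import ntpath

# Constructed sample in ProcMon's default CSV export column layout.
SAMPLE_PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","updater.exe","4242","Load Image","C:\Program Files (x86)\Nightly\updater.exe","SUCCESS",""
"10:01:02.2","updater.exe","4242","Load Image","C:\Windows\SysWOW64\kernel32.dll","SUCCESS",""
"10:01:02.3","updater.exe","4242","Load Image","C:\Windows\SysWOW64\USER32.dll","SUCCESS",""
"10:01:02.4","updater.exe","4242","Load Image","C:\Windows\SysWOW64\userenv.dll","SUCCESS",""
"10:01:02.5","updater.exe","4242","Load Image","C:\Windows\SysWOW64\secur32.dll","SUCCESS",""
"10:01:02.6","firefox.exe","4100","Load Image","C:\Windows\SysWOW64\wsock32.dll","SUCCESS",""
"10:01:02.7","updater.exe","4242","CreateFile","C:\Users\test\AppData\Local\Mozilla\Firefox\Nightly\updates\0\mpr.dll","NAME NOT FOUND",""
"10:01:02.8","updater.exe","4242","Load Image","C:\Users\test\AppData\Local\Mozilla\Firefox\Nightly\updates\0\profapi.dll","SUCCESS",""
'''

# Constructed subset; on a real host copy the names from WinObj
# (KnownDlls for native processes, KnownDlls32 for 32-bit on x64).
SAMPLE_KNOWN_DLLS = ["kernel32.dll", "user32.dll", "advapi32.dll"]


def classify_loads(procmon_csv, known_dlls, process="updater.exe",
                   system_root=r"C:\Windows"):
    """Sort the DLLs a process loaded into three buckets.

    known           - in KnownDLLs: mapped from the system directory
                      regardless of what sits next to the executable.
    unknown_system  - loaded from a system directory but not a KnownDLL:
                      the normal search order applied, so a same-named
                      file in the application directory would win.
    outside_system  - image actually loaded from somewhere else; full
                      paths are kept because the location is the finding.
    """
    known = {name.lower() for name in known_dlls}
    system_dirs = {
        ntpath.normcase(ntpath.join(system_root, sub))
        for sub in ("System32", "SysWOW64")
    }
    report = {"known": set(), "unknown_system": set(), "outside_system": set()}

    # ProcMon writes a UTF-8 BOM at the start of its CSV exports.
    reader = csv.DictReader(io.StringIO(procmon_csv.lstrip("\ufeff")))
    for row in reader:
        # Same filters the thread applies in the ProcMon UI.
        if row["Process Name"].lower() != process.lower():
            continue
        if row["Operation"] != "Load Image":
            continue
        path = ntpath.normcase(row["Path"])
        if not path.endswith(".dll"):
            continue

        name = ntpath.basename(path)
        if ntpath.dirname(path) not in system_dirs:
            report["outside_system"].add(path)
        elif name in known:
            report["known"].add(name)
        else:
            report["unknown_system"].add(name)
    return report


if __name__ == "__main__":
    result = classify_loads(SAMPLE_PROCMON_CSV, SAMPLE_KNOWN_DLLS)
    for bucket in ("unknown_system", "outside_system", "known"):
        print(bucket)
        for item in sorted(result[bucket]):
            print("   ", item)
```

Third-party modules injected from their own install directories, such as the NVIDIA DLLs in the Windows 8 Pro x64 list above, land in `outside_system` and need to be judged by whether an unprivileged user can write to that directory.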
Status: UNCONFIRMED → NEW
Ever confirmed: true
(In reply to Al Billings [:abillings] from comment #17)
I have created a new poc dll which executes an elevated calc.exe during an update without the service. I have tested the new poc with the last nightly build. Put the new poc profapi.dll to "C:\Users\USERNAME\AppData\Local\Mozilla\Firefox\Nightly\updates\0" and do an update to verify. (the first pop up of the calc.exe will be unelevated the second will be elevated)
Attached file proof of concept 2
Went through all of the unknown DLL's that have been listed in Comment 18 and ran them through the POC2 that has been attached in Comment 20
Used the following build: http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2013-04-25-03-08-45-mozilla-central/
Went through the following steps:
- Placed the updater.exe next to the POC2 DLL that has been attached and then ran updater.exe as "Administrator" using the right click method
- Renamed the POC2 DLL to all of the unknown DLL's in Comment 18 and ran them next to the updater.exe on all of the platforms (monitored Process Explorer at the same time)
- The POC does not reproduce with the Mozilla Maintenance Service but it does if you click on yes on the Mozilla UAC prompt
Results:
Windows XP Pro SP3 x86: (Unknown DLL's)
- C:\WINDOWS\system32\ws2_32.dll (possible issue, received error: "The ordinal 21 could not be located in the dynamic link library WS2_32.dll")
- C:\WINDOWS\system32\ws2help.dll (possible issue, received error: "The procedure entry point WahCompleteRequest could not be located in the dynamic link library WS2HELP.dll")
- C:\WINDOWS\system32\msasn1.dll (possible issue, received error: "The procedure entry point ASN1Free could not be located in the dynamic link library MSASN1.dll")
Windows XP Pro SP3 x64: (Unknown DLL's)
- C:\WINDOWS\SysWOW64\ws2_32.dll (possible issue, received error: "The procedure entry point WSARecvFROM could not be located in the dynamic link library WS2_32.dll")
- C:\WINDOWS\SysWOW64\ws2help.dll (possible issue, received error: "The procedure entry point WahCompleteRequest could not be located in the dynamic link library WS2HELP.dll")
- C:\WINDOWS\SysWOW64\msasn1.dll (possible issue, received error: "The procedure entry point ASN1_CreateEncoder could not be located in the dynamic link library MSASN1.dll")
Windows Vista Ultimate SP2 x86: (Unknown DLL's)
- C:\WINDOWS\system32\apphelp.dll (possible issue, received error: "The procedure entry point SdbFindFirstTagRef could not be located in the dynamic link library apphelp.dll")
- C:\WINDOWS\system32\msasn1.dll (possible issue, received error: "The procedure entry point ASN1_SetEncoderOption could not be located in the dynamic link library MSASN1.dll")
- C:\WINDOWS\system32\userenv.dll (possible issue, received error: "The procedure entry point GetUserProfileDirectoryW could not be located in the dynamic link library USERENV.dll")
Windows Vista Ultimate SP2 x64: (Unknown DLL's)
- C:\WINDOWS\SysWOW64\apphelp.dll (possible issue, received error: "The procedure entry point SdbFindFirstTagRef could not be located in the dynamic link library apphelp.dll")
- C:\WINDOWS\SysWOW64\msasn1.dll (possible issue, received error: "The procedure entry point ASN1_SetEncoderOption could not be located in the dynamic link library MSASN1.dll")
- C:\WINDOWS\SysWOW64\userenv.dll (possible issue, received error: "The procedure entry point GetUserProfileDirectoryW could not be located in the dynamic link library USERENV.dll")
Windows 7 Home Premium SP1 x64: (Unknown DLL's)
- C:\Windows\SysWOW64\profapi.dll (reproduced the issue, calc.exe spawned in High Integrity)
Windows 7 Home Premium SP1 x86: (Unknown DLL's)
- C:\WINDOWS\system32\profapi.dll (reproduced the issue, calc.exe spawned in High Integrity)
Windows 8 x86: (Unknown DLL's)
- C:\WINDOWS\system32\bcryptprimitives.dll (possible issue, received error: "The procedure entry point ProcessPrng could not be located in the dynamic link library C:\Windows\system32\cryptbase.dll")
- C:\WINDOWS\system32\profapi.dll (reproduced the issue, calc.exe spawned in High Integrity)
Windows 8 Pro x64: (Unknown DLL's)
- C:\Windows\SysWOW64\profapi.dll (reproduced the issue, calc.exe spawned in High Integrity)
Assignee: nobody → netzen
> - The POC does not reproduce with the Mozilla Maintenance Service but
> it does if you click on yes on the Mozilla UAC prompt
Without the maintenance service the user would expect to have to click on UAC to perform an install so that's not much mitigation. In what situations would users not have the maintenance service but still get a UAC?
Flags: needinfo?(netzen)
Keywords: sec-vector
Whiteboard: introduced by Win7, affects Win8 as well
The point of my question is that I think for truly limited accounts who cannot write to the Firefox install location we abort the update anyway. The update runs and shows the UAC prompt only if the user can otherwise write to the Firefox install location. In that case an attacker could just add a component or something to Firefox itself to be run later. Is this really a sec-high attack or a more moderate spoofing-equivalent one?
(In reply to Daniel Veditz [:dveditz] from comment #22)
> > - The POC does not reproduce with the Mozilla Maintenance Service but
> > it does if you click on yes on the Mozilla UAC prompt
>
> Without the maintenance service the user would expect to have to click on
> UAC to perform an install so that's not much mitigation. In what situations
> would users not have the maintenance service but still get a UAC?
In these situations:
- At install time a user can choose to not install the maintenance service.
- Users can pref off the maintenance service from the checkbox in options or about config.
- An unprivileged process could disable the service via setting the pref in the user's app profile dir to not use the service.
- A user has more than 10 errors with the service so it gets disabled
From telemetry data we know that:
- 95.9% of users have the service installed
- 99.7% of users have the service enabled (people that don't have it installed are counted as having it on because of the pref check)
- 0% of users have more than 2 errors with the service
- 1.84% of users once had it installed but later uninstalled it
I think we can call an update exploit equally as critical since an unelevated process account can disable service via a pref.
Flags: needinfo?(netzen)
(In reply to Kamil Jozwiak [:kjozwiak] from comment #10)
> - For updates where the maintenance service is NOT installed, if you copy
> this DLL to "C:\Users\Kamil\AppData\Local\Mozilla\Firefox\Nightly\updates\0"
> it executes calc.exe
Does that mean we copy updater.exe to that directory before running it? I guess that's the root of the problem here then -- malware could copy the dll there and wait for a legitimate update which the user would approve. I'm assuming a situation where malware can't write directly to the Firefox install directory because if it can all bets are off. Of course if it can write into the profile it can install add-ons so that's pretty bad, too.
Yes we copy the updater there because we need to replace it during an update. The maintenance service then re-copies it out of there to a secure location before executing it.
Can we get this fixed on trunk soon?
On my short list of things to do
Attached patch Patch v1.Splinter Review
I'm going to file a followup that will try to fix this type of problem in general for updater.exe. In particular it would exclusively lock every .dll in the current directory from the unelevated updater.exe before elevating it. This patch should fix the problems found by Kamil in Comment 21. I tested this with all mentioned DLLs on Windows 8x64. userenv.dll was already in the list but was being loaded before the program started. We've had a similar situation to this in the past and I explicitly specify to delay load that DLL in the Makefile. I tested and it's working now.
Attachment #764729 - Flags: review?(robert.bugzilla)
Attachment #764729 - Flags: review?(robert.bugzilla) → review+
Comment on attachment 764729 [details] [diff] [review] Patch v1. This request is to push to try and m-i.
[Security approval request comment]
How easily could an exploit be constructed based on the patch? Easily if the user has access to the physical machine.
Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? It's pretty easy to deduce based on the surrounding comment.
Which older supported branches are affected by this flaw? I think all
If not all supported branches, which bug introduced the flaw? n/a.
Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? other branches should use the same patch if this is uplifted.
How likely is this patch to cause regressions; how much testing does it need? Not likely, try builds should catch any regressions.
Attachment #764729 - Flags: sec-approval?
Flags: sec-bounty? → sec-bounty+
Comment on attachment 764729 [details] [diff] [review] Patch v1. sec-approval+ for trunk. Let's get some branch patches set up.
Attachment #764729 - Flags: sec-approval? → sec-approval+
branch patches should be the same, I'll request this for branch approval from the same patch once it lands on m-c.
Sounds good.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Comment on attachment 764729 [details] [diff] [review] Patch v1.
[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration: It is a sec-high
Bug caused by (feature/regressing bug #): I think it's always been in updater
User impact if declined: Unelevated process can put a dll alongside the updater to get their code executed in an elevated context.
Fix Landed on Version: mozilla25
Risk to taking this patch (and alternatives if risky): Very low
String or UUID changes made by this patch: None.
See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info.
Attachment #764729 - Flags: approval-mozilla-esr17?
Attachment #764729 - Flags: approval-mozilla-beta?
Attachment #764729 - Flags: approval-mozilla-aurora?
Attachment #764729 - Flags: approval-mozilla-esr17?
Attachment #764729 - Flags: approval-mozilla-esr17+
Attachment #764729 - Flags: approval-mozilla-beta?
Attachment #764729 - Flags: approval-mozilla-beta+
Attachment #764729 - Flags: approval-mozilla-aurora?
Attachment #764729 - Flags: approval-mozilla-aurora+
hi ash, I've tried to contact you a few times with an offer for a security bug bounty for this bug. Let me know if you are interested by sending mail to chofmann@mozilla.org
Will be going through this ASAP and post the results once I have completed the testing.
Firefox 25 Testing/Verification:
** Other than the errors still occurring, the DLL's that originally produced the cmd.exe & calc.exe are working correctly, are the errors supposed to be fixed? If not, then please mark Firefox 25 as verified **
Used the following build to reproduce the original issue: http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2013/04/2013-04-18-03-10-48-mozilla-central/
Used the following build to ensure that the issue has been resolved: http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2013-07-15-03-02-02-mozilla-central/
Windows XP Pro SP3 x86: (Unknown DLL's)
- C:\WINDOWS\system32\ws2_32.dll (still receiving error: "The ordinal 21 could not be located in the dynamic link library WS2_32.dll")
- C:\WINDOWS\system32\ws2help.dll (still receiving error: "The procedure entry point WahCompleteRequest could not be located in the dynamic link library WS2HELP.dll")
- C:\WINDOWS\system32\msasn1.dll (still receiving error: "The procedure entry point ASN1Free could not be located in the dynamic link library MSASN1.dll")
Windows XP Pro SP3 x64: (Unknown DLL's)
- C:\WINDOWS\SysWOW64\ws2_32.dll (still receiving error: "The procedure entry point WSARecvFROM could not be located in the dynamic link library WS2_32.dll")
- C:\WINDOWS\SysWOW64\ws2help.dll (still receiving error: "The procedure entry point WahCompleteRequest could not be located in the dynamic link library WS2HELP.dll")
- C:\WINDOWS\SysWOW64\msasn1.dll (still receiving error: "The procedure entry point ASN1_CreateEncoder could not be located in the dynamic link library MSASN1.dll")
Windows Vista Ultimate SP2 x86: (Unknown DLL's)
- C:\WINDOWS\system32\apphelp.dll (still receiving error: "The procedure entry point SdbFindFirstTagRef could not be located in the dynamic link library apphelp.dll")
- C:\WINDOWS\system32\msasn1.dll (still receiving error: "The procedure entry point ASN1_SetEncoderOption could not be located in the dynamic link library MSASN1.dll")
- C:\WINDOWS\system32\userenv.dll (still receiving error: "The procedure entry point GetUserProfileDirectoryW could not be located in the dynamic link library USERENV.dll")
Windows Vista Ultimate SP2 x64: (Unknown DLL's)
- C:\WINDOWS\SysWOW64\apphelp.dll (still receiving error: "The procedure entry point SdbFindFirstTagRef could not be located in the dynamic link library apphelp.dll")
- C:\WINDOWS\SysWOW64\msasn1.dll (still receiving error: "The procedure entry point ASN1_SetEncoderOption could not be located in the dynamic link library MSASN1.dll")
- C:\WINDOWS\SysWOW64\userenv.dll (still receiving error: "The procedure entry point GetUserProfileDirectoryW could not be located in the dynamic link library USERENV.dll")
Windows 7 Home Premium SP1 x64: (Unknown DLL's)
- C:\Windows\SysWOW64\profapi.dll - Passed (both cmd.exe & calc.exe not executed, no error messages)
Windows 7 Home Premium SP1 x86: (Unknown DLL's)
- C:\WINDOWS\system32\profapi.dll - Passed (both cmd.exe & calc.exe not executed, no error messages)
Windows 8 x86: (Unknown DLL's)
- C:\WINDOWS\system32\bcryptprimitives.dll (still receiving error: "The procedure entry point ProcessPrng could not be located in the dynamic link library C:\Windows\system32\cryptbase.dll")
- C:\WINDOWS\system32\profapi.dll - Passed (both cmd.exe & calc.exe not executed, no error messages)
Windows 8 Pro x64: (Unknown DLL's)
- C:\Windows\SysWOW64\profapi.dll - Passed (both cmd.exe & calc.exe not executed, no error messages)
Still going to go through the other builds and post the results one by one once they are completed.
Firefox 24 Testing/Verification:
Used the following build to ensure that the issue has been resolved: http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2013-07-15-00-40-02-mozilla-aurora/
** Other than the errors still occurring, the DLL's that originally produced the cmd.exe & calc.exe are working correctly, are the errors supposed to be fixed? If not, then please mark Firefox 24 as verified **
Windows XP Pro SP3 x86: (Unknown DLL's)
- C:\WINDOWS\system32\ws2_32.dll (still receiving error: "The ordinal 21 could not be located in the dynamic link library WS2_32.dll")
- C:\WINDOWS\system32\ws2help.dll (still receiving error: "The procedure entry point WahCompleteRequest could not be located in the dynamic link library WS2HELP.dll")
- C:\WINDOWS\system32\msasn1.dll (still receiving error: "The procedure entry point ASN1Free could not be located in the dynamic link library MSASN1.dll")
Windows XP Pro SP3 x64: (Unknown DLL's)
- C:\WINDOWS\SysWOW64\ws2_32.dll (still receiving error: "The procedure entry point WSARecvFROM could not be located in the dynamic link library WS2_32.dll")
- C:\WINDOWS\SysWOW64\ws2help.dll (still receiving error: "The procedure entry point WahCompleteRequest could not be located in the dynamic link library WS2HELP.dll")
- C:\WINDOWS\SysWOW64\msasn1.dll (still receiving error: "The procedure entry point ASN1_CreateEncoder could not be located in the dynamic link library MSASN1.dll")
Windows Vista Ultimate SP2 x86: (Unknown DLL's)
- C:\WINDOWS\system32\apphelp.dll (still receiving error: "The procedure entry point SdbFindFirstTagRef could not be located in the dynamic link library apphelp.dll")
- C:\WINDOWS\system32\msasn1.dll (still receiving error: "The procedure entry point ASN1_SetEncoderOption could not be located in the dynamic link library MSASN1.dll")
- C:\WINDOWS\system32\userenv.dll (still receiving error: "The procedure entry point GetUserProfileDirectoryW could not be located in the dynamic link library USERENV.dll")
Windows Vista Ultimate SP2 x64: (Unknown DLL's)
- C:\WINDOWS\SysWOW64\apphelp.dll (still receiving error: "The procedure entry point SdbFindFirstTagRef could not be located in the dynamic link library apphelp.dll")
- C:\WINDOWS\SysWOW64\msasn1.dll (still receiving error: "The procedure entry point ASN1_SetEncoderOption could not be located in the dynamic link library MSASN1.dll")
- C:\WINDOWS\SysWOW64\userenv.dll (still receiving error: "The procedure entry point GetUserProfileDirectoryW could not be located in the dynamic link library USERENV.dll")
Windows 7 Home Premium SP1 x64: (Unknown DLL's)
- C:\Windows\SysWOW64\profapi.dll - Passed (both cmd.exe & calc.exe not executed, no error messages)
Windows 7 Home Premium SP1 x86: (Unknown DLL's)
- C:\WINDOWS\system32\profapi.dll - Passed (both cmd.exe & calc.exe not executed, no error messages)
Windows 8 x86: (Unknown DLL's)
- C:\WINDOWS\system32\bcryptprimitives.dll (still receiving error: "The procedure entry point ProcessPrng could not be located in the dynamic link library C:\Windows\system32\cryptbase.dll")
- C:\WINDOWS\system32\profapi.dll - Passed (both cmd.exe & calc.exe not executed, no error messages)
Windows 8 Pro x64: (Unknown DLL's)
- C:\Windows\SysWOW64\profapi.dll - Passed (both cmd.exe & calc.exe not executed, no error messages)
Firefox 23 Testing/Verification:
Used the following build to ensure that the issue has been resolved: http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/latest-beta/win32/en-US/
** Other than the errors still occurring, the DLL's that originally produced the cmd.exe & calc.exe are working correctly, are the errors supposed to be fixed? If not, then please mark Firefox 23 as verified **
Windows XP Pro SP3 x86: (Unknown DLL's)
- C:\WINDOWS\system32\ws2_32.dll (still receiving error: "The ordinal 21 could not be located in the dynamic link library WS2_32.dll")
- C:\WINDOWS\system32\ws2help.dll (still receiving error: "The procedure entry point WahCompleteRequest could not be located in the dynamic link library WS2HELP.dll")
- C:\WINDOWS\system32\msasn1.dll (still receiving error: "The procedure entry point ASN1Free could not be located in the dynamic link library MSASN1.dll")
Windows XP Pro SP3 x64: (Unknown DLL's)
- C:\WINDOWS\SysWOW64\ws2_32.dll (still receiving error: "The procedure entry point WSARecvFROM could not be located in the dynamic link library WS2_32.dll")
- C:\WINDOWS\SysWOW64\ws2help.dll (still receiving error: "The procedure entry point WahCompleteRequest could not be located in the dynamic link library WS2HELP.dll")
- C:\WINDOWS\SysWOW64\msasn1.dll (still receiving error: "The procedure entry point ASN1_CreateEncoder could not be located in the dynamic link library MSASN1.dll")
Windows Vista Ultimate SP2 x86: (Unknown DLL's)
- C:\WINDOWS\system32\apphelp.dll (still receiving error: "The procedure entry point SdbFindFirstTagRef could not be located in the dynamic link library apphelp.dll")
- C:\WINDOWS\system32\msasn1.dll (still receiving error: "The procedure entry point ASN1_SetEncoderOption could not be located in the dynamic link library MSASN1.dll")
- C:\WINDOWS\system32\userenv.dll (still receiving error: "The procedure entry point GetUserProfileDirectoryW could not be located in the dynamic link library USERENV.dll")
Windows Vista Ultimate SP2 x64: (Unknown DLL's)
- C:\WINDOWS\SysWOW64\apphelp.dll (still receiving error: "The procedure entry point SdbFindFirstTagRef could not be located in the dynamic link library apphelp.dll")
- C:\WINDOWS\SysWOW64\msasn1.dll (still receiving error: "The procedure entry point ASN1_SetEncoderOption could not be located in the dynamic link library MSASN1.dll")
- C:\WINDOWS\SysWOW64\userenv.dll (still receiving error: "The procedure entry point GetUserProfileDirectoryW could not be located in the dynamic link library USERENV.dll")
Windows 7 Home Premium SP1 x64: (Unknown DLL's)
- C:\Windows\SysWOW64\profapi.dll - Passed (both cmd.exe & calc.exe not executed, no error messages)
Windows 7 Home Premium SP1 x86: (Unknown DLL's)
- C:\WINDOWS\system32\profapi.dll - Passed (both cmd.exe & calc.exe not executed, no error messages)
Windows 8 x86: (Unknown DLL's)
- C:\WINDOWS\system32\bcryptprimitives.dll (still receiving error: "The procedure entry point ProcessPrng could not be located in the dynamic link library C:\Windows\system32\cryptbase.dll")
- C:\WINDOWS\system32\profapi.dll - Passed (both cmd.exe & calc.exe not executed, no error messages)
Windows 8 Pro x64: (Unknown DLL's)
- C:\Windows\SysWOW64\profapi.dll - Passed (both cmd.exe & calc.exe not executed, no error messages)
Firefox ESR17 Testing/Verification:
Used the following build to ensure that the issue has been resolved: http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/latest-mozilla-esr17/
** Other than the errors still occurring, the DLL's that originally produced the cmd.exe & calc.exe are working correctly, are the errors supposed to be fixed? If not, then please mark Firefox ESR17 as verified **
Windows XP Pro SP3 x86: (Unknown DLL's)
- C:\WINDOWS\system32\ws2_32.dll (still receiving error: "The ordinal 21 could not be located in the dynamic link library WS2_32.dll")
- C:\WINDOWS\system32\ws2help.dll (still receiving error: "The procedure entry point WahCompleteRequest could not be located in the dynamic link library WS2HELP.dll")
- C:\WINDOWS\system32\msasn1.dll (still receiving error: "The procedure entry point ASN1Free could not be located in the dynamic link library MSASN1.dll")
Windows XP Pro SP3 x64: (Unknown DLL's)
- C:\WINDOWS\SysWOW64\ws2_32.dll (still receiving error: "The procedure entry point WSARecvFROM could not be located in the dynamic link library WS2_32.dll")
- C:\WINDOWS\SysWOW64\ws2help.dll (still receiving error: "The procedure entry point WahCompleteRequest could not be located in the dynamic link library WS2HELP.dll")
- C:\WINDOWS\SysWOW64\msasn1.dll (still receiving error: "The procedure entry point ASN1_CreateEncoder could not be located in the dynamic link library MSASN1.dll")
Windows Vista Ultimate SP2 x86: (Unknown DLL's)
- C:\WINDOWS\system32\apphelp.dll (still receiving error: "The procedure entry point SdbFindFirstTagRef could not be located in the dynamic link library apphelp.dll")
- C:\WINDOWS\system32\msasn1.dll (still receiving error: "The procedure entry point ASN1_SetEncoderOption could not be located in the dynamic link library MSASN1.dll")
- C:\WINDOWS\system32\userenv.dll (still receiving error: "The procedure entry point GetUserProfileDirectoryW could not be located in the dynamic link library USERENV.dll")
Windows Vista Ultimate SP2 x64: (Unknown DLL's)
- C:\WINDOWS\SysWOW64\apphelp.dll (still receiving error: "The procedure entry point SdbFindFirstTagRef could not be located in the dynamic link library apphelp.dll")
- C:\WINDOWS\SysWOW64\msasn1.dll (still receiving error: "The procedure entry point ASN1_SetEncoderOption could not be located in the dynamic link library MSASN1.dll")
- C:\WINDOWS\SysWOW64\userenv.dll (still receiving error: "The procedure entry point GetUserProfileDirectoryW could not be located in the dynamic link library USERENV.dll")
Windows 7 Home Premium SP1 x64: (Unknown DLL's)
- C:\Windows\SysWOW64\profapi.dll - Passed (both cmd.exe & calc.exe not executed, no error messages)
Windows 7 Home Premium SP1 x86: (Unknown DLL's)
- C:\WINDOWS\system32\profapi.dll - Passed (both cmd.exe & calc.exe not executed, no error messages)
Windows 8 x86: (Unknown DLL's)
- C:\WINDOWS\system32\bcryptprimitives.dll (still receiving error: "The procedure entry point ProcessPrng could not be located in the dynamic link library C:\Windows\system32\cryptbase.dll")
- C:\WINDOWS\system32\profapi.dll - Passed (both cmd.exe & calc.exe not executed, no error messages)
Windows 8 Pro x64: (Unknown DLL's)
- C:\Windows\SysWOW64\profapi.dll - Passed (both cmd.exe & calc.exe not executed, no error messages)
My apologies for the spam, but think it was easier splitting each comment for each build or it would have been hard to go through one giant comment.
Summary:
Firefox 25 Testing/Verification (Tested on all OS x86/x64) - comment 41
- DLL's that originally produced the executables are working correctly and NOT spawning CMD.exe/CALC.exe anymore
- The prompt error messages for the other DLL's are still occurring
Firefox 24 Testing/Verification (Tested on all OS x86/x64) - comment 42
- DLL's that originally produced the executables are working correctly and NOT spawning CMD.exe/CALC.exe anymore
- The prompt error messages for the other DLL's are still occurring
Firefox 23 Testing/Verification (Tested on all OS x86/x64) - comment 43
- DLL's that originally produced the executables are working correctly and NOT spawning CMD.exe/CALC.exe anymore
- The prompt error messages for the other DLL's are still occurring
Firefox ESR17 Testing/Verification (Tested on all OS x86/x64) - comment 44
- DLL's that originally produced the executables are working correctly and NOT spawning CMD.exe/CALC.exe anymore
- The prompt error messages for the other DLL's are still occurring
Hi Kamil, it's good the cmds are not spawned anymore. I did verify each DLL that was producing the error on the fixed build but only on win8x4, which you confirmed has no errors. I think it's best for us to try to get rid of the dll errors on other Windows versions though too, although it may just be best to do a blanket fix for all DLLs at this point. Could you post a new bug in the meantime for the dlls that reproduce the errors? I guess just one new bug with the dlls mentioned in the last few comments that reproduce the errors and on which OS. Thanks!
Sounds good Brian, created the bug and blocked this issue.
Whiteboard: introduced by Win7, affects Win8 as well → [adv-main23+][adv-esr1708+] introduced by Win7, affects Win8 as well
Alias: CVE-2013-1712
Group: core-security
Group: mozilla-employee-confidential