Last Comment Bug 883165 - (CVE-2013-1715) Medium integrity DLL Hijacking - Firefox Full installer and Stub installer
(CVE-2013-1715)
: Medium integrity DLL Hijacking - Firefox Full installer and Stub installer
Status: VERIFIED FIXED
[adv-main23+][include 811557 in this...
: csectype-priv-escalation, sec-moderate
Product: Toolkit
Classification: Components
Component: NSIS Installer (show other bugs)
: unspecified
: x86_64 Windows 7
: -- normal (vote)
: mozilla24
Assigned To: Robert Strong [:rstrong] (use needinfo to contact me)
:
:
Mentors:
Depends on: CVE-2012-4206 811557
Blocks: 883322
  Show dependency treegraph
 
Reported: 2013-06-14 08:04 PDT by Robert Strong [:rstrong] (use needinfo to contact me)
Modified: 2014-11-19 20:03 PST (History)
26 users (show)
robert.strong.bugs: in‑testsuite-
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---
wontfix
+
wontfix
+
verified
+
verified
-
wontfix
unaffected


Attachments
patch rev1 - oleacc.dll and apphelp.dll (1.35 KB, patch)
2013-06-14 09:02 PDT, Robert Strong [:rstrong] (use needinfo to contact me)
netzen: review+
akeybl: approval‑mozilla‑aurora+
Details | Diff | Splinter Review
new 7zip sfx (80.24 KB, patch)
2013-06-14 09:59 PDT, Robert Strong [:rstrong] (use needinfo to contact me)
netzen: review+
Details | Diff | Splinter Review

Description Robert Strong [:rstrong] (use needinfo to contact me) 2013-06-14 08:04:24 PDT
+++ This bug was initially created as a clone of Bug #811557 which was initially created as a clone of Bug #792106 +++

Specifically (from bug 811557 comment #42)
Windows 8 x64:
C:\Windows\SysWOW64\oleacc.dll <- CMD.EXE was launched in MEDIUM integrity

Windows XP Pro SP2 x64:
C:\WINDOWS\SysWOW64\apphelp.dll <- Several CMD.EXE where launched (not sure what integrity level)

Full results are being added here as we test:
https://intranet.mozilla.org/User:Ahughes@mozilla.com/DLL_Hijacking
Comment 1 Robert Strong [:rstrong] (use needinfo to contact me) 2013-06-14 09:02:42 PDT
Created attachment 762724 [details] [diff] [review]
patch rev1 - oleacc.dll and apphelp.dll
Comment 2 Brian R. Bondy [:bbondy] 2013-06-14 09:05:14 PDT
Comment on attachment 762724 [details] [diff] [review]
patch rev1 - oleacc.dll and apphelp.dll

Review of attachment 762724 [details] [diff] [review]:
-----------------------------------------------------------------

We need another patch with a new sfx too
Comment 3 Robert Strong [:rstrong] (use needinfo to contact me) 2013-06-14 09:06:23 PDT
Yep, I'll create one today
Comment 4 Robert Strong [:rstrong] (use needinfo to contact me) 2013-06-14 09:59:06 PDT
Created attachment 762747 [details] [diff] [review]
new 7zip sfx

Brian, could you verify that I got the version and manifest correct? Thanks!
Comment 5 Robert Strong [:rstrong] (use needinfo to contact me) 2013-06-14 10:00:11 PDT
Changing from sec-high to sec-moderate since this is for medium integrity dll's
Comment 6 Robert Strong [:rstrong] (use needinfo to contact me) 2013-06-14 12:11:23 PDT
Pushed to mozilla-inbound
https://hg.mozilla.org/integration/mozilla-inbound/rev/1393fe579803
Comment 7 Justin Wood (:Callek) 2013-06-14 12:25:09 PDT
This will also need a comm-central/ patch (likely in a new bug) for TB and SeaMonkey

https://hg.mozilla.org/comm-central/file/788084ca950a/other-licenses/7zstub
Comment 8 Robert Strong [:rstrong] (use needinfo to contact me) 2013-06-14 12:27:51 PDT
(In reply to Justin Wood (:Callek) from comment #7)
> This will also need a comm-central/ patch (likely in a new bug) for TB and
> SeaMonkey
> 
> https://hg.mozilla.org/comm-central/file/788084ca950a/other-licenses/7zstub
If you file the bug I'll submit the patch.
Comment 9 Justin Wood (:Callek) 2013-06-14 12:37:54 PDT
(In reply to Robert Strong [:rstrong] (do not email) from comment #8)
> (In reply to Justin Wood (:Callek) from comment #7)
> > This will also need a comm-central/ patch (likely in a new bug) for TB and
> > SeaMonkey
> > 
> > https://hg.mozilla.org/comm-central/file/788084ca950a/other-licenses/7zstub
> If you file the bug I'll submit the patch.

Bug 883322
Comment 10 Ryan VanderMeulen [:RyanVM] 2013-06-14 19:03:17 PDT
https://hg.mozilla.org/mozilla-central/rev/1393fe579803
Comment 11 Robert Strong [:rstrong] (use needinfo to contact me) 2013-06-17 10:53:56 PDT
Kamil, could you verify the two dll's that have been added? Thanks!
Comment 12 Robert Strong [:rstrong] (use needinfo to contact me) 2013-06-17 14:23:29 PDT
Comment on attachment 762724 [details] [diff] [review]
patch rev1 - oleacc.dll and apphelp.dll

For both patches

[Approval Request Comment]
Bug caused by (feature/regressing bug #): This has been around since we have had Firefox installers.
User impact if declined: possibility of launching a process in the user's security context.
Testing completed (on m-c, etc.): has baked for a few days on m-c. This only adds 2 dll's to the existing dll's to preload and this code has been in use for some time now.
Risk to taking this patch (and alternatives if risky): minimal
String or IDL/UUID changes made by this patch: none
Comment 13 Robert Strong [:rstrong] (use needinfo to contact me) 2013-06-17 15:53:04 PDT
Pushed combined patch to mozilla-aurora
https://hg.mozilla.org/releases/mozilla-aurora/rev/3f7234d9c1d9

Note: this affects the full installer as well so adding affected to esr as well.
Comment 14 Kamil Jozwiak [:kjozwiak] 2013-06-18 19:34:05 PDT
Firefox 23 Testing/Verification Results:

Tested the issue using the full installer & stub executable from the following build:
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2013-06-18-00-40-18-mozilla-aurora/

Windows 8 x64:

C:\Windows\SysWOW64\oleacc.dll <- Passed (cmd.exe was not executed)

- Went through both FULL & Stub installers

Windows XP Pro SP2 x64:

C:\WINDOWS\SysWOW64\apphelp.dll <- Passed (cmd.exe was not executed)

- Went through both FULL & STUB installers
Comment 15 Robert Strong [:rstrong] (use needinfo to contact me) 2013-06-18 19:35:11 PDT
Thanks Kamil!
Comment 16 Kamil Jozwiak [:kjozwiak] 2013-06-18 19:38:23 PDT
Firefox 24 Testing/Verification Results:

Tested the issue using the full installer & stub executable from the following build:
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2013-06-18-03-13-35-mozilla-central/

Windows 8 x64:

C:\Windows\SysWOW64\oleacc.dll <- Passed (cmd.exe was not executed)

- Went through both the FULL & STUB installers

Windows XP Pro SP2 x64:

C:\WINDOWS\SysWOW64\apphelp.dll <- Passed (cmd.exe was not executed)

- Went through both FULL & STUB installers
Comment 17 Kamil Jozwiak [:kjozwiak] 2013-06-18 19:40:16 PDT
(In reply to Robert Strong [:rstrong] (do not email) from comment #15)
> Thanks Kamil!

no worries! I accidentally selected the incorrect build to mark as verified so the "Verified" messages are switched but tested both and everything works without any issues.

Note You need to log in before you can comment on or make changes to this bug.