<a class="header-button" href="https://bugzilla.mozilla.org/home" title="Go to home page"> Bugzilla

Updated

•

11 years ago

Keywords: sec-high

Updated

•

11 years ago

Assignee: nobody → netzen

Comment 3

•

11 years ago

I'm still not getting how this is useful in an attack. If you can copy files around can't you copy or not copy any other file the updater needs or touches?

Holger Fuhrmannek

Reporter

Comment 4

•

11 years ago

An attack can look as follows (using firefox): - an attacker has already compromised a system and wants to get admin rights now - the attacker puts the updater.exe from the ff directory, an update.status (content: "pending") and update.version (content: "30.0") and a fake bcrypt.dll to C:\Users\<username>\AppData\Local\Mozilla\updates\308046B0AF4A39CB\updates\0 - the attacker sets "using the maintenance service for updating" in the firefox configuration to false if it is enabled - if the user starts firefox the next time, the update.exe will be execting and an UAC prompt from the updater.exe will appear - if the user agrees, the attack will be successful, because the bcypt.dll will be executed.

•

11 years ago

Attached file exploit bcrypt.dll (obsolete) — Details

Comment 8

•

11 years ago

Is it possible to also provide source code? Thanks.

Comment 9

•

11 years ago

Kamil I have a bit of a project for you or someone else on QA if your manager is OK with it. Could you verify this dll? If it reproduces, which based on Comment 6 it will, we should retry all the dlls in the intranet link mentioned in Comment 5 with the new PoC dll. We basically need to redo everything in that intranet page but with the new PoC dll. For what it's worth nothing in the DLL Hijacking intranet link was tested wrong, I just think the PoC differs in some way that we didn't test. So we should re-test with the new PoC for all Dlls and on all platforms.

Flags: needinfo?(kamiljoz)

Holger Fuhrmannek

Reporter

Comment 10

•

11 years ago

The exploit dll need to export the same functions as the original dll. I think that's the difference between the exploit dll and your dll. My dll is auto generate using this tool http://www.codeproject.com/Articles/16541/Create-your-Proxy-DLLs-automatically, i only added system('cmd').

Comment 11

•

11 years ago

Brian, so I ran through the test case following the information added in comment #4 and comment #6 and reproduced the problem. Once selected "OK" under the UAC prompt, I received a second cmd.exe that was spawned in "High" integrity.

Flags: needinfo?(kamiljoz)

Comment 12

•

11 years ago

Thanks ash and Kamil. So Kamil, for testing I think we just need an updated list per platform for any dll that is loaded. If it crashes on startup even, then that counts as something we need to protect against. Using the new dll won't help with this compared to the old dll. Please go through the list that you and others created at ahughes's wiki and make a new list for things we should protect against. This doesn't require you to go through every OS anymore. Just going through the main list. We should check all OS only after we have a fix to this. Before we weren't considering things that didn't launch a high integrity process. But as ash found, the calls can be forwarded to the real dll so the process doesn't crash, and yet can still run attack code.

Updated

•

11 years ago

Blocks: 985057

Updated

•

11 years ago

Blocks: 985059

Comment 13

•

11 years ago

I'm going to split this into three different tickets to keep it cleaner and easier to follow rather than just pasting everything in here and making it difficult to follow. This ticket will concentrate on the unknown DLL's that are loaded during the Installer Update process with app.update.services being disabled. The progress will be recorded in the following wiki: https://intranet.mozilla.org/User:Kjozwiak@mozilla.com/DLL_Hijacking_via_Update Bugs Created to track the regular Installer & Stub Installer: - Bug #985057 - The updater.exe loads the bcrypt.dll from the working directory (Installer) - Bug #985059 - The updater.exe loads the bcrypt.dll from the working directory (Stub Installer)

Summary: The updater.exe loads the bcrypt.dll from the working directory → The updater.exe loads the bcrypt.dll from the working directory (Installer Update)

Matt Wobensmith [:mwobensmith][:matt:]

Comment 14

•

11 years ago

Quick Update: - Installed all the needed Win OS's (both x64 and x86 versions) - Went through each OS and listed all the unknown DLL's (went through this process twice to make sure nothing was missing) - Once the entire unknown DLL list was created, went through each OS one more time to make sure nothing was missed - Beginning to create the exploit DLL's using the utility/process mentioned in comment #10 (will be adding those steps in the wiki for future reference)

Comment 15

•

11 years ago

Robert, can you take a look in bbondy's absence?

Flags: needinfo?(robert.strong.bugs)

Assignee

Comment 16

•

11 years ago

Matt, according to comment #13 and https://intranet.mozilla.org/User:Kjozwiak@mozilla.com/DLL_Hijacking_via_Update it doesn't appear that all of the affected dll's have been identified yet but I might be wrong so I'll needinfo Kamil. Kamil, have you completed the testing. I noticed that none of the dll's are bold.

Flags: needinfo?(robert.strong.bugs) → needinfo?(kamiljoz)

Comment 17

•

11 years ago

I'm finishing up some things with telemetry experiments as the iteration is ending this Monday. I should be done the two telemetry tickets by the end of this weekend and then I'm planning on tackling this. I have the environment all setup and just need to start creating the proxy DLL's, planning finishing this up at the end of next week.

Flags: needinfo?(kamiljoz)

Comment 18

•

11 years ago

Update: (see link in comment # 13 for DLL's that are exploitable) * Windows Vista x86: [FOUND 4 DLL's] * Windows Vista x64: [FOUND 3 DLL's] * Windows 7 x86: [FOUND 2 DLL's] * Windows 7 x64: [FOUND 2 DLL's] * Windows 8 x86: [FOUND 3 DLL's] * Windows 8 x64: [FOUND 3 DLL's]

Comment 19

•

Comment 26

•

11 years ago

Attached patch dlls.diff (obsolete) — Details — Splinter Review

This is not for review, but I just wanted to flag you for feedback to see if you agree. There's a total of 92 DLLs if you collapse each OS into a single directory. Each OS has a different combination of DLLs which are exploitable. Kamil spent a lot of time generating exploitable DLLs for each OS (Each OS needs it's own copy of the original DLL to forward the calls to so it is exploitable instead of crashing). Thank you Kamil, this wouldn't be possible without that work. The patch attached here fixes the problem on Windows 8.1 (54 DLLs). Creating this list of DLLs in the patch isn't as simple as just adding a string to the array. You need to be very careful about DLL load order and figure out how they should be ordered with the help of both Dependency Walker and procmon. For example, if you load a DLL from c:\windows\system32 directly, but that has a DLL dependency, it will load that dependency from the current directory and not c:\windows\system32. So you always have to make sure to load the dependency first from c:\windows\system32. For me to determine the ordering, I'd need to update a version of the patch on each of (winxpx86, winxpx64, vistax86, vistax64, win7x86, win7x64, win8x86, win8x64, win8.1x86, win8.1x64) There seems to be a at least a few DLL difference for each OS release. I'd expect this trend to continue for future OS releases. Every time you make any change to the loaddlls.cpp list, you need to re-test each and every DLL again and verify it with procmon because of the dependency problem described. That means on the next Windows release we'd have a lot of work again. --- So given all of that, I think the best course of action is to spend more time trying to find a one time fixes all solution. I'm going to work on a prototype app that gets this working, and then assuming I eventually succeed I'll port that up into updater.exe code. I'll update this ticket as I progress.

Attachment #8420726 - Flags: feedback?(robert.strong.bugs)

Assignee

Comment 27

•

11 years ago

I've been thinking along the same lines. Perhaps removing or renaming dll's at the start and preloading only the dll's required to perform the removes or renames and if renamed renaming them back at the end. Perhaps there is a cleaner way?

Assignee

Comment 28

•

11 years ago

Comment on attachment 8420726 [details] [diff] [review] dlls.diff Let's discuss other possibilities next week.

Attachment #8420726 - Flags: feedback?(robert.strong.bugs)

Comment 29

•

11 years ago

Yep I'm going to play with a couple ways along those lines and we'll talk more. Thanks!

Comment 30

•

11 years ago

Here's what I'm going to try going with: This code would run just before executing the updater elevated (which is only when the maintenance service is not used). 1. Updater.exe (unelvated) creates a subdir inside updates\0\<randomname> 2. copies self to new dir 3. Set ACL on the new DIR to be similar to program files 4. Verify that the dir has no DLLs in it, if it does error out. 5. Executes exe elevated in the new dir instead of at same path. <Update from elevated updater happens> 6. Removes permissions on current dir for all users (The elevated updater probably has to do this) 7. Updater.exe unelevated deletes the dir. This relies on updater dir being on an NTFS volume, but I think that's just about everyone. I don't think there's cause to worry about the XP case because it doesn't have integrity levels and so we aren't worried about someone using DLL injection to elevate a medium integrity malware to high.

Comment 31

•

11 years ago

Attached file WIP v1 (obsolete) — Details

Looks like it's going to work. I attached a prototype that does the needed actions. Note that we can also use this same process for the base installer exploits and the stub exploit. Maybe we'd put the code in a 7zip stub and then wrap the stub inside of it. (We'll discuss that later after this bug is done) Here's the new flow: 1. Create new directory inside the updater dir C:\Users\BrianR.Bondy\AppData\Local\Mozilla\updates\EEFEA8717BC47F65\updates\0\<newdir> 2. Copy updater.exe to <newdir> 3. Lock the <newdir> path so that properties can't be changed on the directory and it can't be deleted. 4. Set ACLs on <newdir> to deny all writes for the EVERYONE special group 5. Verify that the only file inside the dir is updater.exe 6. ***DO THE UPDATE*** (by executing <newdir>/updater.exe elevated. 7. Revert back the ACLs to the old ones. 8. unlock the path. 9. delete the <newdir> path.

Comment 32

•

11 years ago

Attached patch Securely update w/o the maintenance sevice - rev1. (obsolete) — Details — Splinter Review

This should be a catch all solution to stop all DLL attacks on updater.exe when the service is not used. When the service is used, we already protect against that by copying the file to the maintenance service directory. This works in a similar way by first copying updater.exe to a non-secure directory, then making it secure, then verifying that updater.exe is the only thing in that directory before executing it. If anything else got in, then it fails the update. Just requesting feedback first because after arriving at an f+ I want to request sec approval, and then push to oak for testing. I'll probably ask Kamil to help test too on other OS because I don't have the disk space currently for VMs. Testing just requires making sure updates work on each of the supported OS when the service is disabled. I did a local update and it worked, and was being elevated from the secure directory.

Attachment #8424397 - Flags: feedback?(robert.strong.bugs)

Assignee

Comment 33

•

11 years ago

Comment on attachment 8424397 [details] [diff] [review] Securely update w/o the maintenance sevice - rev1. Looks pretty damn good! nit: SECURE_ELEVATION_UPDATE_ERROR is a tad off. Perhaps SECURE_LOCATION_UPDATE_ERROR or similar. Do you think tests can be added for this? Looking forward to the final patch and thanks!

Attachment #8424397 - Flags: feedback?(robert.strong.bugs) → feedback+

Comment 34

•

11 years ago

this path is only hit when elevating, but I think maybe we can hack some kind of an env variable together to force doing that code without the elevation just to get it executing through tests. I think doing that is worth the extra effort.

Comment 35

•

11 years ago

Comment on attachment 8424397 [details] [diff] [review] Securely update w/o the maintenance sevice - rev1. This request is for landing this and possibly follow up minor changes to the patch on oak to test. And if after testing that passes, and after r+, also for landing on mozilla-inbound. [Security approval request comment] How easily could an exploit be constructed based on the patch? User needs to have physical unelevated access to the machine from a low integrity process at least via the same user account. Constructing a DLL isn't too hard if you are experienced at doing so. A typical developer doesn't know how to do that though. Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? The source code and comments do make it a bit obvious that we're protecting against dll injection attacks. Which older supported branches are affected by this flaw? This issue has been present in some form forever. We realized recently that if you construct DLLs with the same export table as the matching DLL name, that the problem is generalized to a lot more DLLs that we didn't know about before. This bug is only present when updating without the NT service. If not all supported branches, which bug introduced the flaw? n/a Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? Patch should be the same for all branches if we uplift. How likely is this patch to cause regressions; how much testing does it need? It's possible, but that's why I want to test thoroughly on oak. And ask for help from QA to help test other OS after initial testing.

Attachment #8424397 - Flags: sec-approval?

Updated

•

11 years ago

status-b2g18: --- → unaffected

status-b2g-v1.1hd: --- → unaffected

status-b2g-v1.2: --- → unaffected

status-b2g-v1.3: --- → unaffected

status-b2g-v1.3T: --- → unaffected

status-b2g-v1.4: --- → unaffected

status-b2g-v2.0: --- → unaffected

status-firefox29: --- → wontfix

status-firefox30: --- → affected

status-firefox31: --- → affected

status-firefox32: --- → affected

status-firefox-esr24: --- → affected

tracking-firefox30: --- → +

tracking-firefox31: --- → +

tracking-firefox32: --- → +

tracking-firefox-esr24: --- → +

Comment 36

•

11 years ago

Comment on attachment 8424397 [details] [diff] [review] Securely update w/o the maintenance sevice - rev1. sec-approval+ for trunk. Please make Aurora, Beta, and ESR24 patches to land once it is tested on trunk and trunk-like areas (as discussed) so we can have it fixed in all things.

Attachment #8424397 - Flags: sec-approval? → sec-approval+

Comment 37

•

11 years ago

Updates working well on win8.1 Pushed to try here: https://tbpl.mozilla.org/?tree=Try&rev=59ae08661e59 Waiting on the request for help testing until I finish the env var changes that allow updates to go through this code path.

Comment 38

•

11 years ago

Attached patch Securely update w/o the maintenance sevice - rev2. (obsolete) — Details — Splinter Review

Updated w/ review comments.

Attachment #8424397 - Attachment is obsolete: true

Attachment #8428989 - Flags: feedback+

Comment 39

•

11 years ago

Attached patch Patch for testing code path via env var - WIP (obsolete) — Details — Splinter Review

Comment 40

•

11 years ago

Attached patch Patch for testing code path via env var - WIPv2 (obsolete) — Details — Splinter Review

Attachment #8428992 - Attachment is obsolete: true

Comment 41

•

11 years ago

Whatever got sec-approval + here did not actually land to central and now we are already at the end of FF30 beta (only an RC next Monday for last minute - very low risk landings). This looks like a wontfix to me for 30 without a patch already prepared and tested, landed to central. What is the risk to the user of waiting one more cycle?

tracking-firefox-esr24: + → ?

Flags: needinfo?(dveditz)

Comment 42

•

11 years ago

There's a second patch in progress for test coverage, so I don't think it'll be landed on inbound in time. The first patch should not land until this second patch is ready.

Comment 43

•

11 years ago

Yeah, don't land anything until the next cycle.

status-firefox30: affected → wontfix

Flags: needinfo?(dveditz)

Comment 44

•

11 years ago

Attached patch Patch for testing code path via env var - rev1 (obsolete) — Details — Splinter Review

This makes it so all non service, Windows update tests, run through the code path of elevation. This includes things like creating the secure directory and copying in the updater binary. Instead of using the "runas" ShellExecute verb though, it just uses "open" to avoid the UAC prompt.

Attachment #8430488 - Attachment is obsolete: true

Attachment #8436637 - Flags: review?(robert.strong.bugs)

Comment 45

•

11 years ago

Comment on attachment 8428989 [details] [diff] [review] Securely update w/o the maintenance sevice - rev2. Review of attachment 8428989 [details] [diff] [review]: ----------------------------------------------------------------- You've taken a pass at this from the f+ before, but I'd like to go for a review now that the automated tests are passing. I wanted to call out that if any of the security steps to securing the updater.exe into its own directory fail, the whole update will not be applied. Let me know if you think this could be a problem with FAT32 or something like that. I don't think that kind of setup will exist in a non trivial way on Vista+, but I'm not 100% positive. We could consider only doing this for NTFS filesystems and if we confirm the path to the updater is a local file like we do here: http://dxr.mozilla.org/mozilla-central/source/toolkit/mozapps/update/common/updatehelper.cpp#693 Let me know your thoughts, and thanks for taking a look.

Attachment #8428989 - Flags: review?(robert.strong.bugs)

Assignee

Comment 46

•

11 years ago

Comment on attachment 8428989 [details] [diff] [review] Securely update w/o the maintenance sevice - rev2. Will review remainder as time permits. >diff --git a/toolkit/components/telemetry/Histograms.json b/toolkit/components/telemetry/Histograms.json >--- a/toolkit/components/telemetry/Histograms.json >+++ b/toolkit/components/telemetry/Histograms.json >@@ -3030,21 +3030,27 @@ > "UPDATER_LAST_NOTIFY_INTERVAL_DAYS_NOTIFY": { > "expires_in_version": "never", > "kind": "exponential", > "n_buckets": 10, > "high": "60", > "description": "Updater: The interval in days between the previous and the current background update check when the check was timer initiated" > }, > "UPDATER_STATUS_CODES": { >- "expires_in_version": "never", >+ "expires_in_version": "32.0a1", Just verifying that this do the "right thing" by using nsIVersionComparator.

Comment 47

•

11 years ago

(In reply to Robert Strong [:rstrong] (use needinfo to contact me) from comment #46) > Comment on attachment 8428989 [details] [diff] [review] > Securely update w/o the maintenance sevice - rev2. > > Will review remainder as time permits. > > >diff --git a/toolkit/components/telemetry/Histograms.json b/toolkit/components/telemetry/Histograms.json > >--- a/toolkit/components/telemetry/Histograms.json > >+++ b/toolkit/components/telemetry/Histograms.json > >@@ -3030,21 +3030,27 @@ > > "UPDATER_LAST_NOTIFY_INTERVAL_DAYS_NOTIFY": { > > "expires_in_version": "never", > > "kind": "exponential", > > "n_buckets": 10, > > "high": "60", > > "description": "Updater: The interval in days between the previous and the current background update check when the check was timer initiated" > > }, > > "UPDATER_STATUS_CODES": { > >- "expires_in_version": "never", > >+ "expires_in_version": "32.0a1", > Just verifying that this do the "right thing" by using nsIVersionComparator. I verified that this works correctly with a devtools chrome enabled scratchpad. But I'm going to update it to 34 since this will likely land sometime in 33. 32.0a1 was only applicable if this was landing in 32.

Comment 48

•

11 years ago

Attached patch Patch for testing code path via env var - rev2 (obsolete) — Details — Splinter Review

Added an ifdef to stub out the disabling privs logging since it was causing comparison problems for the re-launched updater (both not launched and elevated was appending logs for staged updates). Was a test only problem.

Attachment #8436637 - Attachment is obsolete: true

Attachment #8436637 - Flags: review?(robert.strong.bugs)

Attachment #8439667 - Flags: review?(robert.strong.bugs)

Comment 49

•

11 years ago

Attached patch Securely update w/o the maintenance sevice - rev3 (obsolete) — Details — Splinter Review

Updated telemetry expiring version from the last patch.

Attachment #8428989 - Attachment is obsolete: true

Attachment #8428989 - Flags: review?(robert.strong.bugs)

Attachment #8439670 - Flags: review?(robert.strong.bugs)

Assignee

Comment 50

•

11 years ago

Comment on attachment 8439667 [details] [diff] [review] Patch for testing code path via env var - rev2 ># HG changeset patch ># Parent ea1c16faa3b19bfa67c3b1c1deeff14916be6313 ># User Brian R. Bondy <netzen@gmail.com> > >diff --git a/toolkit/mozapps/update/common/uachelper.cpp b/toolkit/mozapps/update/common/uachelper.cpp >--- a/toolkit/mozapps/update/common/uachelper.cpp >+++ b/toolkit/mozapps/update/common/uachelper.cpp >@@ -157,21 +157,25 @@ UACHelper::DisableUnneededPrivileges(HAN > return FALSE; > } > token = obtainedToken; > } > > BOOL result = TRUE; > for (size_t i = 0; i < count; i++) { > if (SetPrivilege(token, unneededPrivs[i], FALSE)) { >+#ifdef UPDATER_LOG_PRIVS > LOG(("Disabled unneeded token privilege: %s.", > unneededPrivs[i])); >+#endif > } else { >+#ifdef UPDATER_LOG_PRIVS > LOG(("Could not disable token privilege value: %s. (%d)", > unneededPrivs[i], GetLastError())); >+#endif > result = FALSE; > } > } > > if (obtainedToken) { > CloseHandle(obtainedToken); > } > return result; >diff --git a/toolkit/mozapps/update/tests/unit_aus_update/head_update.js b/toolkit/mozapps/update/tests/unit_aus_update/head_update.js >--- a/toolkit/mozapps/update/tests/unit_aus_update/head_update.js >+++ b/toolkit/mozapps/update/tests/unit_aus_update/head_update.js >@@ -1503,25 +1503,28 @@ function runUpdate(aExpectedExitValue, a > } > logTestInfo("running the updater: " + updateBin.path + " " + args.join(" ")); > > let env = AUS_Cc["@mozilla.org/process/environment;1"]. > getService(AUS_Ci.nsIEnvironment); > if (gDisableReplaceFallback) { > env.set("MOZ_NO_REPLACE_FALLBACK", "1"); > } >+ env.set("MOZ_EMULATE_ELEVATION_PATH", "1"); > > let process = AUS_Cc["@mozilla.org/process/util;1"]. > createInstance(AUS_Ci.nsIProcess); > process.init(updateBin); >+ > process.run(true, args, args.length); > > if (gDisableReplaceFallback) { > env.set("MOZ_NO_REPLACE_FALLBACK", ""); > } >+ env.set("MOZ_EMULATE_ELEVATION_PATH", ""); > > let status = readStatusFile(); > if (process.exitValue != aExpectedExitValue || status != aExpectedStatus) { > if (process.exitValue != aExpectedExitValue) { > logTestInfo("updater exited with unexpected value! Got: " + > process.exitValue + ", Expected: " + aExpectedExitValue); > } > if (status != aExpectedStatus) { >diff --git a/toolkit/mozapps/update/updater/updater.cpp b/toolkit/mozapps/update/updater/updater.cpp >--- a/toolkit/mozapps/update/updater/updater.cpp >+++ b/toolkit/mozapps/update/updater/updater.cpp >... >@@ -2770,17 +2767,19 @@ int NS_main(int argc, NS_tchar **argv) > } else { > lastFallbackError = FALLBACKKEY_LAUNCH_ERROR; > } > } > > // If the service can't be used when staging and update, make sure that nit: please fix s/staging and update/staging an update/ > // the UAC prompt is not shown! In this case, just set the status to > // pending and the update will be applied during the next startup. >- if (!useService && sStagedUpdate) { >+ // If emulateElevation is set, we want to fall through to elevate, so >+ // don't exist here. nit: // When emulateElevation is true fall through to the elevation code path.

Attachment #8439667 - Flags: review?(robert.strong.bugs) → review+

Assignee

Comment 51

•

11 years ago

Comment on attachment 8439670 [details] [diff] [review] Securely update w/o the maintenance sevice - rev3 Throughout the new code s/NULL/nullptr/ >diff --git a/toolkit/mozapps/update/common/uachelper.cpp b/toolkit/mozapps/update/common/uachelper.cpp >--- a/toolkit/mozapps/update/common/uachelper.cpp >+++ b/toolkit/mozapps/update/common/uachelper.cpp >@@ -215,8 +216,96 @@ UACHelper::CanUserElevate() >... >+/** >+ * Determines if the specified directory only has updater.exe inside of it, >+ * and nothing else. >+ * >+ * @param inputPath the directory path to search >+ * @return true if updater.exe is the only file in the directory >+ */ >+bool >+UACHelper::IsDirectorySafe(LPCWSTR inputPath) >+{ >+ WIN32_FIND_DATAW findData; >+ HANDLE findHandle = NULL; >+ >+ WCHAR searchPath[MAX_PATH + 1] = { L'\0' }; >+ wsprintfW(searchPath, L"%s\\*.*", inputPath); >+ >+ findHandle = FindFirstFileW(searchPath, &findData); >+ if(findHandle == INVALID_HANDLE_VALUE) { >+ return false; nit: indentation >+ } >+ >+ // Enumerate the files and if we find anything other than the current >+ // directory, the parent directory, or updater.exe. Then fail. >+ do { >+ if(wcscmp(findData.cFileName, L".") != 0 && >+ wcscmp(findData.cFileName, L"..") != 0 && >+ wcscmp(findData.cFileName, L"updater.exe") != 0) { >+ FindClose(findHandle); >+ return false; >+ } nit: indentation >+ } >+ while(FindNextFileW(findHandle, &findData)); } while(...) on same line per https://developer.mozilla.org/en-US/docs/Mozilla/Developer_guide/Coding_Style#Control_Structures

Assignee

Comment 52

•

11 years ago

Comment on attachment 8439670 [details] [diff] [review] Securely update w/o the maintenance sevice - rev3 s/NULL/nullptr/ for this as well >diff --git a/toolkit/mozapps/update/updater/updater.cpp b/toolkit/mozapps/update/updater/updater.cpp >--- a/toolkit/mozapps/update/updater/updater.cpp >+++ b/toolkit/mozapps/update/updater/updater.cpp >@@ -2795,45 +2796,147 @@ int NS_main(int argc, NS_tchar **argv) >... >- // using the service is because we are testing. >- if (!useService && !noServiceFallback && >+ // using the service is because we are testing. >+ if (!useService && !noServiceFallback && > updateLockFileHandle == INVALID_HANDLE_VALUE) { >- SHELLEXECUTEINFO sinfo; >- memset(&sinfo, 0, sizeof(SHELLEXECUTEINFO)); >- sinfo.cbSize = sizeof(SHELLEXECUTEINFO); >- sinfo.fMask = SEE_MASK_FLAG_NO_UI | >- SEE_MASK_FLAG_DDEWAIT | >- SEE_MASK_NOCLOSEPROCESS; >- sinfo.hwnd = nullptr; >- sinfo.lpFile = argv[0]; >- sinfo.lpParameters = cmdLine; >- sinfo.lpVerb = L"runas"; >- sinfo.nShow = SW_SHOWNORMAL; >- >- bool result = ShellExecuteEx(&sinfo); >- free(cmdLine); >- >- if (result) { >- WaitForSingleObject(sinfo.hProcess, INFINITE); >- CloseHandle(sinfo.hProcess); >+ >+ // Get a unique directory name to secure >+ RPC_WSTR guidString = RPC_WSTR(L""); >+ GUID guid; >+ HRESULT hr = CoCreateGuid(&guid); >+ BOOL result = TRUE; >+ bool safeToUpdate = true; >+ WCHAR secureUpdaterPath[MAX_PATH + 1] = { L'\0' }; >+ WCHAR secureDirPath[MAX_PATH + 1] = { L'\0' }; >+ if (SUCCEEDED(hr)) { >+ UuidToString(&guid, &guidString); >+ result = PathGetSiblingFilePath(secureDirPath, argv[0], >+ reinterpret_cast<LPCWSTR>(guidString)); >+ RpcStringFree(&guidString); > } else { >- WriteStatusFile(ELEVATION_CANCELED); >+ // This should never happen, but just in case >+ result = PathGetSiblingFilePath(secureDirPath, argv[0], L"tmp_update"); > } >+ >+ if (!result) { >+ fprintf(stderr, "Could not obtain temp directory path"); nit: s/temp/secure update/ >+ safeToUpdate = false; >+ } >+ >+ // If it's still safe to update, create the directory >+ if (safeToUpdate) { >+ result = CreateDirectory(secureDirPath, NULL); >+ if (!result) { >+ fprintf(stderr, "Could not create temp directory"); nit: s/temp/secure update/ >+ safeToUpdate = false; >+ } >+ } >+ >+ // If it's still safe to update, get the new updater path >+ if (safeToUpdate) { >+ wcsncpy(secureUpdaterPath, secureDirPath, MAX_PATH); >+ result = PathAppendSafe(secureUpdaterPath, L"updater.exe"); >+ if (!result) { >+ fprintf(stderr, "Could not obtain secure temp file name"); nit: s/temp/updater/ >+ safeToUpdate = false; >+ } >+ } >+ >+ // If it's still safe to update, copy the file in >+ if (safeToUpdate) { >+ result = CopyFileW(argv[0], secureUpdaterPath, TRUE); >+ if (!result) { >+ fprintf(stderr, "Could not copy updater to new location"); nit: s/new/secure/ >+ safeToUpdate = false; >+ } >+ } >+ >+ // If it's still safe to update, restrict access to the directory item >+ // itself so that the directory cannot be deleted and re-created, >+ // nor have its properties modified. Note that this does not disallow >+ // adding items inside the directory. >+ HANDLE handle = INVALID_HANDLE_VALUE; >+ if (safeToUpdate) { >+ handle = CreateFileW(secureDirPath, GENERIC_READ, FILE_SHARE_READ, >+ NULL, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, >+ NULL); >+ safeToUpdate = handle != INVALID_HANDLE_VALUE; >+ } >+ >+ // If it's still safe to update, deny write access completely to the >+ // directory. >+ PACL originalACL = nullptr; >+ if (safeToUpdate) { >+ safeToUpdate = UACHelper::DenyWriteACLOnPath(secureDirPath, >+ &originalACL); >+ } >+ >+ // If it's still safe to update, verify that there is only updater.exe >+ // in the directory and nothing else. >+ if (safeToUpdate) { >+ if (!UACHelper::IsDirectorySafe(secureDirPath)) { >+ safeToUpdate = false; >+ } >+ } >+ >+ if (!safeToUpdate) { >+ fprintf(stderr, "Could not copy path to secure location because it " >+ "is not safe to do so."); The failure isn't really about copying a path >+ WriteStatusFile(SECURE_LOCATION_UPDATE_ERROR); >+ } else { >+ SHELLEXECUTEINFO sinfo; >+ memset(&sinfo, 0, sizeof(SHELLEXECUTEINFO)); >+ sinfo.cbSize = sizeof(SHELLEXECUTEINFO); >+ sinfo.fMask = SEE_MASK_FLAG_NO_UI | >+ SEE_MASK_FLAG_DDEWAIT | >+ SEE_MASK_NOCLOSEPROCESS; >+ sinfo.hwnd = nullptr; >+ sinfo.lpFile = secureUpdaterPath; >+ sinfo.lpParameters = cmdLine; >+ sinfo.lpVerb = L"runas"; >+ sinfo.nShow = SW_SHOWNORMAL; >+ >+ bool result = ShellExecuteEx(&sinfo); >+ free(cmdLine); >+ >+ if (result) { >+ WaitForSingleObject(sinfo.hProcess, INFINITE); >+ CloseHandle(sinfo.hProcess); >+ } else { >+ WriteStatusFile(ELEVATION_CANCELED); >+ } >+ } >+ >+ // All done, revert back the permissions. >+ if (originalACL) { >+ SetNamedSecurityInfoW(const_cast<LPWSTR>(secureDirPath), SE_FILE_OBJECT, >+ DACL_SECURITY_INFORMATION, NULL, NULL, >+ originalACL, NULL); >+ LocalFree(originalACL); >+ } >+ >+ // Done with the directory, no need to lock it. >+ if (INVALID_HANDLE_VALUE != handle) >+ CloseHandle(handle); nit: braces I'm a tad concerned about the possibility of the directory being left behind without the permissions being reset but I *think* that is just my paranoia speaking.

11 years ago

Great news, thanks for digging into it!

Comment 63

•

11 years ago

Hey Robert, I looked into this and the reason why is because the originalACL pointer actually points to a location within the buffer of sd. So freeing it early causes problems when it is used. I'll upload a new patch with your fix and mine shortly and push to oak for testing.

Sylvestre Ledru [:Sylvestre]

Comment 64

•

11 years ago

Attached patch Securely update w/o the maintenance sevice - rev5 (obsolete) — Details — Splinter Review

Carrying forward r+. - Includes rstrong's fix for not freeing - Includes fix for returning / freeing sd at an appropriate time This should not land until it is passes tests though. I'm pushing it to oak now. I didn't try locally because I updated the patch on OSX but if there's any issues I'll put a new patch up.

Attachment #8441797 - Attachment is obsolete: true

Attachment #8450714 - Flags: review+

•

11 years ago

Is there a plan to have a fix landed for 31? If yes, it should land before Thursday (gtb of beta 9).

Updated

•

11 years ago

Flags: needinfo?(netzen)

Comment 69

•

11 years ago

Thanks for the heads up. If the manual testing is done by then and it all passes then maybe ya. If not, then it's safer to just wait one more version. It may be safer to wait anyway without uplifting early with a little bake time because of the chance of affecting updates.

Flags: needinfo?(netzen)

Comment 70

•

11 years ago

I'll get started this afternoon and post the results once I'm done. I should be done by Wednesday.

Comment 71

•

11 years ago

I think we should probably wait anyway so don't kill yourself to get it done early. More bake time on Nightly is probably better for this type of bug.

Comment 72

•

11 years ago

Sounds good Brian, I'll start either way and make sure there isn't anything major that stands out. But I agree, having this bake a bit longer on Nightly is probably the best route.

Comment 73

•

11 years ago

That said, if we don't get this in 31, we'll have to backport it to ESR31 later since it is a sec-high bug.

Assignee

Comment 74

•

11 years ago

Understood and backporting would be the better route since there is a decent chance for edge cases with this method of dealing with the possibility of files being copied into the directory we run the updater on a system.

Comment 75

•

11 years ago

This definitely not going to get in 31, so marking wontfix, will leave the ? on ESR24 in case we want to consider it for the next ESR24 (and once flags are available we'll want this for the ESR31 that ships with FF32 as well) - finally, updating the FF33 flags as it doesn't appear this has landed on trunk yet.

status-firefox31: affected → wontfix

status-firefox33: --- → affected

tracking-firefox33: --- → +

Updated

•

11 years ago

status-firefox-esr31: --- → affected

tracking-firefox-esr24: ? → 32+

tracking-firefox-esr31: --- → 32+

Comment 76

•

•

10 years ago

Thanks Brian. I agree about testing on m-c. Generally we give a couple of days on m-c unless a patch is thought to be riskier. If you think a couple of days will be enough in this case, we can still target beta9. However, if there is enough risk, I agree that we should wait a couple of weeks for beta1. Al/Dan - Are you OK from a security standpoint of holding this fix off until Firefox 33?

Flags: needinfo?(netzen)

Flags: needinfo?(dveditz)

Flags: needinfo?(abillings)

Comment 89

•

10 years ago

Yes there is significantly more risk than a typical patch. Also I'm hesitant to land this *right* now because I won't have a lot of time available if there is fallout. I'd recommend waiting until after the next release, landing on m-c around beta-1, and then uplifting to aurora and beta after a couple weeks. I'm not currently under contract right now so I can't guarantee availability for fallout right now. I can land if someone feels strongly about it, but I don't think there's a significant security risk in waiting. This issue is only exploitable if the user has locally installed malware or access and most people are updating with the service which doesn't have this issue.

Flags: needinfo?(netzen)

Comment 90

•

10 years ago

I'm inclined to follow Brian's recommendation of landing after the merge (around 33 beta1 time frame) and considering for uplift around 33 beta 4/5. I will wait to hear from Dan or Al before confirming the plan.

Comment 91

•

10 years ago

Awaiting their response too, but I do think that's the best plan forward independent of my availability. I think it's too late to have it on release channel so there'd be no benefit to landing on m-c before the next uplift anyway.

Comment 92

•

10 years ago

I agree, with only a beta or two before RC we should not cram it into Firefox 32 at this point in which case landing the first week in September (after the merge) is fine

Flags: needinfo?(dveditz)

Updated

•

10 years ago

status-firefox32: affected → wontfix

status-firefox34: --- → affected

Flags: needinfo?(abillings)

Comment 93

•

10 years ago

I have marked Firefox 32 as won't fix. We'll get this in 33.

Comment 94

•

10 years ago

I agree. No reason to shove this in with the risk.

Comment 95

•

10 years ago

Fixing ESR flags.

tracking-firefox-esr24: 32+ → ?

tracking-firefox-esr31: 32+ → ?

Comment 96

•

10 years ago

Update: Compared the patches in this bug to the ones in oak which was tested by Kamil. It's been a while since I've looked at this bug and I wasn't sure if they were the exact same, but they match up. I pushed to try, if everything passes I'll be pushing to inbound as early as tomorrow.

Comment 97

•

10 years ago

Once the patch/changes make it into m-c, I'll go through the test cases from comment #79, comment #80, comment #81, comment #82 and comment #83 to double check and make sure everything is still working as expected.

https://hg.mozilla.org/integration/mozilla-inbound/rev/9f8afdcdc9ba https://hg.mozilla.org/integration/mozilla-inbound/rev/a7a1eb4df27b

Comment 98

•

10 years ago

Target Milestone: --- → mozilla35

Wes Kocher (:KWierso) (Not reading bugmail; email directly if needed)

Comment 99

•

10 years ago

https://hg.mozilla.org/mozilla-central/rev/9f8afdcdc9ba https://hg.mozilla.org/mozilla-central/rev/a7a1eb4df27b

Status: ASSIGNED → RESOLVED

Closed: 10 years ago

status-firefox35: --- → fixed

Resolution: --- → FIXED

Updated

•

10 years ago

Flags: sec-bounty? → sec-bounty+

Assignee

Comment 101

•

10 years ago

Kamil, any estimate as to when you will have time to verify this bug? Thanks!

Flags: needinfo?(kamiljoz)

Sylvestre Ledru [:Sylvestre]

Comment 102

•

10 years ago

Robert, going to start today (in a few minutes here) and should probably be done by tomorrow afternoon.

Flags: needinfo?(kamiljoz)

Comment 103

•

10 years ago

Kamil, any progress on this? Brian, could you fill an uplift request for aurora, beta and esr31? Thanks

status-firefox-esr24: affected → wontfix

tracking-firefox-esr24: ? → -

Flags: needinfo?(netzen)

Flags: needinfo?(kamiljoz)

Assignee

Comment 104

•

10 years ago

I am concerned that this change caused a significant increase in the test failures that are recorded in bug 1027039.

Comment 105

•

10 years ago

so it looks like the intermittent failure you mentioned used to happen even before this landed, but on the 10th and the 15th it had a few failures each. I'm not sure if that's because we only stared them on those days, or if there was something special that happened only on those days. Anyway I'm going to look into it more but we shouldn't uplift until we figure out if the intermittent update failure is tests only or if it can affect real users too.

Flags: needinfo?(netzen)

•

10 years ago

Note: looks like the failure in bug 1027039 changed since the one time it happened around 3 months ago. The update.log back then contained data so I don't think it was the same failure and it has happened been reported 13 times since 9/10.

Comment 110

•

10 years ago

I don't think there's a concern but I plan to push it to try first just to be safest.

Comment 111

•

10 years ago

I basically finished testing most of the OS's in m-c and never ran into an issue while going through the updating process. I tried on all the OS's via VM's and on several other physical machines without any problems. I completed about 35 updates per OS/architecture, about 350 updates in total. I'll talk to Brian and see if there's anything we can do to try to reproduce this on oak once the backout from m-c is completed.

Flags: needinfo?(kamiljoz)

Comment 112

•

10 years ago

Backed out here: https://hg.mozilla.org/integration/mozilla-inbound/rev/238c2d44c904 It looks like this fix is causing an intermittent problem in tests and a different intermittent problem outside of tests. This is a very risky type of change by nature, and we made every precaution possible before landing, but there must still be some edge cases left to resolve. The in tests one shouldn't be too hard to track down. The other one I'm not sure off hand how we can reproduce. But it's safest to not have this on m-c and definitely we shouldn't let it ride an uplift to aurora and beyond. We made the right calls earlier in not landing this close to an uplift. What makes it risky is that normally a change like this can be coded with a fallback in mind, where if it fails you fall back to the old functionality, but since this is to stop a security attack you can't do that. Kamil thanks for doing so many tests on all the OS' so far, I'll re-ping you once this lands on m-c again.

Status: RESOLVED → REOPENED

status-firefox35: fixed → affected

Resolution: FIXED → ---

Assignee

Comment 113

•

10 years ago

Looks like bug 1027039 comment #11 is the first instance where this hit a tree other than m-c or m-c integration branches so unless I am badly mistaken this didn't cause bug 1027039. Both :) and :(

Comment 114

•

10 years ago

Ya seen that just now. It's possible though that it's somehow related in some strange way because of the service. But I don't think so. The telemetry data showing the error is hit though is enough to warrant the backout alone. Let's see with happens with the test failure in the next couple days.

Assignee

•

10 years ago

I'll run the tests without my changes using the newer maintenance service again to test that.

Comment 119

•

10 years ago

It could be, but shouldn't. But if there's an independent bug causing maintenance service to not be updated when running tests then either bug could have caused the esr test failures. What should be happening is that the bootstrap service test should use whatever old service is currently installed (It gets reset on each reboot which I think is each test run) to replace the maintenance service to the one that's being tested. Then the rest of the updater service tests use that new service. Check if your try pushes were around the times of the failures. What's really strange to me if it's this bug is that there were no starred failures before the 10th, this landed on the 5th. Also if there was some kind of problem comparing the updater binaries in bug 1027039 because of us locking something from this bug, well that locking code shouldn't execute on service updates where the verify compare code is run.

Assignee

Comment 120

•

10 years ago

If it isn't due to my try pushes or possibly the pushes to oak carrying over to other runs then I suspect either an infrastructure change or possibly a change that has been uplifted everywhere. Looking at today's beta push log nothing stood out though.

Assignee

Comment 121

•

10 years ago

So, I was able to reproduce the test failure using the new service and the old tests so I think it is from my try pushes. Once again both a :) and :(

Phil Ringnalda (:philor)

Comment 122

•

10 years ago

Indeed. I almost got there on my own, wanting to blame it on "a failure on trunk carries over to later runs on other branches," but I kept finding that the slaves failing on release branches hadn't had a starred failure on trunk, only unstarred failures on try. Or in some cases, unstarred greens, on your try pushes. Don't suppose you know exactly what broken files in what locations on each version of Windows need to be removed to unbreak a slave? Inconveniently, what releng would usually do, just reimage the affected slaves, isn't possible at the moment because reimaging returns a slave that doesn't actually do anything at all right now, at least on Win8 and probably Win7.

Assignee

Comment 123

•

10 years ago

The maintenanceservice.exe under Mozilla Maintenance Service\ in the x86 PROGRAMFILES needs to be restored to the one from the image.

Comment 124

•

10 years ago

Talked to Brian quickly and he suggested trying it on Win XP. I didn't get to Win XP when I was testing it in m-c but I did go through it in oak and never ran into an issue updating (comment #83). Here's the cases that I quickly went through via m-c: For the below, I went through both Win XP x64 and x86 (VM's): Builds updating from: - http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2014-09-01-09-10-08-mozilla-central/ (before fix) - http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2014-09-06-03-02-04-mozilla-central/ (after fix) - updated fx 5 different times with app.update.service.enabled;true without issues - updated fx 5 different times with app.update.service.enabled;false without issues I'll wait for more information from Brian's investigation into the issue and help wherever I can.

Comment 125

•

10 years ago

Attached patch new patch to land to gather more data. v1. (obsolete) — Details — Splinter Review

So this still does all the same security steps as before. But if any one step fails, it'll write a status failure with a code matching the exact failure. And it'll allow the update to proceed. Upon loading post update processing, it'll log an extra telemetry entry for the status code, and it will reset itself to successful. After review, I'll run this through try and on oak before pushing to m-c. The plan would be to keep this on m-c for a few days and then back it out. Then hopefully we'll know more about why we have failures to make a new patch. If we get to a newer fix, then it'll likely not make it on this train, but would be the next one.

Attachment #8495662 - Flags: review?(robert.strong.bugs)

•

10 years ago

> Notcied that never has changed to default in a few places. Could you investigate that and change > this if it should be? I think default has some set expiration from when it was introduced? Never sounds correct to me because we don't want it going away. > Just to verify, the plan is for these extra error codes to away? Correct. > Is this just to clean up the log output? This isn't new in this new patch, but I believe it was causing a test failure when comparing log output without it ifdef'ed out. Because the test goes through the uac route so it calls it twice and the log gets appended. > remove extra line Will do. > please hold off on landing this again until a couple of days after mac v2 signing has landed. Will do.

Comment 130

•

10 years ago

(In reply to Robert Strong [:rstrong] (use needinfo to contact me) from comment #128) > Notcied that never has changed to default in a few places. Could you investigate that and change this > if it should be? Looks like that was introduced here: https://bugzilla.mozilla.org/show_bug.cgi?id=1045108 To differentiate probes that have never had a default set from those that should actually never expire. We definitely do want to never expire though for the status code.

Assignee

Comment 131

•

10 years ago

Thanks for looking into it!

Comment 132

•

10 years ago

Attached patch new patch to land to gather more data. v2 (obsolete) — Details — Splinter Review

Carrying forward r+. Addressed nit. Waiting to land on Oak for further testing until the Mac signing stuff is out of the way. This is to avoid the chance of slowing down Mac signing work due to potential problems with this.

Attachment #8495662 - Attachment is obsolete: true

Attachment #8496386 - Flags: review+

Comment 133

•

10 years ago

By the way we can use a similar method as introduced in this patch for various MAR signing work when we're landing it so ensure potential problems introduced by that work doesn't stop updates.

Comment 134

•

10 years ago

rstrong I think the mac stuff just landed right? Is it ok to land this on oak and then a couple days later on m-c?

Benjamin Kerensa [:bkerensa]

Assignee

Comment 135

•

10 years ago

Yes

Comment 136

•

10 years ago

This is already to late for 33 so I’m going track for 34+ and Wontfix on 33.

status-firefox33: affected → wontfix

tracking-firefox34: --- → +

Comment 137

•

10 years ago

Kamil could you try a few updates from Oak. Things look good to me for pushing to m-c. In particular you don't need to test anything with bad dlls, just updates w/ and w/o the service on xp, vista, and win7 (or instead of win7 win8): This is the build: http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2014-10-03-13-46-22-oak/firefox-35.0a1.en-US.win32.installer.exe It should update to the latest on Oak. If you run into any problems at all, please take a zip of the updater logs. Also after the browser starts back up, check about:telemetry for UPDATER_ALL_STATUS_CODES and screenshot it. I'll attached an example screenshot above. If everything works for you and you don't run into any errors yourself I'll push to m-c.

Flags: needinfo?(kamiljoz)

Comment 138

•

10 years ago

Attached image Screen Shot 2014-10-07 at 11.13.43 PM.png (obsolete) — Details

Telemetry histogram to look for after the browser restarts after an update. In particular if the update didn't apply.

Comment 139

•

10 years ago

I haven't forgotten about this Brian ;) Just finishing up the 31.2.0esr release. After that, this is next on my to do list. Thanks for all the info in comment #137, I'll start doing updates over the weekend and post finding/information here.

Flags: needinfo?(kamiljoz)

Comment 140

•

10 years ago

I actually just had to back out the bug from oak for other testing. I'll ping you outside of this bug for when to continue. Should be within a few days.

Updated

•

10 years ago

status-firefox36: --- → affected

Benjamin Kerensa [:bkerensa]

Updated

•

10 years ago

Depends on: 1085026

•

10 years ago

Given comment 142, I'm marking 34 as wontfix. We can consider this again for Firefox 35.

status-firefox34: affected → wontfix

tracking-firefox35: --- → +

Andrew McCreight [:mccr8]

Comment 144

•

10 years ago

Brian, has the MAR file signing stuff landed yet? If not, what bug is tracking that? Can this bug move forward again? This bug is almost a year old. Thanks.

Flags: needinfo?(netzen)

Comment 145

•

10 years ago

Not yet, unfortunately the MAR signing is a really big project and I'm working through some hard to fix test problems right now. I think it'll be landed in 2014 and then I can come back to this. Tracking bug for that work is: bug 973933

Flags: needinfo?(netzen)

Updated

•

10 years ago

tracking-firefox-esr31: 34+ → 35+

Comment 146

•

10 years ago

We're getting close to final beta on FF35 and there's nothing new to consider here, wontfixing for 35 and putting esr31 tracking back to ? for now until we land this on mainline and know which ESR it can ride along with.

status-firefox35: affected → wontfix

status-firefox37: --- → affected

tracking-firefox-esr31: 35+ → ?

Assignee

Comment 147

•

10 years ago

Brian, I spent some time coming up with an alternate approach so please don't work on this until I have a chance to finish it up and run it by you. Thanks!

Comment 148

•

10 years ago

Sounds good, thanks!

Assignee

Comment 149

•

10 years ago

Attached patch patch rev1 - alt approach (obsolete) — Details — Splinter Review

I tested both 32 and 64 bit on WinXP, WinVista, and Win7 using the dll's Kamil provided. The only issue is that both 32 and 64 bit WinVista crashed with apphelp.dll and had the 1 medium integrity cmd prompt. I suspect this is a bug in Vista and though it might possible to mitigate I am not too concerned with it... please let me know if you are. No other cmd prompts were created. I verified that on Win 8.1 that SetDefaultDllDirectories does the right thing and doesn't load any of the dll's. I haven't tested WinVista or Win7 with KB2533623 to make sure it does the right thing. I'm going to add entries for 64 bit Firefox on Win7 in a followup patch if this approach makes sense hence why the f? vs. r?

Attachment #8543599 - Flags: feedback?(netzen)

Assignee

Comment 150

•

10 years ago

Also haven't tested SetDefaultDllDirectories on Win8 yet.

Assignee

Comment 151

•

10 years ago

Pushed to try https://tbpl.mozilla.org/?tree=Try&rev=f912a9ac41f4 https://treeherder.mozilla.org/ui/#/jobs?repo=try&revision=f912a9ac41f4

Comment 152

•

10 years ago

Comment on attachment 8543599 [details] [diff] [review] patch rev1 - alt approach Review of attachment 8543599 [details] [diff] [review]: ----------------------------------------------------------------- SetDefaultDllDirectories was not used originally because I thought/think (and MSDN says) that it only effects LoadLibrary based DLL loading and not implicitly loaded dependencies: http://www.dependencywalker.com/help/html/dependency_types.htm I'm pretty sure we tried using it before, but that could have been pre- construction of these new types of DLLs.

Attachment #8543599 - Flags: feedback?(netzen)

Comment 153

•

10 years ago

Kamil are those DLLS linked above the ones created by constructing new special DLLs with fake exports which forward to the real exports when being run? rstrong are you having the dlls all be extracted into the dir where the updater runs and for a whole update operation?

Flags: needinfo?(robert.strong.bugs)

Flags: needinfo?(kjozwiak)

Assignee

Comment 154

•

10 years ago

(In reply to Brian R. Bondy [:bbondy] from comment #153) >... > rstrong are you having the dlls all be extracted into the dir where the > updater runs and for a whole update operation? Yes... with staging and the service disabled. I also verified that without this patch the cmd prompts are displayed. I'll let Kamil verify but it does appear to me to be the case. I also tested updating with all dll's in place and when using the preload none of the other dll's launched a cmd prompt when using the LOAD_WITH_ALTERED_SEARCH_PATH flag whereas they did when that wasn't used. The same was true when using SetDefaultDllDirectories. MSDN says, "The DLL search path is the set of directories that are searched for a DLL when a full path is not specified in a LoadLibrary or LoadLibraryEx function call, or when a full path to the DLL is specified but the system must search for dependent DLLs. The standard DLL search path contains directories that can be vulnerable to a DLL pre-loading attack. An application can use the SetDefaultDllDirectories function to specify a default DLL search path for the process that eliminates the most vulnerable directories and limits the other directories that are searched. The process DLL search path applies only to the calling process and persists for the life of the process." My interpretation of this is that when specifying LOAD_LIBRARY_SEARCH_SYSTEM32 then it will look in the system32 directory for the dll when a path is not specified. I tested this on Win8.1 and it didn't launch a cmd prompt and without it it did launch a cmd prompt. Note that this patch no cmd prompts are launched for any of the dll's except for the one case on WinVista I mentioned.

Flags: needinfo?(robert.strong.bugs)

Assignee

Comment 155

•

10 years ago

For reference http://msdn.microsoft.com/en-us/library/windows/desktop/hh310515%28v=vs.85%29.aspx

Assignee

Comment 156

•

10 years ago

Brian, if you have an old type of dll I can also verify that it does the right thing. Thanks!

Assignee

Comment 157

•

10 years ago

For comment #156

Flags: needinfo?(netzen)

Assignee

Comment 158

•

10 years ago

(In reply to Robert Strong [:rstrong] (use needinfo to contact me) from comment #154) > (In reply to Brian R. Bondy [:bbondy] from comment #153) >... > MSDN says, "The DLL search path is the set of directories that are searched > for a DLL when a full path is not specified in a LoadLibrary or > LoadLibraryEx function call, or when a full path to the DLL is specified but > the system must search for dependent DLLs. > > The standard DLL search path contains directories that can be vulnerable to > a DLL pre-loading attack. An application can use the > SetDefaultDllDirectories function to specify a default DLL search path for > the process that eliminates the most vulnerable directories and limits the > other directories that are searched. The process DLL search path applies > only to the calling process and persists for the life of the process." This doesn't cover it all by any means and the msdn page should be referenced. http://msdn.microsoft.com/en-us/library/windows/desktop/hh310515%28v=vs.85%29.aspx

Comment 159

•

10 years ago

OK I'd much prefer this approach as long as it works. I think the next step is to get some installers built for testing by Kamil to see if that works. And if so I'm fine with r+'ing this approach. Also since SetDefaultDllDirectories is win8+ only we'd need to test win7 and winvista separately. Regarding the medium integrity process that is started, that's not concerning to me. Only high integrity is concerning. Although the crash could mean that there is some way not to crash that could lead to a high integrity possibly. Not likely, but perhaps possible.

Flags: needinfo?(netzen)

Assignee

•

10 years ago

Attached file updater.exe without changes — Details

This is a try server updater without the changes from patch "rev1 - alt approach". By replacing the updater from the installer I linked to with this you can test the failure case with the dlls.

Assignee

Comment 164

•

10 years ago

Kamil, are the above steps sufficient for you to test?

Flags: needinfo?(kjozwiak)

Assignee

Comment 165

•

10 years ago

regarding comment #164

Flags: needinfo?(kjozwiak)

Assignee

Comment 166

•

10 years ago

(In reply to Robert Strong [:rstrong] (use needinfo to contact me) from comment #162) >... > Add the following new string pref > app.update.url.override=https://exchangecode.com/robert/work/snippets/ > bug945192.xml That should be an http url... so app.update.url.override=http://exchangecode.com/robert/work/snippets/bug945192.xml

Assignee

Comment 167

•

10 years ago

I verified that SetDefaultDllDirectories is called on WinVista x86 with KB2533623 installed and that updates work without launching a cmd prompt with all dll's except apphelp.dll. I also verified that the apphelp.dll is causing the WinVista crash before AutoLoadSystemDependencies is even called so the mitigations won't prevent the crash.

Assignee

Comment 168

•

10 years ago

Attached patch patch rev2 - alt approach (obsolete) — Details — Splinter Review

An early return was accidentally removed.

Attachment #8543599 - Attachment is obsolete: true

Assignee

Assignee

Comment 188

•

10 years ago

I have changed it and it worked without a problem... changed it back and it failed again. I suspect that it is doing its own loadlibrary call after reading the registry and that is using the default search path which would look in the app dir first since it doesn't have an absolute path.

Assignee

•

10 years ago

* installed bug945192-installer.exe from comment # 162 * changed the "name" and "issuer" keys via HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\MaintenanceService\a4948786b022cc1a376991b44efb838c\0 * restarted the VM machine * set "app.update.service.enabled=false" * set "app.update.staging.enabled=false" * set "devtools.errorconsole.enabled=true" * added "app.update.url.override=https://exchangecode.com/robert/work/snippets/bug945192.xml" * changed the "default" update channel to "xpcshell-test" via channel-prefs.js I kept receiving the following error under the error console so I added https://exchangecode.com into the security exception list and continued with the update. exchangecode.com:443 uses an invalid security certificate. The certificate is not trusted because no issuer chain was provided. The certificate expired on 5/15/2008 8:00 PM. (Error code: sec_error_unknown_issuer) Once I configured everything using the above steps, I selected "About" and received an update which added "update.mar", "update.status" and "update.version" into "C:\Users\Kamil Jozwiak\AppData\Local\Mozilla\updates\EEFEA8717BC47F65\updates\0". At that point, I added "bcrypt.dll" and "bcrypt_orig.dll" into the "updates\0" folder and selected "Restart Nightly to Update". I tried this using the new updater.exe that comes with the installable from comment # 162 and the updater.exe from comment # 175: - updater.exe from the installable in comment # 162 didn't launch any CMD windows (using bcrypt.dll) - updater.exe from comment # 175 launched a bunch of CMD's in High Integrity (using bcrypt.dll) However, once fx restarted, I always receive a prompt indicating that "The Update could not be installed (patch apply failed)". Robert, does this look like it's correct? I'm not sure if fx should actually be updating or is the failure expected? If this is correct, I'll go through the rest of the DLL's on Win 8 x86/x64 and Win 8.1 x86/x64.

Flags: needinfo?(robert.strong.bugs)

Assignee

Comment 194

•

10 years ago

(In reply to Kamil Jozwiak [:kjozwiak] from comment #193) > * installed bug945192-installer.exe from comment # 162 > * changed the "name" and "issuer" keys via > HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\MaintenanceService\a4948786b022cc1a376991 > b44efb838c\0 > * restarted the VM machine > * set "app.update.service.enabled=false" > * set "app.update.staging.enabled=false" > * set "devtools.errorconsole.enabled=true" > * added > "app.update.url.override=https://exchangecode.com/robert/work/snippets/ > bug945192.xml" > * changed the "default" update channel to "xpcshell-test" via > channel-prefs.js > > I kept receiving the following error under the error console so I added > https://exchangecode.com into the security exception list and continued with > the update. Use http and not https instead. ( comment #166 ) > exchangecode.com:443 uses an invalid security certificate. > The certificate is not trusted because no issuer chain was provided. > The certificate expired on 5/15/2008 8:00 PM. > (Error code: sec_error_unknown_issuer) > > Once I configured everything using the above steps, I selected "About" and > received an update which added "update.mar", "update.status" and > "update.version" into "C:\Users\Kamil > Jozwiak\AppData\Local\Mozilla\updates\EEFEA8717BC47F65\updates\0". At that > point, I added "bcrypt.dll" and "bcrypt_orig.dll" into the "updates\0" > folder and selected "Restart Nightly to Update". > > I tried this using the new updater.exe that comes with the installable from > comment # 162 and the updater.exe from comment # 175: > > - updater.exe from the installable in comment # 162 didn't launch any CMD > windows (using bcrypt.dll) > - updater.exe from comment # 175 launched a bunch of CMD's in High Integrity > (using bcrypt.dll) > > However, once fx restarted, I always receive a prompt indicating that "The > Update could not be installed (patch apply failed)". > > Robert, does this look like it's correct? I'm not sure if fx should actually > be updating or is the failure expected? If this is correct, I'll go through > the rest of the DLL's on Win 8 x86/x64 and Win 8.1 x86/x64. Thanks Kamil! That appears to be due to the rdaenh.dll issue. What OS were you using?

Flags: needinfo?(robert.strong.bugs)

Assignee

Comment 195

•

10 years ago

Attached file last-update.log (obsolete) — Details

I get the same error when I try to update without adding the DLL's into the update directory. I've attached the "last-update.log" in case it sheds some light. Let me know if I can attach anything else that will help you!

Assignee

Comment 208

•

10 years ago

Attached file cert.reg — Details

Try it again after importing these reg entries by double clicking the file, etc.

Assignee

Comment 209

•

10 years ago

Kamil, I suspect it is due to the reg entries being incorrect especially since it works for me on Win 8.1 x64 on hardware and Win 8 x86 on a VM. The attachment should resolve it for you. Thanks

Flags: needinfo?(kjozwiak)

Assignee

Comment 210

•

10 years ago

After testing on all Windows versions though not all SPs it appears that the rsaenh.dll issue only affects WinXP and WinVista. I also checked the registry on the systems and only WinXP and WinVista don't specify the path to rsaenh.dll. Since other versions of Windows specify the full path and this only affecting older versions of Windows I'm much more ok with changing the registry when possible.

Assignee

Comment 211

•

10 years ago

Kamil, you might want to delete the reg entries parent before importing the reg file

Assignee

Updated

•

10 years ago

Assignee: netzen → robert.strong.bugs

Comment 212

•

10 years ago

Robert, that definitely did it. I wasn't aware that I need to add the exact reg for this to work and was editing the one my machine created. I quickly tried it by applying the .reg from comment # 209 and it updated without displaying the error prompt. Apologies for the back and forth :/ Learned something new though! I'll go through all the DLL's on Win 8 x64/x86 and Win 8.1 x64/x86 first thing tomorrow morning.

Flags: needinfo?(kjozwiak)

Assignee

Comment 213

•

10 years ago

Kamil, not a problem whatsoever and I'm glad everything worked out! You can test Win7 and above with 32 bit Firefox. After I get a hack in for the registry entry WinXP and WinVista should be good to test. Would you be able to get the list of DLL's on Win7 with Firefox 64 bit as you did for Firefox 32 bit? Only Win7 is needed since we only support Firefox on Win7 and above and the call to SetDefaultDllDirectories fixes this bug on Win8 and above. Thanks!

Comment 214

•

10 years ago

Using the updater.exe from comment # 163, I reproduced the original issue. Once reproduced, I went through all the DLL's using the following OS's: * Quick Note: used fx x86 for the below tests - Win 8 x64 - PASSED (no CMD prompts appearing) - Win 8.1 x64 - PASSED (no CMD prompts appearing) - Win 8 x86 - PASSED (no CMD prompts appearing) - Win 8.1 x86 - PASSED (no CMD prompts appearing) - Win 7 SP1 x64 - PASSED (no CMD prompts appearing) - Win 7 SP1 x86 - PASSED (no CMD prompts appearing) > Would you be able to get the list of DLL's on Win7 with Firefox 64 bit as you did for Firefox 32 bit? > Only Win7 is needed since we only support Firefox on Win7 and above and the call to > SetDefaultDllDirectories fixes this bug on Win8 and above. Thanks! I'll try getting it done sometime this week but it will be pretty hard as I'm doing fx35 and ESR verifications (release week). I can get it done Monday/Tuesday of next week. Let me know if you need it sooner.

Assignee

Comment 215

•

10 years ago

Attached patch patch w/ registry hack (obsolete) — Details — Splinter Review

I didn't add comments since that would make the local exploit obvious

Attachment #8544294 - Attachment is obsolete: true

Attachment #8545187 - Flags: feedback?(netzen)

Assignee

Comment 216

•

10 years ago

Also, pushed to try https://tbpl.mozilla.org/?tree=Try&rev=11b93804f541 Kamil, thanks for everything and when you can get to it would be great!

Comment 217

•

10 years ago

Comment on attachment 8545187 [details] [diff] [review] patch w/ registry hack Review of attachment 8545187 [details] [diff] [review]: ----------------------------------------------------------------- ::: toolkit/mozapps/update/updater/updater.cpp @@ +2134,5 @@ > > #ifdef MOZ_VERIFY_MAR_SIGNATURE > if (rv == OK) { > +#ifdef XP_WIN > + HKEY baseKey; Please initialize this, baseKey may not be set to NULL always on all failure cases in RegOpenKeyExW.

Attachment #8545187 - Flags: feedback?(netzen) → review+

Assignee

Comment 218

•

10 years ago

Attached patch patch w/ registry hack comments addressed (obsolete) — Details — Splinter Review

Attachment #8545187 - Attachment is obsolete: true

Attachment #8545438 - Flags: feedback?(netzen)

Assignee

Comment 219

•

10 years ago

New installer for testing Firefox 32 bit http://exchangecode.com/robert/work/bug945192-installer-v2.exe I've included the change to app.update.url.override in this installer so it doesn't need to be added during testing.

Comment 220

•

10 years ago

Comment on attachment 8545438 [details] [diff] [review] patch w/ registry hack comments addressed Review of attachment 8545438 [details] [diff] [review]: ----------------------------------------------------------------- Thanks and thanks for searching for other instances of this as well.

Attachment #8545438 - Flags: feedback?(netzen) → feedback+

Assignee

Comment 221

•

10 years ago

(In reply to Robert Strong [:rstrong] (use needinfo to contact me) from comment #219) > New installer for testing Firefox 32 bit > http://exchangecode.com/robert/work/bug945192-installer-v2.exe > > I've included the change to app.update.url.override in this installer so it > doesn't need to be added during testing. Turns out this doesn't cover everything so I need to do more investigation. :(

Assignee

Comment 222

•

10 years ago

Attached patch patch w/ registry hack comments addressed (obsolete) — Details — Splinter Review

Fixed typo. New try run to generate signed files https://tbpl.mozilla.org/?tree=Try&rev=64e60a206537

Attachment #8545438 - Attachment is obsolete: true

Assignee

Comment 223

•

10 years ago

New installer for testing Firefox 32 bit using the latest patch http://exchangecode.com/robert/work/bug945192-installer-v2.exe I've included the change to app.update.url.override in this installer so it doesn't need to be added during testing. I've tested this on WinXP SP2, Vista x86 and x64 with and without KB2533623, Windows 8 x86, and Windows 8.1 x64 and it addresses everything for Firefox x86 except the crash due to apphelp.dll on Vista x86 and x64 which crashes before elevation, a non-elevated cmd prompt is launched, and no elevated cmd prompt is launched. I think the patch as it stands covers everything for Firefox x86. The only thing left is getting the DLL's for Firefox x64 on Win7. Kamil, I wouldn't bother testing until after Firefox x64 is addressed.

Status: REOPENED → ASSIGNED

Assignee

Comment 224

•

10 years ago

I also tested Win7 x86 and x64 with and without KB2533623 and it addressed this bug as well.

Assignee

Comment 225

•

10 years ago

Comment on attachment 8545679 [details] [diff] [review] patch w/ registry hack comments addressed Let's get this reviewed and I'll create a separate patch for x64.

Attachment #8545679 - Flags: review?(netzen)

Comment 226

•

10 years ago

> I think the patch as it stands covers everything for Firefox x86. The only thing left is getting the > DLL's for Firefox x64 on Win7. I'll start that sometime this weekend and should be done by Monday. Robert, should I go through all the DLL's in Vista/XP like I did in comment # 214 for the x86 patch?

Assignee

Comment 227

•

10 years ago

Kamil, you can wait until I get a Firefox x64 version in case more changes are needed so you won't have to repeatedly test.

Assignee

•

10 years ago

dveditz, if / when this lands it is going to be pretty obvious what is being addressed. How would you like to handle it and specifically around timing during the next cycle and code comments that will just make it easier what is being addressed?

Flags: needinfo?(dveditz)

Assignee

Comment 232

•

10 years ago

(In reply to Robert Strong [:rstrong] (use needinfo to contact me) from comment #231) > dveditz, if / when this lands it is going to be pretty obvious what is being > addressed. How would you like to handle it and specifically around timing > during the next cycle and code comments that will just make it easier what > is being addressed? s/make it easier what/make it easier to understand what/

Comment 233

•

10 years ago

Comment on attachment 8545679 [details] [diff] [review] patch w/ registry hack comments addressed Review of attachment 8545679 [details] [diff] [review]: ----------------------------------------------------------------- Sorry for the delay, looks good.

Attachment #8545679 - Flags: review?(netzen) → review+

Comment 234

•

10 years ago

(In reply to Robert Strong [:rstrong] (use needinfo to contact me) from comment #231) > if / when this lands it is going to be pretty obvious what is being > addressed. How would you like to handle it and specifically around timing > during the next cycle and code comments that will just make it easier to > understand what is being addressed? Assuming we're confident in the patch enough to land all branches (beta + ESR in particular) how much testing do you need? We're at the beginning of a cycle--can you get enough testing if you land now and uplift to branches in the next week or so? It's fairly obvious what's going on from the patch, but it's a local exploit rather than remote so that takes a lot of the heat off. And no one wants to break the updater! So it'd be ideal to get it into the same release as the cycle you land in (that is, if you land now get it into Firefox 36) but apart from that land as early as you need to get sufficient testing. Above is provisional, please request sec-approval? on the patch and answer the questions just in case some detail changes the picture. But "soon" is probably fine.

status-b2g-v2.1: --- → unaffected

status-b2g-v2.2: --- → unaffected

status-b2g-master: --- → unaffected

status-firefox38: --- → affected

tracking-firefox36: --- → +

tracking-firefox37: --- → +

tracking-firefox38: --- → +

Flags: needinfo?(dveditz)

Comment 235

•

10 years ago

Attached file wrappit.cpp — Details

Robert, so I went through the entire process on Win 7 x64 using fx x64 and generated all the proxy DLL's using the same method as before. However, I couldn't reproduce the original issue using the DLL's I've listed below.. The CMD prompts never appeared. I tried several times, created the proxy DLL's a few times to make sure I was doing it correctly but still couldn't get any CMD prompts to appear. I think the program that I'm using is always creating x86 proxy DLL's rather than x64 DLL's hence not being able to reproduce the problem on x64. Either that or fx x64 is doing something differently than fx x86? I've attached the source of the program that I'm using, could you take a look and see if that's the case? If it is, would you be able to modify it so it spits out x64 DLL's?? (if that's even the issue) Program being used: http://www.codeproject.com/Articles/16541/Create-your-Proxy-DLLs-automatically Unknown DLL's (FX x64 on Win 7 x64): C:\Windows\System32\wsock32.dll C:\Windows\System32\cryptsp.dll C:\Windows\System32\cryptbase.dll C:\Windows\System32\secur32.dll C:\Windows\System32\ws2help.dll C:\Windows\System32\apphelp.dll C:\Windows\System32\bcryptprimitives.dll C:\Windows\System32\bcrypt.dll C:\Windows\System32\uxtheme.dll C:\Windows\System32\propsys.dll C:\Windows\System32\ntmarta.dll C:\Windows\System32\shdocvw.dll C:\Windows\System32\version.dll C:\Windows\System32\sspicli.dll C:\Windows\System32\api-ms-win-downlevel-advapi32-l2-1-0.dll C:\Windows\System32\mpr.dll C:\Windows\System32\rsaenh.dll C:\Windows\System32\dwmapi.dll

Comment 236

•

10 years ago

After doing a quick search, using "dumpbin.exe /headers name.dll", reveals that the proxy DLL's being generated have "x86" under "FILE HEADER VALUES"

Assignee

Comment 237

•

10 years ago

I went through the dll's loaded and limited the preloads to just the dlls loaded from the update directory which I believe will solve this. I'll verify over the weekend. http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/rstrong@mozilla.com-8b431b099e47/

Comment 238

•

Assignee

•

10 years ago

Attached patch Combined patch — Details — Splinter Review

Carrying forward r+

•

Assignee

Comment 257

•

10 years ago

On Win 7 x86 commctl32.dll opened one cmd prompt without elevation. On Win Vista x86 commctl32.dll opened two cmd prompts... 1 without elevation and 1 with elevation. Locations of the dlls had to be as follows Win 7 updates\0\updater.exe.Local\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll The original dll had to be prefixed with a '.' and located in the following directory updates\0\.comctl32_orig.dll Win Vista updates\0\updater.exe.Local\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll The original dll had to be prefixed with a '.' and located in the following directory updates\0\.comctl32_orig.dll Brian, what do you think of the approach I outlined in comment #250?

Flags: needinfo?(netzen)

Comment 258

•

10 years ago

I think it would be good to land without the additional work but just keep this bug private if that's possible. That's probably a call for someone on the sec team (I see you have dveditz flagged already for more info for that). I agree with running the update from the application directory and not using bgupdates. We should minimize this to only on the OS' where it is needed and keep existing flows without the service the same. If that doesn't work for some reason we could always fall back to the original patch for this, but it was failing when landed for some machines for an unknown reason via telemetry stats so I'd rather avoid that original approach that I did if possible.

Flags: needinfo?(netzen)

Comment 259

•

10 years ago

(In reply to Robert Strong [:rstrong] (use needinfo to contact me) from comment #251) > dveditz, I'd like your take on comment #250 250+ comments! MS has really made a mess of this, haven't they? I'd go ahead and land the great improvements you've already got: it solves the problem for people who have purchased their computer in the last 5 years, and that number is only going to grow. Make them safe and then we can worry about Win XP/Vista separately.

Flags: needinfo?(dveditz)

Assignee

Comment 260

•

10 years ago

Not surprised to see that Win XP also has the updater.exe.Local SxS bug updater.exe.Local\WOW64_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.3959_x-ww_5FA17F4E\comctl32.dll I verified again that Win7 doesn't load the updater.exe.Local\*\comctl32.dll in the elevated process. I'll check whether Win8 and Win8.1 also don't load the updater.exe.Local\*\comctl32.dll in the elevated process and I think that will be it for this approach and I'll work on implementing comment #250 hopefully soon after.

Assignee

Comment 261

•

10 years ago

Attached patch esr31 combined patch — Details — Splinter Review

Only an esr31 patch was needed since the existing patch applies cleanly to aurora and beta.

Attachment #8556620 - Flags: review+

Assignee

Comment 266

•

10 years ago

For the complete fix as outlined in comment #250 I'd like to use a new bug. Are you ok with my doing this?

Flags: needinfo?(dveditz)

Flags: needinfo?(abillings)

Comment 267

•

10 years ago

Comment on attachment 8556256 [details] [diff] [review] combined patch [Triage Comment]

Flags: needinfo?(abillings)

Attachment #8556256 - Flags: approval-mozilla-beta+

Attachment #8556256 - Flags: approval-mozilla-aurora+

Updated

•

10 years ago

Attachment #8556620 - Flags: approval-mozilla-esr31+

Assignee

Updated

•

10 years ago

Flags: needinfo?(dveditz)

Assignee

Updated

•

10 years ago

Depends on: CVE-2015-2720

Assignee

Comment 268

•

10 years ago

Pushed to fx-team https://hg.mozilla.org/integration/fx-team/rev/8f65c2be0e01 Filed bug 1127481 for followup as outlined in comment #250

Target Milestone: mozilla35 → mozilla38

Assignee

Updated

•

10 years ago

Summary: The updater.exe loads the bcrypt.dll and other dll's from the working and binary directory (Application Update) → The updater.exe loads the bcrypt.dll and other dll's from the working and binary directory when not using the service (Application Update)

Ryan VanderMeulen [:RyanVM]

Assignee

Updated

•

10 years ago

Attachment #8556244 - Attachment is obsolete: true

Comment 269

•

10 years ago

https://hg.mozilla.org/releases/mozilla-aurora/rev/a04793749000 https://hg.mozilla.org/releases/mozilla-beta/rev/cf270a9a66ad https://hg.mozilla.org/releases/mozilla-esr31/rev/2d48f64fe6d5

status-firefox36: affected → fixed

status-firefox37: affected → fixed

status-firefox38: affected → fixed

status-firefox-esr31: affected → fixed

Ryan VanderMeulen [:RyanVM]

Assignee

Comment 270

•

10 years ago

(In reply to Robert Strong [:rstrong] (use needinfo to contact me) from comment #263) >... > How likely is this patch to cause regressions; how much testing does it need? > Very unlikely to create regressions. I'd like this to be on Nightly for a > few days before uplifting just in case though I have very few concerns about > it regressing. I didn't realize this was going to be uplifted before it had been on Nightly a couple of days as I stated. I think it will be ok *crosses fingers* Kamil, I went ahead and used procmon to see all attempts to load dll's from the update directory instead of going with unknown dll's. I suggest going with your existing method where you use proxy dll's as well as using procmon to find any dll load attempts. When doing that you should create a directory named updater.exe.Local alongside the updater.exe to find the SxS dll directory it tries to load on Win 7 and below. Then run it again with procmon and the updater.exe.Local\<sxs directory name>. In my tests it will try to load comctl32.dll from this directory. See comment #257 for more information. I think in the end you'll end up with Win XP - x86 and x64 Firefox x86 - wow64log.dll and the updater.exe.Local\<sxs directory name>\comctl32.dll both medium and elevated Win Vista - x86 and x64 Firefox x86 - apphelp.dll and the updater.exe.Local\<sxs directory name>\comctl32.dll both medium and elevated Win 7 - x86 and x64 Firefox x86 - updater.exe.Local\<sxs directory name>\comctl32.dll only medium Win 7 - x64 Firefox x64 - updater.exe.Local\<sxs directory name>\comctl32.dll only medium Win 8 and Win 8.1 - x86 and x64 Firefox x86 - none Win 8 and Win 8.1 - x64 Firefox x64 - none Please also verify that an updater.exe.Local file doesn't try to load sxs dll's from the directory or any other dll's besides wow64log.dll on WinXP and apphelp.dll on Win Vista. It would be good to check the affect of KB2533623 on Win Vista and Win 7 as well.

Flags: needinfo?(kjozwiak)

Comment 271

•

10 years ago

https://hg.mozilla.org/mozilla-central/rev/8f65c2be0e01

Status: ASSIGNED → RESOLVED

Closed: 10 years ago → 10 years ago

Resolution: --- → FIXED

Ryan VanderMeulen [:RyanVM]

•

10 years ago

status-firefox38: fixed → verified

status-firefox-esr31: fixed → verified

Comment 280

•

10 years ago

:rstrong, :abillings, This broke MSVC2010 (on win2k3) for SeaMonkey builds, I'm loathe to backout a sec fix to produce our builds, but I don't see a way around it at a glance, this Function is not available in the SDK we have at present. Note MSVC2010 is still supported on beta/esr31 at present, even though Firefox's official builds use MSVC 2013. e:/builds/slave/rel-c-beta-w32-bld/build/mozilla/toolkit/mozapps/update/updater/loaddlls.cpp(24) : error C2065: 'SetDefaultDllDirectories' : undeclared identifier e:/builds/slave/rel-c-beta-w32-bld/build/mozilla/toolkit/mozapps/update/updater/loaddlls.cpp(25) : error C2065: 'SetDefaultDllDirectories' : undeclared identifier e:/builds/slave/rel-c-beta-w32-bld/build/mozilla/toolkit/mozapps/update/updater/loaddlls.cpp(27) : error C2065: 'LOAD_LIBRARY_SEARCH_SYSTEM32' : undeclared identifier Any ideas that allows us to proceed?

Flags: needinfo?(robert.strong.bugs)

Flags: needinfo?(abillings)

Assignee

Comment 281

•

10 years ago

Either try adding an #ifndef for that and then define it or update the build system.

Flags: needinfo?(robert.strong.bugs)

Assignee

•

10 years ago

Attached patch Followup esr31 patch — Details — Splinter Review

Followup patch to support SDK's that don't have SetDefaultDllDirectories or LOAD_LIBRARY_SEARCH_SYSTEM32

Attachment #8565217 - Flags: review?(netzen)

Comment 286

•

10 years ago

Comment on attachment 8565217 [details] [diff] [review] Followup esr31 patch Review of attachment 8565217 [details] [diff] [review]: ----------------------------------------------------------------- imo we should land on beta as well, since we do support old sdk's there. (Its just not P1) -- either way SeaMonkey will take the reviewed patch on our beta train.

Attachment #8565217 - Flags: feedback+

Comment 287

•

10 years ago

Comment on attachment 8565217 [details] [diff] [review] Followup esr31 patch given the beta->release merge is scheduled for tomorrow, I'm requesting approval-beta here. Ahead of the review Approval Request Comment [Feature/regressing bug #]: This One [User impact if declined]: Unable to build with MSVC2010 + older SDK's [Describe test coverage new/current, TreeHerder]: Minimal, current code uses newer SDKs that won't trip without this code, however Current code trees do exercise these files. [Risks and why]: Low, just defining features in newer SDKs so older SDKs can build [String/UUID change made/needed]: None

Attachment #8565217 - Flags: approval-mozilla-beta?

Comment 288

•

10 years ago

Comment on attachment 8565217 [details] [diff] [review] Followup esr31 patch Review of attachment 8565217 [details] [diff] [review]: ----------------------------------------------------------------- Great!

Attachment #8565217 - Flags: review?(netzen) → review+

Sylvestre Ledru [:Sylvestre]

Assignee

•

10 years ago

Attachment #8565217 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Updated

•

10 years ago

Attachment #8565217 - Flags: approval-mozilla-esr31? → approval-mozilla-esr31+

Assignee

Comment 291

•

10 years ago

Pushed to mozilla-esr31 https://hg.mozilla.org/releases/mozilla-esr31/rev/83fb28b2c991

https://hg.mozilla.org/releases/mozilla-beta/rev/cce919848572

Comment 292

•

10 years ago

Updated

•

10 years ago

Whiteboard: [adv-main36+][adv-esr31.5+]

Assignee

Comment 293

•

10 years ago

Just to make sure comment 263 was noticed: Note: since this is not a complete fix I'd like to not open this bug to the public until after I have changed the update process to run out of the application directory when not using the service. That will happen in bug 1127481

Updated

•

10 years ago

Whiteboard: [adv-main36+][adv-esr31.5+] → [adv-main36-][adv-esr31.5-][embargo opening until bug 1127481 fixed]

Updated

•

10 years ago

Alias: CVE-2015-0833