Re: [tor-bugs] #12736 [Applications/Tor Browser]: DLL hijacking vulnerability in TBB

2016-12-29 Thread Tor Bug Tracker & Wiki
#12736: DLL hijacking vulnerability in TBB
--------------------------------------+--------------------------
 Reporter:  underdoge                 |          Owner:  tbb-team
     Type:  defect                    |         Status:  new
 Priority:  High                      |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  tbb-security,             |  Actual Points:
  TorBrowserTeam201608                |
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------

Comment (by gk):

 It seems there is a way to override `SafeDllSearchMode` to make sure that
 system32 is always checked first. According to Mozilla folks this can even
 be done by using a registry switch:

 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe

 + setting a QWORD named `MitigationOptions` to (0x1000   ).

 Might be a thing our NSIS script could do if that's the way we want to go?
 I have not tested this at all, nor am I sure if that's available on all
 Windows versions (maybe this is only available for Windows 10:
 https://blogs.msdn.microsoft.com/oldnewthing/20161013-00/?p=94505#comment-1268775
 ? and https://blogs.msdn.microsoft.com/oldnewthing/20161013-00/?p=94505 in
 general for a discussion about the problem)

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #12736 [Applications/Tor Browser]: DLL hijacking vulnerability in TBB

2016-12-20 Thread Tor Bug Tracker & Wiki

Comment (by gk):

 Yes with "directory Tor Browser got started from" I meant the application
 directory not the current directory (sorry for not being more explicit).


Re: [tor-bugs] #12736 [Applications/Tor Browser]: DLL hijacking vulnerability in TBB

2016-12-20 Thread Tor Bug Tracker & Wiki

Comment (by boklm):

 If there is some way to run Tor Browser with a current working directory
 containing a malicious DLL, I am not sure that this DLL could be loaded,
 as the current directory comes after the application directory and the
 system directories in the search order, according to
 https://msdn.microsoft.com/en-us/library/ms682586.aspx.

 The only exceptions that I see that would allow loading a DLL from the
 current directory seem to be that:
 - the user disabled the SafeDllSearchMode option (which is enabled by
 default in current versions of Windows)
 - Tor Browser uses a DLL that is present neither in its application
 directory nor in the Windows and System directories, but present in a
 directory listed in the PATH environment variable.

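The search-order reasoning in the comment above can be checked with a small model. This is an added example, not code from the ticket or from Tor Browser; it is a simplified model of the documented standard search order (it ignores KnownDLLs, already-loaded modules, manifests and SetDllDirectory), and all directory and file names in it are constructed.

```python
# Added illustration: simplified model of the standard desktop DLL search order.
# A 32-bit process on 64-bit Windows would see SysWOW64 as its system directory.
SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]

def search_order(app_dir, cwd, path_dirs, safe_mode=True):
    """Directories probed, in order, for a DLL requested by bare name."""
    if safe_mode:   # SafeDllSearchMode enabled (the default)
        order = [app_dir, *SYSTEM_DIRS, cwd]
    else:           # disabled: the current directory moves up to second place
        order = [app_dir, cwd, *SYSTEM_DIRS]
    return order + list(path_dirs)

def resolve(dll, files, **kw):
    """Return the first directory in the search order holding `dll`, or None."""
    want = dll.lower()          # Windows file names compare case-insensitively
    for d in search_order(**kw):
        if want in {f.lower() for f in files.get(d, ())}:
            return d
    return None

# Constructed layout: directory -> DLL names present there (all hypothetical).
APP, CWD, TOOLS = r"C:\Tor Browser\Browser", r"C:\Users\u\Downloads", r"C:\Tools"
FILES = {
    SYSTEM_DIRS[0]: {"system.dll"},
    CWD: {"system.dll", "extra.dll"},   # copies sitting in the working directory
    TOOLS: {"extra.dll"},               # a directory listed in PATH
}
ENV = dict(app_dir=APP, cwd=CWD, path_dirs=[TOOLS])

def scenarios():
    return {
        # DLL exists in a system directory: the working-directory copy is never reached
        "system_dll_safe": resolve("system.dll", FILES, safe_mode=True, **ENV),
        # same DLL with SafeDllSearchMode off: the working directory wins
        "system_dll_unsafe": resolve("system.dll", FILES, safe_mode=False, **ENV),
        # DLL absent from application and system directories: the working
        # directory is reached before PATH even in safe mode
        "path_only_dll_safe": resolve("extra.dll", FILES, safe_mode=True, **ENV),
    }

if __name__ == "__main__":
    for name, where in scenarios().items():
        print(f"{name:20} -> {where}")
```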

Re: [tor-bugs] #12736 [Applications/Tor Browser]: DLL hijacking vulnerability in TBB

2016-12-20 Thread Tor Bug Tracker & Wiki

Comment (by gk):

 The remaining things to do here are dealing with DLLs loaded from the
 directory Tor Browser got started from, see:
 https://msdn.microsoft.com/en-us/library/windows/desktop/ms682586%28v=vs.85%29.aspx.


Re: [tor-bugs] #12736 [Applications/Tor Browser]: DLL hijacking vulnerability in TBB

2016-08-25 Thread Tor Bug Tracker & Wiki

Comment (by boklm):

 Vanilla firefox is also affected by this issue when HTTPS Everywhere is
 installed.

 I opened #19976 with a patch to fix the issue in HTTPS Everywhere.

 With this patch applied, firefox.exe is no longer trying to find a .DLL
 library.


Re: [tor-bugs] #12736 [Applications/Tor Browser]: DLL hijacking vulnerability in TBB

2016-08-24 Thread Tor Bug Tracker & Wiki

Comment (by boklm):

 I didn't try to do some debugging yet, but after looking at the HTTPS
 Everywhere code, I am wondering if it could be caused by the
 NSS.initialize function:
 https://gitweb.torproject.org/https-everywhere.git/tree/src/chrome/content/code/NSS.js?id=7035dde6b76eb8be458d410768188d9cd5d09f89#n28

 {{{
   try {
     sharedLib = ctypes.open(nssPath);
   } catch (e) {
 }}}

 when `nssPath` is empty when called from:
 https://gitweb.torproject.org/https-everywhere.git/tree/src/components/ssl-observatory.js?id=7035dde6b76eb8be458d410768188d9cd5d09f89#n126
 {{{
   try {
     NSS.initialize("");
   } catch(e) {
 }}}


Re: [tor-bugs] #12736 [Applications/Tor Browser]: DLL hijacking vulnerability in TBB

2016-08-10 Thread Tor Bug Tracker & Wiki

Comment (by cypherpunks):

 This is somehow triggered by HTTPS Everywhere. TBB doesn't look for the
 ".DLL", if HTTPS Everywhere is disabled.


Re: [tor-bugs] #12736 [Applications/Tor Browser]: DLL hijacking vulnerability in TBB

2016-08-10 Thread Tor Bug Tracker & Wiki

Comment (by cypherpunks):

 I tested TBB 6.0.3 on a clean Windows 7 system. Per procmon, TBB is
 looking for a .DLL, searching in the Browser dir, system dirs and Path:

 firefox.exe  1920  CreateFile  C:\Tor Browser\Browser\.DLL  NAME NOT FOUND
 firefox.exe  1920  CreateFile  C:\Windows\SysWOW64\.DLL  NAME NOT FOUND
 firefox.exe  1920  CreateFile  C:\Windows\system\.DLL  NAME NOT FOUND
 firefox.exe  1920  CreateFile  C:\Windows\.DLL  NAME NOT FOUND
 firefox.exe  1920  CreateFile  C:\Windows\SysWOW64\.DLL  NAME NOT FOUND
 firefox.exe  1920  CreateFile  C:\Windows\.DLL  NAME NOT FOUND
 firefox.exe  1920  CreateFile  C:\Windows\SysWOW64\wbem\.DLL  NAME NOT FOUND
 firefox.exe  1920  CreateFile  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\.DLL  NAME NOT FOUND

 If ".DLL" exists, it is loaded and executed (DllMain is called):
 firefox.exe  2412  CreateFile  C:\Tor Browser\Browser\.DLL  SUCCESS
 firefox.exe  2412  QueryBasicInformationFile  C:\Tor Browser\Browser\.DLL  SUCCESS
 firefox.exe  2412  CloseFile  C:\Tor Browser\Browser\.DLL  SUCCESS
 firefox.exe  2412  CreateFile  C:\Tor Browser\Browser\.DLL  SUCCESS
 firefox.exe  2412  CreateFileMapping  C:\Tor Browser\Browser\.DLL  SUCCESS
 firefox.exe  2412  Load Image  C:\Tor Browser\Browser\.DLL  SUCCESS
 firefox.exe  2412  CloseFile  C:\Tor Browser\Browser\.DLL  SUCCESS

 A "normal" Firefox doesn't look for a ".DLL". So TBB presumably somewhere
 constructs a DLL name with a blank base name.

 At least with a current Windows version, the problem doesn't seem too bad.
 It doesn't look in the current directory for a ".DLL".

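For triaging a procmon capture like the one in the comment above, the following is an added example (not part of the ticket, and not a Tor Project tool) that flags DLL lookups with a blank base name, DLL names the loader had to probe for along the search path, and DLLs loaded from outside the Windows directory. The sample lines are constructed in the same column layout, and the flag names are assumptions of this sketch.

```python
import re
from collections import defaultdict
from ntpath import basename, dirname

# process, PID, operation, path, result; tolerates a fused "1920CreateFile" column.
LINE = re.compile(r"^(?P<proc>\S+)\s+(?P<pid>\d+)\s*(?P<op>[A-Za-z ]+?)\s+"
                  r"(?P<path>[A-Za-z]:\\.+?)\s+(?P<result>NAME NOT FOUND|SUCCESS)$")

def analyse(lines):
    """Return {(process, dll_name): sorted flags} for DLL activity worth a look."""
    seen = defaultdict(lambda: {"missed": [], "loaded": []})
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m or not m["path"].lower().endswith(".dll"):
            continue
        entry = seen[(m["proc"], basename(m["path"]).lower())]
        folder = dirname(m["path"])
        if m["op"] == "CreateFile" and m["result"] == "NAME NOT FOUND":
            entry["missed"].append(folder)
        elif m["op"] == "Load Image" and m["result"] == "SUCCESS":
            entry["loaded"].append(folder)
    findings = {}
    for (proc, name), entry in seen.items():
        flags = set()
        if name == ".dll":                  # blank base name, as in this ticket
            flags.add("empty-base-name")
        if entry["missed"]:                 # loader walked the search path for it
            flags.add("search-path-probe")
        # Triage hint only: applications also load their own DLLs from their folder.
        if any(not d.lower().startswith(r"c:\windows") for d in entry["loaded"]):
            flags.add("loaded-outside-windows-dir")
        if flags:
            findings[(proc, name)] = sorted(flags)
    return findings

# Constructed sample in the column layout of the procmon output quoted above.
SAMPLE = r"""
firefox.exe 1920CreateFile  C:\Tor Browser\Browser\.DLL  NAME NOT FOUND
firefox.exe 1920 CreateFile  C:\Windows\SysWOW64\.DLL  NAME NOT FOUND
firefox.exe 1920 Load Image  C:\Windows\SysWOW64\kernel32.dll  SUCCESS
firefox.exe 2412 CreateFile  C:\Tor Browser\Browser\.DLL  SUCCESS
firefox.exe 2412 Load Image  C:\Tor Browser\Browser\.DLL  SUCCESS
""".strip().splitlines()

if __name__ == "__main__":
    for key, flags in analyse(SAMPLE).items():
        print(key, flags)
```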

Re: [tor-bugs] #12736 [Applications/Tor Browser]: DLL hijacking vulnerability in TBB

2016-08-10 Thread Tor Bug Tracker & Wiki
Changes (by gk):

 * keywords:  tbb-security => tbb-security, TorBrowserTeam201608
 * severity:   => Normal

