#12736: DLL hijacking vulnerability in TBB ------------------------------------------------+-------------------------- Reporter: underdoge | Owner: tbb-team Type: defect | Status: new Priority: High | Milestone: Component: Applications/Tor Browser | Version: Severity: Normal | Resolution: Keywords: tbb-security, TorBrowserTeam201608 | Actual Points: Parent ID: | Points: Reviewer: | Sponsor: ------------------------------------------------+--------------------------
Comment (by cypherpunks): I tested TBB 6.0.3 on a clean Windows 7 system. Per procmon, TBB is looking for a .DLL, searching in the Browser dir, system dirs and Path: firefox.exe 1920 CreateFile C:\Tor Browser\Browser\.DLL NAME NOT FOUND firefox.exe 1920 CreateFile C:\Windows\SysWOW64\.DLL NAME NOT FOUND firefox.exe 1920 CreateFile C:\Windows\system\.DLL NAME NOT FOUND firefox.exe 1920 CreateFile C:\Windows\.DLL NAME NOT FOUND firefox.exe 1920 CreateFile C:\Windows\SysWOW64\.DLL NAME NOT FOUND firefox.exe 1920 CreateFile C:\Windows\.DLL NAME NOT FOUND firefox.exe 1920 CreateFile C:\Windows\SysWOW64\wbem\.DLL NAME NOT FOUND firefox.exe 1920 CreateFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\.DLL NAME NOT FOUND If ".DLL" exists, it is loaded and executed (DllMain is called): firefox.exe 2412 CreateFile C:\Tor Browser\Browser\.DLL SUCCESS firefox.exe 2412 QueryBasicInformationFile C:\Tor Browser\Browser\.DLL SUCCESS firefox.exe 2412 CloseFile C:\Tor Browser\Browser\.DLL SUCCESS firefox.exe 2412 CreateFile C:\Tor Browser\Browser\.DLL SUCCESS firefox.exe 2412 CreateFileMapping C:\Tor Browser\Browser\.DLL SUCCESS firefox.exe 2412 Load Image C:\Tor Browser\Browser\.DLL SUCCESS firefox.exe 2412 CloseFile C:\Tor Browser\Browser\.DLL SUCCESS A "normal" Firefox doesn't look for a ".DLL". So TBB presumably somewhere constructs a DLL name with a blank base name. At least with a current Windows version, the problem doesn't seem too bad. It doesn't look in the current directory for a ".DLL". -- Ticket URL: <https://trac.torproject.org/projects/tor/ticket/12736#comment:7> Tor Bug Tracker & Wiki <https://trac.torproject.org/> The Tor Project: anonymity online _______________________________________________ tor-bugs mailing list tor-bugs@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs