DLL hijacking vulnerability in TBB

The current version of TBB is vulnerable to DLL hijacking. Vanilla Firefox is NOT vulnerable. Steps to reproduce:

  1. Create a malicious DLL (source code for an example is added)
  2. Rename the malicious DLL to ".DLL" using the command-line tool ren.exe, because Windows Explorer prohibits such names
  3. Place ".DLL" into a folder listed in the %PATH% environment variable
  4. Start DbgView.exe (a tool from Microsoft) to get text output from the DLL
  5. Start Tor Browser Bundle

You will now see something similar to: HIJACKDLL (C:....DLL) Started from: C:...\TorBrowser\Browser\firefox.exe as user Admin

This bug will probably also be triggered when TBB is registered as a default file handler and the malicious DLL is in the same folder as the file opened by TBB. See http://msdn.microsoft.com/en-us/library/windows/desktop/ms682586(v=vs.85).aspx for more information about DLL load order. But I haven't confirmed it yet, because I don't know in which cases the TBB could be opened as a default file handler. Carpet bombing might also be possible: http://www.dhanjani.com/blog/2008/05/safari-carpet-b.html

A possible attack scenario would be an attacker who shares a URL link file in a folder along with a hidden ".DLL", and the victim opens the URL link file with TBB. Native code execution can then be used to unmask the user.

".DLL" smells like sprintf(DLLToLoad, "%s.DLL", EmptyDLLString)

Tested on: Win7x64 Tor Browser 3.6.3-Windows
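An added defender-side check, not part of the original report: a Python audit that walks the directories on PATH and flags any file named ".DLL" (the empty-base-name artifact described above) together with PATH directories the current user can write to. The sample directory layout is constructed in a temporary folder so the check runs anywhere.

```python
import os
import tempfile


def find_empty_name_dlls(path_entries):
    """Return full paths of files named exactly '.dll' (any letter case) in the
    given directories. That name is what a loader builds when it appends '.DLL'
    to an empty module name, so no legitimate library carries it; one sitting in
    a PATH directory is worth investigating."""
    hits = []
    for directory in path_entries:
        if not os.path.isdir(directory):
            continue  # dangling PATH entry, nothing can be loaded from it
        for name in os.listdir(directory):
            if name.lower() == ".dll":
                hits.append(os.path.join(directory, name))
    return hits


def writable_path_dirs(path_entries):
    """PATH directories the current user can write to: any DLL resolved by bare
    name could be planted in one of these by an unprivileged process."""
    return [d for d in path_entries if os.path.isdir(d) and os.access(d, os.W_OK)]


def audit_path(path_value=None):
    """Split a PATH-style string (default: this process's PATH) and run both checks."""
    if path_value is None:
        path_value = os.environ.get("PATH", "")
    entries = [e for e in path_value.split(os.pathsep) if e]
    return {
        "empty_name_dlls": find_empty_name_dlls(entries),
        "writable_dirs": writable_path_dirs(entries),
    }


def demo():
    """Constructed layout: a clean PATH directory, one holding the '.DLL'
    artifact, and a PATH entry that does not exist on disk."""
    root = tempfile.mkdtemp()
    clean = os.path.join(root, "clean")
    planted = os.path.join(root, "planted")
    os.mkdir(clean)
    os.mkdir(planted)
    open(os.path.join(clean, "libnormal.dll"), "w").close()
    open(os.path.join(planted, ".DLL"), "w").close()
    fake_path = os.pathsep.join([clean, planted, os.path.join(root, "missing")])
    return audit_path(fake_path)


if __name__ == "__main__":
    print(demo())
```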

Trac:
Username: underdoge
