The Tor Project / Applications / Tor Browser / Issues / #12736
Created Jul 29, 2014 by Trac@tracbot

DLL hijacking vulnerability in TBB

The current version of TBB is vulnerable to DLL hijacking. Vanilla Firefox is NOT vulnerable. Steps to reproduce:

  1. Create a malicious dll (source code for example is added)
  2. Rename the malicious DLL to ".DLL" using the command-line tool ren.exe, because Windows Explorer prohibits such names
  3. Place ".DLL" into a folder listed in the %PATH% environment variable
  4. Start DbgView.exe (a tool from Microsoft) to get text outputs from the DLL
  5. Start Tor Browser Bundle

You will now see something similar to: HIJACKDLL (C:....DLL) Started from: C:...\TorBrowser\Browser\firefox.exe as user Admin

This bug will probably also be triggered when TBB is registered as a default file handler and the malicious DLL is in the same folder as the file opened by TBB. See http://msdn.microsoft.com/en-us/library/windows/desktop/ms682586(v=vs.85).aspx for more information about DLL load order. But I haven't confirmed it yet, because I don't know in which cases TBB could be opened as a default file handler. Carpet Bombing might also be possible: http://www.dhanjani.com/blog/2008/05/safari-carpet-b.html

A possible attack scenario would be an attacker who shares a URL link file in a folder along with a hidden ".DLL", and the victim opens the URL link file with TBB. Native code execution can then be used to unmask the user.

".DLL" smells like sprintf(DLLToLoad, "%s.DLL", EmptyDLLString)

Tested on: Win7x64 Tor Browser 3.6.3-Windows

Trac:
Username: underdoge
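The report refers to attached DLL source that is not reproduced on this page. The following is an added example, not the reporter's attachment and not Tor Browser code: a minimal proof-of-concept DLL whose DllMain emits the "HIJACKDLL (...) Started from: ... as user ..." line the report shows in DbgView, together with a small model of the reporter's ".DLL smells like sprintf(\"%s.DLL\", \"\")" hypothesis and the check a loader would need to rule that failure mode out. The Windows-specific part is under `_WIN32`; the string helpers are portable so the logic can be exercised anywhere. Whether the real load in firefox.exe is actually built this way is not established by the report; that part of the example only illustrates the hypothesis.

```c
/* hijack_demo.c: added proof-of-concept hijack DLL and a model of the
 * suspected loader bug. Not the reporter's attached source and not Tor
 * Browser code. Build on Windows as a DLL matching the bitness of the
 * firefox.exe being tested, e.g.
 *   x86_64-w64-mingw32-gcc -shared -o hijack_demo.dll hijack_demo.c
 * then:  ren hijack_demo.dll .DLL  (Explorer refuses names starting with a dot)
 * and drop the result into a directory on %PATH% before starting TBB. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Hypothesis from the report: the loader does sprintf(buf, "%s.DLL", name)
 * and name is empty, so the request becomes the bare file name ".DLL".
 * LoadLibrary then resolves a bare name through the normal search order:
 * application dir, system dirs, current dir, and every %PATH% entry. */
int build_dll_name_unchecked(char *out, size_t n, const char *base)
{
    return snprintf(out, n, "%s.DLL", base);
}

/* Hardened variant: refuse an empty base name, and refuse anything carrying
 * a path separator or drive letter, so a missing or attacker-shaped name can
 * never turn into a bare ".DLL" that is hunted for across %PATH%.
 * Returns true when out holds a usable, non-truncated name. */
bool build_dll_name_checked(char *out, size_t n, const char *base)
{
    if (base == NULL || base[0] == '\0')
        return false;
    if (strpbrk(base, "\\/:") != NULL)
        return false;
    int w = snprintf(out, n, "%s.DLL", base);
    return w > 0 && (size_t)w < n;
}

/* Debug banner in the shape the report shows in DbgView. */
int format_banner(char *out, size_t n,
                  const char *dll, const char *host, const char *user)
{
    return snprintf(out, n, "HIJACKDLL (%s) Started from: %s as user %s",
                    dll, host, user);
}

#ifdef _WIN32
/* Runs inside whatever process loaded this DLL; for the report's scenario
 * that is firefox.exe from the Tor Browser directory. */
BOOL WINAPI DllMain(HINSTANCE hinst, DWORD reason, LPVOID reserved)
{
    (void)reserved;
    if (reason == DLL_PROCESS_ATTACH) {
        char dll[MAX_PATH], host[MAX_PATH], user[256], msg[1024];
        DWORD ulen = sizeof user;
        GetModuleFileNameA(hinst, dll, sizeof dll);   /* where this DLL was found */
        GetModuleFileNameA(NULL, host, sizeof host);  /* the hosting executable */
        if (!GetUserNameA(user, &ulen))
            strcpy(user, "?");
        format_banner(msg, sizeof msg, dll, host, user);
        OutputDebugStringA(msg);                      /* visible in DbgView */
    }
    return TRUE;
}
#endif
```

Two caveats for anyone reproducing this: the DLL must match the architecture of the firefox.exe being tested (a 64-bit DLL is silently skipped by a 32-bit process), and DbgView has to be running before TBB starts, since the banner is emitted once at DLL_PROCESS_ATTACH. The `build_dll_name_*` pair shows why an empty-name check matters independently of which search-path hardening the loader applies: with an empty base name the unchecked form yields exactly the ".DLL" the report observes.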
