Opened 7 years ago

Closed 6 years ago

#10512 closed defect (fixed)

Firefox.exe doesn't have DEP enabled

Reported by: bastik
Owned by: erinn
Priority: Medium
Milestone:
Component: Applications/Tor bundles/installation
Version:
Severity:
Keywords: tbb-security
Cc: tom@…
Actual Points:
Parent ID: #10065
Points:
Reviewer:
Sponsor:

Description

Firefox from the BrowserBundle 3.5 does not have DEP enabled.

Vanilla Firefox has, therefore I call it a defect.

Change History (7)

comment:1 Changed 7 years ago by gk

Component: Firefox Patch Issues → Tor bundles/installation
Owner: changed from mikeperry to erinn
Parent ID: #10065

comment:2 Changed 6 years ago by mikeperry

Keywords: tbb-security added

comment:3 Changed 6 years ago by tom

Cc: tom@… added

comment:4 Changed 6 years ago by tom

According to my testing, TBB 3.6.1 (both firefox.exe and tor.exe) have DEP, and Process Explorer on Windows 7 shows "DEP (permanent)" - meaning it was compiled with it in.

comment:5 Changed 6 years ago by gk

Status: new → needs_information

bastik: How did you test whether DEP was enabled for firefox.exe in TBB 3.5? The Process Explorer shows "DEP (permanent)" for the one in TBB 3.5 as well.

comment:6 in reply to:  5 Changed 6 years ago by bastik

Replying to gk:

bastik: How did you test whether DEP was enabled for firefox.exe in TBB 3.5? The Process Explorer shows "DEP (permanent)" for the one in TBB 3.5 as well.

Last time I checked with the default task manager and DEP was enabled. I use(d) EMET to make every program use DEP, unless it opts out. Today I tried with DEP opt-in and DEP is used for Firefox and TorBrowser as shown by the default task manager and Process Explorer. The latter shows "DEP permanent".

Back then I used some ancient version of PEStudio to see if it had DEP enabled. Maybe I checked with CFF Explorer, too. Today I checked Firefox and TorBrowser (3.5.2, the most ancient version I had around) with CFF Explorer 8 (VIII) and PEStudio 8.29. Both tell me that Firefox supports DEP and TorBrowser does not.

CFF says under NT Headers > Optional Headers > "DLL Characteristics" > "Image is NX-compatible" without a checkmark for TorBrowser, but with checkmark for Firefox.

PEStudio changed the interface since I used it. Previously its GUI had a star for that. (Star if supported, no star if supported.) Now it writes "The image ignores Data Execution Prevention (DEP) as Mitigation technique" for TorBrowser and "The image uses Data Execution Prevention (DEP) as Mitigation technique" for Firefox.

Either the two tools are not functioning correctly, maybe because the build-process is removing header information, or DEP is not functioning. My guess is that the build-process makes the binary look strange, which confuses the tools.

I have no idea how to test if DEP is actually working, besides writing exploit code that relies on DEP to fail or not be present.

If someone can confirm that DEP is working and/or that the build-process is responsible for that (binary looking strange), then this ticket is meaningless. Maybe it should be documented, then.
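
Added example, not part of the ticket or of any Tor Project tooling: a small Python check that reads the `DllCharacteristics` word of the PE optional header, the field CFF Explorer shows as "Image is NX-compatible" in comment 6, so two builds can be compared without a GUI tool. The function names and `sample_pe` (a constructed, header-only byte string) are assumptions made for this illustration.

```python
import struct
import sys

IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100  # bit defined by the PE/COFF spec
DLLCHAR_OFFSET = 70  # offset inside the optional header, PE32 and PE32+ alike
FORMATS = {0x10B: "PE32", 0x20B: "PE32+"}


def inspect_pe(data: bytes) -> dict:
    """Report the optional-header format and the NX_COMPAT bit of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt_off = pe_off + 4 + 20  # skip signature and 20-byte COFF header
    if len(data) < opt_off + DLLCHAR_OFFSET + 2:
        raise ValueError("optional header truncated")
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 4 + 16)
    (magic,) = struct.unpack_from("<H", data, opt_off)
    if magic not in FORMATS or opt_size < DLLCHAR_OFFSET + 2:
        raise ValueError("unsupported or truncated optional header")
    (flags,) = struct.unpack_from("<H", data, opt_off + DLLCHAR_OFFSET)
    return {
        "format": FORMATS[magic],
        "dll_characteristics": flags,
        "nx_compat": bool(flags & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def sample_pe(dll_chars: int, magic: int = 0x10B) -> bytes:
    """Constructed header-only sample (not a loadable binary)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 96, 0x0102)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, DLLCHAR_OFFSET, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Pass the binaries to compare, e.g. the two firefox.exe files.
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, inspect_pe(fh.read()))
```

This reports only the static header bit that the image was linked with; the "DEP (permanent)" status in Process Explorer describes the running process and is a separate observation.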

comment:7 Changed 6 years ago by mikeperry

Resolution: fixed
Status: needs_information → closed

This should be fixed in 4.0-alpha-2.
