DLL hijacking vulnerability in TBB
The current version of TBB is vulnerable to DLL hijacking. Vanilla Firefox is NOT vulnerable. Steps to reproduce:
- Create a malicious DLL (example source code is attached)
- Rename the malicious DLL to ".DLL" using the command-line tool ren.exe, because Windows Explorer prohibits such names
- Place ".DLL" into a folder listed in the %PATH% environment variable
- Start DbgView.exe (a tool from Microsoft) to capture the debug text output from the DLL
- Start Tor Browser Bundle
You will now see something similar to: HIJACKDLL (C:....DLL) Started from: C:...\TorBrowser\Browser\firefox.exe as user Admin
This bug will probably also be triggered when TBB is registered as a default file handler and the malicious DLL is in the same folder as the file opened by TBB. See http://msdn.microsoft.com/en-us/library/windows/desktop/ms682586(v=vs.85).aspx for more information about the DLL load order. But I haven't confirmed it yet, because I don't know in which cases the TBB could be opened as a default file handler. Carpet bombing might also be possible: http://www.dhanjani.com/blog/2008/05/safari-carpet-b.html
A possible attack scenario would be an attacker who shares a URL link file in a folder along with a hidden ".DLL", and the victim opens the URL link file with TBB. Native code execution can then be used to unmask the user.
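For defenders who want to check a machine for the condition this report describes, the following audit script is an added example and is not part of the original ticket or of Tor Browser. It splits the PATH variable, reports any directory that contains a file literally named ".DLL" (the indicator from the steps above), and lists which PATH directories the current user can write to (the precondition for planting such a file). The fixture built by build_demo_environment() is constructed for the example; the function names are the example's own, not anything from TBB.

```python
import os
import tempfile
from pathlib import Path

# Indicator taken from the report: a DLL whose base name is empty, i.e. a file
# literally called ".DLL". Matched case-insensitively, as Windows would.
INDICATOR_NAME = ".DLL"


def split_search_path(path_value: str) -> list:
    """Split a PATH-style string into its non-empty entries.

    os.pathsep is ';' on Windows and ':' on POSIX, so the same code can be
    exercised on either platform.
    """
    return [p.strip() for p in path_value.split(os.pathsep) if p.strip()]


def find_indicator_files(dirs, name: str = INDICATOR_NAME) -> list:
    """Return full paths of files named `name` found directly in any of `dirs`."""
    hits = []
    for d in dirs:
        p = Path(d)
        if not p.is_dir():
            continue  # stale PATH entries are common; skip silently
        for child in p.iterdir():
            if child.is_file() and child.name.lower() == name.lower():
                hits.append(str(child))
    return hits


def writable_dirs(dirs) -> list:
    """Return the PATH directories the current user could drop a file into."""
    return [d for d in dirs if os.path.isdir(d) and os.access(d, os.W_OK)]


def audit(path_value: str) -> dict:
    """Audit one PATH string for the two conditions from the report."""
    dirs = split_search_path(path_value)
    return {
        "indicator_files": find_indicator_files(dirs),
        "writable_dirs": writable_dirs(dirs),
    }


def build_demo_environment() -> tuple:
    """Constructed fixture: two temp dirs, one holding a harmless empty ".DLL".

    Returns (path_value, planted_file) so a caller can run audit() on it.
    """
    planted_dir = tempfile.mkdtemp(prefix="hijack_demo_")
    clean_dir = tempfile.mkdtemp(prefix="clean_demo_")
    planted_file = Path(planted_dir, INDICATOR_NAME)
    planted_file.write_bytes(b"")  # zero-byte placeholder, not a real DLL
    bogus_entry = str(Path(clean_dir, "does_not_exist"))
    path_value = os.pathsep.join([planted_dir, clean_dir, bogus_entry])
    return path_value, str(planted_file)


if __name__ == "__main__":
    # Audit the real PATH of the account running the script.
    result = audit(os.environ.get("PATH", ""))
    for f in result["indicator_files"]:
        print("INDICATOR: found", f)
    for d in result["writable_dirs"]:
        print("WRITABLE PATH DIR:", d)
    if not result["indicator_files"]:
        print("no '.DLL' indicator file found on PATH")
```

Run it under the same account that launches the browser; a writable PATH directory is only interesting for this report if a lower-privileged user can write there while the browser runs as someone else, so compare the "WRITABLE PATH DIR" lines against the ACLs of those folders.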
".DLL" smells like sprintf(DLLToLoad, "%s.DLL", EmptyDLLString)
Tested on: Win7x64 Tor Browser 3.6.3-Windows
Trac:
Username: underdoge