[tbb-bugs] #12736 [Applications/Tor Browser]: DLL hijacking vulnerability in TBB
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Aug 10 18:08:54 UTC 2016
#12736: DLL hijacking vulnerability in TBB
------------------------------------------------+--------------------------
Reporter: underdoge | Owner: tbb-team
Type: defect | Status: new
Priority: High | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: tbb-security, TorBrowserTeam201608 | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
------------------------------------------------+--------------------------
Comment (by cypherpunks):
I tested TBB 6.0.3 on a clean Windows 7 system. Per procmon, TBB is
looking for a .DLL, searching in the Browser dir, system dirs and Path:
firefox.exe 1920 CreateFile C:\Tor Browser\Browser\.DLL NAME NOT FOUND
firefox.exe 1920 CreateFile C:\Windows\SysWOW64\.DLL NAME NOT FOUND
firefox.exe 1920 CreateFile C:\Windows\system\.DLL NAME NOT FOUND
firefox.exe 1920 CreateFile C:\Windows\.DLL NAME NOT FOUND
firefox.exe 1920 CreateFile C:\Windows\SysWOW64\.DLL NAME NOT FOUND
firefox.exe 1920 CreateFile C:\Windows\.DLL NAME NOT FOUND
firefox.exe 1920 CreateFile C:\Windows\SysWOW64\wbem\.DLL NAME NOT FOUND
firefox.exe 1920 CreateFile C:\Windows\SysWOW64\WindowsPowerShell\v1.0\.DLL NAME NOT FOUND
If ".DLL" exists, it is loaded and executed (DllMain is called):
firefox.exe 2412 CreateFile C:\Tor Browser\Browser\.DLL SUCCESS
firefox.exe 2412 QueryBasicInformationFile C:\Tor Browser\Browser\.DLL SUCCESS
firefox.exe 2412 CloseFile C:\Tor Browser\Browser\.DLL SUCCESS
firefox.exe 2412 CreateFile C:\Tor Browser\Browser\.DLL SUCCESS
firefox.exe 2412 CreateFileMapping C:\Tor Browser\Browser\.DLL SUCCESS
firefox.exe 2412 Load Image C:\Tor Browser\Browser\.DLL SUCCESS
firefox.exe 2412 CloseFile C:\Tor Browser\Browser\.DLL SUCCESS
A "normal" Firefox doesn't look for a ".DLL". So TBB presumably somewhere
constructs a DLL name with a blank base name.
At least with a current Windows version, the problem doesn't seem too bad.
It doesn't look in the current directory for a ".DLL".
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/12736#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
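
A triage sketch for the procmon evidence in the comment above, added here as an example and not part of the ticket or of Tor Browser's code: it flags events whose target is a DLL with an empty base name and separates lookups under the Windows directory from those in the application directory. The sample lines are constructed in the trace's column order, and `C:\Windows` as the system root and the function name `blank_dll_events` are assumptions.

```python
import ntpath
import re

# Constructed sample, in the column order of the trace above:
# process, PID, operation, path, result. The xul.dll line is a control.
SAMPLE = r"""
firefox.exe 1920 CreateFile C:\Tor Browser\Browser\.DLL NAME NOT FOUND
firefox.exe 1920 CreateFile C:\Windows\SysWOW64\.DLL NAME NOT FOUND
firefox.exe 1920 CreateFile C:\Windows\SysWOW64\wbem\.DLL NAME NOT FOUND
firefox.exe 1920 CreateFile C:\Tor Browser\Browser\xul.dll SUCCESS
firefox.exe 2412 Load Image C:\Tor Browser\Browser\.DLL SUCCESS
"""

EVENT = re.compile(
    r"^(?P<proc>\S+)\s+(?P<pid>\d+)\s+(?P<op>CreateFile|Load Image)\s+"
    r"(?P<path>[A-Za-z]:\\.+?)\s+(?P<result>NAME NOT FOUND|SUCCESS)$"
)
SYSTEM_ROOT = r"c:\windows"  # assumption: default %SystemRoot%


def blank_dll_events(text):
    """Return one record per event that targets a DLL with an empty base name."""
    hits = []
    for line in text.splitlines():
        m = EVENT.match(line.strip())
        if not m:
            continue
        directory, name = ntpath.split(m["path"])
        if name.lower() != ".dll":  # base name must be empty, extension only
            continue
        d = directory.lower()
        hits.append({
            "process": m["proc"],
            "pid": m["pid"],
            "directory": directory,
            # Directories outside %SystemRoot% are the ones whose ACLs need review.
            "outside_system_root": not (d == SYSTEM_ROOT or d.startswith(SYSTEM_ROOT + "\\")),
            # A successful Load Image means the file existed and was mapped.
            "loaded": m["op"] == "Load Image" and m["result"] == "SUCCESS",
        })
    return hits


if __name__ == "__main__":
    for hit in blank_dll_events(SAMPLE):
        state = "LOADED" if hit["loaded"] else "probed"
        scope = "app/user dir" if hit["outside_system_root"] else "system dir"
        print(f'{hit["process"]}[{hit["pid"]}] {state:6} {scope:12} {hit["directory"]}')
```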