lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 4 Aug 2015 15:22:18 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: <fulldisclosure@...lists.org>
Subject: Mozilla extensions: a security nightmare

Hi @ll,

Mozilla Thunderbird 38 and newer installs and activates per default
the 'Lightning' extension.

Since extensions live in the (Firefox and) Thunderbird profiles
(which are stored beneath %APPDATA% in Windows) and 'Lightning' comes
(at least for Windows) with a DLL and some Javascript, Thunderbird
with 'Lightning' violates one of the mandatory and basic requirements
of the now 20 year old "Designed for Windows" guidelines and breaks a
security boundary: applications must be installed in %ProgramFiles%
where they are protected against tampering by unprivileged users (and
of course malware running in their user accounts too) since only
privileged users can write there.

Code installed in %APPDATA% (or any other user-writable location) is
but not protected against tampering.
This is a fundamental flaw of (not only) Mozilla's extensions, and a
security nightmare.

Separation of code from (user) data also allows to use whitelisting
(see <https://technet.microsoft.com/en-us/library/bb457006.aspx> for
example) to secure Windows desktops and servers: users (and of course
Windows too) don't need to run code stored in their user profiles,
they only need to run the installed programs/applications, so unwanted
software including malware can easily be blocked from running.

JFTR: current software separates code from data in virtual memory and
      uses "write xor execute" or "data execution prevention" to
      prevent both tampering of code and execution of data.
      The same separation and protection can and of course needs to be
      applied to code and data stored in the file system too!

The Lightning extension for Windows but defeats the tamper protection
and code/data separation provided by Windows:

1. its calbasecomps.dll can be replaced or overwritten with an
   arbitrary DLL which DllMain() is executed every time this DLL is
   loaded;

2. its (XUL/chrome) Javascripts can be replaced or overwritten and
   used to load and call arbitrary DLLs via js-ctypes.

   Only non-XUL/chrome Javascript is less critical since its execution
   is confined by (Firefox and) Thunderbird and subject to the
   restrictions imposed by these programs for non-XUL/chrome Javascript.


Mitigation(s):
~~~~~~~~~~~~~~

Disable profile local installation of extensions in Mozilla products,
enable ONLY application global installation of extensions.

stay tuned
Stefan Kanthak

Powered by blists - more mailing lists