[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <1BDC219C6EFB459495628D3C18C2BF0C@W340>
Date: Wed, 5 Aug 2015 17:33:09 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: "Mario Vilas" <mvilas@...il.com>
Cc: "bugtraq" <bugtraq@...urityfocus.com>,
"fulldisclosure" <fulldisclosure@...lists.org>
Subject: Re: [FD] Mozilla extensions: a security nightmare
"Mario Vilas" <mvilas@...il.com> wrote:
> %APPDATA% is within the user's home directory - by default it should
> not be writeable by other users.
Did I mention OTHER users?
Clearly not, so your "argument" is moot.
> If this is the case then the problem is one of bad file permissions,
> not the location.
>
> Incidentally, many other browsers and tons of software also store
> executable code in %APPDATA%.
Cf. <http://seclists.org/fulldisclosure/2013/Aug/198>
EVERY program which stores executable code in user-writable locations
is CRAPWARE and EVIL since it undermines the security boundary created
by privilege separation and installation of executables in write-protected
locations.
Both are BASIC principles of computer security.
> I think "security nightmare" may be a bit of an overstatement here.
No, it's just the right wording since it violates two basic principles.
> I'll refrain from panicking about this "issue" for the time being.
JFTR: top posting is a bad habit too!
On Tue, Aug 4, 2015 at 3:22 PM, Stefan Kanthak <stefan.kanthak@...go.de>
wrote:
> Hi @ll,
>
> Mozilla Thunderbird 38 and newer installs and activates per default
> the 'Lightning' extension.
>
> Since extensions live in the (Firefox and) Thunderbird profiles
> (which are stored beneath %APPDATA% in Windows) and 'Lightning' comes
> (at least for Windows) with a DLL and some Javascript, Thunderbird
> with 'Lightning' violates one of the mandatory and basic requirements
> of the now 20 year old "Designed for Windows" guidelines and breaks a
> security boundary: applications must be installed in %ProgramFiles%
> where they are protected against tampering by unprivileged users (and
> of course malware running in their user accounts too) since only
> privileged users can write there.
>
> Code installed in %APPDATA% (or any other user-writable location) is
> but not protected against tampering.
> This is a fundamental flaw of (not only) Mozilla's extensions, and a
> security nightmare.
>
> Separation of code from (user) data also allows to use whitelisting
> (see <https://technet.microsoft.com/en-us/library/bb457006.aspx> for
> example) to secure Windows desktops and servers: users (and of course
> Windows too) don't need to run code stored in their user profiles,
> they only need to run the installed programs/applications, so unwanted
> software including malware can easily be blocked from running.
>
> JFTR: current software separates code from data in virtual memory and
> uses "write xor execute" or "data execution prevention" to
> prevent both tampering of code and execution of data.
> The same separation and protection can and of course needs to be
> applied to code and data stored in the file system too!
>
> The Lightning extension for Windows but defeats the tamper protection
> and code/data separation provided by Windows:
>
> 1. its calbasecomps.dll can be replaced or overwritten with an
> arbitrary DLL which DllMain() is executed every time this DLL is
> loaded;
>
> 2. its (XUL/chrome) Javascripts can be replaced or overwritten and
> used to load and call arbitrary DLLs via js-ctypes.
>
> Only non-XUL/chrome Javascript is less critical since its execution
> is confined by (Firefox and) Thunderbird and subject to the
> restrictions imposed by these programs for non-XUL/chrome Javascript.
>
>
> Mitigation(s):
> ~~~~~~~~~~~~~~
>
> Disable profile local installation of extensions in Mozilla products,
> enable ONLY application global installation of extensions.
>
> stay tuned
> Stefan Kanthak
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
>
Powered by blists - more mailing lists