Open Source and information security mailing list archives
Message-Id: <20080408231715.AFA712004C@mailserver7.hushmail.com>
Date: Wed, 09 Apr 2008 01:17:15 +0200
From: <auto167445@...hmail.com>
To: <full-disclosure@...ts.grok.org.uk>
Cc: 
Subject: Mozilla Thunderbird installer can be used to
	execute malicious executable

Mozilla Thunderbird installer can be used to execute malicious
executable

Tested:
Thunderbird 2.0.0.12 (English) Win32 (latest release)
Win2k (German)
WinXP (English, admin account)

After installation the user is prompted with:
[x] Launch Mozilla Thunderbird now

If user continues, installer calls e.g.:
C:\Program Files\Mozilla Thunderbird\thunderbird.exe

It has not been checked, which method of calling is used, WinExec()
or CreateProcess() or similar, both have a similar problem,
described here:

http://msdn2.microsoft.com/en-us/library/ms995319.aspx (April 2001)

... The executable name is treated as the first white space-delimited
string in lpCmdLine. If the executable or path name has a space in it
however, there is a risk that a malicious executable could be run if
the spaces are not properly handled. ...

... If a malicious user were to create a Trojan program called
"Program.exe" on a system, any program that incorrectly calls WinExec
[or CreateProcess] using the Program Files directory will now launch
the Trojan instead of the intended application. ...

Thunderbird installer does not care about that.

Simple example using a small application written in Visual Basic 6:

1. Compile as new project (or just use notepad.exe or similar):

Private Sub Form_Load()
    MsgBox Command
End Sub

2. Copy executable to C:\Program.exe (English Windows) or to e.g.
C:\Programme\Mozilla.exe (German Windows) or similar locations for
other languages.

3. Use TB installer and let it launch Thunderbird after
installation.

4. Not Thunderbird but our (malicious) executable is launched.

Best use in Win2k as everybody can place files in C:\ or the drive
where Win2k is installed.

Notified vendor/bugzilla: No, feel free if you like...

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
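
Added example, not part of the original post: a small audit helper that lists the file names Windows tries first when a path containing spaces is passed unquoted as the command line, and builds the quoted form that avoids the ambiguity. The function names are hypothetical, the resolution order assumed is the documented CreateProcess behaviour when no separate application name is given, and the file listing is constructed.

```python
import ntpath
import os

def shadow_candidates(exe_path):
    """Paths Windows would try before exe_path when the path is passed
    unquoted as the command line (no separate application name)."""
    candidates = []
    pos = exe_path.find(" ")
    while pos != -1:
        prefix = exe_path[:pos]
        # Skip empty fragments produced by repeated spaces or "dir\ name".
        if prefix and not prefix.endswith((" ", "\\")):
            # A truncated name without an extension gets ".exe" appended.
            if not ntpath.splitext(prefix)[1]:
                prefix += ".exe"
            candidates.append(prefix)
        pos = exe_path.find(" ", pos + 1)
    return candidates

def find_shadowing(exe_path, exists=os.path.isfile):
    """Return the shadow candidates that are actually present on disk."""
    return [p for p in shadow_candidates(exe_path) if exists(p)]

def quoted_command_line(exe_path, args=()):
    """Hardened form: quote the executable so it is parsed as one token."""
    return " ".join(['"%s"' % exe_path, *args])

if __name__ == "__main__":
    target = r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe"
    # Constructed file listing standing in for a real disk.
    present = {r"C:\Program.exe", target}
    for path in shadow_candidates(target):
        print("tried first:", path)
    print("found on disk:", find_shadowing(target, present.__contains__))
    print("safe call:", quoted_command_line(target))
```

Any entry returned by find_shadowing() on a real host is a file that would run in place of the intended program for an unquoted launch of that path.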
