Message-ID: <4E7329F629DF4C7FAE0F6DCCDEAAE439@W340>
Date: Tue, 13 Oct 2015 21:14:30 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <fulldisclosure@...lists.org>
Cc: bugtraq@...lists.org
Subject: [FD] Mozilla extensions: a security nightmare (part 2)
Hi @ll,
Mozilla Firefox 38 (both standard and ESR) and newer install and by
default activate Cisco's OpenH264 video codec; see <about:plugins>.
Firefox 33 to 37 downloaded this codec and installed it on demand; see
<http://blogs.cisco.com/collaboration/ciscos-openh264-now-part-of-firefox>.
This extension comes as a "Gecko media plugin"[*]; for Windows it is
implemented as a DLL ... and installed into the Firefox profiles (which
are stored beneath "%APPDATA%" in Windows).
This is a fundamental design flaw of (not only) Mozilla's extensions,
and a security nightmare.
Code installed in "%APPDATA%" (or any other user-writable location)
is not protected against tampering, it can be overwritten by the
unprivileged user (or malware running with the user's credentials):
a modified "gmpopenh264.dll" may be loaded by Mozilla Firefox and its
DllMain() routine executed.
Once again Mozilla's bad habits break a security boundary and violate
one of the mandatory and basic requirements of the now 20-year-old
"Designed for Windows" guidelines: applications (more precisely: their
executable code) must be installed in "%ProgramFiles%" where they are
protected against tampering by unprivileged users (and of course malware
running in their user accounts too) since only privileged users can write
there.
JFTR:
~~~~~
* there is ABSOLUTELY NO NEED to create a directory "gmp-openh264\1.4"
in EVERY Firefox profile and copy "gmpopenh264.dll" into it:
* the other "Gecko media plugin" distributed with Mozilla Firefox is
installed in "%ProgramFiles%\Mozilla Firefox\gmp-clearkey\0.1"
* "clearkey.dll" is digitally signed by Mozilla;
* "gmpopenh264.dll", however, is NOT digitally signed!
[*] see <https://wiki.mozilla.org/GeckoMediaPlugins>
Mitigations:
~~~~~~~~~~~~
0) until Mozilla starts to develop a sense for (their users') safety
and security and installs (a digitally signed) "gmpopenh264.dll"
in "%ProgramFiles%\Mozilla Firefox\gmp-openh264\1.4", stay away from
their products!
1) if you can't, open <about:config> and edit/set
media.gmp-gmpopenh264.provider.enabled to false
You have to set this preference in ALL Mozilla profiles!
2) fortunately there's a global preference too:
a) create a text file "presets.js" in the installation directory
of Mozilla Firefox (typically "%ProgramFiles%\Mozilla Firefox\")
and add the following lines:
defaultPref("media.gmp-gmpopenh264.enabled", false);
defaultPref("media.gmp-gmpopenh264.provider.enabled", false);
b) create a subdirectory "\Defaults\Prefs\" in the installation
directory.
c) create a text file "local-settings.js" in this subdirectory and
add the following lines:
pref("general.config.filename", "presets.js");
pref("general.config.obscure_value", 0);
This file lets Mozilla Firefox use the "presets.js" created
before.
3) if you generally don't want executables stored in (Windows) user
profiles to be run, use one or both of the following techniques:
a) enable SAFER alias Software Protection Policy or AppLocker
and create a rule to deny execution in "%USERPROFILE%" and
below.
b) add the inheritable NTFS ACE "(D;OIIO;WP;;;WD)"[*] to every
"%USERPROFILE%" and "%ALLUSERSPROFILE%" alias "%ProgramData%".
Yes, this stops self-extracting installers which unpack their
payload to %TEMP%; but these are flawed per concept too!
If you need to support such crap, consider removing the USER
environment variables %TEMP% and %TMP% of the administrator
account. The administrator will then use the system's %TEMP%
alias %SystemRoot%\Temp.
[*] this is the SDDL notation for "deny execution of files in this
directory and its subdirectories for all users"
stay tuned
Stefan Kanthak
PS: see <http://seclists.org/fulldisclosure/2015/Aug/7> if you missed
part 1
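Added example (editor's code, not part of Stefan Kanthak's post): a PowerShell
script that audits the points the post makes, namely which "gmpopenh264.dll"
copies exist in the user's Firefox profiles, whether each is Authenticode-signed
(compared with the Mozilla-shipped "clearkey.dll" under %ProgramFiles%), and
whether the current user can write to it; with the -ApplyDenyExecute switch it
also applies the ACE "(D;OIIO;WP;;;WD)" from mitigation 3b as a
FileSystemAccessRule. It assumes the default profile location
%APPDATA%\Mozilla\Firefox\Profiles and a Firefox installed under %ProgramFiles%
(use ${env:ProgramFiles(x86)} for a 32-bit build on 64-bit Windows); the function
names and the switch name are this example's own.

```powershell
# Added example (not from the original post): audit Firefox profiles for the
# user-writable "gmpopenh264.dll" described above and, on request, add the
# deny-execute ACE "(D;OIIO;WP;;;WD)" from mitigation 3b.
# Assumptions (not stated in the post): profiles live under
# %APPDATA%\Mozilla\Firefox\Profiles, Firefox is installed under %ProgramFiles%,
# and the function/switch names below are this example's own.
param(
    [switch]$ApplyDenyExecute   # report only unless this switch is given
)

# Approximate check whether the current user can write a file: look for an
# ACE granting WriteData to the user's own SID or one of its group SIDs.
# Deny ACEs win; the finer points of inheritance ordering are ignored here.
function Test-UserCanWrite {
    param([Parameter(Mandatory)][string]$Path)
    $id      = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids    = @($id.User) + @($id.Groups)
    $write   = [System.Security.AccessControl.FileSystemRights]::WriteData
    $allowed = $false
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        } catch { continue }   # unresolvable (orphaned) SIDs are skipped
        if (($sids -contains $sid) -and (($ace.FileSystemRights -band $write) -ne 0)) {
            if ($ace.AccessControlType -eq 'Deny') { return $false }
            $allowed = $true
        }
    }
    return $allowed
}

# One row per OpenH264 DLL found in a profile, plus the Mozilla-shipped
# clearkey DLL under %ProgramFiles% for comparison.
function Get-GmpDllReport {
    param([string]$ProfileRoot = (Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'))
    $dlls = @()
    if (Test-Path -Path $ProfileRoot) {
        $dlls += Get-ChildItem -Path $ProfileRoot -Recurse -File -Filter 'gmpopenh264.dll' -ErrorAction SilentlyContinue
    }
    $clearkey = Join-Path $env:ProgramFiles 'Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll'
    if (Test-Path -Path $clearkey) { $dlls += Get-Item -Path $clearkey }
    foreach ($dll in $dlls) {
        $sig = Get-AuthenticodeSignature -FilePath $dll.FullName
        [pscustomobject]@{
            Path         = $dll.FullName
            Signature    = $sig.Status        # 'NotSigned' is what the post reports for OpenH264
            Signer       = $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '-' })
            UserWritable = Test-UserCanWrite -Path $dll.FullName
        }
    }
}

# Mitigation 3b as an access rule. Field by field, "(D;OIIO;WP;;;WD)" is:
#   D    = ACCESS_DENIED_ACE_TYPE         -> AccessControlType Deny
#   OIIO = OBJECT_INHERIT | INHERIT_ONLY   -> ObjectInherit, InheritOnly
#          (files below inherit it; the directory object itself is not affected)
#   WP   = 0x20 = FILE_EXECUTE for files   -> FileSystemRights ExecuteFile
#   WD   = World, i.e. Everyone            -> S-1-1-0
function Add-DenyExecuteAce {
    param([Parameter(Mandatory)][string]$Directory)
    $everyone = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList 'S-1-1-0'
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $everyone, 'ExecuteFile', 'ObjectInherit', 'InheritOnly', 'Deny'
    $acl = Get-Acl -Path $Directory
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Directory -AclObject $acl
    # Round-trip check: the SDDL form of the descriptor now carries the ACE from the post
    return ($acl.Sddl -like '*(D;OIIO;WP;;;WD)*')
}

Get-GmpDllReport | Format-Table -AutoSize

if ($ApplyDenyExecute) {
    # The post applies this to %USERPROFILE% and %ALLUSERSPROFILE% (%ProgramData%);
    # the latter needs an elevated shell. Caveat from the post: this also breaks
    # self-extracting installers that unpack their payload to %TEMP%.
    foreach ($dir in @($env:USERPROFILE, $env:ProgramData)) {
        try {
            $ok = Add-DenyExecuteAce -Directory $dir
            Write-Output ("{0}: deny-execute ACE present = {1}" -f $dir, $ok)
        } catch {
            Write-Warning ("{0}: {1}" -f $dir, $_.Exception.Message)
        }
    }
}
```

Run it without arguments first: a row showing Signature = NotSigned and
UserWritable = True for a DLL under %APPDATA% is exactly the condition the post
describes, while clearkey.dll should show a Mozilla signer and UserWritable =
False. Only then decide whether the deny-execute ACE, with the %TEMP% side
effect the post warns about, is acceptable for the machine.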