[tbb-bugs] #12736 [Tor Browser]: DLL hijacking vulnerability in TBB

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Jul 29 15:24:23 UTC 2014

#12736: DLL hijacking vulnerability in TBB
 Reporter:  underdoge                            |          Owner:  tbb-team
     Type:  defect                               |         Status:  new
 Priority:  normal                               |      Milestone:
Component:  Tor Browser                          |        Version:  Tor: unspecified
 Keywords:  DLL-Hijack, vulnerability, code      |  Actual Points:
  execution                                      |         Points:
Parent ID:                                       |
 The current version of TBB is vulnerable to DLL hijacking. Vanilla Firefox
 is NOT vulnerable.
 Steps to reproduce:
 1) Create a malicious dll (source code for example is added)
 2) Rename the malicious dll to ".DLL" using the command-line tool ren.exe,
 because Windows Explorer prohibits such names
 3) Place ".DLL" into a folder listed in the %PATH% environment variable
 4) Start DbgView.exe (a tool from Microsoft) to get text outputs from the
 5) Start Tor Browser Bundle

 You will now see something similar to:
 HIJACKDLL (C:\...\.DLL) Started from:
 C:\...\TorBrowser\Browser\firefox.exe as user Admin

 This bug will probably also be triggered when TBB is registered as a
 default file handler and the malicious dll is in the same folder as the
 file opened by TBB. See
 http://msdn.microsoft.com/en-us/library/windows/desktop/ms682586(v=vs.85).aspx
 for more information about DLL load order. But I haven't confirmed it yet,
 because I don't know in which cases the TBB could be opened as a default
 file handler. Carpet Bombing might also be possible.
 http://www.dhanjani.com/blog/2008/05

 A possible attack scenario would be an attacker who shares a URL link file
 in a folder along with a hidden ".DLL" and the victim opens the URL link
 file with TBB. Native code execution can then be used to unmask the user.

 ".DLL" smells like sprintf(DLLToLoad, "%s.DLL", EmptyDLLString)

 Tested on:
 Tor Browser 3.6.3-Windows

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/12736>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
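
Added example, not part of the original ticket and not Tor Browser or Firefox code: the name-building pattern the reporter guesses at, next to a checked builder and a loader that skips the search path. The helper names build_name_unchecked, build_name_checked and load_system_dll are hypothetical; the Windows-only part assumes the wanted module lives in System32.

```c
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Pattern the ticket guesses at: an empty base name still formats to ".DLL",
 * a bare file name that the loader resolves through the DLL search order. */
static int build_name_unchecked(char *out, size_t cap, const char *base)
{
    return snprintf(out, cap, "%s.DLL", base);
}

/* Hypothetical hardened builder: rejects empty names and any character that
 * is not a plain file-name character. Returns 0 on success, -1 on rejection. */
static int build_name_checked(char *out, size_t cap, const char *base)
{
    static const char ok[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_-";
    size_t n = base ? strlen(base) : 0;
    if (out == NULL || n == 0 || strspn(base, ok) != n)
        return -1;                      /* "" would have become ".DLL" */
    if (n + sizeof ".DLL" > cap)        /* sizeof includes the NUL */
        return -1;
    memcpy(out, base, n);
    memcpy(out + n, ".DLL", sizeof ".DLL");
    return 0;
}

#ifdef _WIN32
/* Resolve the name in System32 only; the current directory and %PATH% are
 * not searched. */
static HMODULE load_system_dll(const char *base)
{
    char name[64];
    if (build_name_checked(name, sizeof name, base) != 0)
        return NULL;
    return LoadLibraryExA(name, NULL, LOAD_LIBRARY_SEARCH_SYSTEM32);
}
#endif

int main(void)
{
    char name[64];
    build_name_unchecked(name, sizeof name, "");
    printf("unchecked: \"%s\"\n", name);
    printf("checked:   %d\n", build_name_checked(name, sizeof name, ""));
    return 0;
}
```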
