Full Disclosure mailing list archives

Mozilla Thunderbird installer can be used to execute malicious executable
From: <auto167445 () hushmail com>
Date: Wed, 09 Apr 2008 01:17:15 +0200

Mozilla Thunderbird installer can be used to execute malicious executable

Tested:
Thunderbird 2.0.0.12 (english) Win32 (latest release)
Win2k (german)
WinXP (english, admin account)

After installation the user is prompted with:
[x] Launch Mozilla Thunderbird now

If user continues, installer calls e.g.:
C:\Program Files\Mozilla Thunderbird\thunderbird.exe

It has not been checked which method of calling is used, WinExec()
or CreateProcess() or similar; both have a similar problem,
described here:

http://msdn2.microsoft.com/en-us/library/ms995319.aspx (April 2001)

... The executable name is treated as the first white space-delimited
string in lpCmdLine. If the executable or path name has a space in it
however, there is a risk that a malicious executable could be run if the
spaces are not properly handled. ...

... If a malicious user were to create a Trojan program called
"Program.exe" on a system, any program that incorrectly calls WinExec [
or CreateProcess] using the Program Files directory will now launch the
Trojan instead of the intended application. ...

Thunderbird installer does not care about that.

Simple example using a small application written in Visual Basic 6:

1. Compile as new project (or just use notepad.exe or similar):

Private Sub Form_Load()
    MsgBox Command
End Sub

2. Copy executable to C:\Program.exe (english windows) or to e.g.
C:\Programme\Mozilla.exe (german windows) or similar locations for
other languages.

3. Use TB installer and let it launch Thunderbird after
installation.

4. Not Thunderbird but our (malicious) executable is launched.

Best use in Win2k as everybody can place files in C:\ or the drive
where Win2k is installed.

Notified vendor/bugzilla: No, feel free if you like...
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
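
Added example (not part of the original post, and not Mozilla's or Microsoft's code): a simplified model of the parsing the MSDN excerpt describes. It lists every file name an unquoted command line can resolve to, so those locations can be audited, and shows the quoted form that removes the ambiguity. The function names candidate() and quoted_cmdline() are hypothetical, and the model assumes the command line is a bare path with no arguments.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model (assumption: cmd is a bare path with no arguments).
 * Writes the n-th (0-based) file name an unquoted command line can
 * resolve to: the text before the (n+1)-th space, or the whole string
 * last, with ".exe" appended when the file name has no extension.
 * Returns 1 if such a candidate exists and fits in out, else 0. */
int candidate(const char *cmd, int n, char *out, size_t outsz)
{
    size_t len = strlen(cmd);
    for (size_t i = 1; i <= len; i++) {
        if (cmd[i] != ' ' && cmd[i] != '\0')
            continue;               /* not a token boundary */
        if (n-- > 0)
            continue;               /* skip earlier boundaries */
        if (i + 5 > outsz)
            return 0;               /* need room for ".exe" and NUL */
        memcpy(out, cmd, i);
        out[i] = '\0';
        const char *base = strrchr(out, '\\');
        base = base ? base + 1 : out;
        if (!strchr(base, '.'))
            strcat(out, ".exe");
        return 1;
    }
    return 0;
}

/* Hardened form: wrap the path in double quotes so only one file name
 * can match. Returns 1 on success, 0 if out is too small. */
int quoted_cmdline(const char *path, char *out, size_t outsz)
{
    int n = snprintf(out, outsz, "\"%s\"", path);
    return n > 0 && (size_t)n < outsz;
}

int main(void)
{
    /* Path taken from the post. */
    const char *cmd = "C:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe";
    char buf[260];
    for (int n = 0; candidate(cmd, n, buf, sizeof buf); n++)
        printf("resolution candidate %d: %s\n", n, buf);
    if (quoted_cmdline(cmd, buf, sizeof buf))
        printf("unambiguous lpCmdLine: %s\n", buf);
    return 0;
}
```

The last candidate printed is the intended executable; any earlier candidate that exists on disk is the file that would run instead.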

