mailing list archives
Mozilla Thunderbird installer can be used to execute malicious executable
From: <auto167445 () hushmail com>
Date: Wed, 09 Apr 2008 01:17:15 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Mozilla Thunderbird installer can be used to execute malicious
Thunderbird 184.108.40.206 (english) Win32 (latest release)
WinXP (english, admin account)
After installation the user is prompted with:
[x] Launch Mozilla Thunderbird now
If user continues, installer calls e.g.:
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
It has not been checked, which method of calling is used, WinExec()
or CreateProcess() or similar, both have a similar problem,
http://msdn2.microsoft.com/en-us/library/ms995319.aspx (April 2001)
... The executable name is treated as the first white space-
string in lpCmdLine. If the executable or path name has a space in
however, there is a risk that a malicious executable could be run
spaces are not properly handled. ...
... If a malicious user were to create a Trojan program called
"Program.exe" on a system, any program that incorrectly calls
or CreateProcess] using the Program Files directory will now launch
Trojan instead of the intended application. ...
Thunderbird installer does not care about that.
Simple example using a small application written in Visual Basic 6:
1. Compile as new project (or just use notepad.exe or similar):
Private Sub Form_Load()
2. Copy executable to C:\Program.exe (english windows) or to e.g.
C:\Programme\Mozilla.exe (german windows) or similar locations for
3. Use TB installer and let it launch Thunderbird after
4. Not Thunderbird but our (malicious) executable is launched.
Best use in Win2k as everybody can place files in C:\ or the drive
where Win2k is installed.
Notified vendor/bugzilla: No, feel free if you like...
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 3.0
-----END PGP SIGNATURE-----
Click here to find experienced pros to help with your home improvement project.
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
- Mozilla Thunderbird installer can be used to execute malicious executable auto167445 (Apr 08)