Full Disclosure mailing list archives
Mozilla Thunderbird installer can be used to execute malicious executable
From: <auto167445 () hushmail com>
Date: Wed, 09 Apr 2008 01:17:15 +0200
Mozilla Thunderbird installer can be used to execute malicious executable

Tested:
Thunderbird 2.0.0.12 (English) Win32 (latest release)
Win2k (German)
WinXP (English, admin account)

After installation the user is prompted with:

[x] Launch Mozilla Thunderbird now

If user continues, installer calls e.g.:

C:\Program Files\Mozilla Thunderbird\thunderbird.exe

It has not been checked, which method of calling is used, WinExec() or CreateProcess() or similar, both have a similar problem, described here:

http://msdn2.microsoft.com/en-us/library/ms995319.aspx (April 2001)

... The executable name is treated as the first white space-delimited string in lpCmdLine. If the executable or path name has a space in it however, there is a risk that a malicious executable could be run if the spaces are not properly handled. ...

... If a malicious user were to create a Trojan program called "Program.exe" on a system, any program that incorrectly calls WinExec [ or CreateProcess] using the Program Files directory will now launch the Trojan instead of the intended application. ...

Thunderbird installer does not care about that.

Simple example using a small application written in Visual Basic 6:

1. Compile as new project (or just use notepad.exe or similar):

    Private Sub Form_Load()
        MsgBox Command
    End Sub

2. Copy executable to C:\Program.exe (English Windows) or to e.g. C:\Programme\Mozilla.exe (German Windows) or similar locations for other languages.

3. Use TB installer and let it launch Thunderbird after installation.

4. Not Thunderbird but our (malicious) executable is launched.

Best use in Win2k as everybody can place files in C:\ or the drive where Win2k is installed.

Notified vendor/bugzilla: No, feel free if you like...
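As an added illustration (not part of the original post, and not Mozilla's code), the following sketch models the documented way an unquoted command line is resolved when no separate application name is passed, so an installed launch command can be audited for unexpected files at the ambiguous locations. The function names and the injected `exists` callback are assumptions made for this example.

```python
import ntpath
import os
import re

def candidate_executables(cmdline):
    """Paths tried, in order, for a command line passed without a separate
    application name: each whitespace-delimited prefix, with ".exe" appended
    when the prefix has no extension. A quoted path has exactly one reading."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return [cmdline[1:end if end != -1 else None]]
    candidates = []
    for m in re.finditer(r"\s+|$", cmdline):
        prefix = cmdline[:m.start()]
        if not prefix:
            continue
        if not ntpath.splitext(prefix)[1]:
            prefix += ".exe"
        candidates.append(prefix)
    return candidates

def unintended_hits(cmdline, intended, exists=os.path.exists):
    """Return files that exist at a candidate location tried before the
    intended executable. Run on the Windows host being audited."""
    hits = []
    for cand in candidate_executables(cmdline):
        if ntpath.normcase(cand) == ntpath.normcase(intended):
            break  # reached the real target; later prefixes are arguments
        if exists(cand):
            hits.append(cand)
    return hits

if __name__ == "__main__":
    # Path taken from the post; the "planted" set below is constructed sample data.
    tb = r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe"
    planted = {r"C:\Program.exe"}
    print(candidate_executables(tb))
    print(unintended_hits(tb, tb, exists=lambda p: p in planted))
    print(candidate_executables('"' + tb + '"'))  # quoted: single candidate
```

Any hit reported by `unintended_hits` is a file that would run in place of the intended program; quoting the executable path in the command line, or passing it as the explicit application name, removes the ambiguity.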