Re: [FD] Mozilla extensions: a security nightmare

["Stefan Kanthak" <stefan.kanthak () nexgo de>]

"Mario Vilas" <mvilas () gmail com> wrote:

> If it can only be written by your own user, what would be the
> security boundary being crossed here?

Please read AGAIN what I already wrote!

| The security boundary created by privilege separation

ie. Administrator/root vs. "user"

| and installation of executables in write-protected locations.

ie. %ProgramFiles% or /usr/bin, where only privileged users can write.

regards
Stefan

PS: top-posting is EVIL too!

On Wed, Aug 5, 2015 at 5:33 PM, Stefan Kanthak <stefan.kanthak () nexgo de>
wrote:

> "Mario Vilas" <mvilas () gmail com> wrote:
>
> > %APPDATA% is within the user's home directory - by default it should
> > not be writeable by other users.
>
> Did I mention OTHER users?
> Clearly not, so your "argument" is moot.
>
> > If this is the case then the problem is one of bad file permissions,
> > not the location.
> >
> > Incidentally, many other browsers and tons of software also store
> > executable code in %APPDATA%.
>
> Cf. <http://seclists.org/fulldisclosure/2013/Aug/198>
>
> EVERY program which stores executable code in user-writable locations
> is CRAPWARE and EVIL since it undermines the security boundary created
> by privilege separation and installation of executables in write-protected
> locations.
> Both are BASIC principles of computer security.
>
> > I think "security nightmare" may be a bit of an overstatement here.
>
> No, it's just the right wording since it violates two basic principles.
>
> > I'll refrain from panicking about this "issue" for the time being.
>
> JFTR: top posting is a bad habit too!
>
> On Tue, Aug 4, 2015 at 3:22 PM, Stefan Kanthak <stefan.kanthak () nexgo de>
> wrote:
>
> > Hi @ll,
> >
> > Mozilla Thunderbird 38 and newer installs and activates per default
> > the 'Lightning' extension.
> >
> > Since extensions live in the (Firefox and) Thunderbird profiles
> > (which are stored beneath %APPDATA% in Windows) and 'Lightning' comes
> > (at least for Windows) with a DLL and some Javascript, Thunderbird
> > with 'Lightning' violates one of the mandatory and basic requirements
> > of the now 20 year old "Designed for Windows" guidelines and breaks a
> > security boundary: applications must be installed in %ProgramFiles%
> > where they are protected against tampering by unprivileged users (and
> > of course malware running in their user accounts too) since only
> > privileged users can write there.
> >
> > Code installed in %APPDATA% (or any other user-writable location) is
> > but not protected against tampering.
> > This is a fundamental flaw of (not only) Mozilla's extensions, and a
> > security nightmare.
> >
> > Separation of code from (user) data also allows to use whitelisting
> > (see <https://technet.microsoft.com/en-us/library/bb457006.aspx> for
> > example) to secure Windows desktops and servers: users (and of course
> > Windows too) don't need to run code stored in their user profiles,
> > they only need to run the installed programs/applications, so unwanted
> > software including malware can easily be blocked from running.
> >
> > JFTR: current software separates code from data in virtual memory and
> >       uses "write xor execute" or "data execution prevention" to
> >       prevent both tampering of code and execution of data.
> >       The same separation and protection can and of course needs to be
> >       applied to code and data stored in the file system too!
> >
> > The Lightning extension for Windows but defeats the tamper protection
> > and code/data separation provided by Windows:
> >
> > 1. its calbasecomps.dll can be replaced or overwritten with an
> >    arbitrary DLL which DllMain() is executed every time this DLL is
> >    loaded;
> >
> > 2. its (XUL/chrome) Javascripts can be replaced or overwritten and
> >    used to load and call arbitrary DLLs via js-ctypes.
> >
> >    Only non-XUL/chrome Javascript is less critical since its execution
> >    is confined by (Firefox and) Thunderbird and subject to the
> >    restrictions imposed by these programs for non-XUL/chrome Javascript.
> >
> >
> > Mitigation(s):
> > ~~~~~~~~~~~~~~
> >
> > Disable profile local installation of extensions in Mozilla products,
> > enable ONLY application global installation of extensions.
> >
> > stay tuned
> > Stefan Kanthak
> >
> > _______________________________________________
> > Sent through the Full Disclosure mailing list
> > https://nmap.org/mailman/listinfo/fulldisclosure
> > Web Archives & RSS: http://seclists.org/fulldisclosure/



-- 
"There's a reason we separate military and the police: one fights the enemy
of the state, the other serves and protects the people. When the military
becomes both, then the enemies of the state tend to become the people."