[<prev] [next>] [day] [month] [year] [list]
Message-ID: <DDA12F4228F64EA29012F6D5E7CA2B41@W340>
Date: Wed, 28 Oct 2015 20:04:23 +0100
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <fulldisclosure@...lists.org>
Cc: <bugtraq@...urityfocus.com>
Subject: Arbitrary code execution resp. escalation of privilege with Mozilla's SETUP.EXE
Hi @ll,
Mozilla's (executable) full setup packages for Windows allow arbitrary
code execution resp. escalation of privilege: their SETUP.EXE loads
SHFOLDER.DLL ['] from a temporary (sub)directory "%TEMP%\7zS<hex>.tmp\"
created during self-extraction of the full setup packages.
This vulnerability is well-known, every developer past absolute beginner
should know about it: <https://capec.mitre.org/data/definitions/471.html>
See <https://bugzilla.mozilla.org/show_bug.cgi?id=792106> for all the
trouble Mozilla's developers went through to fix this vulnerability in
the 7zip self-extractor.
See <https://bugzilla.mozilla.org/show_bug.cgi?id=961676> for this
vulnerability in their maintenance_installer.exe.
Proof of concept:
~~~~~~~~~~~~~~~~~
1. fetch any Mozilla full setup package (these are self-extracting
archives built with 7zip), for example "Firefox Setup 38.3.0esr.exe"
from <https://www.mozilla.org/en-US/firefox/organizations/all/>
2. extract this full setup package into an arbitrary directory, for
example "%TEMP%\7zSxyz.tmp", using (again for example)
7za.exe x -o"%TEMP%\7zSxyz.tmp" "Firefox Setup 38.3.0esr.exe"
3. fetch <http://home.arcor.de/skanthak/download/SENTINEL.DLL>
(see <http://home.arcor.de/skanthak/sentinel.html>) and save it
as "%TEMP%\7zSxyz.tmp\shfolder.dll"
4. start "%TEMP%\7zSxyz.tmp\setup.exe" per double-click:
the installer detection of Windows user account control (see
<https://technet.microsoft.com/en-us/library/dd835540.aspx#BKMK_InstDet>)
will chime in and prompt for consent resp. for an administrator
password, then "%TEMP%\7zSxyz.tmp\setup.exe" loads
"%TEMP%\7zSxyz.tmp\shfolder.dll" which displays a message box
Mitigation(s):
~~~~~~~~~~~~~~
0. DON'T USE EXECUTABLE INSTALLERS [²]!
If your favourite applications are not distributed in the native
installer package format of the resp. target OS: ask^WURGE their
vendors/developers to provide native installation packages.
If they don't: dump these applications, stay away from such software!
1. Turn off privilege elevation for standard users and installer
detection for all users:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorUser"=dword:00000000 ; Automatically deny elevation requests
"EnableInstallerDetection"=dword:00000000
See <https://technet.microsoft.com/en-us/library/dd835564.aspx>
2. deny execution in all "%TEMP%" directories and their subdirectories:
* add the NTFS ACE "(D;OIIO;WP;;;WD)" meaning "deny execution of
files in this directory for everyone, inheritable to all files
in all subdirectories" (use CACLS.EXE /SDDL for example);
* use "software restriction policies" resp. AppLocker.
stay tuned
Stefan Kanthak
PS: Mozilla sits on this unfixed vulnerability for about 30 months:
see <https://bugzilla.mozilla.org/show_bug.cgi?id=861012>
['] SHFOLDER.DLL is cruft from the last millennium, it was used on
Windows 9x without Internet Explorer 4; see
<https://support.microsoft.com/en-us/kb/241733>
DONT USE the code shown in this MSKB article!
See <https://msdn.microsoft.com/en-us/library/ff919712.aspx>,
<https://msdn.microsoft.com/en-us/library/ms682586.aspx> and
<https://technet.microsoft.com/en-us/library/2269637.aspx>
[²] self-extracting archives and executable installers are flawed^W
insanely stupid in concept and dangerous in practice.
DON'T USE SUCH CRUFT!
ALWAYS use the resp. platforms native package and archive format.
For Windows these are .INF (plus .CAB) and .MSI (plus .CAB),
introduced 20 years ago (with Windows 95 and Windows NT4) resp.
16 years ago (with Office 2000).
Both .INF and .MSI are "opened" by programs residing in
%SystemRoot%\System32\ which are therefore immune to this kind of
"DLL (and EXE) Search Order Hijacking" attack.
Since both .INF and .MSI can access the contents of .CAB directly
they eliminate the attack vector "unsafe temporary directory" too.
See <http://home.arcor.de/skanthak/temp/FIREFOX.INF> and
<http://home.arcor.de/skanthak/temp/FIREFOX.DDF> as example of a
native installer package for "Firefox 38.3.0 ESR (x86 de)":
1.a. create FIREFOX.CAB from the unpacked full setup package
(see above; I used the german language version): run the
command line
MAKECAB.EXE /D SourceDir="%TEMP%\7zS<hex>.tmp\core" /F FIREFOX.DDF
1.b. create FIREFOX.CAB from the copy installed on your system:
run the command line
MAKECAB.EXE /D SourceDir="%ProgramFiles%\Mozilla Firefox" /F FIREFOX.DDF
2. install Firefox from FIREFOX.CAB: right-click FIREFOX.INF and
then click "Install", or run the command line
InfDefaultInstall.Exe "<path>\FIREFOX.INF"
resp.
RunDll32.Exe SetupAPI.Dll,InstallHinfSection DefaultInstall 132 <path>\FIREFOX.INF
Powered by blists - more mailing lists