Date: Tue, 9 Jul 2019 23:00:57 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <fulldisclosure@...lists.org>
Cc: bugtraq@...urityfocus.com
Subject: [FD] Mozilla's MSI installers: FUBAR (that's spelled "fucked-up beyond all repair")

Hi @ll,

Mozilla finally provides MSI installers for their just released
Firefox 68 and Firefox 68 ESR for Windows:
<https://archive.mozilla.org/pub/firefox/releases/68.0/win32/de/Firefox%20Setup%2068.0.msi>
<https://archive.mozilla.org/pub/firefox/releases/68.0esr/win32/de/Firefox%20Setup%2068.0esr.msi>

These MSI installers are but DEFECTIVE, VULNERABLE and a bluff:
Mozilla just wrapped their (UPX-compressed) 7-zip self-extractors,
which unpack the final NSIS installer to %TEMP% and run it from
there, preserving but all their already reported deficiencies and
vulnerabilities: see (among others)
<https://seclists.org/fulldisclosure/2018/Feb/58>
<https://seclists.org/fulldisclosure/2016/Jun/27>

Demonstration:
~~~~~~~~~~~~~~
In the user account created during Windows setup, add the NTFS
ACL "(D;OIIO;WP;;;WD)" meaning "deny execution of files for
everybody, inheritable to files in all subdirectories" to your
%TEMP%\ directory, then run the MSI installer.

As soon as the error dialog "7-Zip: (x) Access Denied!" is shown
peek into %SystemRoot%\Installer\ and your %TEMP%\ directory:

- the most recent "%SystemRoot%\Installer\MSI<4 hex digits>.tmp"
  is the UPX-compressed 7-zip self-extractor which is wrapped in
  the bogus MSI installer;

- this 7-zip self-extractor is run (elevated!) with the following
  command line:
  MSI*.tmp /S /TaskbarShortcut=true /DesktopShortcut=true /StartMenuShortcut=true /MaintenanceService=true /RemoveDistribution=true /PreventRebootRequired=false /OptionalExtensions=true /LaunchedFromMSI

- it creates an UNPROTECTED subdirectory %TEMP%\7zS<8 hex digits>\
  which inherits the NTFS ACL from its parent %TEMP%\, thus
  granting full access for the (unprivileged) user account, who
  can tamper with the extracted files in any way, then runs (here:
  tries to run) the extracted "%TEMP%\7zS<8 hex digits>\setup.exe"
  elevated.


stay tuned, and FAR away from Mozilla's crap!
Stefan Kanthak
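The deny-execute ACE from the demonstration above, scripted as an added example (not part of Stefan's post or of any Mozilla tooling): it applies the "(D;OIIO;WP;;;WD)" entry to %TEMP%, checks that files created in new subdirectories inherit it (which is why the extracted setup.exe fails with "Access Denied"), and provides a rollback. It assumes PowerShell 5 or later on Windows and a session owned by the user whose %TEMP% is being hardened; the function names are my own.

```powershell
# Added example: apply, verify and remove the deny-execute ACE the post
# describes on %TEMP%. Each SDDL field of "(D;OIIO;WP;;;WD)" is mapped
# to its .NET equivalent below.
$ace = [System.Security.AccessControl.FileSystemAccessRule]::new(
    [System.Security.Principal.SecurityIdentifier]'S-1-1-0',           # WD  = Everyone
    [System.Security.AccessControl.FileSystemRights]::ExecuteFile,      # WP  = execute file
    [System.Security.AccessControl.InheritanceFlags]::ObjectInherit,    # OI  = inherit to files
    [System.Security.AccessControl.PropagationFlags]::InheritOnly,      # IO  = not effective on %TEMP% itself
    [System.Security.AccessControl.AccessControlType]::Deny)            # D   = deny

function Add-TempDenyExecute {
    param([string]$Path = $env:TEMP)
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($ace)
    Set-Acl -Path $Path -AclObject $acl
}

function Remove-TempDenyExecute {
    # Rollback: installers and updaters that unpack to %TEMP% will not run
    # while the rule is in place, so remove it when the check is done.
    param([string]$Path = $env:TEMP)
    $acl = Get-Acl -Path $Path
    [void]$acl.RemoveAccessRule($ace)
    Set-Acl -Path $Path -AclObject $acl
}

function Test-TempDenyExecute {
    # Create a throwaway subdirectory (standing in for 7zS<8 hex digits>\)
    # with a file in it and report whether the file carries an inherited
    # deny-ExecuteFile entry for Everyone. Compares SIDs so it works on
    # non-English Windows where the account is not called "Everyone".
    param([string]$Path = $env:TEMP)
    $dir  = Join-Path $Path ('aclcheck-' + [guid]::NewGuid().ToString('N'))
    $file = Join-Path $dir 'probe.exe'
    New-Item -ItemType Directory -Path $dir | Out-Null
    Set-Content -Path $file -Value 'constructed placeholder, not a real executable'
    try {
        $hit = (Get-Acl -Path $file).Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and $_.IsInherited -and
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-1-0' -and
            ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ExecuteFile)
        }
        return [bool]$hit
    } finally {
        Remove-Item -Path $dir -Recurse -Force
    }
}

Add-TempDenyExecute
Write-Host "Inherited deny-execute on new files under %TEMP%: $(Test-TempDenyExecute)"
# Remove-TempDenyExecute   # uncomment to restore the original ACL
```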
