Message-ID: <36A950FB3F1E47B8A97E4FC9EEAFADD4@H270>
Date: Fri, 5 Mar 2021 23:45:45 +0100
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <fulldisclosure@...lists.org>
Cc: bugtraq@...urityfocus.com
Subject: [FD] Unholy CRAP: Moziila's executable installers
Hi @ll,
back in 2015 and 2016, I disclosed several BLOODY beginner's errors
alias epic failures in Mozilla's PERMANENTLY vulnerable executable
installers for Windows, built by completely incompetent tinkerers:
* Defense in depth -- the Mozilla way: return and exit codes are dispensable
<https://www.securityfocus.com/archive/1/534881> alias
<https://seclists.org/bugtraq/2015/Mar/74> and
<https://seclists.org/fulldisclosure/2015/Mar/90>
* Arbitrary code execution resp. escalation of privilege with Mozilla's SETUP.EXE
<https://www.securityfocus.com/archive/1/536778> alias
<https://seclists.org/bugtraq/2015/Oct/123> and
<https://seclists.org/fulldisclosure/2015/Oct/109>
* Mozilla doesn't care for upstream security fixes, and doesn't bother to send own security fixes upstream
<https://www.securityfocus.com/archive/1/538220> alias
<https://seclists.org/bugtraq/2016/Apr/161> and
<https://seclists.org/fulldisclosure/2016/May/2>
* [CVE-2014-1520] NOT FIXED: privilege escalation via Mozilla's executable installers
<https://www.securityfocus.com/archive/1/538679> alias
<https://seclists.org/bugtraq/2016/Jun/60>
<https://seclists.org/fulldisclosure/2016/Jun/27>
The Register picked it up:
<https://www.theregister.co.uk/2015/11/03/dev_to_mozilla_please_dump_ancient_windows_install_processes/>
In the meantime more than 5 years have passed, but Mozilla still has
ABSOLUTELY no clue and continues to put its poor unsuspecting victims
at risk.
JFTR: the well-known weaknesses demonstrated below are classified as
- CWE-377: Insecure Temporary File
<https://cwe.mitre.org/data/definitions/377.html>
- CWE-379: Creation of Temporary File in Directory with Incorrect Permissions
<https://cwe.mitre.org/data/definitions/379.html>
Proof
~~~~~
0. Log on to a current installation of Windows 10 20H* under the user
account created during Windows setup.
1. Download the (executable) online or offline installers for Mozilla
Firefox (<https://www.mozilla.org/en/firefox/download/thanks/> or
<https://www.mozilla.org/en/firefox/all/#product-desktop-release>)
and the (executable) offline installer for Mozilla Thunderbird
(<https://www.thunderbird.net/en-US/thunderbird/all/#product-desktop-release>),
then save them in your "Downloads" directory.
2. Start Windows Explorer, open the "Downloads" directory, then right-
click the downloaded installers to open their context menu and click
"Properties".
Switch to the "Digital Signatures" tab of the "Properties" dialog
box and notice the SHA-1 only signature: OUCH!
Mozilla, please quit your CA/B forum membership, NOW and forever!
JFTR: Windows 8[.1] (released 2012) and Windows 10 (released 2015)
support SHA-2 signatures out-of-the-box.
Even Windows 7, which went out of extended support in January
2020, supports SHA-2 signatures since October 14, 2014, when
update <https://support.microsoft.com/en-us/kb/2949927> was
published and distributed via Windows Update.
Microsoft deprecated and abandoned SHA-1 only certificates and
signatures in 2019, after announcing this step back in 2013!
3. Start a command prompt in the "Downloads" directory and run the
following command line to show the version string of the program
used to build the executable installers from their application
manifest:
FINDSTR.exe /C:"</description>" /E "Firefox Installer.exe" "Firefox*Setup*.exe" "Thunderbird*Setup*.exe"
| Firefox Installer.exe:<description>7-Zip Self-extracting Archive v18.05</description>
| Firefox Setup ....exe:<description>7-Zip Self-extracting Archive v18.05</description>
| Thunderbird Setup ....exe:<description>7-Zip Self-extracting Archive v18.05</description>
OUCH: Mozilla builds their executable installers with the superseded,
unsupported and possibly^Wdefinitely vulnerable version 18.05
of 7-Zip, released April 30, 2018.
The current version 19.00 of 7-Zip was released February 21, 2019,
more than 2 years ago.
As already reported in 2016, Mozilla's tinkerers don't care for
upstream fixes!
4. Run the following (block of) command lines to modify the NTFS ACL
of your "Temp" directory to deny execution of files beyond it,
change its path temporarily and execute the self-extractors:
ICACLS.exe "%TMP%" /Deny *S-1-1-0:(IO)(OI)(X)
FOR %? IN ("Firefox Installer.exe" "Firefox*Setup*.exe") DO @"%~f?"
SET TMP=NUL:
FOR %? IN ("Thunderbird*Setup*.exe") DO @"%~f?"
SET TMP=%TEMP%
Admire the 2 error message boxes (but DON'T close them yet):
| 7-Zip [X]
|
| (X) Access is denied.
|
| [ OK ]
| 7-Zip [X]
|
| (X) The system cannot find the file specified.
|
| [ OK ]
OUCH: access is denied where, and which file cannot be found?
5. Run the following (block of) command lines to list the files and
directories extracted to your "Temp" directory as well as their
owner and permissions:
FOR /D %? IN ("%TMP%\7zS*") DO @(
DIR "%?" /A /Q
ICACLS.EXE "%?"
ICACLS.EXE "%?\setup*.exe")
| Directory of C:\Users\Stefan\AppData\Local\Temp\7zSCA76A1C1
|
| 03/05/2021 6:13 PM <DIR> AMNESIAC\Stefan .
...
| 02/22/2021 5:15 PM AMNESIAC\Stefan 476.472 setup-stub.exe
...
| C:\Users\Stefan\AppData\Local\Temp\7zSCA76A1C1 Everyone:(I)(OI)(IO)(DENY)(S,X)
| NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
| BUILTIN\Administrators:(I)(OI)(CI)(F)
| AMNESIAC\Stefan:(I)(OI)(CI)(F)
|
| Successfully processed 1 files; Failed processing 0 files
|
| C:\Users\Stefan\AppData\Local\Temp\7zSCA76A1C1\setup-stub.exe Everyone:(I)(OI)(IO)(DENY)(S,X)
| NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
| BUILTIN\Administrators:(I)(OI)(CI)(F)
| AMNESIAC\Stefan:(I)(OI)(CI)(F)
|
| Successfully processed 1 files; Failed processing 0 files
OUCH: the 7-Zip self-extractor fails to create directories and
extracted files with proper permissions, allowing either
the "denial of service" demonstrated here or the
"escalation of privilege" already shown in 2015.
OUCH: the 7-Zip self-extractor fails to check that extraction of
its payload succeeds, there's only one subdirectory 7zS*
present in %TEMP%, another "denial of service".
Did I already state that 7-Zip is VULNERABLE crap, written by an
incompetent kid that doesn't know the 101 of computer programming?
Mozilla, abandon the use of such CRAP!
6. Run the following (block of) command lines to copy the extracted
setup*.exe to your "Downloads" directory, determine its version
from the embedded application manifest, and execute it:
FOR /D %? IN ("%TMP%\7zS*") DO @COPY "%?\setup*.exe"
FINDSTR.exe /C:"<?xml version=" setup*.exe
FOR %? IN (setup.exe setup-stub.exe) DO @"%~f?"
| 1 file(s) copied.
| [...]<description>Nullsoft Install System v3.01</description>[...]
OUCH: the payload of the VULNERABLE 7-Zip self-extractor is built
with the superseded, unsupported and possibly^Wdefinitely
vulnerable version 3.01 of the Nullsoft Install System,
released December 11, 2016; its current version is but 3.06.1,
released July 31, 2020!
Hey, you kids at Mozilla, are you sure that nobody fixes bugs and
vulnerabilities in the course of 60 months and at least 5 releases?
7. Close the 2 open error message boxes from 7-Zip, then admire the
error message box displayed from setup.exe or setup-stub.exe (but
DON'T close it yet):
| Setup [X]
|
| Sorry, Firefox can't be installed. This version of
| Firefox requires Microsoft Windows 7 or newer.
| Please click the OK button for additional information.
|
| [ OK ] [ Cancel ]
OUCH: VERY FUNNY, setup*.exe is actually running on Windows 10!
Did I already state that NSIS too is VULNERABLE crap, written by an
incompetent kid that doesn't know the 101 of computer programming?
Hey Mozilla, abandon the use of such CRAP!
8. Run the following (block of) command lines to determine the cause
for the bogus error message:
FOR /D %? IN ("%TMP%\ns*.tmp") DO @(
DIR "%?" /A /Q
ICACLS.exe "%?" /T)
| Directory of C:\Users\Stefan\AppData\Local\Temp\nsx8C5E.tmp
|
| 03/05/2021 6:15 PM <DIR> AMNESIAC\Stefan .
...
| 03/05/2021 6:15 PM AMNESIAC\Stefan 11.776 System.dll
...
| C:\Users\Stefan\AppData\Local\Temp\nsx8C5E.tmp Everyone:(I)(OI)(IO)(DENY)(S,X)
| NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
| BUILTIN\Administrators:(I)(OI)(CI)(F)
| AMNESIAC\Stefan:(I)(OI)(CI)(F)
|
| C:\Users\Stefan\AppData\Local\Temp\nsx8C5E.tmp\System.dll Everyone:(I)(DENY)(S,X)
| NT AUTHORITY\SYSTEM:(I)(F)
| BUILTIN\Administrators:(I)(F)
| AMNESIAC\Stefan:(I)(F)
|
| Successfully processed 2 files; Failed processing 0 files
Ouch: NSIS too uses the "Temp" directory to create a subdirectory
and extract executable files it tries to load later, but
fails to create them with proper permissions!
9. Finally close the bogus error message box and run the following
command line to remove the NTFS ACE added in step 4:
ICACLS.exe "%TMP%" /Remove:d *S-1-1-0
stay tuned, and far away from executable installers as well as crap from Mozilla, NSIS and 7-Zip
Stefan Kanthak
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
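Editor's note: the following triage helper is an added example, not code from the post or from Mozilla, 7-Zip or NSIS. It parses ICACLS output of the kind shown in steps 5 and 8 and reports, for each directory or executable an installer dropped into "Temp", which principals other than SYSTEM, Administrators and TrustedInstaller can modify it (the CWE-379 condition), skipping DENY entries and inherit-only (IO) entries, which grant nothing on the object itself. The sample text is constructed to mirror the post's output; the single-ACE fallback assumes the principal contains no space.

```python
import re

# An ACE as ICACLS prints it: "principal:(flag)(flag)...(rights)"; principals hold no ':' or parens.
ACE_RE = re.compile(r"^(?P<principal>[^:()]+):(?P<flags>(?:\([^()]*\))+)$")
# Rights that let a principal replace or alter an object, or drop files into a directory.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "D", "WDAC", "WO"}
TRUSTED = {r"NT AUTHORITY\SYSTEM", r"BUILTIN\Administrators", r"NT SERVICE\TrustedInstaller"}

def parse_ace(text):
    """Split "AMNESIAC\\Stefan:(I)(OI)(CI)(F)" into ("AMNESIAC\\Stefan", {"I", "OI", "CI", "F"})."""
    m = ACE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparsable ACE: {text!r}")
    groups = re.findall(r"\(([^()]*)\)", m["flags"])
    return m["principal"].strip(), {t.strip() for g in groups for t in g.split(",")}

def parse_icacls(output):
    """ICACLS output -> {path: [(principal, flags), ...]}.  ICACLS pads every ACE after
    the first to the column where the first began, which tells us where the path ends."""
    acl, block = {}, []
    def flush():
        if block:
            first, rest = block[0], block[1:]
            col = (len(rest[0]) - len(rest[0].lstrip()) if rest
                   else first.rfind(" ", 0, first.rfind(":")) + 1)  # single ACE: assumes no space in principal
            acl[first[:col].rstrip()] = [parse_ace(first[col:])] + [parse_ace(r) for r in rest]
            block.clear()
    for line in output.splitlines():
        if not line.startswith(" "):  # blank line, summary line or new path ends the entry
            flush()
        if line.strip() and not line.startswith("Successfully"):
            block.append(line)
    flush()
    return acl

def writable_by_untrusted(acl):
    """CWE-379 check: principals outside TRUSTED that can modify each object.  DENY and
    (IO) inherit-only entries grant nothing on the object itself, so they are skipped."""
    return {path: bad for path, aces in acl.items() if (bad := [
        p for p, f in aces if "DENY" not in f and "IO" not in f and p not in TRUSTED and f & WRITE_RIGHTS])}

# Constructed sample mirroring the ICACLS output in the post, laid out as ICACLS prints it.
def icacls_block(path, first, *rest):
    return [path + " " + first] + [" " * (len(path) + 1) + a for a in rest] + [""]
SAMPLE_DIR = r"C:\Users\Stefan\AppData\Local\Temp\7zSCA76A1C1"
SAMPLE = "\n".join(
    icacls_block(SAMPLE_DIR, "Everyone:(I)(OI)(IO)(DENY)(S,X)", r"NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)",
                 r"BUILTIN\Administrators:(I)(OI)(CI)(F)", r"AMNESIAC\Stefan:(I)(OI)(CI)(F)")
    + icacls_block(SAMPLE_DIR + r"\setup-stub.exe", "Everyone:(I)(DENY)(S,X)", r"NT AUTHORITY\SYSTEM:(I)(F)",
                   r"BUILTIN\Administrators:(I)(F)", r"AMNESIAC\Stefan:(I)(F)"))
```

Run against `ICACLS.exe "%TMP%\7zS*" /T` or `ICACLS.exe "%TMP%\ns*.tmp" /T` output saved to a file; on the sample it flags the logged-on user as able to overwrite both the extraction directory and setup-stub.exe, which is exactly what lets anything running in that user's session tamper with the payload before it executes.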