Date: Fri, 5 Mar 2021 23:45:45 +0100
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <fulldisclosure@...lists.org>
Cc: bugtraq@...urityfocus.com
Subject: [FD] Unholy CRAP: Mozilla's executable installers

Hi @ll,

back in 2015 and 2016, I disclosed several BLOODY beginner's errors
alias epic failures in Mozilla's PERMANENTLY vulnerable executable
installers for Windows, built by completely incompetent tinkerers:

* Defense in depth -- the Mozilla way: return and exit codes are dispensable
  <https://www.securityfocus.com/archive/1/534881> alias
  <https://seclists.org/bugtraq/2015/Mar/74> and
  <https://seclists.org/fulldisclosure/2015/Mar/90>

* Arbitrary code execution resp. escalation of privilege with Mozilla's SETUP.EXE
  <https://www.securityfocus.com/archive/1/536778> alias
  <https://seclists.org/bugtraq/2015/Oct/123> and
  <https://seclists.org/fulldisclosure/2015/Oct/109>

* Mozilla doesn't care for upstream security fixes, and doesn't bother to send own security fixes upstream
  <https://www.securityfocus.com/archive/1/538220> alias
  <https://seclists.org/bugtraq/2016/Apr/161> and
  <https://seclists.org/fulldisclosure/2016/May/2>

* [CVE-2014-1520] NOT FIXED: privilege escalation via Mozilla's executable installers
  <https://www.securityfocus.com/archive/1/538679> alias
  <https://seclists.org/bugtraq/2016/Jun/60>
  <https://seclists.org/fulldisclosure/2016/Jun/27>

The Register picked it up:
<https://www.theregister.co.uk/2015/11/03/dev_to_mozilla_please_dump_ancient_windows_install_processes/>

In the meantime more than 5 years have passed, but Mozilla still has
ABSOLUTELY no clue and continues to put its poor unsuspecting victims
at risk.

JFTR: the well-known weaknesses demonstrated below are classified as
      - CWE-377: Insecure Temporary File
        <https://cwe.mitre.org/data/definitions/377.html>
      - CWE-379: Creation of Temporary File in Directory with Incorrect Permissions
        <https://cwe.mitre.org/data/definitions/379.html>

Proof
~~~~~

0. Log on to a current installation of Windows 10 20H* under the user
   account created during Windows setup.

1. Download the (executable) online or offline installers for Mozilla
   Firefox (<https://www.mozilla.org/en/firefox/download/thanks/> or
   <https://www.mozilla.org/en/firefox/all/#product-desktop-release>)
   and the (executable) offline installer for Mozilla Thunderbird
   (<https://www.thunderbird.net/en-US/thunderbird/all/#product-desktop-release>),
   then save them in your "Downloads" directory.

2. Start Windows Explorer, open the "Downloads" directory, then right-
   click the downloaded installers to open their context menu and click
   "Properties".
   Switch to the "Digital Signatures" tab of the "Properties" dialog
   box and notice the SHA-1 only signature: OUCH!

   Mozilla, please quit your CA/B forum membership, NOW and forever!

   JFTR: Windows 8[.1] (released 2012) and Windows 10 (released 2015)
         support SHA-2 signatures out-of-the-box.
         Even Windows 7, which went out of extended support in January
         2020, supports SHA-2 signatures since October 14, 2014, when
         update <https://support.microsoft.com/en-us/kb/2949927> was
         published and distributed via Windows Update.

   Microsoft deprecated and abandoned SHA-1 only certificates and
   signatures in 2019, after announcing this step back in 2013!

3. Start a command prompt in the "Downloads" directory and run the
   following command line to show the version string of the program
   used to build the executable installers from their application
   manifest:

   FINDSTR.exe /C:"</description>" /E "Firefox Installer.exe" "Firefox*Setup*.exe" "Thunderbird*Setup*.exe"

   | Firefox Installer.exe:<description>7-Zip Self-extracting Archive v18.05</description>
   | Firefox Setup ....exe:<description>7-Zip Self-extracting Archive v18.05</description>
   | Thunderbird Setup ....exe:<description>7-Zip Self-extracting Archive v18.05</description>

   OUCH: Mozilla builds their executable installers with the superseded,
         unsupported and possibly^Wdefinitely vulnerable version 18.05
         of 7-Zip, released April 30, 2018.

   The current version 19.00 of 7-Zip was released February 21, 2019,
   more than 2 years ago.

   As already reported in 2016, Mozilla's tinkerers don't care for
   upstream fixes!

4. Run the following (block of) command lines to modify the NTFS ACL
   of your "Temp" directory to deny execution of files beyond it,
   change its path temporarily and execute the self-extractors:

   ICACLS.exe "%TMP%" /Deny *S-1-1-0:(IO)(OI)(X)
   FOR %? IN ("Firefox Installer.exe" "Firefox*Setup*.exe") DO @"%~f?"
   SET TMP=NUL:
   FOR %? IN ("Thunderbird*Setup*.exe") DO @"%~f?"
   SET TMP=%TEMP%

   Admire the 2 error message boxes (but DON'T close them yet):

   | 7-Zip                [X]
   |
   | (X) Access is denied.          
   |
   |                [ OK ]

   | 7-Zip                                         [X]
   |
   | (X) The system cannot find the file specified.
   |
   |                                         [ OK ]

   OUCH: access is denied where, and which file cannot be found?

5. Run the following (block of) command lines to list the files and
   directories extracted to your "Temp" directory as well as their
   owner and permissions:
 
   FOR /D %? IN ("%TMP%\7zS*") DO @(
   DIR "%?" /A /Q
   ICACLS.EXE "%?"
   ICACLS.EXE "%?\setup*.exe")

   | Directory of C:\Users\Stefan\AppData\Local\Temp\7zSCA76A1C1
   |
   | 03/05/2021   6:13 PM <DIR>       AMNESIAC\Stefan      .
   ...
   | 02/22/2021   5:15 PM             AMNESIAC\Stefan  476.472 setup-stub.exe
   ...
   | C:\Users\Stefan\AppData\Local\Temp\7zSCA76A1C1 Everyone:(I)(OI)(IO)(DENY)(S,X)
   |                                                NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
   |                                                BUILTIN\Administrators:(I)(OI)(CI)(F)
   |                                                AMNESIAC\Stefan:(I)(OI)(CI)(F)
   |
   | Successfully processed 1 files; Failed processing 0 files
   |
   | C:\Users\Stefan\AppData\Local\Temp\7zSCA76A1C1\setup-stub.exe Everyone:(I)(OI)(IO)(DENY)(S,X)
   |                                                               NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
   |                                                               BUILTIN\Administrators:(I)(OI)(CI)(F)
   |                                                               AMNESIAC\Stefan:(I)(OI)(CI)(F)
   |
   | Successfully processed 1 files; Failed processing 0 files

   OUCH: the 7-Zip self-extractor fails to create directories and
         extracted files with proper permissions, allowing either
         the "denial of service" demonstrated here or the
         "escalation of privilege" already shown in 2015.

   OUCH: the 7-Zip self-extractor fails to check that extraction of
         its payload succeeds, there's only one subdirectory 7zS*
         present in %TEMP%, another "denial of service".

   Did I already state that 7-Zip is VULNERABLE crap, written by an
   incompetent kid that doesn't know the 101 of computer programming?

   Mozilla, abandon the use of such CRAP!

6. Run the following (block of) command lines to copy the extracted
   setup*.exe to your "Downloads" directory, determine its version
   from the embedded application manifest, and execute it:

   FOR /D %? IN ("%TMP%\7zS*") DO @COPY "%?\setup*.exe"
   FINDSTR.exe /C:"<?xml version=" setup*.exe
   FOR %? IN (setup.exe setup-stub.exe) DO @"%~f?"

   |         1 file(s) copied.
   | [...]<description>Nullsoft Install System v3.01</description>[...]

   OUCH: the payload of the VULNERABLE 7-Zip self-extractor is built
         with the superseded, unsupported and possibly^Wdefinitely
         vulnerable version 3.01 of the Nullsoft Install System,
         released December 11, 2016; its current version is but 3.06.1,
         released July 31, 2020!

   Hey, you kids at Mozilla, are you sure that nobody fixes bugs and
   vulnerabilities in the course of 60 months and at least 5 releases!

7. Close the 2 open error message boxes from 7-Zip, then admire the
   error message box displayed from setup.exe or setup-stub.exe (but
   DON'T close it yet):

   | Setup                                                   [X]
   |
   |    Sorry, Firefox can't be installed. This version of
   |    Firefox requires Microsoft Windows 7 or newer.
   |    Please click the OK button for additional information.
   |
   |                                       [  OK  ] [ Cancel ]

   OUCH: VERY FUNNY, setup*.exe is actually running on Windows 10!

   Did I already state that NSIS too is VULNERABLE crap, written by an
   incompetent kid that doesn't know the 101 of computer programming?

   Hey Mozilla, abandon the use of such CRAP!

8. Run the following (block of) command lines to determine the cause
   for the bogus error message:

   FOR /D %? IN ("%TMP%\ns*.tmp") DO @(
   DIR "%?" /A /Q
   ICACLS.exe "%?" /T)

   |  Directory of C:\Users\Stefan\AppData\Local\Temp\nsx8C5E.tmp
   |
   | 03/05/2021   6:15 PM <DIR>       AMNESIAC\Stefan      .
   ...
   | 03/05/2021   6:15 PM             AMNESIAC\Stefan   11.776 System.dll
   ...
   | C:\Users\Stefan\AppData\Local\Temp\nsx8C5E.tmp Everyone:(I)(OI)(IO)(DENY)(S,X)
   |                                                NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
   |                                                BUILTIN\Administrators:(I)(OI)(CI)(F)
   |                                                AMNESIAC\Stefan:(I)(OI)(CI)(F)
   |
   | C:\Users\Stefan\AppData\Local\Temp\nsx8C5E.tmp\System.dll Everyone:(I)(DENY)(S,X)
   |                                                           NT AUTHORITY\SYSTEM:(I)(F)
   |                                                           BUILTIN\Administrators:(I)(F)
   |                                                           AMNESIAC\Stefan:(I)(F)
   |
   | Successfully processed 2 files; Failed processing 0 files

   Ouch: NSIS too uses the "Temp" directory to create a subdirectory
         and extract executable files it tries to load later, but
         fails to create them with proper permissions!

9. Finally close the bogus error message box and run the following
   command line to remove the NTFS ACE added in step 4:

   ICACLS.exe "%TMP%" /Remove:d *S-1-1-0

stay tuned, and far away from executable installers as well as crap from Mozilla, NSIS and 7-Zip
Stefan Kanthak

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
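The procedure above drives the 7-Zip SFX and the NSIS stub through an ACL-restricted %TMP% to show where they extract and with which (inherited) permissions. As an added example that is not part of Stefan Kanthak's post, the PowerShell script below shows the defensive counterpart: give the installer a private scratch directory with an explicit, non-inherited DACL before TMP/TEMP point at it, then report the exit code and any 7zS*/ns*.tmp leftovers. The helper names New-PrivateTemp and Invoke-InstallerWithPrivateTemp and the -Installer parameter are my own.

```powershell
# Added example, not part of Stefan Kanthak's post: a defensive wrapper that
# runs an executable installer with a private scratch directory whose DACL is
# set explicitly (inheritance cut) before TMP/TEMP point at it, then reports
# what the 7-Zip SFX / NSIS stub left behind. Helper names are my own.
param([Parameter(Mandatory = $true)][string]$Installer)

function New-PrivateTemp {
    # Explicit, non-inherited DACL: current user, SYSTEM (S-1-5-18) and
    # Administrators (S-1-5-32-544) only; no entry at all for Everyone (S-1-1-0).
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    $path = Join-Path $env:LOCALAPPDATA ('inst-' + [guid]::NewGuid().ToString('N'))
    $dir  = New-Item -ItemType Directory -Path $path
    $acl  = Get-Acl -LiteralPath $dir.FullName
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting, keep nothing
    $flags = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    foreach ($sid in @($me, 'S-1-5-18', 'S-1-5-32-544')) {
        $id   = [System.Security.Principal.SecurityIdentifier]$sid
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, 'FullControl', $flags, 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $dir.FullName -AclObject $acl
    return $dir.FullName
}

function Invoke-InstallerWithPrivateTemp {
    param([string]$Exe)
    $tmp   = New-PrivateTemp
    $saved = @{ TMP = $env:TMP; TEMP = $env:TEMP }
    try {
        # GetTempPath() honours TMP before TEMP, so both are redirected.
        $env:TMP = $tmp; $env:TEMP = $tmp
        $proc = Start-Process -FilePath $Exe -Wait -PassThru
        # Anything still under $tmp afterwards is a CWE-377 leftover; the
        # post's 7zS* and ns*.tmp directories are what to look for.
        $left = Get-ChildItem -LiteralPath $tmp -Recurse -Force |
                Select-Object -ExpandProperty FullName
        [pscustomobject]@{ ExitCode = $proc.ExitCode; TempDir = $tmp; Leftovers = $left }
    } finally {
        $env:TMP = $saved.TMP; $env:TEMP = $saved.TEMP
    }
}

Invoke-InstallerWithPrivateTemp -Exe $Installer | Format-List
```

The scratch directory is deliberately left in place so its contents and ACL can be inspected with DIR /Q and ICACLS as in steps 5 and 8. If the installer requests UAC elevation, confirm that the extracted 7zS*/ns*.tmp directories really land under the reported TempDir and not under the elevating account's %TEMP% before relying on this DACL.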