Mozilla SETUP.EXE DLL Injection

Type packetstorm
Reporter Stefan Kanthak
Modified 2015-10-29T00:00:00


                                            `Hi @ll,  
Mozilla's (executable) full setup packages for Windows allow arbitrary  
code execution resp. escalation of privilege: their SETUP.EXE loads  
SHFOLDER.DLL ['] from a temporary (sub)directory "%TEMP%\7zS<hex>.tmp\"  
created during self-extraction of the full setup packages.  
This vulnerability is well-known, every developer past absolute beginner  
should know about it: <>  
See <> for all the  
trouble Mozilla's developers went through to fix this vulnerability in  
the 7zip self-extractor.  
See <> for this  
vulnerability in their maintenance_installer.exe.  
Proof of concept:  
1. fetch any Mozilla full setup package (these are self-extracting  
archives built with 7zip), for example "Firefox Setup 38.3.0esr.exe"  
from <>  
2. extract this full setup package into an arbitrary directory, for  
example "%TEMP%\7zSxyz.tmp", using (again for example)  
7za.exe x -o"%TEMP%\7zSxyz.tmp" "Firefox Setup 38.3.0esr.exe"  
3. fetch <>  
(see <>) and save it  
as "%TEMP%\7zSxyz.tmp\shfolder.dll"  
4. start "%TEMP%\7zSxyz.tmp\setup.exe" per double-click:  
the installer detection of Windows user account control (see  
will chime in and prompt for consent resp. for an administrator  
password, then "%TEMP%\7zSxyz.tmp\setup.exe" loads  
"%TEMP%\7zSxyz.tmp\shfolder.dll" which displays a message box  
If your favourite applications are not distributed in the native  
installer package format of the resp. target OS: ask^WURGE their  
vendors/developers to provide native installation packages.  
If they don't: dump these applications, stay away from such software!  
1. Turn off privilege elevation for standard users and installer  
detection for all users:  
"ConsentPromptBehaviorUser"=dword:00000000 ; Automatically deny elevation requests  
See <>  
2. deny execution in all "%TEMP%" directories and their subdirectories:  
* add the NTFS ACE "(D;OIIO;WP;;;WD)" meaning "deny execution of  
files in this directory for everyone, inheritable to all files  
in all subdirectories" (use CACLS.EXE /SDDL for example);  
* use "software restriction policies" resp. AppLocker.  
stay tuned  
Stefan Kanthak  
PS: Mozilla sits on this unfixed vulnerability for about 30 months:  
see <>  
['] SHFOLDER.DLL is cruft from the last millennium, it was used on  
Windows 9x without Internet Explorer 4; see  
DONT USE the code shown in this MSKB article!  
See <>,  
<> and  
[²] self-extracting archives and executable installers are flawed^W  
insanely stupid in concept and dangerous in practice.  
ALWAYS use the resp. platforms native package and archive format.  
For Windows these are .INF (plus .CAB) and .MSI (plus .CAB),  
introduced 20 years ago (with Windows 95 and Windows NT4) resp.  
16 years ago (with Office 2000).  
Both .INF and .MSI are "opened" by programs residing in  
%SystemRoot%\System32\ which are therefore immune to this kind of  
"DLL (and EXE) Search Order Hijacking" attack.  
Since both .INF and .MSI can access the contents of .CAB directly  
they eliminate the attack vector "unsafe temporary directory" too.  
See <> and  
<> as example of a  
native installer package for "Firefox 38.3.0 ESR (x86 de)":  
1.a. create FIREFOX.CAB from the unpacked full setup package  
(see above; I used the german language version): run the  
command line  
MAKECAB.EXE /D SourceDir="%TEMP%\7zS<hex>.tmp\core" /F FIREFOX.DDF  
1.b. create FIREFOX.CAB from the copy installed on your system:  
run the command line  
MAKECAB.EXE /D SourceDir="%ProgramFiles%\Mozilla Firefox" /F FIREFOX.DDF  
2. install Firefox from FIREFOX.CAB: right-click FIREFOX.INF and  
then click "Install", or run the command line  
InfDefaultInstall.Exe "<path>\FIREFOX.INF"  
RunDll32.Exe SetupAPI.Dll,InstallHinfSection DefaultInstall 132 <path>\FIREFOX.INF