exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Mozilla Arbitrary Code Execution / Privilege Escalation

Mozilla Arbitrary Code Execution / Privilege Escalation
Posted Mar 9, 2021
Authored by Stefan Kanthak

Mozilla has a flurry of random vulnerabilities surrounding their installers that haven't been addressed in quite some time.

tags | advisory, vulnerability
advisories | CVE-2014-1520
SHA-256 | b102795220f359831e9aaf51558fd518c42ae77372b502782bce1f141699f749

Mozilla Arbitrary Code Execution / Privilege Escalation

Change Mirror Download
Hi @ll,

back in 2015 and 2016, I disclosed several BLOODY beginner's errors
alias epic failures in Mozilla's PERMANENTLY vulnerable executable
installers for Windows, built by completely incompetent tinkerers:

* Defense in depth -- the Mozilla way: return and exit codes are dispensable
<https://www.securityfocus.com/archive/1/534881> alias
<https://seclists.org/bugtraq/2015/Mar/74> and
<https://seclists.org/fulldisclosure/2015/Mar/90>

* Arbitrary code execution resp. escalation of privilege with Mozilla's SETUP.EXE
<https://www.securityfocus.com/archive/1/536778> alias
<https://seclists.org/bugtraq/2015/Oct/123> and
<https://seclists.org/fulldisclosure/2015/Oct/109>

* Mozilla doesn't care for upstream security fixes, and doesn't bother to send own security fixes upstream
<https://www.securityfocus.com/archive/1/538220> alias
<https://seclists.org/bugtraq/2016/Apr/161> and
<https://seclists.org/fulldisclosure/2016/May/2>

* [CVE-2014-1520] NOT FIXED: privilege escalation via Mozilla's executable installers
<https://www.securityfocus.com/archive/1/538679> alias
<https://seclists.org/bugtraq/2016/Jun/60>
<https://seclists.org/fulldisclosure/2016/Jun/27>

The Register picked it up:
<https://www.theregister.co.uk/2015/11/03/dev_to_mozilla_please_dump_ancient_windows_install_processes/>

In the meantime more than 5 years have passed, but Mozilla still has
ABSOLUTELY no clue and continues to put its poor unsuspecting victims
at risk.

JFTR: the well-known weaknesses demonstrated below are classified as
- CWE-377: Insecure Temporary File
<https://cwe.mitre.org/data/definitions/377.html>
- CWE-379: Creation of Temporary File in Directory with Incorrect Permissions
<https://cwe.mitre.org/data/definitions/379.html>

Proof
~~~~~

0. Log on to a current installation of Windows 10 20H* under the user
account created during Windows setup.

1. Download the (executable) online or offline installers for Mozilla
Firefox (<https://www.mozilla.org/en/firefox/download/thanks/> or
<https://www.mozilla.org/en/firefox/all/#product-desktop-release>)
and the (executable) offline installer for Mozilla Thunderbird
(<https://www.thunderbird.net/en-US/thunderbird/all/#product-desktop-release>),
then save them in your "Downloads" directory.

2. Start Windows Explorer, open the "Downloads" directory, then right-
click the downloaded installers to open their context menu and click
"Properties".
Switch to the "Digital Signatures" tab of the "Properties" dialog
box and notice the SHA-1 only signature: OUCH!

Mozilla, please quit your CA/B forum membership, NOW and forever!

JFTR: Windows 8[.1] (released 2012) and Windows 10 (released 2015)
support SHA-2 signatures out-of-the-box.
Even Windows 7, which went out of extended support in January
2020, supports SHA-2 signatures since October 14, 2014, when
update <https://support.microsoft.com/en-us/kb/2949927> was
published and distributed via Windows Update.

Microsoft deprecated and abandoned SHA-1 only certificates and
signatures in 2019, after announcing this step back in 2013!

3. Start a command prompt in the "Downloads" directory and run the
following command line to show the version string of the program
used to build the executable installers from their application
manifest:

FINDSTR.exe /C:"</description>" /E "Firefox Installer.exe" "Firefox*Setup*.exe" "Thunderbird*Setup*.exe"

| Firefox Installer.exe:<description>7-Zip Self-extracting Archive v18.05</description>
| Firefox Setup ....exe:<description>7-Zip Self-extracting Archive v18.05</description>
| Thunderbird Setup ....exe:<description>7-Zip Self-extracting Archive v18.05</description>

OUCH: Mozilla builds their executable installers with the superseded,
unsupported and possibly^Wdefinitely vulnerable version 18.05
of 7-Zip, released April 30, 2018.

The current version 19.00 of 7-Zip was released February 21, 2019,
more that 2 years ago.

As already reported in 2016, Mozilla's tinkerers don't care for
upstream fixes!

4. Run the following (block of) command lines to modify the NTFS ACL
of your "Temp" directory to deny execution of files beyond it,
change its path temporarily and execute the self-extractors:

ICACLS.exe "%TMP%" /Deny *S-1-1-0:(IO)(OI)(X)
FOR %? IN ("Firefox Installer.exe" "Firefox*Setup*.exe") DO @"%~f?"
SET TMP=NUL:
FOR %? IN ("Thunderbird*Setup*.exe") DO @"%~f?"
SET TMP=%TEMP%

Admire the 2 error message boxes (but DON'T close them yet):

| 7-Zip [X]
|
| (X) Access is denied.
|
| [ OK ]

| 7-Zip [X]
|
| (X) The system cannot find the file specified.
|
| [ OK ]

OUCH: access is denied where, and which file cannot be found?

5. Run the following (block of) command lines to list the files and
directories extracted to your "Temp" directory as well as their
owner and permissions:

FOR /D %? IN ("%TMP%\7zS*") DO @(
DIR "%?" /A /Q
ICACLS.EXE "%?"
ICACLS.EXE "%?\setup*.exe")

| Directory of C:\Users\Stefan\AppData\Local\Temp\7zSCA76A1C1
|
| 03/05/2021 6:13 PM <DIR> AMNESIAC\Stefan .
...
| 02/22/2021 5:15 PM AMNESIAC\Stefan 476.472 setup-stub.exe
...
| C:\Users\Stefan\AppData\Local\Temp\7zSCA76A1C1 Everyone:(I)(OI)(IO)(DENY)(S,X)
| NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
| BUILTIN\Administrators:(I)(OI)(CI)(F)
| AMNESIAC\Stefan:(I)(OI)(CI)(F)
|
| Successfully processed 1 files; Failed processing 0 files
|
| C:\Users\Stefan\AppData\Local\Temp\7zSCA76A1C1\setup-stub.exe Everyone:(I)(OI)(IO)(DENY)(S,X)
| NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
| BUILTIN\Administrators:(I)(OI)(CI)(F)
| AMNESIAC\Stefan:(I)(OI)(CI)(F)
|
| Successfully processed 1 files; Failed processing 0 files

OUCH: the 7-Zip self-extractor fails to create directories and
extracted files with proper permissions, allowing either
the "denial of service" demonstrated here or the
"escalation of privilege" already shown in 2015.

OUCH: the 7-Zip self-extractor fails to check that extraction of
its payload succeeds, there's only one subdirectory 7zS*
present in %TEMP%, another "denial of service".

Did I already state that 7-Zip is VULNERABLE crap, written by an
incompetent kid that doesn't know the 101 of computer programming?

Mozilla, abandon to use such CRAP!

6. Run the following (block of) command lines to copy the extracted
setup*.exe to your "Downloads" directory, determine its version
from the embedded application manifest, and execute it:

FOR /D %? IN ("%TMP%\7zS*") DO @COPY "%?\setup*.exe"
FINDSTR.exe /C:"<?xml version=" setup*.exe
FOR %? IN (setup.exe setup-stub.exe) DO @"%~f?"

| 1 file(s) copied.
| [...]<description>Nullsoft Install System v3.01</description>[...]

OUCH: the payload of the VULNERABLE 7-Zip self-extractor is built
with the superseded, unsupported and possibly^Wdefinitely
vulnerable version 3.01 of the Nullsoft Install System,
released December 11, 2016; its current version is but 3.06.1,
released July 31, 2020!

Hey, you kids at Mozilla, are you sure that nobody fixes bugs and
vulnerabilities in the course of 60 months and at least 5 releases!

7. Close the 2 open error message boxes from 7-Zip, then admire the
error message box displayed from setup.exe or setup-stub.exe (but
DON'T close it yet):

| Setup [X]
|
| Sorry, Firefox can't be installed. This version of
| Firefox requires Microsoft Windows 7 or newer.
| Please click the OK button for additional information.
|
| [ OK ] [ Cancel ]

OUCH: VERY FUNNY, setup*.exe is actually running on Windows 10!

Did I already state that NSIS too is VULNERABLE crap, written by an
incompetent kid that doesn't know the 101 of computer programming?

Hey Mozilla, abandon to use such CRAP!

8. Run the following (block of) command lines to determine the cause
for the bogus error message:

FOR /D %? IN ("%TMP%\ns*.tmp") DO @(
DIR "%?" /A /Q
ICACLS.exe "%?" /T)

| Directory of C:\Users\Stefan\AppData\Local\Temp\nsx8C5E.tmp
|
| 03/05/2021 6:15 PM <DIR> AMNESIAC\Stefan .
...
| 03/05/2021 6:15 PM AMNESIAC\Stefan 11.776 System.dll
...
| C:\Users\Stefan\AppData\Local\Temp\nsx8C5E.tmp Everyone:(I)(OI)(IO)(DENY)(S,X)
| NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
| BUILTIN\Administrators:(I)(OI)(CI)(F)
| AMNESIAC\Stefan:(I)(OI)(CI)(F)
|
| C:\Users\Stefan\AppData\Local\Temp\nsx8C5E.tmp\System.dll Everyone:(I)(DENY)(S,X)
| NT AUTHORITY\SYSTEM:(I)(F)
| BUILTIN\Administrators:(I)(F)
| AMNESIAC\Stefan:(I)(F)
|
| Successfully processed 2 files; Failed processing 0 files

Ouch: NSIS too uses the "Temp" directory to create a subdirectory
and extract executable files it tries to load later, but
fails to create them with proper permissions!

9. Finally close the bogus error message box and run the following
command line to remove the NTFS ACE added in step 4:

ICACLS.exe "%TMP%" /Remove:d *S-1-1-0

stay tuned, and far away from executable installers as well as crap from Mozilla, NSIS and 7-Zip
Stefan Kanthak


Login or Register to add favorites

File Archive:

June 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    0 Files
  • 2
    Jun 2nd
    0 Files
  • 3
    Jun 3rd
    18 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    57 Files
  • 7
    Jun 7th
    6 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    12 Files
  • 11
    Jun 11th
    27 Files
  • 12
    Jun 12th
    38 Files
  • 13
    Jun 13th
    16 Files
  • 14
    Jun 14th
    14 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    16 Files
  • 18
    Jun 18th
    26 Files
  • 19
    Jun 19th
    15 Files
  • 20
    Jun 20th
    18 Files
  • 21
    Jun 21st
    8 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close