Hi @ll,

Mozilla's (executable) full setup packages for Windows allow arbitrary
code execution resp. escalation of privilege: their SETUP.EXE loads
SHFOLDER.DLL ['] from a temporary (sub)directory "%TEMP%\7zS<hex>.tmp\"
created during self-extraction of the full setup packages.

This vulnerability is well-known, every developer past absolute beginner
should know about it: <https://capec.mitre.org/data/definitions/471.html>

See <https://bugzilla.mozilla.org/show_bug.cgi?id=792106> for all the
trouble Mozilla's developers went through to fix this vulnerability in
the 7zip self-extractor.
See <https://bugzilla.mozilla.org/show_bug.cgi?id=961676> for this
vulnerability in their maintenance_installer.exe.


Proof of concept:
~~~~~~~~~~~~~~~~~

1. fetch any Mozilla full setup package (these are self-extracting
   archives built with 7zip), for example "Firefox Setup 38.3.0esr.exe"
   from <https://www.mozilla.org/en-US/firefox/organizations/all/>

2. extract this full setup package into an arbitrary directory, for
   example "%TEMP%\7zSxyz.tmp", using (again for example)
      7za.exe x -o"%TEMP%\7zSxyz.tmp" "Firefox Setup 38.3.0esr.exe"

3. fetch <http://home.arcor.de/skanthak/download/SENTINEL.DLL>
   (see <http://home.arcor.de/skanthak/sentinel.html>) and save it
   as "%TEMP%\7zSxyz.tmp\shfolder.dll"

4. start "%TEMP%\7zSxyz.tmp\setup.exe" per double-click:
   the installer detection of Windows user account control (see
   <https://technet.microsoft.com/en-us/library/dd835540.aspx#BKMK_InstDet>)
   will chime in and prompt for consent resp. for an administrator
   password, then "%TEMP%\7zSxyz.tmp\setup.exe" loads
   "%TEMP%\7zSxyz.tmp\shfolder.dll" which displays a message box


Mitigation(s):
~~~~~~~~~~~~~~

0. DON'T USE EXECUTABLE INSTALLERS [²]!

   If your favourite applications are not distributed in the native
   installer package format of the resp. target OS: ask^WURGE their
   vendors/developers to provide native installation packages.
   If they don't: dump these applications, stay away from such software!

1. Turn off privilege elevation for standard users and installer
   detection for all users:

   [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
   "ConsentPromptBehaviorUser"=dword:00000000 ; Automatically deny elevation requests
   "EnableInstallerDetection"=dword:00000000

   See <https://technet.microsoft.com/en-us/library/dd835564.aspx>

2. deny execution in all "%TEMP%" directories and their subdirectories:

   * add the NTFS ACE "(D;OIIO;WP;;;WD)" meaning "deny execution of
     files in this directory for everyone, inheritable to all files
     in all subdirectories" (use CACLS.EXE /SDDL for example);

   * use "software restriction policies" resp. AppLocker.


stay tuned
Stefan Kanthak


PS: Mozilla sits on this unfixed vulnerability for about 30 months:
    see <https://bugzilla.mozilla.org/show_bug.cgi?id=861012>


['] SHFOLDER.DLL is cruft from the last millennium, it was used on
    Windows 9x without Internet Explorer 4; see
    <https://support.microsoft.com/en-us/kb/241733>

    DONT USE the code shown in this MSKB article!

    See <https://msdn.microsoft.com/en-us/library/ff919712.aspx>,
    <https://msdn.microsoft.com/en-us/library/ms682586.aspx> and
    <https://technet.microsoft.com/en-us/library/2269637.aspx>


[²] self-extracting archives and executable installers are flawed^W
    insanely stupid in concept and dangerous in practice.

    DON'T USE SUCH CRUFT!
    ALWAYS use the resp. platforms native package and archive format.

    For Windows these are .INF (plus .CAB) and .MSI (plus .CAB),
    introduced 20 years ago (with Windows 95 and Windows NT4) resp.
    16 years ago (with Office 2000).

    Both .INF and .MSI are "opened" by programs residing in
    %SystemRoot%\System32\ which are therefore immune to this kind of
    "DLL (and EXE) Search Order Hijacking" attack.
    Since both .INF and .MSI can access the contents of .CAB directly
    they eliminate the attack vector "unsafe temporary directory" too.

    See <http://home.arcor.de/skanthak/temp/FIREFOX.INF> and
    <http://home.arcor.de/skanthak/temp/FIREFOX.DDF> as example of a
    native installer package for "Firefox 38.3.0 ESR (x86 de)":

    1.a. create FIREFOX.CAB from the unpacked full setup package
         (see above; I used the german language version): run the
         command line
           MAKECAB.EXE /D SourceDir="%TEMP%\7zS<hex>.tmp\core" /F FIREFOX.DDF

    1.b. create FIREFOX.CAB from the copy installed on your system:
         run the command line
           MAKECAB.EXE /D SourceDir="%ProgramFiles%\Mozilla Firefox" /F FIREFOX.DDF

    2. install Firefox from FIREFOX.CAB: right-click FIREFOX.INF and
       then click "Install", or run the command line
           InfDefaultInstall.Exe "<path>\FIREFOX.INF"
       resp.
           RunDll32.Exe SetupAPI.Dll,InstallHinfSection DefaultInstall 132 <path>\FIREFOX.INF